FFUF
FFUF Web Fuzzing Framework
FFUF (Fuzz Faster U Fool) is a powerful web fuzzing tool written in Go. It excels at web enumeration, parameter fuzzing, and virtually any task requiring HTTP requests with substitutable values.
Key Features
Fast multi-threaded design
Versatile fuzzing capabilities (paths, files, parameters, headers, etc.)
Recursive scanning
Multiple filter options for responses
Configurable output formats
Support for multiple wordlists in single commands
Automatically calibrated filtering
Basic Syntax
The general syntax for FFUF follows this pattern:
ffuf -w wordlist.txt:KEYWORD -u https://target/KEYWORD
Where:
-w specifies the wordlist and, after the colon, the keyword it feeds (if no keyword is given, ffuf uses FUZZ by default)
-u defines the target URL containing the keyword placement
KEYWORD is replaced with each entry from the wordlist
Common Use Cases
Directory and File Enumeration
# Basic directory fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://target.com/FUZZ -mc all -fs 42 -c -v
# File extension fuzzing
ffuf -w /opt/useful/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://target.com/index.FUZZ
# Page fuzzing with specific extension
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://target.com/blog/FUZZ.php
Recursive Fuzzing
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://target.com/FUZZ -recursion -recursion-depth 1 -e .php -v
Subdomain and Vhost Fuzzing
# Subdomain enumeration
ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.target.com/
# Virtual host discovery
ffuf -w hosts.txt -u https://target.com/ -H "Host: FUZZ" -mc 200
Parameter Fuzzing
# GET parameter discovery
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.target.com/admin.php?FUZZ=key -fs xxx
# POST parameter fuzzing
ffuf -w parameters.txt:PARAM -u http://target.com/api -X POST -d 'PARAM=value' -H 'Content-Type: application/x-www-form-urlencoded' -fs 123
# Value fuzzing
ffuf -w values.txt:FUZZ -u http://target.com/api -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
JSON Request Fuzzing
ffuf -w entries.txt -u https://api.target.com/ -X POST -H "Content-Type: application/json" \
-d '{"username": "FUZZ", "password": "test123"}' -fr "error"
Multi-Parameter Fuzzing
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://target.com/?PARAM=VAL -mr "VAL" -c
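As an added illustration (not code from ffuf itself), this Python model shows how ffuf substitutes each keyword into every part of the request (URL, headers, body) and how the default clusterbomb mode differs from pitchfork (selected in ffuf with -mode pitchfork); the hostname, header and wordlist entries are constructed.

```python
import itertools
from typing import Dict, List

Request = Dict[str, str]  # "url", "body" and one entry per header, all plain text

def substitute(template: Request, assignment: Dict[str, str]) -> Request:
    """Replace each keyword (FUZZ, PARAM, VAL, ...) with its wordlist entry in URL,
    headers and body alike; ffuf applies the same substitution to the whole request."""
    out = {}
    for part, text in template.items():
        for keyword, word in assignment.items():
            text = text.replace(keyword, word)
        out[part] = text
    return out

def expand(template: Request, wordlists: Dict[str, List[str]], mode: str = "clusterbomb") -> List[Request]:
    """Model of ffuf's multi-wordlist modes. clusterbomb (the default) sends every combination,
    so the request count is the product of the list sizes; pitchfork pairs the n-th entry of
    each list (modelled here with zip, which stops at the shortest list - an assumption)."""
    keys = list(wordlists)
    if mode == "clusterbomb":
        combos = itertools.product(*(wordlists[k] for k in keys))
    elif mode == "pitchfork":
        combos = zip(*(wordlists[k] for k in keys))
    else:
        raise ValueError(f"unsupported mode: {mode}")
    return [substitute(template, dict(zip(keys, combo))) for combo in combos]

# Constructed template mirroring the page's multi-parameter and JSON examples.
TEMPLATE: Request = {
    "url": "https://target.com/?PARAM=VAL",
    "Content-Type": "application/json",
    "body": '{"PARAM": "VAL"}',
}
# Constructed two-entry wordlists standing in for params.txt and values.txt.
WORDLISTS = {"PARAM": ["id", "page"], "VAL": ["1", "admin"]}
```

With these lists clusterbomb produces four requests and pitchfork two, which is why the default mode grows quickly with larger wordlists.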
Filter Options
FFUF offers numerous ways to filter results:
# Filter by status code
ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200,301,302,307
# Filter by size
ffuf -w wordlist.txt -u https://target.com/FUZZ -fs 12345
# Filter by size range
ffuf -w wordlist.txt -u https://target.com/FUZZ -fs 400-600
# Filter by words count
ffuf -w wordlist.txt -u https://target.com/FUZZ -fw 57
# Filter by lines count
ffuf -w wordlist.txt -u https://target.com/FUZZ -fl 25
# Filter with regex on response
ffuf -w wordlist.txt -u https://target.com/FUZZ -fr "not found"
# Match with regex on response
ffuf -w wordlist.txt -u https://target.com/FUZZ -mr "admin"
Performance Tuning
# Number of threads (default: 40)
ffuf -w wordlist.txt -u https://target.com/FUZZ -t 50
# Request delay
ffuf -w wordlist.txt -u https://target.com/FUZZ -p 0.1
# Request timeout
ffuf -w wordlist.txt -u https://target.com/FUZZ -timeout 5
Output Options
# Colored output
ffuf -w wordlist.txt -u https://target.com/FUZZ -c
# Verbose output
ffuf -w wordlist.txt -u https://target.com/FUZZ -v
# Output to file (JSON format)
ffuf -w wordlist.txt -u https://target.com/FUZZ -o results.json
# Output to file (HTML format)
ffuf -w wordlist.txt -u https://target.com/FUZZ -of html -o results.html
# Silent mode (only show matches)
ffuf -w wordlist.txt -u https://target.com/FUZZ -s
Advanced Usage with Examples
Auto-Calibration and Filtering
FFUF can automatically detect false positives: with -ac it first requests random, non-existent paths and then filters out any response whose size, word count or line count matches those baseline responses. -acc takes a custom calibration string (it can be given more than once and implies -ac):
ffuf -w wordlist.txt -u https://target.com/FUZZ -ac
ffuf -w wordlist.txt -u https://target.com/FUZZ -acc notarealpage
Using With Proxies
Useful for Burp Suite integration:
ffuf -w wordlist.txt -u https://target.com/FUZZ -x http://127.0.0.1:8080
Real-world Examples
Finding hidden administrative interfaces
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt:FUZZ -u https://target.com/FUZZ -t 50 -mc 200,301,302 -e .php,.jsp,.aspx,.html
API endpoint enumeration
ffuf -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt:FUZZ -u https://api.target.com/v1/FUZZ -mc all -fc 404
Brute-forcing login credentials
ffuf -w usernames.txt:USER -w passwords.txt:PASS -u https://target.com/login -X POST -d "username=USER&password=PASS" -fr "Invalid credentials"
Discovering hidden parameters in web forms
ffuf -w parameters.txt:PARAM -u https://target.com/search -X POST -d "PARAM=test" -H "Content-Type: application/x-www-form-urlencoded" -fr "invalid parameter"
Comparison to Similar Tools
When compared to other web discovery tools:
Gobuster: FFUF offers more flexibility with request types and filtering
Wfuzz: FFUF is generally faster but Wfuzz has more payload processors
Dirbuster: FFUF is command-line based and much faster
Burp Suite Intruder: FFUF is free and typically faster for large wordlists
Best Practices
Start with small wordlists: Begin with common.txt before using larger lists
Use appropriate filters: Learn to filter results effectively to reduce noise
Recursive scanning: Use recursion carefully as it can greatly increase scan time
Rate limiting: Be mindful of request rates, especially against production systems
Custom wordlists: Create targeted wordlists based on the application context
Check results manually: Always verify interesting findings manually
FFUF is an invaluable tool in a penetration tester's arsenal, offering unparalleled flexibility for web application discovery and testing. Its speed and versatility make it suitable for a wide range of tasks, from basic directory enumeration to complex parameter fuzzing.