
ffuf Fast Web Fuzzer Cheat Sheet

Overview

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It substitutes wordlist entries wherever the FUZZ keyword appears in a request (URL path, query string, headers, POST body or even the HTTP method), which makes one tool serve for directory and file discovery, parameter and virtual host discovery, and payload testing. ffuf is known for its speed, its flexible input modes, and its extensive match/filter options.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using against any target.

Installation

Go Installation

bash
# Install via Go
go install github.com/ffuf/ffuf/v2@latest

# Verify installation
ffuf -V

Package Manager Installation

bash
# Ubuntu/Debian
sudo apt update
sudo apt install ffuf

# Arch Linux
sudo pacman -S ffuf

# macOS with Homebrew
brew install ffuf

# Kali Linux (pre-installed)
ffuf -h

Manual Installation

bash
# Download latest release
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/ffuf

Docker Installation

bash
# Pull Docker image
docker pull ffuf/ffuf

# Run with Docker; the container cannot see host paths, so mount the wordlist
# directory and refer to it by its path inside the container
docker run --rm ffuf/ffuf -h
docker run --rm -v /usr/share/wordlists:/wordlists:ro ffuf/ffuf -u http://target.com/FUZZ -w /wordlists/dirb/common.txt

Basic Usage

Command Structure

bash
# Basic syntax
ffuf -u URL -w WORDLIST

# Get help
ffuf -h

# Check version
ffuf -V

Basic Examples

bash
# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File fuzzing with extensions
ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ keywords (the default -mode clusterbomb tries every combination of the
# two lists; -mode pitchfork pairs them line by line)
ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z

Directory and File Fuzzing

Basic Directory Fuzzing

bash
# Directory enumeration
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

# Multiple extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json

Advanced Directory Options

bash
# Increase threads
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

# Add delay between requests
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

# Follow redirects
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

# Recursion into discovered directories (FUZZ must be the last part of the URL for this to work)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2

File Extension Fuzzing

bash
# Fuzz file extensions
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Common web extensions
echo -e "php\nhtml\nhtm\ntxt\njs\ncss\nxml\njson\nasp\naspx\njsp" > extensions.txt
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Backup file suffixes: append to the full filename (index.php.bak, index.php~),
# not in place of the extension, because that is how editors and deploy scripts leave them
echo -e ".bak\n.old\n.tmp\n.backup\n~\n.swp" > backup_suffixes.txt
ffuf -u http://target.com/index.phpFUZZ -w backup_suffixes.txt
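
As an added example (not part of the original cheat sheet or of ffuf itself), the shell functions below generate the leftover-file candidates that `-e` alone does not produce: `-e .bak` turns `index` into `index.bak`, whereas the files that actually leak usually look like `index.php.bak`, `index.php~` or the editor's `.index.php.swp`. The base names, extensions and suffix set are constructed sample input; adjust them to the target's stack.

```shell
#!/bin/sh
# Added example: build a wordlist of backup/leftover variants of known files.
# "ffuf -e .bak" only appends to the bare name (index -> index.bak); the files
# that actually leak are usually <name>.<ext>.bak, <name>.<ext>~ or the editor's
# .<name>.<ext>.swp. Names, extensions and suffixes here are constructed sample input.

# gen_backup_candidates NAME EXT: print the file plus its usual leftover variants.
gen_backup_candidates() {
    name="$1"
    ext="$2"
    printf '%s.%s\n' "$name" "$ext"
    for suffix in bak old orig tmp backup save; do
        printf '%s.%s.%s\n' "$name" "$ext" "$suffix"     # index.php.bak
    done
    printf '%s.%s~\n' "$name" "$ext"                     # emacs / "sed -i~" backup
    printf '.%s.%s.swp\n' "$name" "$ext"                 # vim swap file
    printf '%s.%s.swp\n' "$name" "$ext"                  # vim swap, non-hidden variant
}

# gen_wordlist OUTFILE EXT...: read base names on stdin, write the unique
# candidate list to OUTFILE and print how many entries it holds.
gen_wordlist() {
    out="$1"
    shift
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        for ext in "$@"; do
            gen_backup_candidates "$name" "$ext"
        done
    done | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Usage: generate the list, then fuzz the web root with it
#   printf 'index\nconfig\nlogin\n' | gen_wordlist backups.txt php inc
#   ffuf -u http://target.com/FUZZ -w backups.txt -mc 200 -ac
```

Each name/extension pair yields ten candidates, so feed it the handful of files you already know exist (from a previous ffuf run or the site map) rather than a generic directory list.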

Parameter Fuzzing

GET Parameter Fuzzing

bash
# Basic GET parameter fuzzing (quote the URL so the shell leaves ? and & alone)
ffuf -u "http://target.com/page.php?FUZZ=value" -w parameters.txt

# Multiple parameters (an unquoted & would send ffuf to the background)
ffuf -u "http://target.com/page.php?param1=FUZZ&param2=FUZ2Z" -w values1.txt:FUZZ -w values2.txt:FUZ2Z

# Parameter name fuzzing: a hidden parameter shows up as a response that differs from the
# baseline, so filter on the baseline (-fs <size> of a bogus name) or let -ac calibrate it
ffuf -u "http://target.com/page.php?FUZZ=test" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -ac

POST Parameter Fuzzing

bash
# POST data fuzzing (password guessing against a form; filter the failure response,
# e.g. -fr "Invalid" or -fs <size>, so that only a different reply is listed)
ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

# JSON POST data fuzzing
ffuf -u http://target.com/api/login -w passwords.txt -X POST -d '{"username":"admin","password":"FUZZ"}' -H "Content-Type: application/json"

# Multiple POST parameters: the default -mode clusterbomb tries every username with every
# password; -mode pitchfork sends line N of usernames.txt together with line N of passwords.txt
ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded"

Parameter Value Fuzzing

bash
# Payload lists are inserted verbatim: in a query string, characters such as &, # or a raw
# space change how the URL is parsed, so URL-encode such payloads in the wordlist first
# (ffuf 2.1.0 added -enc, e.g. -enc 'FUZZ:urlencode'; check ffuf -h for your version).
# Paths below assume SecLists under /usr/share/wordlists; Kali's package uses /usr/share/seclists.

# SQL injection payloads (look for changed size/word counts, or error strings with -mr)
ffuf -u "http://target.com/page.php?id=FUZZ" -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt -ac

# XSS payloads (use -mr with a string from the payload to find reflections)
ffuf -u "http://target.com/search.php?q=FUZZ" -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt -ac

# Command injection payloads (time-based ones stand out via -mt '>3000', the response time in ms)
ffuf -u "http://target.com/ping.php?host=FUZZ" -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt -ac

Header Fuzzing

Basic Header Fuzzing

bash
# User-Agent fuzzing
ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

# Custom header fuzzing
ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

# Authorization header fuzzing
ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ"

HTTP Method Fuzzing

bash
# Create the methods wordlist first
echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS\nTRACE\nCONNECT" > methods.txt

# HTTP method fuzzing: match every status; a 405 means the method is rejected,
# anything else (200, 201, 401, 403) says the endpoint handles it
ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ -mc all

Host Header Fuzzing

bash
# Virtual host discovery via the Host header: every request hits the same server, so
# filter the default vhost's response (-fs <size> measured with a bogus name, or -ac)
ffuf -u http://target.com/ -w subdomains.txt -H "Host: FUZZ.target.com" -ac

# Against an IP: finds vhosts whose names are not in public DNS (internal or staging sites)
ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com" -ac

Subdomain Fuzzing

Basic Subdomain Fuzzing

bash
# Virtual host enumeration via the Host header: this finds names the web server itself
# answers to, not DNS records; use a DNS brute-forcer for those
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# HTTPS: only the Host header is fuzzed, the TLS SNI stays target.com (set it explicitly with -sni if needed)
ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# Filter by the response size of the default vhost (measure it first with a name that cannot exist)
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234

Advanced Subdomain Techniques

bash
# Two labels (clusterbomb mode: requests = entries in list 1 x entries in list 2, so keep both lists short)
ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

# Subdomain with specific ports
ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

# Custom subdomain patterns
ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com"

Filtering and Matching

Response Code Filtering

bash
# Match specific status codes (default -mc: 200-299,301,302,307,401,403,405,500)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302

# Filter out status codes (404 is already excluded by the default -mc; -fc is for codes that do match)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 403

# Match successful responses
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200-299

Response Size Filtering

bash
# Filter by response size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234

# Filter by size range
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1000-2000

# Match specific size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -ms 5678

Response Content Filtering

bash
# Filter by response words
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 100

# Match specific word count
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mw 50-100

# Filter by response lines
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fl 10

Response Text Filtering

bash
# Filter responses containing specific text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Not Found"

# Match responses containing text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mr "Welcome"

# Filter using regex
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Error.*404"
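
The filters above only help once you know what the target's "not found" response looks like, and that is what `-ac` automates. As an added example (not from the cheat sheet or from ffuf), the function below makes the same decision by hand from a few baseline probes, so you can see why a given `-fs`, `-fw` or `-fl` value was chosen; it applies equally to directory fuzzing and to Host header fuzzing, where the baseline is a random hostname. The probe lines are constructed data in the form `STATUS SIZE WORDS LINES`, as you would collect with curl and wc.

```shell
#!/bin/sh
# Added example: pick the ffuf filter that hides a "soft 404" page. The input
# is one line per probe of a random, non-existent path (or random vhost name)
# in the form "STATUS SIZE WORDS LINES", as collected with e.g.
#   curl -s -o body.txt -w '%{http_code} %{size_download}' "http://target.com/zzz$RANDOM"
#   wc -w body.txt ; wc -l body.txt
# The probe lines used in the usage note are constructed, not real responses.

# pick_filter FILE: print the cheapest ffuf filter that removes every baseline
# response: -fs if all sizes agree, else -fw if all word counts agree, else -fl
# if all line counts agree, else fall back to ffuf's own auto-calibration (-ac).
# A baseline that is already a plain 404 needs nothing: the default -mc hides it.
pick_filter() {
    awk '
    NR == 1 { status = $1; size = $2; words = $3; lines = $4 }
    $1 != status { status = -1 }     # -1 marks "not constant across probes"
    $2 != size   { size   = -1 }
    $3 != words  { words  = -1 }
    $4 != lines  { lines  = -1 }
    END {
        if (NR == 0)       { print "error: no baseline lines"; exit 1 }
        if (status == 404) { print "none: default -mc already excludes 404"; exit 0 }
        if (size >= 0)       print "-fs " size
        else if (words >= 0) print "-fw " words
        else if (lines >= 0) print "-fl " lines
        else                 print "-ac"
    }' "$1"
}

# Usage: three probes of a soft-404 page that echoes the requested path (sizes differ,
# word count does not), so the result is "-fw 212"; the output is meant to be
# word-split straight into the ffuf command line:
#   printf '200 1482 212 41\n200 1490 212 41\n200 1479 212 41\n' > baseline.txt
#   ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt $(pick_filter baseline.txt)
```

Size is tried first because it is the most selective; word and line counts survive pages that embed the requested path or a timestamp, which is exactly the case where a naive `-fs` lets every result through.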

Output and Reporting

Output Formats

bash
# Save to file (the format defaults to json regardless of the file name)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json

# JSON output (explicit)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json -of json

# CSV output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.csv -of csv

# HTML output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.html -of html

# Markdown output, or every format at once (-of all uses -o as the base name)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.md -of md
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results -of all

Verbose Output

bash
# Verbose mode
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Silent mode (only results)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

# Color output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -c

Advanced Techniques

Rate Limiting and Stealth

bash
# Slow scanning: one thread, two seconds between requests
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# Random delay of 1 to 3 seconds between requests
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 1-3

# Cap the request rate instead (requests per second); easier to match a documented rate limit
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -rate 10

# Custom timeout in seconds (default 10)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

Proxy and SSL Options

bash
# Use proxy (http, https or socks5 URL)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Send only the matched requests through a second proxy such as Burp; the bulk traffic stays direct
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -replay-proxy http://127.0.0.1:8080

# TLS: ffuf does not verify server certificates, so self-signed or expired certs need no extra flag
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Client certificate authentication (ffuf 2.1.0 and later; confirm the flag names with ffuf -h)
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -cc client.crt -ck client.key

Authentication

bash
# Basic authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Basic $(echo -n 'user:pass' | base64)"

# Cookie authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=token"

# Bearer token
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Wordlist Management

Creating Custom Wordlists

bash
# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt | sort -u > combined.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist
echo -e "admin\napi\nv1\nv2\ntest\ndev\nstaging\nproduction" > custom_dirs.txt

Common Wordlist Locations

bash
# SecLists wordlists (paths assume SecLists cloned under /usr/share/wordlists;
# Kali's seclists package installs to /usr/share/seclists instead)
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# Parameter wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Subdomain wordlists
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt

Automation Scripts

Comprehensive Web Fuzzing Script

bash
#!/bin/bash
set -u

TARGET="${1:-}"
OUTPUT_DIR="ffuf_results_$(date +%Y%m%d_%H%M%S)"
SECLISTS="${SECLISTS:-/usr/share/wordlists/SecLists}"   # Kali: /usr/share/seclists

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi
TARGET="${TARGET%/}"   # strip a trailing slash so $TARGET/FUZZ has exactly one

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting comprehensive web fuzzing for $TARGET"

# Directory fuzzing (-ac auto-calibrates filters against the server's own "not found" page)
echo "[+] Directory fuzzing..."
ffuf -u "$TARGET/FUZZ" -w "$SECLISTS/Discovery/Web-Content/directory-list-2.3-medium.txt" -mc 200,301,302,403 -ac -s -o "$OUTPUT_DIR/directories.json" -of json

# File fuzzing with extensions
echo "[+] File fuzzing..."
ffuf -u "$TARGET/FUZZ" -w "$SECLISTS/Discovery/Web-Content/common.txt" -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -ac -s -o "$OUTPUT_DIR/files.json" -of json

# Parameter fuzzing (a hidden parameter changes the page, so the baseline must be filtered)
echo "[+] Parameter fuzzing..."
ffuf -u "$TARGET/index.php?FUZZ=test" -w "$SECLISTS/Discovery/Web-Content/burp-parameter-names.txt" -mc 200 -ac -s -o "$OUTPUT_DIR/parameters.json" -of json

# Virtual host fuzzing via the Host header (hostname taken from the URL, port dropped)
if [[ $TARGET =~ ^https?://([^/:]+) ]]; then
    DOMAIN=${BASH_REMATCH[1]}
    echo "[+] Virtual host fuzzing for $DOMAIN..."
    ffuf -u "$TARGET/" -w "$SECLISTS/Discovery/DNS/subdomains-top1million-5000.txt" -H "Host: FUZZ.$DOMAIN" -mc 200 -ac -s -o "$OUTPUT_DIR/vhosts.json" -of json
fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/"

API Endpoint Fuzzing Script

bash
#!/bin/bash
set -u

API_BASE="${1:-}"
OUTPUT_DIR="${2:-api_results}"
SECLISTS="${SECLISTS:-/usr/share/wordlists/SecLists}"   # Kali: /usr/share/seclists

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url> [output_dir]"
    exit 1
fi
API_BASE="${API_BASE%/}"
mkdir -p "$OUTPUT_DIR"

echo "[+] Fuzzing API endpoints for $API_BASE"

# API version fuzzing (inline wordlist via process substitution; 401/403 still prove the path exists)
echo "[+] API version fuzzing..."
ffuf -u "$API_BASE/FUZZ" -w <(echo -e "v1\nv2\nv3\napi\napi/v1\napi/v2\napi/v3") -mc 200,301,302,401,403 -s -o "$OUTPUT_DIR/api_versions.json" -of json

# Common API endpoints
echo "[+] Common API endpoints..."
ffuf -u "$API_BASE/api/FUZZ" -w "$SECLISTS/Discovery/Web-Content/api/api-endpoints.txt" -mc 200,301,302,401,403 -ac -s -o "$OUTPUT_DIR/api_endpoints.json" -of json

# HTTP methods fuzzing: match everything; a 405 means the method is rejected, anything else is a lead
echo "[+] HTTP methods fuzzing..."
ffuf -u "$API_BASE/api/users" -w <(echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS") -X FUZZ -mc all -s -o "$OUTPUT_DIR/api_methods.json" -of json

echo "[+] API fuzzing complete. Results saved in $OUTPUT_DIR/"

Parameter Brute Force Script

bash
#!/bin/bash
set -u

TARGET_URL="${1:-}"
PARAM_NAME="${2:-}"
WORDLIST="${3:-}"

if [ -z "$TARGET_URL" ] || [ -z "$PARAM_NAME" ] || [ -z "$WORDLIST" ]; then
    echo "Usage: $0 <target_url> <parameter_name> <wordlist>"
    exit 1
fi

echo "[+] Brute forcing parameter $PARAM_NAME on $TARGET_URL"

# GET parameter brute force (-ac filters the response a wrong value produces; -fs 0 alone only drops empty bodies)
ffuf -u "$TARGET_URL?$PARAM_NAME=FUZZ" -w "$WORDLIST" -mc 200 -ac -s -o "param_bruteforce_get.json" -of json

# POST parameter brute force
ffuf -u "$TARGET_URL" -w "$WORDLIST" -X POST -d "$PARAM_NAME=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mc 200 -ac -s -o "param_bruteforce_post.json" -of json

echo "[+] Parameter brute force complete."

Integration with Other Tools

Burp Suite Integration

bash
# Use Burp as proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist
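
The step "process URLs to create custom wordlist" above, written out as an added example (it is not from the cheat sheet, from Burp or from ffuf): the function turns a list of URLs copied from the site map into unique path segments and cumulative paths, which is what a target-specific `-w` list should contain. Pure-numeric segments (object IDs such as `/users/42`) are dropped because they do not generalise. The URLs in the usage note are constructed sample input.

```shell
#!/bin/sh
# Added example: turn a list of URLs (e.g. copied from Burp's site map) into a
# wordlist of path segments and cumulative paths for ffuf. Pure-numeric segments
# (object IDs such as /users/42) are dropped because they do not generalise.
# The URLs shown in the usage note are constructed sample input.

# urls_to_wordlist: read URLs on stdin, print unique wordlist entries on stdout
urls_to_wordlist() {
    # strip scheme and host, then the query string and fragment
    sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://[^/]*||' -e 's|[?#].*$||' |
    awk -F/ '
    {
        path = ""
        depth = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "") continue                 # empty segment from "/" or "//"
            if ($i ~ /^[0-9]+$/) break             # numeric ID: stop descending
            print $i                               # single segment: admin, login.php
            path = path "/" $i
            depth++
            if (depth > 1) print substr(path, 2)   # cumulative path: admin/login.php
        }
    }' | sort -u
}

# Usage with five sample URLs (constructed), giving 13 entries such as
# admin, admin/login.php, api/v1/users, static/js/app.js:
#   printf '%s\n' \
#     'https://target.example/admin/login.php?next=/dashboard' \
#     'https://target.example/api/v1/users' \
#     'https://target.example/api/v1/users/42' \
#     'https://target.example/static/js/app.js' \
#     'http://target.example/' | urls_to_wordlist > custom_paths.txt
#   ffuf -u http://target.com/FUZZ -w custom_paths.txt -ac
```

The cumulative entries matter because ffuf places the whole wordlist entry at FUZZ: `api/v1` as one entry probes the nested path directly, while the single segments feed recursion and the other hosts of the same application.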

Nuclei Integration

bash
# Run ffuf first, then nuclei on found endpoints
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -o found_endpoints.json -of json

# Extract URLs from ffuf results
jq -r '.results[].url' found_endpoints.json > found_urls.txt

# Run nuclei on found URLs
nuclei -l found_urls.txt -t /path/to/nuclei-templates/

Nmap Integration

bash
# Discover web services first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# One ffuf run per open port, https for 443/8443; in -oG output each entry in the
# "Ports:" field is port/state/proto//service///
grep -E '^Host:.*Ports:' web_ports.txt | while read -r line; do
    host=$(echo "$line" | awk '{print $2}')
    echo "$line" | grep -oE '[0-9]+/open' | cut -d/ -f1 | while read -r port; do
        case "$port" in 443|8443) scheme=https ;; *) scheme=http ;; esac
        ffuf -u "$scheme://$host:$port/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302 -ac
    done
done

Performance Optimization

Threading and Speed

bash
# Optimal thread count (usually 40-100)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

# Adjust timeout for slow servers
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 10

# Silent mode: no banner or progress output, so results can be piped to other tools
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

Memory Management

bash
# ffuf reads the whole wordlist into memory; for very large lists either split the file
# and run the parts in turn, or generate entries on the fly with -input-cmd/-input-num
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 30
split -l 250000 /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt part_
for part in part_*; do ffuf -u http://target.com/FUZZ -w "$part" -s -o "results_$part.json"; done

# Monitor memory usage (RSS in KiB)
watch -n 1 'ps -C ffuf -o pid,rss,etime,args'

Troubleshooting

Common Issues

bash
# TLS errors: ffuf never verifies certificates, so an untrusted cert is not the cause;
# when fuzzing an IP over HTTPS the server may need the right SNI to complete the handshake
ffuf -u https://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com" -sni target.com

# Connection timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

# Rate limiting by the target: slow down, or cap requests per second
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -rate 5

# DNS resolution issues: target the IP and supply the name in the Host header
ffuf -u http://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com"

Debug Mode

bash
# Verbose output for debugging
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Test a single request (a one-line process substitution works as the wordlist, but the URL still needs the keyword)
ffuf -u http://target.com/FUZZ -w <(echo "test") -v

# Log every request and response to a file, or send the single request through Burp to inspect it
ffuf -u http://target.com/FUZZ -w <(echo "test") -debug-log ffuf-debug.log
ffuf -u http://target.com/FUZZ -w <(echo "test") -x http://127.0.0.1:8080

Best Practices

Fuzzing Strategy

  1. Start with common wordlists: Use small, targeted wordlists first
  2. Establish a baseline before filtering: Request a few random paths (or hostnames) and filter on the size, word or line count they share, or let -ac calibrate the filters for you
  3. Technology-specific fuzzing: Use relevant wordlists for the target technology
  4. Recursive fuzzing: Fuzz found directories for deeper enumeration
  5. Parameter discovery: Don't forget to fuzz for hidden parameters
  6. Keep machine-readable results: Save runs with -o and -of json so other tools can consume them

Stealth Considerations

bash
# Slow fuzzing with a browser-like User-Agent (ffuf's default User-Agent names the tool)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2-5 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Route through a proxy (http or socks5): changes the source IP the target sees, nothing more
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://proxy:8080

# Random user agent, picked once per run: every request in that run carries the same value
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: $(shuf -n1 user_agents.txt)"


This cheat sheet provides a comprehensive reference for using ffuf. Always ensure you have proper authorization before conducting web application security testing.