ffuf Schneller Web Fuzzer Cheat Sheet

Would you like me to continue with the next section (Overview)? Here’s a preview of the translation for the Overview section:

Überblick

ffuf (Fuzz Faster U Fool) ist ein schneller Web Fuzzer, der in Go geschrieben wurde. Er ist als vielseitiges Werkzeug für Webanwendungssicherheitstests konzipiert und kann Verzeichnisse, Dateien, Parameter, Header und mehr fuzzen. ffuf ist bekannt für seine Geschwindigkeit, Flexibilität und umfangreichen Filtermöglichkeiten.

⚠️ Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen vorgesehen. Stellen Sie sicher, dass Sie eine entsprechende Autorisierung haben, bevor Sie es gegen ein Ziel einsetzen.

Would you like me to proceed with translating the rest of the document?```bash

Install via Go

go install github.com/ffuf/ffuf/v2@latest

Verify installation

ffuf -V

### Package Manager Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install ffuf

# Arch Linux
sudo pacman -S ffuf

# macOS with Homebrew
brew install ffuf

# Kali Linux (pre-installed)
ffuf -h

Manual Installation

# Download latest release
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/ffuf

Docker Installation

# Pull Docker image
docker pull ffuf/ffuf

# Run with Docker
docker run --rm ffuf/ffuf -h

Basic Usage

Command Structure

# Basic syntax
ffuf -u URL -w WORDLIST

# Get help
ffuf -h

# Check version
ffuf -V

Basic Examples

# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File fuzzing with extensions
ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ keywords
ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z

Directory and File Fuzzing

Basic Directory Fuzzing

# Directory enumeration
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

# Multiple extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json

Advanced Directory Options

# Increase threads
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

# Add delay between requests
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

# Follow redirects
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

# Recursion
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2

File Extension Fuzzing

# Fuzz file extensions
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Common web extensions
echo -e "php\nhtml\nhtm\ntxt\njs\ncss\nxml\njson\nasp\naspx\njsp" > extensions.txt
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Backup file extensions
echo -e "bak\nold\ntmp\nbackup\n~\nswp" > backup_extensions.txt
ffuf -u http://target.com/index.FUZZ -w backup_extensions.txt

Parameter Fuzzing

GET Parameter Fuzzing

# Basic GET parameter fuzzing
ffuf -u http://target.com/page.php?FUZZ=value -w parameters.txt

# Multiple parameters
ffuf -u http://target.com/page.php?param1=FUZZ&param2=FUZ2Z -w values1.txt:FUZZ -w values2.txt:FUZ2Z

# Parameter name fuzzing
ffuf -u http://target.com/page.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt

POST Parameter Fuzzing

# POST data fuzzing
ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

# JSON POST data fuzzing
ffuf -u http://target.com/api/login -w passwords.txt -X POST -d '\\\\{"username":"admin","password":"FUZZ"\\\\}' -H "Content-Type: application/json"

# Multiple POST parameters
ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded"

Parameter Value Fuzzing

# SQL injection payloads
ffuf -u http://target.com/page.php?id=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt

# XSS payloads
ffuf -u http://target.com/search.php?q=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

# Command injection payloads
ffuf -u http://target.com/ping.php?host=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt

Header Fuzzing

Basic Header Fuzzing

# User-Agent fuzzing
ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

# Custom header fuzzing
ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

# Authorization header fuzzing
ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ"

HTTP Method Fuzzing

# HTTP method fuzzing
ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ

# Create methods wordlist
echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS\nTRACE\nCONNECT" > methods.txt

Host Header Fuzzing

# Host header fuzzing for virtual hosts
ffuf -u http://target.com/ -w subdomains.txt -H "Host: FUZZ.target.com"

# IP-based host header fuzzing
ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com"

Subdomain Fuzzing

Basic Subdomain Fuzzing

# Subdomain enumeration via Host header
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# HTTPS subdomain fuzzing
ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# Filter by response size
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234

Advanced Subdomain Techniques

# Multiple subdomain levels
ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

# Subdomain with specific ports
ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

# Custom subdomain patterns
ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com"

Filtering and Matching

Response Code Filtering

# Match specific status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302

# Filter out status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404,403

# Match successful responses
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200-299

Response Size Filtering

# Filter by response size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234

# Filter by size range
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1000-2000

# Match specific size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -ms 5678
```### Filterung von Antwortinhalten
```bash
# Filter by response words
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 100

# Match specific word count
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mw 50-100

# Filter by response lines
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fl 10
```### Filterung von Antworttext
```bash
# Filter responses containing specific text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Not Found"

# Match responses containing text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mr "Welcome"

# Filter using regex
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Error.*404"
```## Ausgabe und Berichterstattung
```bash
# Save to file
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.txt

# JSON output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json -of json

# CSV output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.csv -of csv

# HTML output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.html -of html
```### Ausgabeformate
```bash
# Verbose mode
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Silent mode (only results)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

# Color output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -c
```### Ausführliche Ausgabe
```bash
# Slow scanning to avoid detection
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# Random delay
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 1-3

# Custom timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30
```## Fortgeschrittene Techniken
```bash
# Use proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Skip SSL verification
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Custom CA certificate
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -cert cert.pem
```### Ratenbegrenzung und Stealth
```bash
# Basic authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Basic $(echo -n 'user:pass'|base64)"

# Cookie authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=token"

# Bearer token
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
```### Proxy- und SSL-Optionen
```bash
# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt|sort -u > combined.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist
echo -e "admin\napi\nv1\nv2\ntest\ndev\nstaging\nproduction" > custom_dirs.txt
```### Authentifizierung
```bash
# SecLists wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# Parameter wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Subdomain wordlists
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt
```## Wortlistenverwaltung
```bash
#!/bin/bash

TARGET=$1
OUTPUT_DIR="ffuf_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p $OUTPUT_DIR

echo "[+] Starting comprehensive web fuzzing for $TARGET"

# Directory fuzzing
echo "[+] Directory fuzzing..."
ffuf -u $TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302,403 -o "$OUTPUT_DIR/directories.json" -of json

# File fuzzing with extensions
echo "[+] File fuzzing..."
ffuf -u $TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -o "$OUTPUT_DIR/files.json" -of json

# Parameter fuzzing
echo "[+] Parameter fuzzing..."
ffuf -u $TARGET/index.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -mc 200 -fs 0 -o "$OUTPUT_DIR/parameters.json" -of json

# Subdomain fuzzing (if domain provided)
if [[ $TARGET =~ ^https?://([^/]+) ]]; then
    DOMAIN=$\\\\{BASH_REMATCH[1]\\\\}
    echo "[+] Subdomain fuzzing for $DOMAIN..."
    ffuf -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.$DOMAIN" -mc 200 -fs 0 -o "$OUTPUT_DIR/subdomains.json" -of json
fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/"
```### Erstellen benutzerdefinierter Wortlisten
```bash
#!/bin/bash

API_BASE=$1
OUTPUT_FILE="api_endpoints.json"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    exit 1
fi

echo "[+] Fuzzing API endpoints for $API_BASE"

# API version fuzzing
echo "[+] API version fuzzing..."
ffuf -u $API_BASE/FUZZ -w <(echo -e "v1\nv2\nv3\napi\napi/v1\napi/v2\napi/v3") -mc 200,301,302 -o "api_versions.json" -of json

# Common API endpoints
echo "[+] Common API endpoints..."
ffuf -u $API_BASE/api/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,301,302 -o "api_endpoints.json" -of json

# HTTP methods fuzzing
echo "[+] HTTP methods fuzzing..."
ffuf -u $API_BASE/api/users -w <(echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS") -X FUZZ -mc 200,201,204,301,302,405 -o "api_methods.json" -of json

echo "[+] API fuzzing complete."
```### Beliebte Wortlisten
```bash
#!/bin/bash

TARGET_URL=$1
PARAM_NAME=$2
WORDLIST=$3

if [ -z "$TARGET_URL" ]||[ -z "$PARAM_NAME" ]||[ -z "$WORDLIST" ]; then
    echo "Usage: $0 <target_url> <parameter_name> <wordlist>"
    exit 1
fi

echo "[+] Brute forcing parameter $PARAM_NAME on $TARGET_URL"

# GET parameter brute force
ffuf -u "$TARGET_URL?$PARAM_NAME=FUZZ" -w $WORDLIST -mc 200 -fs 0 -o "param_bruteforce_get.json" -of json

# POST parameter brute force
ffuf -u $TARGET_URL -w $WORDLIST -X POST -d "$PARAM_NAME=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mc 200 -fs 0 -o "param_bruteforce_post.json" -of json

echo "[+] Parameter brute force complete."
```## Automatisierungsskripte
```bash
# Use Burp as proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist
```### Umfassendes Web-Fuzzing-Skript
```bash
# Run ffuf first, then nuclei on found endpoints
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -o found_endpoints.json -of json

# Extract URLs from ffuf results
jq -r '.results[].url' found_endpoints.json > found_urls.txt

# Run nuclei on found URLs
nuclei -l found_urls.txt -t /path/to/nuclei-templates/
```### API-Endpoint-Fuzzing-Skript
```bash
# Discover web services first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# Extract hosts and ports, then fuzz
grep "80/open\|443/open\|8080/open\|8443/open" web_ports.txt|awk '\\\\{print $2\\\\}'|while read host; do
    ffuf -u "http://$host/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302
done
```### Parameter-Brute-Force-Skript
```bash
# Optimal thread count (usually 40-100)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

# Adjust timeout for slow servers
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 10

# Silent mode for better performance
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s
```## Integration mit anderen Tools
```bash
# For large wordlists, use streaming
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 30

# Monitor memory usage
watch -n 1 'ps aux|grep ffuf'
```### Burp Suite Integration
```bash
# SSL certificate issues
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Connection timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

# Rate limiting
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# DNS resolution issues
ffuf -u http://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com"
```### Nuclei Integration
```bash
# Verbose output for debugging
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Test single request
ffuf -u http://target.com/test -w <(echo "test") -v
```### Nmap Integration
```bash
# Slow and stealthy fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2-5 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use proxy for anonymity
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://proxy:8080

# Random user agent
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: $(shuf -n1 user_agents.txt)"
```## Ressourcen
https://github.com/ffuf/ffuf- [ffuf GitHub Repository](https://github.com/danielmiessler/SecLists)https://owasp.org/www-project-web-security-testing-guide/- [SecLists Wortlisten](https://owasp.org/www-community/Fuzzing)