Ffuf

ffuf is a fest web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

General Usage

ffuf -u http://10.10.10.10/FUZZ -w raft-large-words.txt

ffuf -u http://10.10.10.10 -H "Host: FUZZ.domain" -w raft-large-words.txt

ffuf -u http://10.10.10.10/FUZZ -e .php,.bak,.asp -w raft-large-words.txt

ffuf -u http://10.10.10.10/FUZZ -recursion -w raft-large-words.txt

ffuf -u http://10.10.10.10/FUZZ -recursion -recursion-depth 1 -w raft-large-words.txt

ffuf -u http://10.10.10.10/FUZZ -x http://127.0.0.1:8080 -w raft-large-words.txt

Filters & Matchers

Ignore 403 & 404 status code from the response.

ffuf -u http://10.10.10.10/FUZZ -fc 404,403 -w raft-large-words.txt

Match with status code 200.

ffuf -u http://10.10.10.10/FUZZ -mc 200 -w raft-large-words.txt

Ignore responses with 38 lines.

ffuf -u http://10.10.10.10/FUZZ -fl 38 -w raft-large-words.txt

Match with responses that have 24 lines.

ffuf -u http://10.10.10.10/FUZZ -ml 24 -w raft-large-words.txt

Ignores responses that have a size of 500 characters.

ffuf -u http://10.10.10.10/FUZZ -fs 500 -w raft-large-words.txt

Match with responses that have a size of 33 characters.

ffuf -u http://10.10.10.10/FUZZ -ms 33 -w raft-large-words.txt

Ignore responses with 55 words.

ffuf -u http://10.10.10.10/FUZZ -fw 55 -w raft-large-words.txt

Match with responses that have 22 words.

ffuf -u http://10.10.10.10/FUZZ -mw 22 -w raft-large-words.txt

Ignores responses that contain the word "template".

ffuf -u http://10.10.10.10/FUZZ -fr "template" -w raft-large-words.txt

Match with responses that contain the word "password".

ffuf -u http://10.10.10.10/FUZZ -mr "password" -w raft-large-words.txt

Input

ffuf -request login.req -request-proto http -w raft-large-words.txt

Output

ffuf -u http://10.10.10.10/FUZZ -o ffuf.txt -w raft-large-words.txt

Save the output to a csv file (json, ejson, html, md, csv, ecsv).

ffuf -u http://10.10.10.10/FUZZ -of csv -o ffuf.csv -w raft-large-words.txt

Store each request and response in the ffuf-output folder.

ffuf -u http://10.10.10.10/FUZZ -od ffuf-output -w raft-large-words.txt

Write all of the internal logging to the debug.txt file.

ffuf -u http://10.10.10.10/FUZZ -debug-log debug.txt -w raft-large-words.txt

References

PreviousNmap NextFTP

Last updated 2 years ago