🚀 ffuf - The Fast Web Fuzzer Cheat Sheet

A comprehensive guide to ffuf (Fuzz Faster U Fool), an exceptionally fast and versatile web fuzzer written in Go. This tool is essential for web application security testing, capable of discovering hidden directories, files, parameters, and virtual hosts.

โš ๏ธ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have explicit permission before testing any target.


📚 Table of Contents

  1. Installation
  2. Basic Usage
  3. Directory and File Fuzzing
  4. Parameter Fuzzing
  5. Header Fuzzing
  6. Subdomain Fuzzing
  7. Filtering and Matching
  8. Output and Reporting
  9. Advanced Techniques
  10. Automation Scripts
  11. Integration with Other Tools
  12. Performance Optimization
  13. Troubleshooting
  14. Best Practices

🔧 Installation

Via Go

# Install via Go
go install github.com/ffuf/ffuf/v2@latest

# Verify installation
ffuf -V

Via Package Manager

# Ubuntu/Debian
sudo apt update && sudo apt install ffuf

# Arch Linux
sudo pacman -S ffuf

# macOS with Homebrew
brew install ffuf

# Kali Linux (pre-installed)
ffuf -h

Manual Installation

# Download latest release (example for v2.1.0)
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/ffuf

Via Docker

# Pull Docker image
docker pull ffuf/ffuf

# Run with Docker
docker run --rm ffuf/ffuf -h

🧭 Basic Usage

Command Structure

# Basic syntax
ffuf -u URL -w WORDLIST

# Get help
ffuf -h

# Check version
ffuf -V

Basic Examples

# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File fuzzing with extensions
ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ keywords
ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z

๐Ÿ“ Directory and File Fuzzing

Basic Directory Fuzzing

# Directory enumeration
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

# Multiple extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json

Advanced Directory Options

# Increase threads for speed
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

# Add delay between requests (for stealth)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

# Follow redirects
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

# Recursion to explore subdirectories
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2

File Extension Fuzzing

# Fuzz file extensions for a known file
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Create a common web extensions list (printf is portable; "echo -e" is not honoured by every /bin/sh)
printf '%s\n' php html htm txt js css xml json asp aspx jsp > extensions.txt
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Fuzz for backup files
printf '%s\n' bak old tmp backup '~' swp > backup_extensions.txt
ffuf -u http://target.com/index.FUZZ -w backup_extensions.txt

โš™๏ธ Parameter Fuzzing

GET Parameter Fuzzing

# Basic GET parameter name fuzzing (quote the URL so the shell does not glob on '?' or '=')
ffuf -u 'http://target.com/page.php?FUZZ=value' -w parameters.txt

# Multiple parameters (the quotes also stop the shell treating '&' as a background operator)
ffuf -u 'http://target.com/page.php?param1=FUZZ&param2=FUZ2Z' -w values1.txt:FUZZ -w values2.txt:FUZ2Z

# Using a parameter name wordlist
ffuf -u 'http://target.com/page.php?FUZZ=test' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt

POST Parameter Fuzzing

# POST data fuzzing (e.g., password brute-force)
ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
  -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

# JSON POST data fuzzing
ffuf -u http://target.com/api/login -w passwords.txt \
  -X POST -d '{"username":"admin","password":"FUZZ"}' -H "Content-Type: application/json"

# Multiple POST parameters
ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS \
  -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded"

Parameter Value Fuzzing

# SQL injection payloads
ffuf -u 'http://target.com/page.php?id=FUZZ' -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt

# XSS payloads
ffuf -u 'http://target.com/search.php?q=FUZZ' -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

# Command injection payloads
ffuf -u 'http://target.com/ping.php?host=FUZZ' -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt

🎩 Header Fuzzing

Basic Header Fuzzing

# User-Agent fuzzing
ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

# Custom header fuzzing
ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

# Authorization header fuzzing (e.g., API keys)
ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ"

HTTP Method & Host Header Fuzzing

# HTTP method fuzzing
printf '%s\n' GET POST PUT DELETE PATCH HEAD OPTIONS TRACE CONNECT > methods.txt
ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ

# Host header fuzzing for virtual hosts
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# IP-based host header fuzzing
ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com"

๐ŸŒ Subdomain Fuzzing

Subdomain enumeration is typically done by fuzzing the Host header against the web server's IP address or main domain.

Basic Subdomain Fuzzing

# Subdomain enumeration via Host header
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# HTTPS subdomain fuzzing
ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -k

# Filter by response size to find valid hosts (1234 stands for the size of the default vhost's response)
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234

Advanced Subdomain Techniques

# Multiple subdomain levels
ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

# Subdomain with specific ports
ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

# Custom subdomain patterns
ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com"

🧠 Filtering and Matching

Filtering is crucial for reducing noise and focusing on relevant results.

| Filter Type | Flag | Example | Description |
|---|---|---|---|
| Status code | -mc | -mc 200,301,302 | Match specific status codes |
| Status code | -fc | -fc 404,403 | Filter out specific status codes |
| Response size | -fs | -fs 1234 | Filter by specific response size (bytes) |
| Response size | -ms | -ms 5678 | Match a specific response size |
| Response words | -fw | -fw 100 | Filter by number of words in the response |
| Response words | -mw | -mw 50-100 | Match a range of word counts |
| Response lines | -fl | -fl 10 | Filter by number of lines in the response |
| Response text (regex) | -fr | -fr "Not Found" | Filter responses whose body matches the pattern |
| Response text (regex) | -mr | -mr "Welcome" | Match responses whose body matches the pattern |
| Regex | -fr | -fr "Error.*404" | Filter using a full regex pattern |

📄 Output and Reporting

Output Formats

# Save to a plain text file
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.txt

# Save to JSON format (recommended for parsing)
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json

# Save to CSV format (good for spreadsheets)
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.csv -of csv

# Save to HTML format (good for reports)
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html

Verbose Output

# Verbose mode (show all requests)
ffuf -u http://target.com/FUZZ -w wordlist.txt -v

# Silent mode (only show results)
ffuf -u http://target.com/FUZZ -w wordlist.txt -s

# Color output (highlight results)
ffuf -u http://target.com/FUZZ -w wordlist.txt -c
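The filtering table above and the CSV output format go together in practice: a first unfiltered run shows which response size the target returns for every non-existent path, and that size is what you feed to -fs on the next run (ffuf can also estimate it itself with -ac, its auto-calibration flag). The script below is an added example, not part of the original cheat sheet, that performs that analysis offline on a saved CSV. The column layout (keyword column first, then url, redirectlocation, position, status_code, content_length, content_words, content_lines, content_type, duration, resultfile) is assumed to match ffuf's -of csv writer, and the rows are constructed sample data rather than real scan output.

```shell
#!/bin/sh
# Post-process a ffuf CSV result file to find the "soft 404" size a -fs filter
# would remove. Column layout is assumed to follow ffuf's -of csv output; the
# rows below are constructed sample data, not output from a real scan.

SAMPLE_CSV="${TMPDIR:-/tmp}/ffuf_sample_$$.csv"
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://target.example/admin,http://target.example/admin/,1,301,0,0,0,text/html,12ms,
images,http://target.example/images,http://target.example/images/,2,301,0,0,0,text/html,11ms,
login,http://target.example/login,,3,200,4312,220,80,text/html,15ms,
foo,http://target.example/foo,,4,200,1234,40,12,text/html,10ms,
bar,http://target.example/bar,,5,200,1234,40,12,text/html,9ms,
baz,http://target.example/baz,,6,200,1234,40,12,text/html,10ms,
backup,http://target.example/backup,,7,403,277,20,9,text/html,8ms,
EOF

# 1-based index of a header field, so column positions are not hard-coded.
col_index() {   # col_index FILE FIELD
    awk -F, -v f="$2" 'NR==1 { for (i=1;i<=NF;i++) if ($i==f) { print i; exit } }' "$1"
}

# Hits per status code, printed as "STATUS COUNT" lines sorted by status.
summarize_by_status() {   # summarize_by_status FILE
    sc=$(col_index "$1" status_code)
    awk -F, -v c="$sc" 'NR>1 { n[$c]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# The content_length seen most often among 200 responses. Many different words
# returning the same body size is the classic catch-all signature; this is the
# value you would pass to -fs on the next run.
most_common_length() {   # most_common_length FILE
    sc=$(col_index "$1" status_code); lc=$(col_index "$1" content_length)
    awk -F, -v s="$sc" -v l="$lc" 'NR>1 && $s==200 { n[$l]++ }
        END { best=""; max=0; for (k in n) if (n[k]>max) { max=n[k]; best=k }; print best }' "$1"
}

# Keyword (first column) of every result whose content_length is NOT the given
# value: the same effect as re-running with -fs LENGTH, without a second scan.
filter_by_length() {   # filter_by_length FILE LENGTH
    lc=$(col_index "$1" content_length)
    awk -F, -v l="$lc" -v drop="$2" 'NR>1 && $l!=drop { print $1 }' "$1"
}

if [ "${1:-}" = "--demo" ]; then
    echo "Hits per status code:"; summarize_by_status "$SAMPLE_CSV"
    noise=$(most_common_length "$SAMPLE_CSV")
    echo "Most common 200 body size (candidate for -fs): $noise"
    echo "Results that survive -fs $noise:"; filter_by_length "$SAMPLE_CSV" "$noise"
fi
```

Run it as `sh ffuf_csv_triage.sh --demo` to see the three steps; point the functions at a real results.csv from `-of csv` instead of the embedded sample to triage your own run. Choosing the most frequent 200 size as the noise value is a heuristic: check a couple of the surviving hits by hand before trusting the filter, because a real page can share a size with the catch-all response.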

⚡ Advanced Techniques

Rate Limiting and Stealth

# Slow scanning to avoid detection
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 1 -p 2

# Random delay between requests
ffuf -u http://target.com/FUZZ -w wordlist.txt -p 1-3

# Custom timeout for slow servers
ffuf -u http://target.com/FUZZ -w wordlist.txt -timeout 30

Proxy and SSL Options

# Use a proxy (e.g., Burp Suite, ZAP)
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

# Skip SSL certificate verification
ffuf -u https://target.com/FUZZ -w wordlist.txt -k

# Use a client certificate and key (mutual TLS); ffuf requires both -cc and -ck together
ffuf -u https://target.com/FUZZ -w wordlist.txt -cc cert.pem -ck key.pem

Authentication

# Basic Authentication
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic $(echo -n 'user:pass' | base64)"

# Cookie-based Authentication
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "PHPSESSID=abc123; auth=token"

# Bearer Token (for APIs)
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer <YOUR_TOKEN>"

๐Ÿ“ Automation Scripts

Comprehensive Web Fuzzing Script

This script performs multiple types of fuzzing and saves the results to a time-stamped directory.

#!/bin/bash
# save as comprehensive_fuzz.sh
set -u

TARGET=${1:-}
OUTPUT_DIR="ffuf_results_$(date +%Y%m%d_%H%M%S)"
WL=/usr/share/wordlists/SecLists

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting comprehensive web fuzzing for $TARGET"

# Directory fuzzing. -ac auto-calibrates the size/word/line filters from baseline
# requests so a catch-all ("soft 404") response does not flood the results.
echo "[+] Directory fuzzing..."
ffuf -u "$TARGET/FUZZ" -w "$WL/Discovery/Web-Content/directory-list-2.3-medium.txt" \
    -mc 200,301,302,403 -ac -o "$OUTPUT_DIR/directories.json" -of json -s

# File fuzzing with extensions
echo "[+] File fuzzing..."
ffuf -u "$TARGET/FUZZ" -w "$WL/Discovery/Web-Content/common.txt" \
    -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -ac -o "$OUTPUT_DIR/files.json" -of json -s

# Parameter fuzzing (URL quoted so the shell does not glob on '?' and '=')
echo "[+] Parameter fuzzing..."
ffuf -u "$TARGET/index.php?FUZZ=test" -w "$WL/Discovery/Web-Content/burp-parameter-names.txt" \
    -mc 200 -ac -o "$OUTPUT_DIR/parameters.json" -of json -s

# Subdomain fuzzing via the Host header (the host part is extracted without any :port)
if [[ $TARGET =~ ^https?://([^/:]+) ]]; then
    DOMAIN=${BASH_REMATCH[1]}
    echo "[+] Subdomain fuzzing for $DOMAIN..."
    ffuf -u "$TARGET" -w "$WL/Discovery/DNS/subdomains-top1million-5000.txt" \
        -H "Host: FUZZ.$DOMAIN" -mc 200 -ac -o "$OUTPUT_DIR/subdomains.json" -of json -s
fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/"

🔗 Integration with Other Tools

Burp Suite Integration

# Use Burp Suite as a proxy to route all ffuf traffic through it for analysis
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

# Export Burp findings to a wordlist
# In Burp: Target > Site map > Right-click > Copy URLs
# Then process the URLs to create a custom wordlist

Nuclei Integration

# First, run ffuf to find live endpoints
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302 -o found_endpoints.json -of json -s

# Extract URLs from ffuf's JSON output
jq -r '.results[].url' found_endpoints.json > found_urls.txt

# Run Nuclei on the discovered URLs for vulnerability scanning
nuclei -l found_urls.txt -t /path/to/nuclei-templates/

โš™๏ธ Performance Optimization

Threading and Speed

# Optimal thread count (start with 40-100, adjust based on target)
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 50

# Adjust timeout for slow servers to prevent false negatives
ffuf -u http://target.com/FUZZ -w wordlist.txt -timeout 10

# Silent mode for better performance (no UI updates)
ffuf -u http://target.com/FUZZ -w wordlist.txt -s

๐Ÿ› ๏ธ Troubleshooting

| Issue | Solution |
|---|---|
| SSL certificate error | Use the -k flag to skip SSL verification: ffuf -u https://... -k |
| Connection timeouts | Increase the timeout value with -timeout <seconds>. |
| Getting rate-limited | Reduce threads (-t 1), increase the delay (-p 2), or use a proxy (-x). |
| DNS resolution issues | Fuzz the IP directly and specify the Host header: ffuf -u http://IP/FUZZ -H "Host: domain.com" |
| Debugging requests | Use verbose mode (-v) to see all requests and responses. |

# Example of a single request test for debugging
ffuf -u http://target.com/test -w <(echo "test") -v