ffuf (Fuzz Faster U Fool)

ffuf is a fast and flexible web fuzzing tool written in Go. It is primarily used by security professionals and bug bounty hunters to discover hidden content, such as directories, files, virtual hosts, and parameters, by automatically injecting a large number of inputs (from a wordlist) and analyzing the server's responses.

Basic Subdomain Enumeration

This command discovers subdomains (virtual hosts) of a target website. It sends every request to the same server and fuzzes only the Host header with different subdomain prefixes; names the server is actually configured for stand out because their responses differ from the default one. The -fs <size> filter is crucial here: it hides responses of a specific size (usually the size of the error page returned for non-existent subdomains).

ffuf -ic -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://targetsite.com -H 'Host: FUZZ.targetsite.com' -t 50 -fs <size>

Common Usage

Basic fuzzing of a URL path (FUZZ marks the injection point; ffuf needs a wordlist from -w to run)

ffuf -u http://example.com/FUZZ -w wordlist.txt

Fuzz with a specific wordlist

ffuf -u http://example.com/FUZZ -w wordlist.txt

Fuzz with a specific wordlist, automatically ignoring any comments in the wordlist

ffuf -u http://example.com/FUZZ -w wordlist.txt -ic

Colorize the output for better readability

ffuf -u http://example.com/FUZZ -w wordlist.txt -c

Match responses by status code (show only 200; use -fc to hide a code instead)

ffuf -u http://example.com/FUZZ -w wordlist.txt -mc 200

Show only responses that match a regex pattern

ffuf -u http://example.com/FUZZ -w wordlist.txt -mr "Welcome"

Add extensions to each wordlist entry

ffuf -u http://example.com/FUZZ -w wordlist.txt -e .php,.html

Set the number of threads (e.g., 50) for faster fuzzing

ffuf -u http://example.com/FUZZ -w wordlist.txt -t 50

Use a proxy for requests

ffuf -u http://example.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

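Fuzz page parameter names (-fs 2287 hides this target's default response size; use the size of your own baseline response)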

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

Fuzz LFI payloads

ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

Fuzz webroot path

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

Fuzz server configuration file paths

ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
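
Seen from the server side, the path-fuzzing commands under Common Usage leave a recognisable footprint in the access log: one client requesting many distinct paths, almost all answered with 404. The script below is an added example, not part of the original cheat sheet or the ffuf project, that finds that footprint in a combined-format log; the function names, thresholds and sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: flag clients whose access-log
# footprint looks like wordlist fuzzing. Reads combined log format on stdin.
# Thresholds are assumptions; tune them against your own baseline traffic.
detect_fuzzing() {
  awk -v min_req="${1:-20}" -v min_pct="${2:-80}" '
    {
      # Split on double quotes: q[2] = request line, q[3] = status and size,
      # q[6] = User-Agent. Lines that do not fit this shape are skipped.
      if (split($0, q, "\"") < 6) next
      ip = $1
      split(q[2], req, " "); target = req[2]
      split(q[3], st, " ");  status = st[1] + 0
      total[ip]++
      if (status == 404) miss[ip]++
      if (!((ip, target) in seen)) { seen[ip, target] = 1; uniq[ip]++ }
      # ffuf names itself in the User-Agent by default. Any client can send a
      # different header, so the volume and miss-ratio test is the durable one.
      if (q[6] ~ /^Fuzz Faster U Fool/) ua[ip] = 1
    }
    END {
      for (ip in total) {
        pct = int(100 * miss[ip] / total[ip])
        noisy = (total[ip] >= min_req && pct >= min_pct)
        if (ua[ip] || noisy)
          printf "%s requests=%d unique=%d miss_pct=%d ffuf_ua=%s\n",
                 ip, total[ip], uniq[ip], pct, (ua[ip] ? "yes" : "no")
      }
    }' | sort
}

# Constructed sample traffic (documentation IP ranges, made-up paths and UA version).
sample_log() {
  fmt='%s - - [01/Jan/2025:10:00:%02d +0000] "GET %s HTTP/1.1" %s 153 "-" "%s"\n'
  for i in $(seq 1 30); do   # generic UA, 29 of 30 requests are 404
    code=404; [ "$i" -eq 7 ] && code=200
    printf "$fmt" 198.51.100.9 "$i" "/w$i" "$code" "Mozilla/5.0"
  done
  for i in 1 2 3; do         # default ffuf UA, too few requests for the ratio test
    printf "$fmt" 203.0.113.7 "$i" "/x$i" 404 "Fuzz Faster U Fool v0.0.0"
  done
  for i in 1 2 3 4 5; do     # ordinary visitor
    printf "$fmt" 192.0.2.44 "$i" "/page$i" 200 "Mozilla/5.0"
  done
}

sample_log | detect_fuzzing
```

Parameter and LFI fuzzing usually gets a 200 for every request, so for those runs the unique-target count per client is the more useful column than the miss ratio.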