ffuf

Fast web fuzzer written in Go

Description

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It's the go-to tool for directory discovery, virtual host enumeration, parameter fuzzing, and more. It is highly configurable, with filters, matchers, and support for multiple wordlists.

Installation

BASH
go install github.com/ffuf/ffuf/v2@latest

Basic Usage

BASH
# Directory fuzzing
ffuf -u https://target.com/FUZZ -w wordlist.txt

# With file extensions
ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.js,.txt

# Filter 404 responses
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404

# Match specific status codes
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302

Advanced Usage

BASH
# Parameter fuzzing (GET)
ffuf -u "https://target.com/page?FUZZ=value" -w params.txt

# Parameter value fuzzing (POST)
ffuf -u https://target.com/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt

# Header fuzzing
ffuf -u https://target.com -H "X-Custom: FUZZ" -w wordlist.txt

# Multiple wordlists (clusterbomb)
ffuf -u "https://target.com/FUZZ1/FUZZ2" -w wordlist1.txt:FUZZ1 -w wordlist2.txt:FUZZ2

# Virtual host discovery (-fs filters out the default response by size; 1234 is a placeholder)
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 1234

# Recursive scanning
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

# Filter by response size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234

# Filter by word count
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 42

# With cookies/authentication
ffuf -u https://target.com/FUZZ -w wordlist.txt -b "session=abc123"

# Rate limiting
ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 100 -t 50

# Auto-calibration (automatic filtering)
ffuf -u https://target.com/FUZZ -w wordlist.txt -ac

# Output formats
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json

Common Workflows

BASH
# Content discovery with auto-calibration
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac -t 100

# API endpoint discovery
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,301

# Subdomain brute force via vhost
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -ac

# Mass directory fuzzing on multiple hosts
cat alive.txt | xargs -I {} ffuf -u {}/FUZZ -w wordlist.txt -mc 200 -t 50