Ultimate Ffuf Cheat Sheet
The fastest web fuzzer. Master the "FUZZ" keyword.
1. Basic Fuzzing
Ffuf replaces every occurrence of the keyword FUZZ in your command (URL, headers or body) with each entry from your wordlist, one request per entry.
Directory Fuzzing
The most common usage. Find hidden directories.
Multiple Wordlists (Clusterbomb)
Bind each wordlist to its own keyword with -w list.txt:KEY (for example FUZZ and W2). The default clusterbomb mode tries every combination of the lists; -mode pitchfork pairs their entries line by line instead.
Colors & Verbosity
-c enables color output. -v prints the full URL of matches.
2. Matchers (mc) & Filters (fc)
By default, Ffuf only shows responses whose status code is on its match list: 200, 204, 301, 302, 307, 401, 403 in older releases, widened to 200-299, 301, 302, 307, 401, 403, 405, 500 in ffuf 2.x (check ffuf -h for your version). 404s are therefore already hidden; what you usually still need to filter is noise such as a catch-all page that answers 200 to everything.
Filter Status Codes (-fc)
-fc 404,403 hides Not Found and Forbidden responses. Note that 404 only appears in the first place if you widened the matcher with -mc all.
Filter by Response Size (-fs)
Crucial for VHost fuzzing, where every miss returns the same default page. If every failure is 1234 bytes, -fs 1234 hides them; if the size drifts slightly (timestamps, reflected input), filter on word count (-fw) or line count (-fl) instead.
Match Specific Codes (-mc)
Only show me 200 OK responses.
Auto-Calibration (-ac)
Pro Tip: -ac first sends a few requests with random values, learns what the generic "not found" or error response looks like, and hides everything that matches it. Use it when you cannot predict which size to filter.
3. Recursion & Extensions
Recursive Fuzzing
If a hit looks like a directory, ffuf queues it and automatically fuzzes inside it (found /admin/, so it starts fuzzing /admin/FUZZ). Enable it with -recursion and cap it with -recursion-depth; recursion only works when FUZZ is the last part of the URL.
File Extensions (-e)
-e .php,.html appends each extension (dot included) to every word in the list. The bare word is still requested, so one wordlist covers both /admin and /admin.php.
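The commands for sections 1 to 3 (directory fuzzing, multiple wordlists, matchers and filters, recursion and extensions), as an added example that is not part of the original cheat sheet. It assumes ffuf is on PATH (override with FFUF=/path/to/ffuf), that http://target.com is a placeholder target, and that wordlists are passed in as arguments. Without FFUF_RUN=1 each wrapper only prints the command it would run, so the flag combinations can be checked without touching a target.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): wrappers for the section 1-3 ffuf commands.
# Assumptions: ffuf on PATH (FFUF overrides it), http://target.com is a placeholder,
# wordlist paths are arguments. Set FFUF_RUN=1 to execute instead of printing.

run_ffuf() {
  if [ "${FFUF_RUN:-0}" = 1 ]; then "${FFUF:-ffuf}" "$@"; return; fi
  line="${FFUF:-ffuf}"
  for a in "$@"; do
    # single-quote anything that is not plain flag/URL text so the line is copy-pasteable
    case "$a" in *[!A-Za-z0-9_./:=,@%+-]*) line="$line '$a'" ;; *) line="$line $a" ;; esac
  done
  printf '%s\n' "$line"
}

# 1. Directory fuzzing: FUZZ is the last path segment; -c colours, -v prints full URLs.
dir_fuzz() {                    # $1 = base URL, $2 = wordlist
  run_ffuf -w "$2" -u "$1/FUZZ" -c -v
}

# 1. Two wordlists bound to two keywords. clusterbomb (the default) tries every
# dir x file combination; -mode pitchfork would pair the lists line by line instead.
clusterbomb_fuzz() {            # $1 = base URL, $2 = directory list, $3 = file list
  run_ffuf -w "$2:FUZZ" -w "$3:W2" -u "$1/FUZZ/W2" -mode clusterbomb
}

# 2. Matchers and filters. -mc all shows every status, so 404/403 must then be
# filtered explicitly; -fs drops responses of the given byte size (the catch-all page).
filtered_fuzz() {               # $1 = base URL, $2 = wordlist, $3 = catch-all size in bytes
  run_ffuf -w "$2" -u "$1/FUZZ" -mc all -fc 404,403 -fs "$3"
}

# 2. Only 200s, with auto-calibration hiding whatever the random probes came back with.
calibrated_fuzz() {             # $1 = base URL, $2 = wordlist
  run_ffuf -w "$2" -u "$1/FUZZ" -mc 200 -ac
}

# 3. Recursion and extensions. Recursion needs FUZZ as the final path segment;
# -e appends each extension (dot included) and still tries the bare word.
recursive_fuzz() {              # $1 = base URL, $2 = wordlist
  run_ffuf -w "$2" -u "$1/FUZZ" -recursion -recursion-depth 2 -e .php,.html,.bak -ac
}
```

Running `dir_fuzz http://target.com common.txt` prints `ffuf -w common.txt -u http://target.com/FUZZ -c -v`; the same call with FFUF_RUN=1 executes it.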
4. Parameters & POST Data
GET Parameter Fuzzing
Put FUZZ in the parameter name (?FUZZ=1) to discover hidden parameters like debug or id, or in the value (?id=FUZZ) to enumerate a known one. A real parameter changes the response, so hide the baseline with -fs or -ac.
POST Data Fuzzing
Brute-force forms or JSON APIs: -X POST, -d for the body (FUZZ works inside it too), and -H "Content-Type: ..." set explicitly to match the body format rather than relying on a default.
5. VHost & Header Fuzzing
Subdomain / VHost Discovery
Fuzz the Host header with -H "Host: FUZZ.target.com" while the URL stays fixed on the apex domain or IP. Every miss returns the default vhost, so hide its page size with -fs.
Header Fuzzing
Fuzz header names (-H "FUZZ: value") to find ones the backend honours, such as X-Forwarded-For, then fuzz a known header's value (-H "X-Forwarded-For: FUZZ") to see which values change the response.
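The commands for sections 4 and 5 (GET parameters, POST bodies, VHost and header fuzzing), as an added example that is not part of the original cheat sheet. It assumes ffuf is on PATH (FFUF overrides it), that target.com is a placeholder, and that the parameter name id and the failed-login text "Login failed" are made up for the example. Without FFUF_RUN=1 each wrapper only prints the command it would run.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): wrappers for the section 4-5 ffuf commands.
# Assumptions: ffuf on PATH (FFUF overrides it), target.com is a placeholder, the
# parameter "id" and the failure text "Login failed" are invented for illustration.
# Set FFUF_RUN=1 to execute instead of printing.

run_ffuf() {
  if [ "${FFUF_RUN:-0}" = 1 ]; then "${FFUF:-ffuf}" "$@"; return; fi
  line="${FFUF:-ffuf}"
  for a in "$@"; do
    # single-quote anything that is not plain flag/URL text so the line is copy-pasteable
    case "$a" in *[!A-Za-z0-9_./:=,@%+-]*) line="$line '$a'" ;; *) line="$line $a" ;; esac
  done
  printf '%s\n' "$line"
}

# 4. GET parameters: fuzz the name with a fixed value, or the value of a known name.
# A live parameter changes the page, so -ac hides the baseline response.
param_name_fuzz() {             # $1 = URL without query string, $2 = parameter-name list
  run_ffuf -w "$2" -u "$1?FUZZ=1" -mc all -ac
}
param_value_fuzz() {            # $1 = URL without query string, $2 = value list
  run_ffuf -w "$2" -u "$1?id=FUZZ" -mc all -ac
}

# 4. POST bodies. Content-Type is set explicitly to match the body;
# -fr drops every response whose body matches the failed-login text.
post_form_fuzz() {              # $1 = login URL, $2 = password list
  run_ffuf -w "$2" -u "$1" -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'username=admin&password=FUZZ' -mc all -fr 'Login failed'
}
post_json_fuzz() {              # $1 = login URL, $2 = password list
  run_ffuf -w "$2" -u "$1" -X POST -H 'Content-Type: application/json' \
    -d '{"username":"admin","password":"FUZZ"}' -mc all -fr 'Login failed'
}

# 5. Virtual hosts: the URL stays fixed and only the Host header changes, so every
# miss returns the default site; -fs hides that size (use -fw/-fl if it varies).
vhost_fuzz() {                  # $1 = apex domain, $2 = subdomain list, $3 = default page size
  run_ffuf -w "$2" -u "http://$1" -H "Host: FUZZ.$1" -fs "$3"
}

# 5. Headers: fuzz header names with a fixed value to find ones the app honours,
# then fuzz the value of a header you know it reads.
header_name_fuzz() {            # $1 = URL, $2 = header-name list
  run_ffuf -w "$2" -u "$1" -H 'FUZZ: 127.0.0.1' -mc all -ac
}
header_value_fuzz() {           # $1 = URL, $2 = value list (e.g. internal addresses)
  run_ffuf -w "$2" -u "$1" -H 'X-Forwarded-For: FUZZ' -mc all -ac
}
```

`vhost_fuzz target.com subs.txt 1234` prints `ffuf -w subs.txt -u http://target.com -H 'Host: FUZZ.target.com' -fs 1234`; the size argument is the byte length of the default page, measured from a first run without -fs.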
6. Request File (Advanced)
Instead of typing complex commands, save a raw HTTP request from Burp Suite to a file and tell Ffuf where to fuzz.
1. Save Request
Save it as req.txt and put FUZZ where you want to inject. Keep the empty line between the last header and the body: ffuf reads header lines until the first empty line and treats everything after it as the body, so without it the JSON line is parsed as a header. A Content-Length header copied from Burp can stay; ffuf ignores it and recalculates the length per payload.
POST /login HTTP/1.1
Host: target.com
Content-Type: application/json

{"username": "admin", "password": "FUZZ"}
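The request-file workflow end to end, as an added example that is not part of the original cheat sheet: write the raw request shown above to a file, sanity-check it, and fuzz the FUZZ placeholder with -request. It assumes ffuf is on PATH (FFUF overrides it), that target.com is a placeholder, and that "Login failed" is a made-up failure string to filter on. Without FFUF_RUN=1 the ffuf command is only printed.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): save, validate and fuzz a raw request.
# Assumptions: ffuf on PATH (FFUF overrides it), target.com is a placeholder,
# "Login failed" is an invented failure string. Set FFUF_RUN=1 to execute.

run_ffuf() {
  if [ "${FFUF_RUN:-0}" = 1 ]; then "${FFUF:-ffuf}" "$@"; return; fi
  line="${FFUF:-ffuf}"
  for a in "$@"; do
    # single-quote anything that is not plain flag/path text so the line is copy-pasteable
    case "$a" in *[!A-Za-z0-9_./:=,@%+-]*) line="$line '$a'" ;; *) line="$line $a" ;; esac
  done
  printf '%s\n' "$line"
}

# Write the request. The empty line between the headers and the body is mandatory:
# ffuf reads header lines until the first empty line and takes the rest as the body.
write_request() {               # $1 = output path
  cat > "$1" <<'EOF'
POST /login HTTP/1.1
Host: target.com
Content-Type: application/json

{"username": "admin", "password": "FUZZ"}
EOF
}

# Catch the two mistakes that break -request: no header/body separator (the JSON
# line is then parsed as a header and the body is empty) and no FUZZ keyword at all.
# Returns 0 when the file looks usable; a CRLF-only line from Burp counts as empty.
check_request() {               # $1 = request file
  grep -q '^[[:space:]]*$' "$1" && grep -q 'FUZZ' "$1"
}

# -request-proto supplies the scheme the raw request lacks; ffuf builds the URL from
# it, the Host header and the request path. -mc all plus -fr keeps only logins whose
# response does not contain the failure text.
request_fuzz() {                # $1 = request file, $2 = password list
  check_request "$1" || { echo "refusing to fuzz: $1 is malformed" >&2; return 1; }
  run_ffuf -request "$1" -request-proto https -w "$2" -mc all -fr 'Login failed'
}
```

Typical use: `write_request req.txt && request_fuzz req.txt passwords.txt`, which prints `ffuf -request req.txt -request-proto https -w passwords.txt -mc all -fr 'Login failed'` (or runs it under FFUF_RUN=1). A request file saved without the separator is rejected before anything is sent.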