Mastering FFUF: The Ultimate Web Fuzzing Guide

Discover hidden content, endpoints, and vulnerabilities with the fastest web fuzzer around

What is FFUF?

FFUF (Fast Web Fuzzer) is an open-source web fuzzing tool written in Go. At its core, it's simple: it takes a wordlist (a list of potential directory names, files, or other values) and rapidly tests each entry against a target URL to see which ones exist.

But don't let its simplicity fool you. Its speed, thanks to Go's concurrency model, and its vast array of options for filtering, matching, and automating make it an indispensable tool in the toolkit of pentesters, security researchers, and developers alike.

Official Repository: ffuf on GitHub

Why FFUF Over Other Tools? (Like Gobuster/Dirbuster)

  • Blazing Speed: Go's goroutines allow it to handle a massive number of concurrent requests
  • Precision Filtering: Easily filter out responses by size, words, lines, or status codes
  • Versatility: Fuzz any part of an HTTP request: headers, POST data, and parameters
  • Simple Syntax: The command structure is intuitive and easy to remember

Installation

Getting FFUF on your system is straightforward.

On Kali Linux / Parrot OS:

sudo apt update && sudo apt install ffuf

Using Go:

go install github.com/ffuf/ffuf/v2@latest

Pre-compiled Binaries:

Download the latest version for your OS from the Official Releases page.

Using Docker:

docker run -it --rm ghcr.io/ffuf/ffuf

Check your installation:

ffuf --help

The Core Concept: FUZZ

The magic of ffuf lies in the keyword FUZZ. This is a placeholder that tells the tool where to inject the values from your wordlist.

  • Want to fuzz directories? Use https://target.com/FUZZ
  • Want to fuzz a parameter? Use https://target.com/search?q=FUZZ
  • Want to fuzz a header? Use -H "X-API-Key: FUZZ"

ffuf will replace FUZZ with each entry in your specified wordlist.

Your First Fuzz: Basic Directory Bruteforcing

Let's start with the most common use case: finding hidden directories and files.

Command:

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://testphp.vulnweb.com/FUZZ

  • -w /path/to/wordlist.txt: The -w flag specifies the path to your wordlist.
  • -u http://target.com/FUZZ: The -u flag specifies the target URL, including the FUZZ keyword.

Understanding the Output:

You'll see a table showing each request. The key columns are:

Column   Description
Status   The HTTP response code (e.g., 200, 403, 302)
Size     The size of the response in bytes
Words    The number of words in the response body
Lines    The number of lines in the response body
Result   The value from the wordlist that was used

Filtering: The Key to Useful Results

A 200 response for /images is very different from a 200 for /admin. We need to filter out the noise. The most common way is to filter by size.

1. Run a calibration request first

Fuzz a known nonexistent path to see what a "false" response looks like (e.g., a 404 page).

ffuf -w wordlist.txt -u http://site.com/FUZZ -mc 404

Note the size of the typical 404 response.

2. Now, filter out that size

Use the -fs (filter size) flag.

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://testphp.vulnweb.com/FUZZ -fs 986

This command hides all responses that are 986 bytes in size, dramatically cleaning up your results and revealing the truly interesting endpoints.

Common Filtering/Matching Flags:

Flag               Description
-fc 404,500        Filter out specific HTTP status codes
-mc 200,301,302    Show only specific HTTP status codes ("match codes")
-fs 123,456        Filter out specific response sizes
-fw 55             Filter out responses containing a specific number of words
-fl 10             Filter out responses containing a specific number of lines

Pro Tip: Always use filters. It's the difference between a messy output and a laser-focused list of valuable targets.

Beyond Directories: Advanced Fuzzing Techniques

1. Fuzzing File Extensions

Find files with specific extensions by using two wordlists.

ffuf -w wordlist.txt:NAMES -w extensions.txt:EXT -u http://site.com/NAMESEXT

Each wordlist gets its own keyword (wordlist.txt:NAMES for filenames, extensions.txt:EXT for extensions), and writing NAMESEXT in the URL places the two side by side, so ffuf requests every filename/extension combination.

Example extensions.txt:

.txt
.php
.bak
.old
.zip
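To make the keyword mechanics concrete, here is a small added illustration (not code from the ffuf project) of how placeholders from several wordlists are expanded into request targets. The wordlists and the helper name expand are constructed for this example; the two modes mirror ffuf's default combination mode (-mode clusterbomb) and its line-by-line pairing mode (-mode pitchfork).

```python
"""How ffuf expands keyword placeholders from several wordlists.

Added illustration, not code from the ffuf project. The wordlists and the
helper name 'expand' are constructed for this example; the two modes mirror
ffuf's -mode clusterbomb (default) and -mode pitchfork.
"""
from itertools import product
from typing import Dict, List

# Constructed stand-ins for wordlist.txt and extensions.txt.
NAMES = ["index", "admin", "backup"]
EXTS = [".php", ".bak"]


def expand(template: str, wordlists: Dict[str, List[str]],
           mode: str = "clusterbomb") -> List[str]:
    """Return every request target produced by substituting the keywords.

    wordlists maps a keyword (the part after the colon in -w file:KEYWORD)
    to its entries. Keywords are replaced wherever they appear in the
    template, which is why NAMESEXT yields name + extension.
    """
    keywords = list(wordlists)
    if mode == "clusterbomb":
        # Every combination: len(NAMES) * len(EXTS) requests.
        combos = product(*(wordlists[k] for k in keywords))
    elif mode == "pitchfork":
        # Line-by-line pairing; stops at the shortest list.
        combos = zip(*(wordlists[k] for k in keywords))
    else:
        raise ValueError(f"unknown mode: {mode}")

    targets = []
    for combo in combos:
        target = template
        for keyword, value in zip(keywords, combo):
            target = target.replace(keyword, value)
        targets.append(target)
    return targets


if __name__ == "__main__":
    for mode in ("clusterbomb", "pitchfork"):
        urls = expand("http://site.com/NAMESEXT", {"NAMES": NAMES, "EXT": EXTS}, mode)
        print(f"{mode}: {len(urls)} requests")
        for url in urls:
            print("  ", url)
```

The point to take away is the request count: with two wordlists the default mode multiplies their lengths, so a 20,000-name list against 10 extensions is 200,000 requests. That is the number to keep in mind when you set -rate.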

2. Fuzzing GET/POST Parameters

Find hidden parameters that could be vulnerable to SQLi, XSS, or SSRF.

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u http://testphp.vulnweb.com/artists.php?FUZZ=test -fs 986

3. Fuzzing HTTP Headers

Find hidden headers or fuzz for Host header poisoning.

ffuf -w headers.txt -u http://testphp.vulnweb.com/ -H "FUZZ: custom_value" -mc all

4. Fuzzing POST Data

Bruteforce login forms or fuzz API endpoints.

ffuf -w usernames.txt -X POST -d "username=FUZZ&password=randompass" -u http://target.com/login.php -mc all -fs 1234

5. Virtual Host Discovery

Discover subdomains by fuzzing the Host header. This is great for finding dev/staging sites.

ffuf -w subdomains.txt -u http://target.com/ -H "Host: FUZZ.target.com" -mc all -fs 0

Mastering FFUF: Pro Tips and Tricks

1. Rate Limiting (-rate)

Be a good internet citizen and don't overwhelm servers. Limit the number of requests per second.

ffuf -w wordlist.txt -u http://target.com/FUZZ -rate 50
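The other side of "don't overwhelm servers" is what an unthrottled run looks like in the target's access log. The following added example (not code from the ffuf project) parses Apache/nginx combined-format log lines and flags clients that behave like a fuzzer: many requests inside a short window, a high share of 404s, or ffuf's default User-Agent, which starts with "Fuzz Faster U Fool" unless you override it with -H. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""What an unthrottled fuzzing run looks like from the server side.

Added example, not code from the ffuf project. Parses Apache/nginx
'combined' access-log lines and flags clients that behave like a fuzzer.
The log lines, IP addresses (TEST-NET ranges) and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client hammering nonexistent paths, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /old HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /tmp HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /db HTTP/1.1" 404 986 "-" "Fuzz Faster U Fool/2.1.0"',
    '198.51.100.7 - - [10/Oct/2023:13:50:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
    '198.51.100.7 - - [10/Oct/2023:13:52:41 +0000] "GET /artists.php HTTP/1.1" 200 7344 "http://testphp.vulnweb.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
]


class Entry(NamedTuple):
    ip: str
    ts: datetime
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Entry(m["ip"], ts, m["path"], int(m["status"]), m["ua"])


def detect_fuzzing(lines: List[str], min_requests: int = 5,
                   window_s: float = 10.0, notfound_ratio: float = 0.6) -> Dict[str, List[str]]:
    """Group requests by client and return {ip: [reasons]} for suspicious clients."""
    by_ip: Dict[str, List[Entry]] = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            by_ip[entry.ip].append(entry)

    findings: Dict[str, List[str]] = {}
    for ip, entries in by_ip.items():
        reasons = []
        # Cheap but brittle: the default UA is a giveaway only until someone sets -H "User-Agent: ...".
        if any("Fuzz Faster U Fool" in e.ua for e in entries):
            reasons.append("default ffuf User-Agent")
        if len(entries) >= min_requests:
            span = (max(e.ts for e in entries) - min(e.ts for e in entries)).total_seconds()
            if span <= window_s:
                reasons.append(f"{len(entries)} requests in {span:.0f}s")
            nf = sum(e.status == 404 for e in entries) / len(entries)
            if nf >= notfound_ratio:
                reasons.append(f"{nf:.0%} of requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The burst and the 404 ratio are the durable signals here; the User-Agent check is a bonus that disappears as soon as the operator sets a custom header, which is exactly why the rate and error-ratio checks come first.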

2. Recursive Fuzzing (-recursion)

Find directories within the directories you've already found. Use -recursion-depth to control how deep it goes.

ffuf -w wordlist.txt -u http://target.com/FUZZ -recursion -recursion-depth 2

3. Using Proxies (-x)

Route your traffic through Burp Suite or OWASP ZAP to analyze requests and responses in detail.

ffuf -w wordlist.txt -u http://target.com/FUZZ -x http://127.0.0.1:8080

4. Saving Output (-o)

Save your results for later analysis in various formats: JSON, CSV, HTML, MD, or EJSON.

ffuf -w wordlist.txt -u http://target.com/FUZZ -o results.json -of json
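Saved JSON is also the easiest way to work out the filters from the Filtering section after the fact instead of re-running the scan. The added example below (not code from the ffuf project) reads a constructed sample in the shape of ffuf's JSON output, finds the dominant (status, size) pair that a "every unknown path looks the same" server produces, suggests the matching -fs value, and applies ffuf-style -fs/-fc/-fw/-fl filters offline. The field names (results[].input, status, length, words, lines) are assumed to match ffuf's format, and the 986-byte size echoes the noise response from the walkthrough above.

```python
"""Triage a saved ffuf run (-o results.json -of json) offline.

Added example, not code from the ffuf project. SAMPLE_JSON is a constructed
sample in the shape of ffuf's JSON output; only the fields this script reads
are included, and their names are assumed to match ffuf's format.
"""
import json
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_JSON = """
{
  "commandline": "ffuf -w common.txt -u http://testphp.vulnweb.com/FUZZ -o results.json -of json",
  "results": [
    {"input": {"FUZZ": "images"},    "status": 200, "length": 986,  "words": 102, "lines": 41},
    {"input": {"FUZZ": "cgi-bin"},   "status": 200, "length": 986,  "words": 102, "lines": 41},
    {"input": {"FUZZ": "old"},       "status": 200, "length": 986,  "words": 102, "lines": 41},
    {"input": {"FUZZ": "admin"},     "status": 301, "length": 169,  "words": 9,   "lines": 5},
    {"input": {"FUZZ": "login.php"}, "status": 200, "length": 2048, "words": 310, "lines": 77}
  ]
}
"""

Result = Dict


def load_results(text: str) -> List[Result]:
    return json.loads(text)["results"]


def noise_signature(results: List[Result]) -> Optional[Tuple[Tuple[int, int], int]]:
    """Most common (status, length) pair and how often it occurred.

    A server that answers every unknown path with the same page produces one
    dominant pair; that is the response you want to filter out.
    """
    if not results:
        return None
    counts = Counter((r["status"], r["length"]) for r in results)
    (signature, count), = counts.most_common(1)
    return signature, count


def apply_filters(results: List[Result], fs=(), fc=(), fw=(), fl=()) -> List[Result]:
    """Same semantics as ffuf's -fs/-fc/-fw/-fl flags, applied after the fact."""
    return [r for r in results
            if r["length"] not in fs and r["status"] not in fc
            and r["words"] not in fw and r["lines"] not in fl]


def triage(text: str) -> Dict:
    """Suggest a size filter and return the results that survive it."""
    results = load_results(text)
    sig = noise_signature(results)
    if sig is None:
        return {"noise": None, "suggested_flag": None, "kept": []}
    (status, length), count = sig
    kept = apply_filters(results, fs=(length,))
    return {
        "noise": {"status": status, "length": length, "count": count},
        "suggested_flag": f"-fs {length}",
        "kept": [(r["input"]["FUZZ"], r["status"], r["length"]) for r in kept],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_JSON)
    print("noise:", report["noise"], "->", report["suggested_flag"])
    for word, status, length in report["kept"]:
        print(f"  {status} {length:>6}  {word}")
```

One caveat the script makes visible: a single -fs value only works when the noise page has a fixed size. Error pages that echo the requested path vary by a few bytes per entry, which is why the word and line counts (-fw, -fl) are often steadier filters and why auto-calibration exists.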

5. Auto-Calibration (-ac)

Let ffuf automatically find and apply a filter for you by making a few calibration requests to a default path (like /notexist123).

ffuf -w wordlist.txt -u http://target.com/FUZZ -ac

Essential Wordlists

A fuzzer is only as good as its wordlist. Here are the gold standards:

  • SecLists: The mother of all wordlists. Contains lists for directories, passwords, parameters, subdomains, and more. A must-have.
    SecLists on GitHub
  • DirBuster's Wordlists: Classic lists included in Kali Linux (/usr/share/wordlists/dirb/).
  • AssetNote's Wordlists: High-quality, curated commercial wordlists (they have a free tier).
    AssetNote Community Wordlists

Start with: SecLists/Discovery/Web-Content/common.txt or directory-list-2.3-medium.txt.

Putting It All Together: A Real-World Example

Let's imagine we're testing example.com.

1. Discover directories and files:

ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://example.com/FUZZ -ac -mc 200,301,302,403 -o initial_scan.json

2. We find /admin/. Now, let's fuzz inside it:

ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://example.com/admin/FUZZ -ac -mc 200 -fs 0

3. We find /admin/login.php. Let's fuzz its parameters:

ffuf -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u https://example.com/admin/login.php?FUZZ=test -ac -mc 200

4. We find a user parameter. Let's fuzz for valid usernames:

ffuf -w /opt/SecLists/Usernames/Names/names.txt -u https://example.com/admin/login.php?user=FUZZ -ac -mc 200 -fw 20

This iterative process can quickly uncover an entire attack surface.

Conclusion

ffuf is more than just a directory bruteforcer; it's a rapid-firing engine for discovery. Its speed and flexibility allow you to map out hidden corners of a web application with precision and efficiency. By mastering the basics of filtering and then exploring its advanced features for fuzzing every part of an HTTP request, you elevate your reconnaissance from simple scanning to a true art form.

Now fire up your terminal, grab a good wordlist, and start FUZZing!

Disclaimer: Always ensure you have explicit permission to test your target websites. Unauthorized testing is illegal and unethical. Use these skills responsibly.

Happy Hunting!

This blog post is for educational purposes only. Always practice ethical hacking and obtain proper authorization before testing any systems.
