# ffuf
FFUF (Fuzz Faster U Fool) is a fast, open-source web fuzzing tool used to discover hidden directories, files, subdomains, and parameters. It works by systematically sending payloads from a wordlist to a target URL, substituting a specific keyword (usually FUZZ) and monitoring the responses.

## Usage

```plaintext
ffuf -w path/to/wordlist.txt -u http://target.com/FUZZ
```

## 1. Basic Directory and File Discovery

The FUZZ keyword marks where each wordlist entry is inserted; ffuf refuses to run without it.

```plaintext
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://example.com/FUZZ
```

## 2. Finding Specific File Extensions

To search only for specific file types (e.g., .php, .html, .txt), append the extension after the FUZZ keyword. To try several extensions in one run, pass them with `-e .php,.html,.txt` instead of hard-coding one in the URL.

```plaintext
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://example.com/FUZZ.php
```

## 3. Fuzzing GET Parameters

Discover hidden parameters in a URL by placing the FUZZ keyword in the parameter name. Quote the URL so the shell does not interpret `?` and `&`.

```plaintext
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u "http://example.com/?FUZZ=1"
```

## 4. Fuzzing POST Data (Login Forms)

Send data via a POST request using the -X and -d flags. Here the FUZZ keyword sits in the request body rather than the URL.

```plaintext
ffuf -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials.txt -u http://example.com -X POST -d "username=admin&password=FUZZ"
```

## 5. Fuzzing Subdomains

Substitute the FUZZ keyword at the beginning of the URL (assuming you have mapped the domain in your /etc/hosts file or own the domain).

```plaintext
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.example.com
```

## Filtering and Matching Output

By default, ffuf can generate a lot of noise, especially against servers that answer every unknown path with the same page. Use matching and filtering flags to clean up the output:

- `-mc`: Match HTTP status codes (e.g., `-mc 200,301,302`)
- `-fc`: Filter/hide HTTP status codes (e.g., `-fc 403`)
- `-fs`: Filter/hide responses of a specific size in bytes (useful for hiding a default "404 Not Found" page that is served with a 200 status)
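Picking the right `-fs` value usually means running once, spotting the size that repeats for every junk word, and rerunning with that size filtered. The script below is an added example, not part of the original post or of ffuf itself: it reads a report written with `-o out.json -of json` (only the `input`, `status` and `length` fields of each result are used), finds the status+length pair that dominates the results, turns it into filter flags, and re-applies `-mc`/`-fc`/`-fs` to the saved report so you can test a filter without hitting the target again. The JSON sample, the hostnames and the sizes in it are constructed.

```python
"""Post-process an ffuf JSON report to find a catch-all (soft 404) response
and turn it into the -fs / -fc flags for the next run."""
import json
from collections import Counter

# Constructed sample in the shape ffuf writes with `-o out.json -of json`.
# Only the fields used below are included; hosts, words and sizes are made up.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -w common.txt -u http://example.com/FUZZ -o out.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"},  "status": 200, "length": 4213, "url": "http://example.com/admin"},
        {"input": {"FUZZ": "foo"},    "status": 200, "length": 1290, "url": "http://example.com/foo"},
        {"input": {"FUZZ": "bar"},    "status": 200, "length": 1290, "url": "http://example.com/bar"},
        {"input": {"FUZZ": "baz"},    "status": 200, "length": 1290, "url": "http://example.com/baz"},
        {"input": {"FUZZ": "backup"}, "status": 403, "length": 277,  "url": "http://example.com/backup"},
        {"input": {"FUZZ": "login"},  "status": 302, "length": 0,    "url": "http://example.com/login"},
        {"input": {"FUZZ": "api"},    "status": 200, "length": 1290, "url": "http://example.com/api"},
    ],
})


def load_results(raw):
    """Parse ffuf's JSON report and return its `results` list."""
    return json.loads(raw)["results"]


def baseline_signature(results, min_share=0.5):
    """Return the (status, length) pair shared by at least `min_share` of the
    results, or None if no single pair dominates.

    A server that answers every unknown path with the same "200 OK" page
    shows up as one status+length pair repeated across many unrelated
    wordlist entries; that pair is the noise worth filtering."""
    if not results:
        return None
    counts = Counter((r["status"], r["length"]) for r in results)
    signature, hits = counts.most_common(1)[0]
    return signature if hits / len(results) >= min_share else None


def suggest_flags(results):
    """Build the ffuf filter flags that hide the detected baseline.

    -fs hides the baseline size; -fc is added only when the baseline status
    is not 200, so genuine 200s of a different size still get through."""
    signature = baseline_signature(results)
    if signature is None:
        return ""
    status, length = signature
    flags = f"-fs {length}"
    if status != 200:
        flags += f" -fc {status}"
    return flags


def apply_filters(results, mc=None, fc=frozenset(), fs=frozenset()):
    """Re-apply the page's three flags to a saved report: keep a result only
    if its status is in -mc (when given), then drop it if its status is in
    -fc or its length is in -fs. Returns the surviving wordlist entries."""
    kept = []
    for r in results:
        if mc is not None and r["status"] not in mc:
            continue
        if r["status"] in fc or r["length"] in fs:
            continue
        kept.append(r["input"]["FUZZ"])
    return kept


def interesting_words(results):
    """Wordlist entries whose response differs from the baseline."""
    signature = baseline_signature(results)
    return [r["input"]["FUZZ"] for r in results
            if (r["status"], r["length"]) != signature]


if __name__ == "__main__":
    results = load_results(SAMPLE_FFUF_JSON)
    print("baseline:", baseline_signature(results))
    print("suggested flags:", suggest_flags(results))
    print("worth a look:", interesting_words(results))
    print("with -mc 200,302 -fs 1290:",
          apply_filters(results, mc={200, 302}, fs={1290}))
```

On the sample, four of seven words come back as `200` with 1290 bytes, so the suggested flags are `-fs 1290` and only `admin`, `backup` and `login` remain. Run it against a real report by swapping `SAMPLE_FFUF_JSON` for the contents of your `out.json`; a baseline that is not detected (no pair reaches half the results) simply yields no flags.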

For full documentation, tips, and configurations, visit the official ffuf GitHub Repository.

https://nahil.xyz/vault/tools/ffuf/
Author Nahil Rasheed
Published at July 1, 2025
Disclaimer This content is provided strictly for educational purposes only.