FFUF Techniques

Master FFUF for directory bruteforcing, parameter fuzzing, subdomain discovery, and more.

7 Categories37 CommandsCopy Ready

Commands will automatically replace example.com with your target domain

Phases

Phase 1

Installation

2 commands

1Debian/Ubuntu installation

apt install ffuf

2Install via Go (cross-platform)

go install github.com/ffuf/ffuf@latest

Phase 2

Basic Commands

7 commands

1#1 Directory bruteforce - find hidden directories/files

ffuf -u https://example.com/FUZZ -w wordlist.txt

2#2 POST request fuzzing

ffuf -w wordlist.txt -u https://example.com/FUZZ -X POST

3#3 Case insensitive with colored output

ffuf -u https://example.com/FUZZ -w wordlist.txt -ic -c

4#4 File extension fuzzing

ffuf -u https://example.com/indexFUZZ -w wordlist.txt -e .php,.asp,.bak,.db

5#5 Recursive fuzzing (scan multiple directory levels)

ffuf -u https://example.com/FUZZ -w wordlist.txt -recursion -recursion-depth 3

6#6 Filter status codes (exclude 404 and 500)

ffuf -w wordlist.txt -u https://example.com/FUZZ -fc 404,500

7#7 Multi wordlist fuzzing

ffuf -u https://example.com/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2

Phase 3

Subdomain & VHost

2 commands

1#1 Subdomain fuzzing - discover hidden subdomains

ffuf -w subdomains.txt -u https://FUZZ.example.com/

2#2 Virtual host fuzzing via Host header

ffuf -w vhosts.txt -u https://example.com/ -H "Host: FUZZ.example.com"

Phase 4

Parameter Fuzzing

4 commands

1#1 GET parameter fuzzing - find hidden parameters

ffuf -w wordlist.txt -u https://example.com/page.php?FUZZ=value

2#2 POST parameter fuzzing

ffuf -w wordlist.txt -u https://example.com/api -X POST -d 'FUZZ=value'

3#3 Login bruteforce - attack password field

ffuf -w passwordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://example.com/login

4#4 PUT request fuzzing with cookies

ffuf -w wordlist.txt -X PUT -u https://example.com/FUZZ -b 'session=abcdef'

Phase 5

Advanced Methods

8 commands

1#1 Clusterbomb mode - test all username/password combinations

ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS -mode clusterbomb

2#2 Clusterbomb with custom request file

ffuf -request req.txt -request-proto http -mode clusterbomb -w usernames.txt:HFUZZ -w passwords.txt:WFUZZ

3#3 Pitchfork mode - paired wordlist fuzzing

ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS -mode pitchfork

4#4 Authenticated fuzzing with cookies

ffuf -b "SESSIONID=abcd1234; USER=admin" -w wordlist.txt -u https://example.com/FUZZ

5#5 Route through Burp Suite proxy

ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://example.com/FUZZ

6#6 Custom header fuzzing

ffuf -w headers.txt -u https://example.com/ -H "X-Custom-Header: FUZZ"

7#7 Custom User-Agent to bypass restrictions

ffuf -u "https://example.com/FUZZ" -w wordlist.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

8#8 Rate limiting - control request rate (50 req/sec, 50 threads)

ffuf -w wordlist.txt -u https://example.com/FUZZ -rate 50 -t 50

Phase 6

Output Options

4 commands

1#1 Save results as HTML

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.html -of html

2#2 Save results as JSON

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.json -of json

3#3 Save results as CSV

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv

4#4 Save in all formats (html, json, csv, ecsv)

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of all

Phase 7

Quick Reference

10 commands

1Replace with wordlist entries during fuzzing

FUZZ = Placeholder for wordlist value

2Specify the wordlist file to use

-w = Wordlist file path

3The URL to fuzz (include FUZZ placeholder)

-u = Target URL

4Specify the HTTP method to use

-X = HTTP method (GET, POST, PUT, etc.)

5Add custom HTTP headers (e.g., Host, User-Agent)

-H = Custom header

6Exclude specific HTTP status codes from results

-fc = Filter status codes (exclude)

7Exclude responses with specific size

-fs = Filter by size (exclude)

8Add cookies for authenticated fuzzing

-b = Cookie data

9Save results to specified file

-o = Output file

10Route traffic through proxy (e.g., Burp Suite)

-x = Proxy URL

Tools

Tools & Resources

FFUF GitHub

Official FFUF repository and documentation

SecLists

Comprehensive wordlist collection for fuzzing

CoffinXP Payloads

Custom payload and wordlist collection

FFUF GitHub Wiki

Official wiki with examples and tutorials

FFUF Techniques

Master FFUF for directory bruteforcing, parameter fuzzing, subdomain discovery, and more.

7 Categories37 CommandsCopy Ready

Commands will automatically replace example.com with your target domain

Phases

Phase 1

Installation

2 commands

1Debian/Ubuntu installation

apt install ffuf

2Install via Go (cross-platform)

go install github.com/ffuf/ffuf@latest

Phase 2

Basic Commands

7 commands

1#1 Directory bruteforce - find hidden directories/files

ffuf -u https://example.com/FUZZ -w wordlist.txt

2#2 POST request fuzzing

ffuf -w wordlist.txt -u https://example.com/FUZZ -X POST

3#3 Case insensitive with colored output

ffuf -u https://example.com/FUZZ -w wordlist.txt -ic -c

4#4 File extension fuzzing

ffuf -u https://example.com/indexFUZZ -w wordlist.txt -e .php,.asp,.bak,.db

5#5 Recursive fuzzing (scan multiple directory levels)

ffuf -u https://example.com/FUZZ -w wordlist.txt -recursion -recursion-depth 3

6#6 Filter status codes (exclude 404 and 500)

ffuf -w wordlist.txt -u https://example.com/FUZZ -fc 404,500

7#7 Multi wordlist fuzzing

ffuf -u https://example.com/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2

Phase 3

Subdomain & VHost

2 commands

1#1 Subdomain fuzzing - discover hidden subdomains

ffuf -w subdomains.txt -u https://FUZZ.example.com/

2#2 Virtual host fuzzing via Host header

ffuf -w vhosts.txt -u https://example.com/ -H "Host: FUZZ.example.com"

Phase 4

Parameter Fuzzing

4 commands

1#1 GET parameter fuzzing - find hidden parameters

ffuf -w wordlist.txt -u https://example.com/page.php?FUZZ=value

2#2 POST parameter fuzzing

ffuf -w wordlist.txt -u https://example.com/api -X POST -d 'FUZZ=value'

3#3 Login bruteforce - attack password field

ffuf -w passwordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://example.com/login

4#4 PUT request fuzzing with cookies

ffuf -w wordlist.txt -X PUT -u https://example.com/FUZZ -b 'session=abcdef'

Phase 5

Advanced Methods

8 commands

1#1 Clusterbomb mode - test all username/password combinations

ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS -mode clusterbomb

2#2 Clusterbomb with custom request file

ffuf -request req.txt -request-proto http -mode clusterbomb -w usernames.txt:HFUZZ -w passwords.txt:WFUZZ

3#3 Pitchfork mode - paired wordlist fuzzing

ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS -mode pitchfork

4#4 Authenticated fuzzing with cookies

ffuf -b "SESSIONID=abcd1234; USER=admin" -w wordlist.txt -u https://example.com/FUZZ

5#5 Route through Burp Suite proxy

ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://example.com/FUZZ

6#6 Custom header fuzzing

ffuf -w headers.txt -u https://example.com/ -H "X-Custom-Header: FUZZ"

7#7 Custom User-Agent to bypass restrictions

ffuf -u "https://example.com/FUZZ" -w wordlist.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

8#8 Rate limiting - control request rate (50 req/sec, 50 threads)

ffuf -w wordlist.txt -u https://example.com/FUZZ -rate 50 -t 50

Phase 6

Output Options

4 commands

1#1 Save results as HTML

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.html -of html

2#2 Save results as JSON

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.json -of json

3#3 Save results as CSV

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv

4#4 Save in all formats (html, json, csv, ecsv)

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of all

Phase 7

Quick Reference

10 commands

1Replace with wordlist entries during fuzzing

FUZZ = Placeholder for wordlist value

2Specify the wordlist file to use

-w = Wordlist file path

3The URL to fuzz (include FUZZ placeholder)

-u = Target URL

4Specify the HTTP method to use

-X = HTTP method (GET, POST, PUT, etc.)

5Add custom HTTP headers (e.g., Host, User-Agent)

-H = Custom header

6Exclude specific HTTP status codes from results

-fc = Filter status codes (exclude)

7Exclude responses with specific size

-fs = Filter by size (exclude)

8Add cookies for authenticated fuzzing

-b = Cookie data

9Save results to specified file

-o = Output file

10Route traffic through proxy (e.g., Burp Suite)

-x = Proxy URL

Tools

Tools & Resources

FFUF GitHub

Official FFUF repository and documentation

SecLists

Comprehensive wordlist collection for fuzzing

CoffinXP Payloads

Custom payload and wordlist collection

FFUF GitHub Wiki

Official wiki with examples and tutorials