FFUF Techniques
Master FFUF for directory bruteforcing, parameter fuzzing, subdomain discovery, and more.
30+ Commands6 CategoriesCopy Ready
Commands will auto-replace example.com with your target
Phase 1
Installation
1Debian/Ubuntu installation
apt install ffuf2Install via Go (cross-platform)
go install github.com/ffuf/ffuf@latestPhase 2
Basic Commands
1#1 Directory bruteforce - find hidden directories/files
ffuf -u https://example.com/FUZZ -w wordlist.txt2#2 POST request fuzzing
ffuf -w wordlist.txt -u https://example.com/FUZZ -X POST3#3 Case insensitive with colored output
ffuf -u https://example.com/FUZZ -w wordlist.txt -ic -c4#4 File extension fuzzing
ffuf -u https://example.com/indexFUZZ -w wordlist.txt -e .php,.asp,.bak,.db5#5 Recursive fuzzing (scan multiple directory levels)
ffuf -u https://example.com/FUZZ -w wordlist.txt -recursion -recursion-depth 36#6 Filter status codes (exclude 404 and 500)
ffuf -w wordlist.txt -u https://example.com/FUZZ -fc 404,5007#7 Multi wordlist fuzzing
ffuf -u https://example.com/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2Phase 3
Subdomain & VHost
1#1 Subdomain fuzzing - discover hidden subdomains
ffuf -w subdomains.txt -u https://FUZZ.example.com/2#2 Virtual host fuzzing via Host header
ffuf -w vhosts.txt -u https://example.com/ -H "Host: FUZZ.example.com"Phase 4
Parameter Fuzzing
1#1 GET parameter fuzzing - find hidden parameters
ffuf -w wordlist.txt -u https://example.com/page.php?FUZZ=value2#2 POST parameter fuzzing
ffuf -w wordlist.txt -u https://example.com/api -X POST -d 'FUZZ=value'3#3 Login bruteforce - attack password field
ffuf -w passwordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://example.com/login4#4 PUT request fuzzing with cookies
ffuf -w wordlist.txt -X PUT -u https://example.com/FUZZ -b 'session=abcdef'Phase 5
Advanced Methods
1#1 Clusterbomb mode - test all username/password combinations
ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS -mode clusterbomb2#2 Clusterbomb with custom request file
ffuf -request req.txt -request-proto http -mode clusterbomb -w usernames.txt:HFUZZ -w passwords.txt:WFUZZ3#3 Pitchfork mode - paired wordlist fuzzing
ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS -mode pitchfork4#4 Authenticated fuzzing with cookies
ffuf -b "SESSIONID=abcd1234; USER=admin" -w wordlist.txt -u https://example.com/FUZZ5#5 Route through Burp Suite proxy
ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://example.com/FUZZ6#6 Custom header fuzzing
ffuf -w headers.txt -u https://example.com/ -H "X-Custom-Header: FUZZ"7#7 Custom User-Agent to bypass restrictions
ffuf -u "https://example.com/FUZZ" -w wordlist.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"8#8 Rate limiting - control request rate (50 req/sec, 50 threads)
ffuf -w wordlist.txt -u https://example.com/FUZZ -rate 50 -t 50Phase 6
Output Options
1#1 Save results as HTML
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.html -of html2#2 Save results as JSON
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.json -of json3#3 Save results as CSV
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv4#4 Save in all formats (html, json, csv, ecsv)
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of allPhase 7
Quick Reference
1Replace with wordlist entries during fuzzing
FUZZ = Placeholder for wordlist value2Specify the wordlist file to use
-w = Wordlist file path3The URL to fuzz (include FUZZ placeholder)
-u = Target URL4Specify the HTTP method to use
-X = HTTP method (GET, POST, PUT, etc.)5Add custom HTTP headers (e.g., Host, User-Agent)
-H = Custom header6Exclude specific HTTP status codes from results
-fc = Filter status codes (exclude)7Exclude responses with specific size
-fs = Filter by size (exclude)8Add cookies for authenticated fuzzing
-b = Cookie data9Save results to specified file
-o = Output file10Route traffic through proxy (e.g., Burp Suite)
-x = Proxy URLTools