
FFUF

"FFUF has drastically improved my workflow for discovering hidden endpoints and directories. Its speed and ease of use are unmatched." - NahamSec

What is the purpose of FFUF?

FFUF (Fuzz Faster U Fool) is an open-source web fuzzer used in web application security testing. It discovers hidden files and directories on web servers by brute-forcing candidate names taken from a wordlist.

Here are the primary uses of FFUF:

  • Directory and File Discovery: FFUF can find hidden directories and files on a web server by automatically brute-forcing common names and extensions.

  • Endpoint Enumeration: FFUF can be used to perform application endpoint enumeration, sometimes revealing hidden API routes or functionality.

  • Custom Fuzzing: FFUF lets users supply their own wordlists and fuzzing parameters, so a scan can be tailored to the target.

  • Integration with Other Tools: FFUF is easy to integrate into any workflow where brute force is applicable. Custom wordlists and fuzzing parameters give it a real advantage in practical engagements.

  • Performance and Speed: FFUF is efficient, issuing many concurrent requests with high throughput. One reason for its speed is that it is written in Go.

Core Features

  • Directory and File Fuzzing
  • Virtual Host Fuzzing
  • Customizable Payloads
  • Recursive Fuzzing
  • Filter and Output Options
  • Performance Optimization
  • Multiple HTTP Methods Support
  • URL Encoding

Data sources

  • Payload Lists
  • Target URLs
  • HTTP Responses
  • Status Codes
  • Response Content

Common FFUF Commands

1. Start a Basic Directory Scan

  • This command finds files and directories that exist on the target web server but are not linked from its pages. It runs a simple scan with a wordlist of candidate names.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt

2. Specify HTTP Method

  • This command sets the HTTP method used for the fuzzing requests. POST, PUT and DELETE are the methods most often used with it.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -X POST

3. Set Custom Headers

  • This command adds custom HTTP headers, for example to test the application's authentication mechanism or to reach applications that require specific headers.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -H "Authorization: Bearer token"

4. Display Only Successful Responses

  • This command shows only responses with HTTP status code 200 and hides all others, keeping the output focused on what is useful.
ffuf -u http://example.com/FUZZ -w wordlist.txt -mc 200

5. Use Multiple Wordlists

  • This command fuzzes with more than one wordlist at once. Each list is bound to its own keyword with the file:KEYWORD syntax, and every keyword must appear in the URL. The more candidate names tried, the more likely unknown directories or files are found.
ffuf -u http://target.com/W1/W2 -w /path/to/wordlist1.txt:W1 -w /path/to/wordlist2.txt:W2
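To make the keyword binding concrete, the following Python script (an added illustration, not ffuf's own code) shows how two wordlists, each bound to its own keyword as `-w file:KEYWORD` does, expand into request URLs in ffuf's two multi-wordlist modes: clusterbomb (the default, every combination) and pitchfork (lists walked in parallel). The wordlist contents and the URL template are constructed; the comment line in the first list shows what `-ignore-wordlist-comments` changes. The pitchfork branch is simplified to equal-length lists.

```python
from itertools import product

# Constructed wordlists standing in for /path/to/wordlist1.txt and /path/to/wordlist2.txt.
# The "#" line is a payload unless comments are ignored, which is what -ignore-wordlist-comments does.
WORDLIST1_TEXT = "# common admin paths\nadmin\napi\nbackup\n"
WORDLIST2_TEXT = "v1\nv2\nold\n"


def load_wordlist(text, ignore_comments=False):
    """Split a wordlist file into payloads; with ignore_comments, drop lines starting with '#'."""
    words = []
    for line in text.splitlines():
        if ignore_comments and line.startswith("#"):
            continue
        words.append(line)
    return words


def expand(template, wordlists, mode="clusterbomb"):
    """Return the request URLs built from `template` for the given {keyword: payloads} mapping.

    clusterbomb: every combination of entries, so len(W1) * len(W2) requests for two lists.
    pitchfork:   lists walked in parallel, entry i of each list goes into request i.
    This simplified pitchfork assumes equal-length lists (ffuf itself handles unequal ones).
    """
    keywords = list(wordlists)
    if mode == "clusterbomb":
        combos = product(*(wordlists[k] for k in keywords))
    elif mode == "pitchfork":
        combos = zip(*(wordlists[k] for k in keywords))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    urls = []
    for combo in combos:
        url = template
        for keyword, value in zip(keywords, combo):
            url = url.replace(keyword, value)  # each keyword is a placeholder, like FUZZ
        urls.append(url)
    return urls


if __name__ == "__main__":
    lists = {
        "W1": load_wordlist(WORDLIST1_TEXT, ignore_comments=True),
        "W2": load_wordlist(WORDLIST2_TEXT),
    }
    for mode in ("clusterbomb", "pitchfork"):
        print(f"{mode}: {len(expand('http://target.com/W1/W2', lists, mode))} requests")
        for url in expand("http://target.com/W1/W2", lists, mode):
            print("  ", url)
```

Clusterbomb multiplies the list sizes, which is why a second wordlist can turn a quick scan into a long one; pitchfork is the mode to reach for when the two lists are meant to be paired row by row.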

6. Output Results to a File

  • This command writes the results of the fuzzing run to the named file, in JSON format by default. It is useful when the output needs to be reviewed or processed later.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -o output.json

7. Enable Verbose Mode

  • This command prints more detail about each request and its response. The extra information is mostly useful for debugging.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -v

8. Limit the Number of Concurrent Requests

  • This command limits the number of simultaneous requests, which keeps the server from being overloaded (-t sets the number of concurrent threads; -p instead adds a delay in seconds between requests). A slower scan is also less likely to trip IDS/IPS thresholds, since the traffic looks more like ordinary use.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -t 10
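Rate limiting hides a scan from threshold-based alerting, but not from a detector that looks at what is requested rather than how fast. The following Python script, added here as a defender-side illustration and not part of the original page or of ffuf, scans a handful of constructed web server log lines (Apache/Nginx combined format, invented addresses and timestamps) for two signals of directory brute-forcing: a burst of distinct paths answered 404 from one client inside a sliding window, and the default ffuf User-Agent, which contains the string "Fuzz Faster U Fool" unless it is overridden with -H. The window size and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in combined log format (not real traffic).
# 198.51.100.7 plays the fuzzing client, 203.0.113.5 an ordinary visitor who hits one broken link.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool/v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool/v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:41 +0000] "GET /old HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool/v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:41 +0000] "GET /test HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool/v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:42 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Fuzz Faster U Fool/v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:42 +0000] "GET /dev HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool/v2.1.0"
203.0.113.5 - - [10/Oct/2024:13:56:02 +0000] "GET /missing-image.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:14:10:15 +0000] "GET /about HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed combined-format line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def detect_fuzzing(text, window_seconds=60, threshold=5):
    """Return {ip: [reasons]} for clients whose requests look like directory brute-forcing.

    Signals (assumed defaults: 5 distinct 404 paths within 60 s):
      * volume: at least `threshold` distinct paths answered 404 from one IP inside any
        sliding window of `window_seconds`; ordinary visitors rarely produce that;
      * fingerprint: a User-Agent still carrying ffuf's default product string.
    """
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    findings = defaultdict(list)
    window = timedelta(seconds=window_seconds)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if any("Fuzz Faster U Fool" in r["ua"] for r in recs):
            findings[ip].append("default ffuf User-Agent")
        misses = [r for r in recs if r["status"] == 404]
        start = 0
        for end in range(len(misses)):
            # advance the window start until the oldest miss is within window_seconds of the newest
            while misses[end]["ts"] - misses[start]["ts"] > window:
                start += 1
            distinct = {r["path"] for r in misses[start:end + 1]}
            if len(distinct) >= threshold:
                findings[ip].append(f"{len(distinct)} distinct 404 paths within {window_seconds}s")
                break
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Counting distinct missing paths rather than raw request rate is what makes this robust to -t and -p: spreading the same wordlist over an hour only means the window has to be widened, and the User-Agent check costs nothing when the scanner forgot to set one.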

9. Test for Specific Status Codes

  • This command removes responses with the listed HTTP status codes from the output; several codes can be given, separated by commas. It helps isolate resources with particular access controls or error states.
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -fc 403,404

10. Help and Usage Information

  • This command displays the help menu and usage information for FFUF.
ffuf -h
  • Alternative usage:
ffuf --help

Output Examples of FFUF Commands

| Command | Example Usage | Function | Output Example |
|---|---|---|---|
| URL to Fuzz | ffuf -u http://target.com/FUZZ | Specifies the target URL with FUZZ as a placeholder. | Target: http://target.com/admin |
| Wordlist | ffuf -w /path/to/wordlist.txt | Specifies the wordlist to use for fuzzing. | Using wordlist: /path/to/wordlist.txt |
| Use Multiple Wordlists | ffuf -w /path/to/wordlist1.txt:W1 -w /path/to/wordlist2.txt:W2 | Binds each wordlist to its own keyword so several lists can be fuzzed at once. | Found: /login/ |
| HTTP Method | ffuf -X POST | Specifies the HTTP method for fuzzing. | POST /api/login |
| Custom HTTP Headers | ffuf -H "Authorization: Bearer token" | Sets custom HTTP headers for the request. | Authorization header sent |
| Custom User-Agent | ffuf -H "User-Agent: CustomAgent" | Specifies a custom User-Agent header. | User-Agent: CustomAgent |
| Use Proxy | ffuf -x http://proxy:8080 | Sends requests through a specified proxy. | Proxy: http://proxy:8080 |
| Follow Redirects | ffuf -r | Follows HTTP redirects during fuzzing. | Following redirects |
| Set Delay Between Requests | ffuf -p 2 | Sets a delay in seconds between each request (-d is POST data, not delay). | Request delay: 2 seconds |
| Limit Concurrent Requests | ffuf -t 10 | Limits the number of concurrent threads. | 10 concurrent requests in progress |
| Timeout | ffuf -timeout 60 | Sets the HTTP request timeout in seconds. | Timeout set to 60 seconds |
| Match HTTP Status Codes | ffuf -mc 200 | Shows only results with the given HTTP status codes. | 200: /home/ |
| Filter HTTP Status Codes | ffuf -fc 404 | Hides results with the given HTTP status codes. | 200: /secret.php |
| Filter by Content Size | ffuf -fs 4242 | Hides results with the given response size in bytes. | Filtered: 4242 bytes |
| Filter by Line Count | ffuf -fl 42 | Hides results with the given number of lines. | Filtered: 42 lines |
| Filter by Word Count | ffuf -fw 1337 | Hides results with the given number of words. | Filtered: 1337 words |
| Filter by Regex | ffuf -fr "regex" | Hides results whose response matches a regex pattern. | Filtered: regex match |
| Auto-calibration | ffuf -ac | Automatically calibrates filters from baseline requests. | Auto-calibration complete |
| Auto-calibration Strategy | ffuf -acs basic | Sets the auto-calibration strategy (basic or advanced); implies -ac. | Auto-calibration strategy: basic |
| Enable Recursive Mode | ffuf -recursion | Enables recursive scanning within discovered directories. | Discovered: /admin/login/ |
| Recursion Depth | ffuf -recursion-depth 2 | Sets the maximum recursion depth. | Recursion depth set to 2 |
| Stop on Forbidden | ffuf -sf | Stops when more than 95% of responses return 403 Forbidden. | Stopped: most responses were 403 |
| Stop on Spurious Errors | ffuf -se | Stops fuzzing on spurious errors (-sa stops on all error cases, implying -sf and -se). | Stopped on spurious errors |
| Ignore Wordlist Comments | ffuf -ignore-wordlist-comments | Ignores lines starting with # in the wordlist. | Comments ignored in wordlist |
| Verbose Mode | ffuf -v | Enables verbose output during fuzzing. | Request: /FUZZ sent, response: 200 |
| Quiet Mode | ffuf -s | Suppresses the banner and only prints results. | Quiet mode enabled |
| Color Output | ffuf -c | Enables colorized output in the terminal. | Colorized output |
| Match All Status Codes | ffuf -mc all | Shows every HTTP status code instead of the default match set. | Displayed all HTTP status codes |
| Output to File | ffuf -o output.json | Writes results to a specified file. | Results saved to output.json |
| Output Format | ffuf -of json | Specifies the output format (e.g., json, ejson, html, md, csv). | Output format: json |
| Input from Command | ffuf -input-cmd "cat input.txt" | Runs an external command to produce payloads instead of reading a wordlist (used together with -input-num). | Input read from command |
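The match and filter rows above, together with the -o output.json command earlier on the page, are easiest to understand by replaying them. The following Python script is an added example, not ffuf's code: it re-filters a saved result file without sending any requests, using ffuf's decision order (drop a response if any filter hits, then keep it if any matcher hits, which are the default -fmode and -mmode settings), and derives filters the way -ac does in simplified form, from probe responses that all came back as the same page. The JSON text and the calibration responses are constructed; their field names (input, status, length, words, lines, url) follow ffuf's JSON output, the values are invented. The common failure mode it handles is a server that answers 200 with one catch-all page for every unknown path.

```python
import json

# Constructed stand-in for the file written by "ffuf ... -o output.json" (field names as in ffuf's
# JSON output, values invented). /backup, /old and /api all return the same 4242-byte catch-all page.
OUTPUT_JSON = json.dumps({
    "commandline": "ffuf -u http://target.com/FUZZ -w wordlist.txt -o output.json",
    "results": [
        {"input": {"FUZZ": "admin"},  "status": 301, "length": 169,  "words": 9,   "lines": 4,  "url": "http://target.com/admin"},
        {"input": {"FUZZ": "login"},  "status": 200, "length": 2210, "words": 310, "lines": 61, "url": "http://target.com/login"},
        {"input": {"FUZZ": "backup"}, "status": 403, "length": 4242, "words": 120, "lines": 20, "url": "http://target.com/backup"},
        {"input": {"FUZZ": "old"},    "status": 200, "length": 4242, "words": 120, "lines": 20, "url": "http://target.com/old"},
        {"input": {"FUZZ": "api"},    "status": 200, "length": 4242, "words": 120, "lines": 20, "url": "http://target.com/api"},
        {"input": {"FUZZ": "secret"}, "status": 200, "length": 988,  "words": 140, "lines": 33, "url": "http://target.com/secret"},
    ],
})

# Constructed responses to three nonsense payloads (what -ac probes with): all the same page.
CALIBRATION = [
    {"status": 200, "length": 4242, "words": 120, "lines": 20},
    {"status": 200, "length": 4242, "words": 120, "lines": 20},
    {"status": 200, "length": 4242, "words": 120, "lines": 20},
]

# ffuf's default -mc set: 200-299,301,302,307,401,403,405,500
DEFAULT_MC = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}

# option name (as in -mc/-fs/-fw/-fl) -> field name in a result record
FIELD = {"status": "status", "size": "length", "words": "words", "lines": "lines"}


def auto_calibrate(calibration_responses):
    """Simplified -ac: if every nonsense-payload probe came back with the same size, word count
    or line count, that value is the catch-all baseline and becomes a filter."""
    filters = {}
    for option in ("size", "words", "lines"):
        values = {r[FIELD[option]] for r in calibration_responses}
        if len(values) == 1:
            filters[option] = values
    return filters


def passes(result, matchers, filters):
    """Decision for one response: dropped if ANY filter hits, otherwise kept if ANY matcher hits.
    matchers/filters map an option name to the set of values that trigger it."""
    for option, values in filters.items():
        if result[FIELD[option]] in values:
            return False
    for option, values in matchers.items():
        if result[FIELD[option]] in values:
            return True
    return False


def refilter(output_json, matchers, filters):
    """Re-apply matchers and filters to a saved ffuf JSON run; return the URLs that survive."""
    data = json.loads(output_json)
    return [r["url"] for r in data["results"] if passes(r, matchers, filters)]


if __name__ == "__main__":
    print("default matchers, no filters:", refilter(OUTPUT_JSON, {"status": DEFAULT_MC}, {}))
    print("-mc 200 -fs 4242:           ", refilter(OUTPUT_JSON, {"status": {200}}, {"size": {4242}}))
    print("-ac (derived filters):      ", refilter(OUTPUT_JSON, {"status": DEFAULT_MC}, auto_calibrate(CALIBRATION)))
```

The first run shows why unfiltered output is hard to read: the three catch-all hits look like real findings. Several different paths returning exactly the same size, word and line counts is the tell for a soft-404; -fs on that size, or -ac, removes them while /admin, /login and /secret, whose responses differ from the baseline, stay.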