🚀 ffuf - Fast Web Fuzzer

Lightning-fast web fuzzing tool written in Go for content discovery and testing


📋 Overview

ffuf (Fuzz Faster U Fool) is a fast web fuzzer designed for discovering hidden content, testing parameters, and fuzzing various parts of web applications. Written in Go, it’s incredibly fast and supports multiple fuzzing modes including directory brute-forcing, parameter fuzzing, and virtual host discovery.

Key Features:


πŸ› οΈ Installation

On Kali Linux

sudo apt update
sudo apt install ffuf -y

Using Go

go install github.com/ffuf/ffuf@latest

From Source

git clone https://github.com/ffuf/ffuf
cd ffuf
go build
sudo mv ffuf /usr/local/bin/

Verify Installation

ffuf -V

📚 Basic Usage

Directory Discovery

# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With file extensions
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak

# Recursive fuzzing
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

Parameter Fuzzing

# GET parameter fuzzing
ffuf -u http://target.com/page.php?FUZZ=value -w params.txt

# POST parameter fuzzing
ffuf -u http://target.com/login -w params.txt -X POST -d "FUZZ=test"

# Multiple parameters: one -w per keyword (default clusterbomb mode tries every combination;
# -mode pitchfork pairs the lists line by line). Quote the URL so the shell does not treat & as a background operator.
ffuf -u 'http://target.com/api?param1=FUZZ1&param2=FUZZ2' -w wordlist.txt:FUZZ1 -w wordlist.txt:FUZZ2

Virtual Host Discovery

# Subdomain/vhost fuzzing
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt

# Filter by size
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 1234

🎯 Advanced Techniques

Filtering Results

# Filter by status code
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404,403

# Filter by response size
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234

# Filter by word count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 100

# Filter by line count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 50

# Filter by regex
ffuf -u http://target.com/FUZZ -w wordlist.txt -fr "error"

Matching Specific Results

# Match specific status codes
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301

# Match by size
ffuf -u http://target.com/FUZZ -w wordlist.txt -ms 1234

# Match by words
ffuf -u http://target.com/FUZZ -w wordlist.txt -mw 100

Speed and Performance

# Increase threads (default 40)
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 100

# Add delay between requests
ffuf -u http://target.com/FUZZ -w wordlist.txt -p 0.5

# Rate limiting (requests per second)
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100

Authentication

# Basic authentication
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic dXNlcjpwYXNz"

# Cookie-based auth
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123"

# Custom headers
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "X-Custom-Header: value"

💡 Real-World Scenarios

Scenario 1: Admin Panel Discovery

# Search for admin interfaces
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/admin-panels.txt \
     -mc 200,301,302 -fc 404 -c

Scenario 2: API Endpoint Discovery

# Find API endpoints
ffuf -u http://target.com/api/FUZZ -w api-endpoints.txt \
     -H "Authorization: Bearer token" \
     -mc 200,201 -c

Scenario 3: Backup File Discovery

# Find backup files
ffuf -u http://target.com/FUZZ -w wordlist.txt \
     -e .bak,.old,.backup,.zip,.tar.gz \
     -fc 404 -c

Scenario 4: Parameter Fuzzing for SQLi

# Fuzz parameters looking for SQL injection
ffuf -u http://target.com/page.php?id=FUZZ -w /usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt \
     -mr "error|sql|mysql|syntax" -c

Scenario 5: Multi-Wordlist Fuzzing

# Use multiple wordlists
ffuf -u http://target.com/FUZZ1/FUZZ2 \
     -w dirs.txt:FUZZ1 \
     -w files.txt:FUZZ2 \
     -mc 200 -c

🎓 Output and Reporting

Save Results

# JSON output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json

# CSV output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.csv -of csv

# HTML report
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html

# All formats
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results -of all

Silent and Verbose Modes

# Silent mode (only show results)
ffuf -u http://target.com/FUZZ -w wordlist.txt -s

# Verbose mode (show all details)
ffuf -u http://target.com/FUZZ -w wordlist.txt -v
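
The JSON report written with -o results.json -of json is easy to post-process. The following is an added Python example, not part of ffuf: it loads a report (a constructed sample that uses the field names ffuf actually writes under "results"), treats the response shape that repeats most often as the catch-all page (the same idea -ac applies at scan time) and groups the remaining hits by status code.

```python
"""Triage an ffuf JSON report (-o results.json -of json) after the scan.
Added example, not ffuf's own code. Re-applies the idea behind -ac to a
saved report: the (status, length, words, lines) shape that repeats most
often is treated as the catch-all page and dropped; survivors are grouped
by status code for reporting.
"""
import json
from collections import Counter, defaultdict

# Constructed sample using the field names ffuf writes under "results":
# a soft-404 page that answers 200 with one fixed shape, plus three real hits.
SAMPLE_REPORT = json.dumps({
    "commandline": "ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json",
    "results": [
        {"input": {"FUZZ": "zzqx1"}, "status": 200, "length": 1234, "words": 210,
         "lines": 40, "url": "http://target.com/zzqx1", "redirectlocation": ""},
        {"input": {"FUZZ": "admin"}, "status": 301, "length": 0, "words": 1,
         "lines": 1, "url": "http://target.com/admin", "redirectlocation": "/admin/"},
        {"input": {"FUZZ": "foo"}, "status": 200, "length": 1234, "words": 210,
         "lines": 40, "url": "http://target.com/foo", "redirectlocation": ""},
        {"input": {"FUZZ": "backup.zip"}, "status": 200, "length": 52311, "words": 12,
         "lines": 3, "url": "http://target.com/backup.zip", "redirectlocation": ""},
        {"input": {"FUZZ": "login"}, "status": 200, "length": 2048, "words": 300,
         "lines": 60, "url": "http://target.com/login", "redirectlocation": ""},
    ],
})

def signature(r):
    """The fields ffuf's -fs/-fw/-fl filters act on, plus the status code."""
    return (r["status"], r["length"], r["words"], r["lines"])

def baseline_signature(results, min_repeats=2):
    """Most frequent signature if it repeats at least min_repeats times, else None."""
    counts = Counter(signature(r) for r in results)
    if not counts:
        return None
    top, n = counts.most_common(1)[0]
    return top if n >= min_repeats else None

def triage(report_json, keyword="FUZZ"):
    """Drop catch-all lookalikes and return {status: sorted list of inputs}."""
    results = json.loads(report_json)["results"]
    noise = baseline_signature(results)
    grouped = defaultdict(list)
    for r in results:
        if signature(r) == noise:
            continue  # same shape as the catch-all page: almost certainly a false positive
        grouped[r["status"]].append(r["input"][keyword])
    return {status: sorted(inputs) for status, inputs in grouped.items()}
```

Pass the path of a real report through json.loads instead of SAMPLE_REPORT; if the scan used a custom keyword, give it as the second argument.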

πŸ”§ Configuration File

Create a config file ~/.ffufrc (TOML syntax; ffuf loads it automatically at start-up):

[http]
    headers = ["User-Agent: ffuf"]
    
[general]
    colors = true
    delay = ""            # seconds between requests as a string, e.g. "0.5" or a range "0.1-2.0"; empty means none
    maxtime = 0
    maxtime-job = 0
    quiet = false
    rate = 0
    stopon403 = false
    stopon429 = false
    stoponerrors = false
    threads = 40
    verbose = false

[output]
    debuglog = ""
    outputdirectory = ""
    outputformat = "json"

🚨 Tips and Best Practices

Performance Optimization

# Fast scan with auto-calibration
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac -t 100

# Smart filtering (auto-detect false positives)
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac

Common Wordlists

# SecLists (must have)
git clone https://github.com/danielmiessler/SecLists.git

# Common wordlists locations
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/

Combining with Other Tools

# Pipe to other tools (-s prints only the matched FUZZ value, so rebuild the full URL before handing it on)
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200 -s | \
     sed 's#^#http://target.com/#' | \
     httpx -silent

# Use with Burp Suite
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

⚠️ Common Pitfalls

  1. WAF Detection: Use delays and custom headers to avoid WAF blocking
  2. Rate Limiting: Respect rate limits with -rate flag
  3. False Positives: Use auto-calibration -ac or manual filtering
  4. Large Wordlists: Start with smaller lists, then expand
  5. Network Issues: Use -timeout to handle slow responses
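
Seen from the other side of the wire, the same traits that make these pitfalls matter are what a defender looks for. The following is an added Python example, not part of ffuf: it parses combined-format access log lines (a constructed sample) and flags a client either because it sends ffuf's stock User-Agent string ("Fuzz Faster U Fool v<version>", which the -H flag or ~/.ffufrc replaces) or because it produces a burst of mostly-404 requests, a signal that survives any header change. The window size, request count and 404 ratio thresholds are assumptions to tune per site.

```python
"""Flag fuzzing bursts in combined-format access logs (added example, not ffuf
code). Two defender-side signals: ffuf's default User-Agent, "Fuzz Faster U Fool
v<version>" (unless changed with -H or ~/.ffufrc), and a burst of mostly-404
requests from one client, which survives any User-Agent change.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample: a stock ffuf client, a client that changed its User-Agent
# but still brute-forces paths, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.9 - - [10/May/2024:10:00:02 +0000] "GET /a HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:00:02 +0000] "GET /b HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:00:03 +0000] "GET /c HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:00:03 +0000] "GET /d HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def detect_fuzzing(log_text, window_s=10, min_requests=4, min_404_ratio=0.75):
    """Return {client_ip: reason} for clients that behave like a fuzzer."""
    flagged, per_ip = {}, defaultdict(list)
    for rec in parse(log_text):
        if rec["ua"].startswith("Fuzz Faster U Fool"):
            flagged[rec["ip"]] = "default ffuf User-Agent"
        per_ip[rec["ip"]].append(rec)
    for ip, recs in per_ip.items():
        if ip in flagged:
            continue
        recs.sort(key=lambda r: r["ts"])
        lo = 0  # sliding window recs[lo:hi+1] no wider than window_s seconds
        for hi in range(len(recs)):
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            win = recs[lo:hi + 1]
            misses = sum(r["status"] == "404" for r in win)
            if len(win) >= min_requests and misses / len(win) >= min_404_ratio:
                flagged[ip] = f"{misses}/{len(win)} 404s within {window_s}s"
                break
    return flagged
```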

📖 Learning Resources

ffuf is a powerful tool for security testing. Always ensure you have:
Fast fuzzing for faster findings. Use responsibly and ethically.