ffuf
There are three versions of ffuf available in the Trickest library. Each one is packaged a little differently to be suitable and more convenient for a particular use case and usage pattern.
ffuf
This is the base version of ffuf. You can use it to fuzz any part of a URL with a wordlist. Use the FUZZ placeholder to define the location where the words of the wordlist will be inserted (e.g. https://trickest.io/FUZZ to fuzz for directories).
Basic Usage Examples
Basic directory brute-force
Pass your target to the target-url parameter with the FUZZ placeholder added as a path, and pass the wordlist to the wordlist parameter to fuzz directories.

Fuzz directories with ffuf
Directory brute-force under a known path.
Add the FUZZ placeholder at any point in the URL, such as within a subdirectory, to fuzz at this location.

Fuzz directories within a subdirectory with ffuf
GET parameter brute-force
Add the FUZZ placeholder as a parameter to brute force for inputs.

Fuzz parameters with ffuf
POST parameter brute-force
Pass POST to the method input, and add the FUZZ placeholder to the data string input to brute force POST parameters.

Fuzz POST data with ffuf
Parameter value brute-force
Add the FUZZ keyword as a value of any GET or POST parameter to brute force its value.

Fuzz parameter values with ffuf
Header brute-force
Add the FUZZ placeholder to the header string input to brute force headers.

Fuzz headers with ffuf
Virtual host brute-force
Add the FUZZ placeholder to the header input as a value of the Host header to brute force virtual hosts.

Fuzz virtual hosts with ffuf
Improvements
Filter results
By default, ffuf will output all of the results it finds. However, you can use certain inputs to filter out unwanted results. Some options you can use to do this include:
filter-http-status-code-from-response
filter-http-response-size
filter-by-amount-of-lines
filter-by-amount-of-words
filter-regexp
filter-time
If you use more than one filtering criterion, use the filter-mode input to specify the filter set operator (either "and" or "or"; default: "or").

Filter ffuf results
Match results
Use these inputs to only write results to the output if they match certain criteria. They work in the same way as filtering options.
match-http-status-code-from-response
match-http-response-size
match-by-amount-of-lines
match-by-amount-of-words
match-time
match-regexp
If you use more than one matching criterion, use the matcher-mode input to specify the set operator (either "and" or "or"; default: "or").

Match ffuf results
Auto-calibrate filtering options
Use the calibrate-filtering-options boolean flag to let ffuf decide how to filter for unique results.

Auto-calibrate ffuf's filtering options
Increase/decrease thread count
The default number of threads for ffuf is 40. Use the number-of-concurrent-threads input to change this number.
Increasing the number of threads can speed up the execution while decreasing the number of threads can make the scan less aggressive.

Change the number of ffuf threads
Add delay
Use the delay-between-requests input to set either a specific delay between requests or a random delay within a range (in seconds).

Set a delay between ffuf requests
Set a maximum run time
Use the max-run-time-for-process input (in seconds).

Set a maximum run time for ffuf
Scan recursively
Use the scan-recursively input.
You can further configure the recursion behavior using these inputs:
max-run-time-for-job: Control the time (in seconds) that ffuf will spend on each job (not the entire process). A new job is created when ffuf detects a new subdirectory.
recursion-depth
recursion-strategy: Use greedy to recurse on all matches

Scan recursively with ffuf
Output to a different format
By default, ffuf will write results as a JSON file with the scan results inside the results sub-object.
...
"results": [
  {
    "input": {
      "FUZZ": "admin"
    },
    "position": 1,
    "status": 301,
    "length": 226,
    "words": 9,
    "lines": 7,
    "content-type": "text/html; charset=UTF-8",
    "redirectlocation": "https://trickest.io/admin",
    "duration": 67233959,
    "resultfile": "",
    "url": "https://trickest.io/admin",
    "host": "trickest.io"
  }
],
...
Use the output-format input to change it to ejson, html, md, csv, or ecsv.

Change ffuf's output format
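
The filter set operator from "Filter results", applied to an already written JSON report in the shape shown above. This is an added example, not code from ffuf or Trickest: the sample results are constructed, the function names are hypothetical, and it models the "and"/"or" choice on the status, length, words and lines fields of each result rather than reproducing ffuf's own filtering code.

```python
import json

# Constructed sample in the shape of the "results" sub-object shown above.
SAMPLE = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "status": 301, "length": 226, "words": 9,
     "lines": 7, "url": "https://trickest.io/admin"},
    {"input": {"FUZZ": "login"}, "status": 200, "length": 1532, "words": 120,
     "lines": 48, "url": "https://trickest.io/login"},
    {"input": {"FUZZ": "xyz"}, "status": 200, "length": 4242, "words": 310,
     "lines": 90, "url": "https://trickest.io/xyz"},
    {"input": {"FUZZ": "old"}, "status": 404, "length": 4242, "words": 310,
     "lines": 90, "url": "https://trickest.io/old"},
]})

FIELDS = ("status", "length", "words", "lines")  # keys present in each result


def criteria_hits(result, criteria):
    """One boolean per configured criterion: does this result match it?"""
    unknown = set(criteria) - set(FIELDS)
    if unknown:
        raise ValueError(f"unsupported criteria: {sorted(unknown)}")
    return [result.get(field) in values for field, values in criteria.items()]


def apply_filters(report_json, criteria, mode="or"):
    """Drop results that hit the filter set: 'or' = any criterion, 'and' = all."""
    if mode not in ("and", "or"):
        raise ValueError("mode must be 'and' or 'or'")
    combine = any if mode == "or" else all
    kept = []
    for result in json.loads(report_json).get("results", []):
        hits = criteria_hits(result, criteria)
        if hits and combine(hits):
            continue  # filtered out
        kept.append(result)
    return kept


def words_kept(report_json, criteria, mode="or"):
    """Wordlist entries whose results survive the filter set."""
    return [r["input"]["FUZZ"] for r in apply_filters(report_json, criteria, mode)]


if __name__ == "__main__":
    soft_404 = {"status": {200}, "length": {4242}}  # constructed soft-404 profile
    print("or :", words_kept(SAMPLE, soft_404, "or"))
    print("and:", words_kept(SAMPLE, soft_404, "and"))
```

With the default "or", the status criterion alone also drops the genuine 200 response for login; "and" removes only the result that matches both criteria.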
ffuf-multi
ffuf-multi is packaged slightly differently to ffuf to make it easier to fuzz multiple hosts. It is equivalent to this command:
ffuf -u HOST/WORD -w hosts.txt:HOST -w wordlist.txt:WORD
Most of the improvements that apply to ffuf will apply to ffuf-multi. However, if you decide to automatically calibrate filtering results, it will be useful to use host-auto-calibration instead of the default calibrate-filtering-options and experiment with different calibration options such as auto-calibration-strategy and auto-calibration-keyword.
ffuf-od
ffuf-od works similarly to the base ffuf except it saves the HTTP responses of each match and writes them to a folder. Most of the improvements that apply to ffuf will apply to ffuf-od.
{% code title=“example output file” %}
GET /admin HTTP/1.1
Host: trickest.io
User-Agent: Fuzz Faster U Fool v1.5.0
Accept-Encoding: gzip
---- ↑ Request ---- Response ↓ ----
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: text/html
Date: Fri, 32 Oct 2099 13:33:37 GMT
Server: nginx
<h1>Admin</h1>
{% endcode %}
Notable Workflows
Similar Tools
- dirsearch
- wfuzz
- gobuster
- meg
- crithit
- kiterunner
- fuzzuli
- vhostscan
- arjun
- x8