loading
loading
Fuzzing
A fast web fuzzer written in Go.
overview
ffuf replaces a FUZZ keyword in a request with each line of a wordlist and records the response, which makes it one general engine for content, parameter, and virtual-host discovery. Put FUZZ in the path to brute-force directories and files, in the query string or POST body to find hidden parameters, or in the Host header to enumerate vhosts behind one IP.
What keeps it fast without drowning you in noise is matching and filtering. Keep responses by status with -mc (or -mc all), then cut decoys by size (-fs), words (-fw), lines (-fl), status (-fc), or regex (-fr); -fmode and -mmode set whether those rules combine with and or or. Autocalibration (-ac) can learn the noise filters for you, -recursion with -recursion-depth walks into directories it finds, and -mode clusterbomb or pitchfork drives several wordlists at once.
On Trickest, ffuf is a Fuzzing node that takes a target URL and a wordlist and writes a folder and a file. Add -json or -of json and the discovered paths, parameters, or hosts become a structured set the next node can promote to a live table and probe or test.
source github.com/ffuf/ffuf
use cases
Fuzz a path with a content wordlist to surface admin panels, backups, and endpoints that are not linked anywhere.
Fuzz the query string or POST body to reveal undocumented parameters worth testing for injection and access-control flaws.
Fuzz the Host header against one IP to find vhosts that do not appear in DNS.
Use clusterbomb or pitchfork mode with several wordlists to fuzz more than one FUZZ keyword in the same request.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Target URL, with FUZZ marking where each wordlist entry is injected. |
| wordlist | FILE | -w | Wordlist file path and optional keyword, separated by a colon (path:KEYWORD). |
| match-status-codes | STRING | -mc | Match HTTP status codes, or "all" (default 200,204,301,302,307,401,403). |
| filter-status-codes | STRING | -fc | Filter out responses by status code; comma-separated codes and ranges. |
| filter-response-size | STRING | -fs | Filter out responses by size; comma-separated sizes and ranges. |
| filter-words | STRING | -fw | Filter out responses by word count; comma-separated counts and ranges. |
| recursion | BOOLEAN | -recursion | Recurse into discovered directories (the URL must end in FUZZ). |
| extensions | STRING | -e | Comma-separated extensions that extend the FUZZ keyword (.php,.bak). |
| threads | STRING | -t | Number of concurrent threads (default 40). |
Showing key inputs. ffuf exposes 68 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Target URL, with FUZZ where the wordlist is injected. |
| wordlist | FILE | -w | Wordlist file path and optional keyword, separated by a colon. |
| mode | STRING | -mode | Multi-wordlist mode: clusterbomb, pitchfork, sniper (default clusterbomb). |
| extensions | STRING | -e | Comma-separated list of extensions that extend the FUZZ keyword. |
| match-status-codes | STRING | -mc | Match HTTP status codes, or "all" (default 200,204,301,302,307,401,403). |
| match-response-size | STRING | -ms | Match HTTP response size. |
| match-words | STRING | -mw | Match a number of words in the response. |
| match-lines | STRING | -ml | Match a number of lines in the response. |
| match-regexp | STRING | -mr | Match a regexp against the response. |
| match-time | STRING | -mt | Match milliseconds to the first response byte, e.g. >100 or <100. |
| matcher-mode | STRING | -mmode | Matcher set operator: and, or (default or). |
| filter-status-codes | STRING | -fc | Filter HTTP status codes; comma-separated list of codes and ranges. |
| filter-response-size | STRING | -fs | Filter by response size; comma-separated list of sizes and ranges. |
| filter-words | STRING | -fw | Filter by word count; comma-separated list of counts and ranges. |
| filter-lines | STRING | -fl | Filter by line count; comma-separated list of counts and ranges. |
| filter-regexp | STRING | -fr | Filter by a regexp against the response. |
| filter-time | STRING | -ft | Filter by milliseconds to the first response byte, e.g. >100 or <100. |
| filter-mode | STRING | -fmode | Filter set operator: and, or (default or). |
| autocalibration | BOOLEAN | -ac | Automatically calibrate filtering options (default false). |
| host-autocalibration | BOOLEAN | -ach | Per-host autocalibration (default false). |
| custom-autocalibration | STRING | -acc | Custom auto-calibration string; can be repeated, implies -ac. |
| autocalibration-strategy | STRING | -acs | Custom auto-calibration strategy; can be repeated, implies -ac. |
| autocalibration-keyword | STRING | -ack | Autocalibration keyword (default FUZZ). |
| recursion | BOOLEAN | -recursion | Scan recursively; only FUZZ is supported and the URL must end in it (default false). |
| recursion-depth | STRING | -recursion-depth | Maximum recursion depth (default 0, unlimited). |
| recursion-strategy | STRING | -recursion-strategy | Recursion strategy: default (redirect-based) or greedy (default default). |
| threads | STRING | -t | Number of concurrent threads (default 40). |
| rate | STRING | -rate | Rate of requests per second (default 0, unlimited). |
| delay | STRING | -p | Seconds of delay between requests, or a range, e.g. 0.1 or 0.1-2.0. |
| timeout | STRING | -timeout | HTTP request timeout in seconds (default 10). |
| maxtime | STRING | -maxtime | Maximum running time in seconds for the entire process (default 0). |
| maxtime-job | STRING | -maxtime-job | Maximum running time in seconds per job (default 0). |
| header | STRING | -H | Header "Name: Value", separated by a colon. |
| header-file | FILE | -header-file | Headers "Name: Value", one per newline. |
| http-method | STRING | -X | HTTP method to use (default GET). |
| post-data | STRING | -d | POST data. |
| cookie-data | STRING | -b | Cookie data. |
| request | FILE | -request | File containing the raw HTTP request to fuzz. |
| request-proto | STRING | -request-proto | Protocol to use with a raw request (default https). |
| raw | BOOLEAN | -raw | Do not encode the URI (default false). |
| http2 | BOOLEAN | -http2 | Use the HTTP/2 protocol (default false). |
| sni | STRING | -sni | Target TLS SNI; does not support the FUZZ keyword. |
| follow-redirects | BOOLEAN | -r | Follow redirects (default false). |
| http-proxy-url | STRING | -x | Proxy URL (SOCKS5 or HTTP), e.g. http://127.0.0.1:8080. |
| replay-proxy | STRING | -replay-proxy | Replay matched requests through this proxy. |
| client-cert | FILE | -cc | Client cert for authentication; requires a client key. |
| client-key | FILE | -ck | Client key for authentication; requires a client certificate. |
| encoders | STRING | -enc | Encoders for keywords, e.g. FUZZ:urlencode b64encode. |
| input-cmd | STRING | -input-cmd | Command producing the input; requires -input-num and overrides -w. |
| input-num | STRING | -input-num | Number of inputs to test, used with -input-cmd (default 100). |
| input-shell | STRING | -input-shell | Shell used for running the input command. |
| ignore-wordlist-comments | BOOLEAN | -ic | Ignore wordlist comments (default false). |
| dirsearch-wordlist-compatibility-mode | BOOLEAN | -D | DirSearch wordlist compatibility mode; used with -e (default false). |
| json | BOOLEAN | -json | JSON output, printing newline-delimited JSON records (default false). |
| output-format | STRING | -of | Output file format: json, ejson, html, md, csv, ecsv (default json). |
| output-skip-empty-file | BOOLEAN | -or | Do not create the output file when there are no results (default false). |
| silent | BOOLEAN | -s | Silent mode; do not print additional information (default false). |
| verbose | BOOLEAN | -v | Verbose output, printing the full URL and any redirect location (default false). |
| color-output | BOOLEAN | -c | Colorize the output. |
| ignore-body | BOOLEAN | -ignore-body | Do not fetch the response content (default false). |
| dont-fetch-response-body | BOOLEAN | -ignore-body | Do not fetch the response content (default false). |
| stop-on-forbidden | BOOLEAN | -sf | Stop when over 95% of responses return 403 Forbidden (default false). |
| stop-on-spurious-errors | BOOLEAN | -se | Stop on spurious errors (default false). |
| stop-on-all-errors | BOOLEAN | -sa | Stop on all error cases; implies -sf and -se (default false). |
| scrapers | STRING | -scrapers | Active scraper groups (default all). |
| scraperfile | FILE | -scraperfile | Custom scraper file path. |
| search | STRING | -search | Search for a FFUFHASH payload from ffuf history. |
| config | FILE | -config | Load configuration from a file. |
example
# fuzz for hidden paths, match every code, drop 4242-byte decoy responsesffuf -u https://example.com/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \ -mc all -fs 4242 -e .php,.html \ -recursion -recursion-depth 2 -t 40 \ -o results.json -of json :: Method : GET :: URL : https://example.com/FUZZ :: Wordlist : FUZZ: raft-medium-directories.txt :: Matcher : Response status: all :: Filter : Response size: 4242________________________________________________ admin [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 44ms]login [Status: 200, Size: 2011, Words: 213, Lines: 61, Duration: 91ms].git/HEAD [Status: 200, Size: 23, Words: 2, Lines: 1, Duration: 63ms]backup [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 38ms]:: Progress: [30000/30000] :: Job [1/1] :: 980 req/sec :: Duration: [0:00:31] :: Errors: 0 ::guidance
Use ffuf to discover content, parameters, or vhosts on a host you already know is live. Filter responses by status, size, or words to cut noise. To run one wordlist across many URLs, use ffuf-multi; for recursive defaults, feroxbuster.
Recursive content discovery with smart defaults. ffuf is the more general FUZZ engine.
Simple, fast directory brute-forcing. ffuf adds richer filtering and parameter or vhost modes.
Same engine wired to fuzz one wordlist across a list of target URLs in one run.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
Fastest recursive HTTP fuzzer, like a Ferrari.
A target and a wordlist feed ffuf, which fuzzes the request and writes the discovered paths as a queryable output.
Facts on this page come from the live Trickest tool library.