loading
loading
Fuzzing
A fast web fuzzer written in Go, wired to run across a list of target URLs.
overview
ffuf-multi wraps the ffuf web fuzzer so one wordlist runs against every URL in a target list inside a single node. It keeps ffuf's match and filter controls (-mc, -fc, -fs, -fw) while removing the need to loop hosts yourself.
Autocalibration (-ac), extensions (-e), recursion, and thread or rate limits behave like upstream ffuf. That means the same filtering habits from single-target fuzzing apply when you scale across an estate of live sites.
On Trickest the Fuzzing node takes a urls file and a wordlist and writes combined hits as a file and a folder. Use ffuf when you need a single URL with FUZZ placed freely in the request.
source github.com/ffuf/ffuf
use cases
Feed live URLs and a path wordlist so every host is fuzzed with the same dictionary in one run.
Use -mc / -fc and -fs so only interesting status codes and response sizes survive into the result set.
Enable -ac so ffuf learns baseline responses per job and filters soft-404 style noise automatically.
Pass -e php,asp,aspx,js when hunting backup or script files alongside path words.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| urls | FILE | · | List of target URLs to fuzz. |
| wordlist | FILE | · | Wordlist file used for FUZZ. |
| match-status-codes | STRING | -mc | Match HTTP status codes, or all (default 200,204,301,302,307,401,403). |
| filter-status-codes | STRING | -fc | Filter HTTP status codes from the response. |
| threads | STRING | -t | Number of concurrent threads (default 40). |
| autocalibration | BOOLEAN | -ac | Automatically calibrate filtering options. |
| extensions | STRING | -e | Comma-separated extensions that extend the FUZZ keyword. |
| recursion | BOOLEAN | -recursion | Scan recursively when the URL ends with FUZZ. |
Showing key inputs. ffuf-multi exposes 68 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | BOOLEAN | -raw | Do not encode URI (default: false) |
| sni | STRING | -sni | Target TLS SNI, does not support FUZZ keyword |
| json | BOOLEAN | -json | JSON output, printing newline-delimited JSON records (default: false) |
| mode | STRING | -mode | Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb) |
| rate | STRING | -rate | Rate of requests per second (default: 0) |
| urls | FILE | · | List of target URLs |
| delay | STRING | -p | Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0" |
| http2 | BOOLEAN | -http2 | Use HTTP2 protocol (default: false) |
| config | FILE | -config | Load configuration from a file |
| header | STRING | -H | Header `"Name: Value"`, separated by colon |
| search | STRING | -search | Search for a FFUFHASH payload from ffuf history |
| silent | BOOLEAN | -s | Do not print additional information (silent mode) (default: false) |
| maxtime | STRING | -maxtime | Maximum running time in seconds for entire process. (default: 0) |
| request | FILE | -request | File containing the raw http request |
| threads | STRING | -t | Number of concurrent threads. (default: 40) |
| timeout | STRING | -timeout | HTTP request timeout in seconds. (default: 10) |
| verbose | BOOLEAN | -v | Verbose output, printing full URL and redirect location (if any) with the results. (default: false) |
| encoders | STRING | -enc | Encoders for keywords, eg. 'FUZZ:urlencode b64encode' |
| scrapers | STRING | -scrapers | Active scraper groups (default: all) |
| wordlist | FILE | · | Wordlist file |
| input-cmd | STRING | -input-cmd | Command producing the input. --input-num is required when using this input method. Overrides -w. |
| input-num | STRING | -input-num | Number of inputs to test. Used in conjunction with --input-cmd. (default: 100) |
| post-data | STRING | -d | POST data |
| recursion | BOOLEAN | -recursion | Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false) |
| client-key | FILE | -ck | Client key for authentication. Client certificate needs to be defined as well for this to work |
| extensions | STRING | -e | Comma separated list of extensions. Extends FUZZ keyword. |
| match-time | STRING | -mt | Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100 |
| client-cert | FILE | -cc | Client cert for authentication. Client key needs to be defined as well for this to work |
| cookie-data | STRING | -b | Cookie data |
| filter-mode | STRING | -fmode | Filter set operator. Either of: and, or (default: or) |
| filter-time | STRING | -ft | Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100 |
| header-file | FILE | -header-file | Header `"Name: Value"`, separated by a newline |
| http-method | STRING | -X | HTTP method to use (default: GET) |
| ignore-body | BOOLEAN | -ignore-body | Do not fetch the response content. (default: false) |
| input-shell | STRING | -input-shell | Shell to be used for running command |
| match-lines | STRING | -ml | Match amount of lines in response |
| match-words | STRING | -mw | Match amount of words in response |
| maxtime-job | STRING | -maxtime-job | Maximum running time in seconds per job. (default: 0) |
| scraperfile | FILE | -scraperfile | Custom scraper file path |
| color-output | BOOLEAN | -c | Colorize output |
| filter-lines | STRING | -fl | Filter by amount of lines in response. Comma separated list of line counts and ranges |
| filter-words | STRING | -fw | Filter by amount of words in response. Comma separated list of word counts and ranges |
| match-regexp | STRING | -mr | Match regexp |
| matcher-mode | STRING | -mmode | Matcher set operator. Either of: and, or (default: or) |
| replay-proxy | STRING | -replay-proxy | Replay matched requests using this proxy. |
| filter-regexp | STRING | -fr | Filter regexp |
| output-format | STRING | -of | Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json) |
| request-proto | STRING | -request-proto | Protocol to use along with raw request (default: https) |
| http-proxy-url | STRING | -x | Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080 |
| autocalibration | BOOLEAN | -ac | Automatically calibrate filtering options (default: false) |
| recursion-depth | STRING | -recursion-depth | Maximum recursion depth. (default: 0) |
| follow-redirects | BOOLEAN | -r | Follow redirects (default: false) |
| stop-on-forbidden | BOOLEAN | -sf | Stop when > 95% of responses return 403 Forbidden (default: false) |
| match-status-codes | STRING | -mc | Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403 |
| recursion-strategy | STRING | -recursion-strategy | Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default) |
| stop-on-all-errors | BOOLEAN | -sa | Stop on all error cases. Implies -sf and -se. (default: false) |
| filter-status-codes | STRING | -fc | Filter HTTP status codes from response. Comma separated list of codes and ranges |
| match-response-size | STRING | -ms | Match HTTP response size |
| filter-response-size | STRING | -fs | Filter HTTP response size. Comma separated list of sizes and ranges |
| host-autocalibration | BOOLEAN | -ach | Per host autocalibration (default: false) |
| custom-autocalibration | STRING | -acc | Custom auto-calibration string. Can be used multiple times. Implies -ac |
| output-skip-empty-file | BOOLEAN | -or | Don't create the output file if we don't have results (default: false) |
| autocalibration-keyword | STRING | -ack | Autocalibration keyword (default: FUZZ) |
| stop-on-spurious-errors | BOOLEAN | -se | Stop on spurious errors (default: false) |
| autocalibration-strategy | STRING | -acs | Custom auto-calibration strategies. Can be used multiple times. Implies -ac |
| dont-fetch-response-body | BOOLEAN | -ignore-body | Do not fetch the response content. (default: false) |
| ignore-wordlist-comments | BOOLEAN | -ic | Ignore wordlist comments (default: false) |
| dirsearch-wordlist-compatibility-mode | BOOLEAN | -D | DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false) |
example
# ffuf-multi: same engine as ffuf, looped over urls.txtffuf -w wordlist.txt -u https://example.com/FUZZ -mc 200,301,403 -fc 404 -ac -t 40 -e php,htmlhttps://example.com/admin [Status: 301, Size: 178]https://example.com/login [Status: 200, Size: 4521]https://example.com/api [Status: 200, Size: 89]https://example.com/backup [Status: 403, Size: 112]https://api.example.com/v1 [Status: 200, Size: 204]https://www.example.com/.git/HEAD [Status: 200, Size: 23]https://staging.example.com/debug [Status: 200, Size: 912]https://198.51.100.40/server-status [Status: 403, Size: 156]guidance
Use ffuf-multi when you want to fuzz one wordlist across many live URLs in a single node. For a single target with FUZZ placed anywhere in the request, use ffuf; for recursive defaults on one host, feroxbuster.
The single-target form, with FUZZ placed anywhere in the request. ffuf-multi loops it over a URL list.
Recursive content discovery with smart defaults across a URL list. A more opinionated alternative.
Python content scanner with built-in wordlists. ffuf-multi is the faster Go engine for bulk fuzzing.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
Fastest recursive HTTP fuzzer, like a Ferrari.
A URL list and a wordlist feed ffuf-multi, which fuzzes every host in turn and writes the combined discovered paths as a queryable output.
Facts on this page come from the live Trickest tool library.