loading
loading
Fuzzing
A fast web fuzzer written in Go.
overview
ffuf-od is the folder-output build of ffuf, the fast web fuzzer written in Go. You give it a target URL with a FUZZ keyword and a wordlist, and it replaces the keyword with every entry, fires the requests concurrently, and reports which ones come back interesting. The same engine drives directory and file discovery, parameter fuzzing, virtual-host enumeration, and raw request replay.
What makes ffuf practical at scale is its matcher and filter set. You decide what counts as a hit by status code, response size, word count, line count, regexp, or response time, and you do the same in reverse to drop noise. Autocalibration learns a target's baseline of false positives, recursion walks into discovered directories, and rate and thread controls keep a run inside what the host tolerates.
On Trickest this variant writes its results to a folder, so each run drops structured output files that downstream nodes can read. Feed it a host list and a wordlist, point FUZZ at the path or a header, and chain the folder into parsing, reporting, or a follow-on scan. Use ffuf-multi-od when you need several FUZZ keywords combined across multiple wordlists.
source github.com/ffuf/ffuf
use cases
Point FUZZ at the path, load a content-discovery wordlist, and match on status codes to surface hidden directories, backup files, and admin endpoints a crawler never links to.
Fuzz query or POST parameter names against a known endpoint and filter by response size so reflected or behavior-changing parameters stand out from the baseline.
Put FUZZ in the Host header against a single IP, then filter out the default response size to reveal name-based virtual hosts served from the same address.
Enable autocalibration so ffuf learns the target's wildcard and error baseline, then recurse into discovered directories to map a content tree in one run.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Target URL, with the FUZZ keyword where payloads are injected. |
| wordlist | FILE | -w | Wordlist file path and optional keyword, separated by a colon. |
| extensions | STRING | -e | Comma-separated extensions that extend the FUZZ keyword. |
| match-status-codes | STRING | -mc | HTTP status codes to treat as hits, or "all" for everything. |
| filter-status-codes | STRING | -fc | HTTP status codes to drop from the results. |
| recursion | BOOLEAN | -recursion | Scan recursively into matched directories ending in FUZZ. |
| threads | STRING | -t | Number of concurrent threads (default 40). |
| rate | STRING | -rate | Rate of requests per second (default 0, unlimited). |
Showing key inputs. ffuf-od exposes 67 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | BOOLEAN | -raw | Do not encode URI (default: false) |
| sni | STRING | -sni | Target TLS SNI, does not support FUZZ keyword |
| url | STRING | -u | Target URL |
| json | BOOLEAN | -json | JSON output, printing newline-delimited JSON records (default: false) |
| mode | STRING | -mode | Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb) |
| rate | STRING | -rate | Rate of requests per second (default: 0) |
| delay | STRING | -p | Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0" |
| http2 | BOOLEAN | -http2 | Use HTTP2 protocol (default: false) |
| config | FILE | -config | Load configuration from a file |
| header | STRING | -H | Header `"Name: Value"`, separated by colon |
| search | STRING | -search | Search for a FFUFHASH payload from ffuf history |
| silent | BOOLEAN | -s | Do not print additional information (silent mode) (default: false) |
| maxtime | STRING | -maxtime | Maximum running time in seconds for entire process. (default: 0) |
| request | FILE | -request | File containing the raw http request |
| threads | STRING | -t | Number of concurrent threads. (default: 40) |
| timeout | STRING | -timeout | HTTP request timeout in seconds. (default: 10) |
| verbose | BOOLEAN | -v | Verbose output, printing full URL and redirect location (if any) with the results. (default: false) |
| encoders | STRING | -enc | Encoders for keywords, eg. 'FUZZ:urlencode b64encode' |
| scrapers | STRING | -scrapers | Active scraper groups (default: all) |
| wordlist | FILE | -w | Wordlist file path and (optional) keyword separated by colon. |
| input-cmd | STRING | -input-cmd | Command producing the input. --input-num is required when using this input method. Overrides -w. |
| input-num | STRING | -input-num | Number of inputs to test. Used in conjunction with --input-cmd. (default: 100) |
| post-data | STRING | -d | POST data |
| recursion | BOOLEAN | -recursion | Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false) |
| client-key | FILE | -ck | Client key for authentication. Client certificate needs to be defined as well for this to work |
| extensions | STRING | -e | Comma separated list of extensions. Extends FUZZ keyword. |
| match-time | STRING | -mt | Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100 |
| client-cert | FILE | -cc | Client cert for authentication. Client key needs to be defined as well for this to work |
| cookie-data | STRING | -b | Cookie data |
| filter-mode | STRING | -fmode | Filter set operator. Either of: and, or (default: or) |
| filter-time | STRING | -ft | Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100 |
| http-method | STRING | -X | HTTP method to use (default: GET) |
| ignore-body | BOOLEAN | -ignore-body | Do not fetch the response content. (default: false) |
| input-shell | STRING | -input-shell | Shell to be used for running command |
| match-lines | STRING | -ml | Match amount of lines in response |
| match-words | STRING | -mw | Match amount of words in response |
| maxtime-job | STRING | -maxtime-job | Maximum running time in seconds per job. (default: 0) |
| scraperfile | FILE | -scraperfile | Custom scraper file path |
| color-output | BOOLEAN | -c | Colorize output |
| filter-lines | STRING | -fl | Filter by amount of lines in response. Comma separated list of line counts and ranges |
| filter-words | STRING | -fw | Filter by amount of words in response. Comma separated list of word counts and ranges |
| match-regexp | STRING | -mr | Match regexp |
| matcher-mode | STRING | -mmode | Matcher set operator. Either of: and, or (default: or) |
| replay-proxy | STRING | -replay-proxy | Replay matched requests using this proxy. |
| filter-regexp | STRING | -fr | Filter regexp |
| output-format | STRING | -of | Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json) |
| request-proto | STRING | -request-proto | Protocol to use along with raw request (default: https) |
| http-proxy-url | STRING | -x | Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080 |
| autocalibration | BOOLEAN | -ac | Automatically calibrate filtering options (default: false) |
| recursion-depth | STRING | -recursion-depth | Maximum recursion depth. (default: 0) |
| follow-redirects | BOOLEAN | -r | Follow redirects (default: false) |
| stop-on-forbidden | BOOLEAN | -sf | Stop when > 95% of responses return 403 Forbidden (default: false) |
| match-status-codes | STRING | -mc | Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403 |
| recursion-strategy | STRING | -recursion-strategy | Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default) |
| stop-on-all-errors | BOOLEAN | -sa | Stop on all error cases. Implies -sf and -se. (default: false) |
| filter-status-codes | STRING | -fc | Filter HTTP status codes from response. Comma separated list of codes and ranges |
| match-response-size | STRING | -ms | Match HTTP response size |
| filter-response-size | STRING | -fs | Filter HTTP response size. Comma separated list of sizes and ranges |
| host-autocalibration | BOOLEAN | -ach | Per host autocalibration (default: false) |
| custom-autocalibration | STRING | -acc | Custom auto-calibration string. Can be used multiple times. Implies -ac |
| output-skip-empty-file | BOOLEAN | -or | Don't create the output file if we don't have results (default: false) |
| autocalibration-keyword | STRING | -ack | Autocalibration keyword (default: FUZZ) |
| stop-on-spurious-errors | BOOLEAN | -se | Stop on spurious errors (default: false) |
| autocalibration-strategy | STRING | -acs | Custom auto-calibration strategies. Can be used multiple times. Implies -ac |
| dont-fetch-response-body | BOOLEAN | -ignore-body | Do not fetch the response content. (default: false) |
| ignore-wordlist-comments | BOOLEAN | -ic | Ignore wordlist comments (default: false) |
| dirsearch-wordlist-compatibility-mode | BOOLEAN | -D | DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false) |
example
# content discovery: match live codes, drop 404s, recurse into hitsffuf -u https://example.com/FUZZ -w /wordlists/content.txt -e .php,.bak -mc 200,301,302 -fc 404 -recursion -t 40 :: URL : https://example.com/FUZZ :: Wordlist : FUZZ: /wordlists/content.txt :: Matcher : Response status: 200,301,302________________________________________________admin [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 42ms].git/config [Status: 200, Size: 92, Words: 4, Lines: 3, Duration: 55ms]backup [Status: 200, Size: 1042, Words: 40, Lines: 12, Duration: 39ms]login [Status: 200, Size: 4213, Words: 812, Lines: 96, Duration: 51ms]robots.txt [Status: 200, Size: 118, Words: 5, Lines: 4, Duration: 33ms]:: Progress: [4746/4746] :: Job [1/1] :: 902 req/sec :: Duration: [0:00:05] :: Errors: 0 ::guidance
Reach for ffuf-od when you need fast, filter-driven HTTP fuzzing and want the results written to a folder for downstream nodes. For several FUZZ keywords across multiple wordlists use ffuf-multi-od, and for brute forcing one payload across many hosts to dodge WAF bans use crithit.
Same engine with multi-wordlist modes (clusterbomb, pitchfork) for combining several FUZZ keywords.
Python web fuzzer with similar matchers. ffuf is faster and the more common pipeline choice.
Tests one wordlist item across many hosts at a time to avoid low-limit WAF bans.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go, packaged for virtual host discovery.
Fastest recursive HTTP fuzzer, like a Ferrari.
A target URL and a wordlist feed ffuf-od, which fuzzes the FUZZ keyword across every entry and writes the matched paths to a results folder.
Facts on this page come from the live Trickest tool library.