loading
loading
Fuzzing
A fast web fuzzer written in Go, packaged for virtual host discovery.
overview
ffuf-virtual-hosts is an ffuf packaging tuned for virtual-host discovery: it fuzzes the Host header against a target URL so names that resolve to the same IP but serve different sites surface as distinct responses.
Wordlist-driven Host values, status and size filters, and rate limits keep the scan practical on shared hosting and reverse proxies where a generic path fuzz would miss name-based sites.
Place it after you know an IP or apex URL and before content discovery on each confirmed vhost, so the rest of the workflow runs against every site the IP actually serves.
source github.com/ffuf/ffuf
use cases
Fuzz the Host header against a live target so internal apps, staging sites, and admin panels that share its IP but never resolve in DNS show up as real hits.
Apply -mc / -fs filters, or -ac autocalibration, so the server's catch-all response for unknown hosts is dropped and only genuine vhosts remain.
Feed a hosts file so the fuzzer works through every target in turn, expanding vhost discovery from a single IP to a whole probed surface in one run.
Emit -json so the found virtual hosts become a structured set an HTTP prober or vulnerability scanner can pick up as its next input.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | BOOLEAN | -raw | Do not encode URI (default: false) |
| sni | STRING | -sni | Target TLS SNI, does not support FUZZ keyword |
| json | BOOLEAN | -json | JSON output, printing newline-delimited JSON records (default: false) |
| mode | STRING | -mode | Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb) |
| rate | STRING | -rate | Rate of requests per second (default: 0) |
| delay | STRING | -p | Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0" |
| http2 | BOOLEAN | -http2 | Use HTTP2 protocol (default: false) |
Showing key inputs. ffuf-virtual-hosts exposes 67 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | BOOLEAN | -raw | Do not encode URI (default: false) |
| sni | STRING | -sni | Target TLS SNI, does not support FUZZ keyword |
| json | BOOLEAN | -json | JSON output, printing newline-delimited JSON records (default: false) |
| mode | STRING | -mode | Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb) |
| rate | STRING | -rate | Rate of requests per second (default: 0) |
| urls | FILE | · | List of target URLs |
| delay | STRING | -p | Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0" |
| hosts | FILE | · | List of hosts |
| http2 | BOOLEAN | -http2 | Use HTTP2 protocol (default: false) |
| config | FILE | -config | Load configuration from a file |
| header | STRING | -H | Header `"Name: Value"`, separated by colon |
| search | STRING | -search | Search for a FFUFHASH payload from ffuf history |
| silent | BOOLEAN | -s | Do not print additional information (silent mode) (default: false) |
| maxtime | STRING | -maxtime | Maximum running time in seconds for entire process. (default: 0) |
| request | FILE | -request | File containing the raw http request |
| threads | STRING | -t | Number of concurrent threads. (default: 40) |
| timeout | STRING | -timeout | HTTP request timeout in seconds. (default: 10) |
| verbose | BOOLEAN | -v | Verbose output, printing full URL and redirect location (if any) with the results. (default: false) |
| encoders | STRING | -enc | Encoders for keywords, eg. 'FUZZ:urlencode b64encode' |
| scrapers | STRING | -scrapers | Active scraper groups (default: all) |
| input-cmd | STRING | -input-cmd | Command producing the input. --input-num is required when using this input method. Overrides -w. |
| input-num | STRING | -input-num | Number of inputs to test. Used in conjunction with --input-cmd. (default: 100) |
| post-data | STRING | -d | POST data |
| recursion | BOOLEAN | -recursion | Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false) |
| client-key | FILE | -ck | Client key for authentication. Client certificate needs to be defined as well for this to work |
| extensions | STRING | -e | Comma separated list of extensions. Extends FUZZ keyword. |
| match-time | STRING | -mt | Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100 |
| client-cert | FILE | -cc | Client cert for authentication. Client key needs to be defined as well for this to work |
| cookie-data | STRING | -b | Cookie data |
| filter-mode | STRING | -fmode | Filter set operator. Either of: and, or (default: or) |
| filter-time | STRING | -ft | Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100 |
| http-method | STRING | -X | HTTP method to use (default: GET) |
| ignore-body | BOOLEAN | -ignore-body | Do not fetch the response content. (default: false) |
| input-shell | STRING | -input-shell | Shell to be used for running command |
| match-lines | STRING | -ml | Match amount of lines in response |
| match-words | STRING | -mw | Match amount of words in response |
| maxtime-job | STRING | -maxtime-job | Maximum running time in seconds per job. (default: 0) |
| scraperfile | FILE | -scraperfile | Custom scraper file path |
| color-output | BOOLEAN | -c | Colorize output |
| filter-lines | STRING | -fl | Filter by amount of lines in response. Comma separated list of line counts and ranges |
| filter-words | STRING | -fw | Filter by amount of words in response. Comma separated list of word counts and ranges |
| match-regexp | STRING | -mr | Match regexp |
| matcher-mode | STRING | -mmode | Matcher set operator. Either of: and, or (default: or) |
| replay-proxy | STRING | -replay-proxy | Replay matched requests using this proxy. |
| filter-regexp | STRING | -fr | Filter regexp |
| output-format | STRING | -of | Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json) |
| request-proto | STRING | -request-proto | Protocol to use along with raw request (default: https) |
| http-proxy-url | STRING | -x | Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080 |
| autocalibration | BOOLEAN | -ac | Automatically calibrate filtering options (default: false) |
| recursion-depth | STRING | -recursion-depth | Maximum recursion depth. (default: 0) |
| follow-redirects | BOOLEAN | -r | Follow redirects (default: false) |
| stop-on-forbidden | BOOLEAN | -sf | Stop when > 95% of responses return 403 Forbidden (default: false) |
| match-status-codes | STRING | -mc | Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403 |
| recursion-strategy | STRING | -recursion-strategy | Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default) |
| stop-on-all-errors | BOOLEAN | -sa | Stop on all error cases. Implies -sf and -se. (default: false) |
| filter-status-codes | STRING | -fc | Filter HTTP status codes from response. Comma separated list of codes and ranges |
| match-response-size | STRING | -ms | Match HTTP response size |
| filter-response-size | STRING | -fs | Filter HTTP response size. Comma separated list of sizes and ranges |
| host-autocalibration | BOOLEAN | -ach | Per host autocalibration (default: false) |
| custom-autocalibration | STRING | -acc | Custom auto-calibration string. Can be used multiple times. Implies -ac |
| output-skip-empty-file | BOOLEAN | -or | Don't create the output file if we don't have results (default: false) |
| autocalibration-keyword | STRING | -ack | Autocalibration keyword (default: FUZZ) |
| stop-on-spurious-errors | BOOLEAN | -se | Stop on spurious errors (default: false) |
| autocalibration-strategy | STRING | -acs | Custom auto-calibration strategies. Can be used multiple times. Implies -ac |
| dont-fetch-response-body | BOOLEAN | -ignore-body | Do not fetch the response content. (default: false) |
| ignore-wordlist-comments | BOOLEAN | -ic | Ignore wordlist comments (default: false) |
| dirsearch-wordlist-compatibility-mode | BOOLEAN | -D | DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false) |
example
# ffuf-virtual-hosts: Host-header fuzz against a shared originffuf -u https://198.51.100.10/ -w vhosts.txt -H 'Host: FUZZ.example.com' -mc 200,301,302 -fc 404 -rate 50api.example.com [Status: 200, Size: 4821]dev.example.com [Status: 302, Size: 178]staging.example.com [Status: 200, Size: 9102]admin.example.com [Status: 401, Size: 412]www.example.com [Status: 200, Size: 15440]mail.example.com [Status: 301, Size: 0]guidance
Use ffuf-virtual-hosts when you have a live IP or host and want to find the sites it serves by Host header rather than by DNS name. For directory and file content discovery on a single URL, use ffuf; to fuzz one wordlist across many URLs, use ffuf-multi.
The general single-target fuzzer with FUZZ placed anywhere. ffuf-virtual-hosts pins the FUZZ to the Host header.
Runs one wordlist across a list of URLs for content discovery. A bulk sibling, not vhost-focused.
Older Python web fuzzer that can also fuzz headers. ffuf is the faster Go engine for this job.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
Fastest recursive HTTP fuzzer, like a Ferrari.
A hosts file and a vhost wordlist feed ffuf-virtual-hosts, which fuzzes the Host header against each target and writes the discovered virtual hosts as a queryable output.
Facts on this page come from the live Trickest tool library.