__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

ffuf Cheatsheet

← Back to cheatsheets

← Home

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It's highly flexible for directory discovery, parameter fuzzing, virtual host discovery, and more.

Basic Usage

  • ffuf -u <url>/FUZZ -w <wordlist> - Basic directory fuzzing
  • FUZZ keyword marks where wordlist entries are inserted

Input Options

  • -u - Target URL with FUZZ keyword
  • -w - Wordlist file (can use multiple: -w list1:KEYWORD1 -w list2:KEYWORD2)
  • -X - HTTP method (default GET)
  • -d - POST data
  • -H - Header (can use multiple)
  • -b - Cookie data

Matcher Options (Show Results)

  • -mc - Match HTTP status codes (default 200,204,301,302,307,401,403,405)
  • -ml - Match response line count
  • -mr - Match regex pattern
  • -ms - Match response size
  • -mw - Match word count
  • -mt - Match response time (milliseconds)

Filter Options (Hide Results)

  • -fc - Filter HTTP status codes
  • -fl - Filter by line count
  • -fr - Filter by regex
  • -fs - Filter by response size
  • -fw - Filter by word count
  • -ft - Filter by response time

Output Options

  • -o - Output file
  • -of - Output format (json, ejson, html, md, csv, all)
  • -od - Output directory for matched results
  • -v - Verbose output
  • -s - Silent mode (no banner)
  • -c - Colorize output

Performance Options

  • -t - Threads (default 40)
  • -p - Delay between requests (seconds, e.g., 0.1)
  • -rate - Requests per second
  • -timeout - Request timeout (default 10)

Other Options

  • -r - Follow redirects
  • -recursion - Enable recursion
  • -recursion-depth - Max recursion depth
  • -e - Extension list (.php,.html,.txt)
  • -ic - Ignore wordlist comments
  • -ac - Autocalibrate filtering
  • -x - Proxy URL
  • -replay-proxy - Send matches through proxy

Common Examples

Directory Discovery

ffuf -u http://example.com/FUZZ -w wordlist.txt

Basic directory brute forcing.

With Extensions

ffuf -u http://example.com/FUZZ -w wordlist.txt -e .php,.html,.txt

Add extensions to each word.

Filter by Size

ffuf -u http://example.com/FUZZ -w wordlist.txt -fs 4242

Hide responses of specific size.

POST Parameter Fuzzing

ffuf -u http://example.com/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt

Fuzz POST parameters.

Header Fuzzing

ffuf -u http://example.com -H "X-Custom-Header: FUZZ" -w wordlist.txt

Fuzz header values.

Virtual Host Discovery

ffuf -u http://example.com -H "Host: FUZZ.example.com" -w subdomains.txt -fs 4242

Find virtual hosts.

GET Parameter Fuzzing

ffuf -u "http://example.com/page?id=FUZZ" -w numbers.txt

Fuzz GET parameters.

Multiple Wordlists

ffuf -u http://example.com/FOLDER/FILE -w dirs.txt:FOLDER -w files.txt:FILE

Use multiple wordlists with keywords.

Autocalibrate

ffuf -u http://example.com/FUZZ -w wordlist.txt -ac

Automatically calibrate filters.

With Proxy

ffuf -u http://example.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

Route through Burp Suite.

Rate Limited

ffuf -u http://example.com/FUZZ -w wordlist.txt -rate 50

Limit to 50 requests/second.

Recursive

ffuf -u http://example.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

Recurse into found directories.

Tips

  • Use -ac for auto-calibration on unknown targets
  • Filter by size (-fs) when pages return custom 404s
  • Use -replay-proxy to send only matches through Burp
  • Multiple FUZZ keywords enable complex fuzzing
  • Faster than gobuster for most use cases
  • Use -e for extension fuzzing
  • Match on response time (-mt) can find blind vulns
  • Always get authorization before scanning

← Back to cheatsheets

← Home