Mastering ffuf: A Web Fuzzing Deep Dive
ffuf (Fuzz Faster U Fool) is one of the most versatile tools in a web tester's arsenal. Let's go beyond basic directory busting and explore advanced techniques.
Basic Syntax Refresher
ffuf -u https://target.com/FUZZ -w wordlist.txt
The FUZZ keyword is replaced by each word in your wordlist. It can sit anywhere in the request: the URL path, a header value passed with -H, or the body passed with -d.
Advanced Filtering
The key to effective fuzzing is filtering out noise. ffuf offers multiple options:
Filter by Response Code
# Only show 200, 301, 302 responses
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302
# Hide 404s and 403s (ffuf's default matcher already omits 404; -fc matters for codes it would otherwise show, like 403)
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404,403
Filter by Response Size
# Hide responses of exactly 1234 bytes (common for custom 404 pages)
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Hide responses with 50 words (useful for word-based 404s)
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 50
Filter by Response Time
# Hide responses whose time to first byte is under 500 ms, leaving the slow ones that do real work
# (filters hide, matchers keep: -mt '<500' would show only the fast responses instead)
ffuf -u https://target.com/FUZZ -w wordlist.txt -ft '<500'
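Because filters hide and matchers keep, it is easy to get the flag semantics backwards, especially for -ft versus -mt. The following is an added example, not ffuf's own code: a small emulator of ffuf's matcher/filter decision run over a constructed table of responses, so the commands above can be checked without a target. It models ffuf v2 behaviour as assumed here: matchers are OR-ed (-mmode or), filters are OR-ed (-fmode or), a response is printed only if some matcher matches and no filter does, and the built-in status matcher applies only when -mc is not given and no other matcher (-ms/-mw/-ml/-mt) is set. Paths, sizes and timings are made up.

```python
"""Emulate ffuf's matcher/filter decision over constructed responses.

Added example, not ffuf code. Assumed ffuf v2 semantics: matchers OR-ed,
filters OR-ed, shown = any matcher and no filter; the default -mc is used
only when -mc is absent and no other matcher is set.
"""
from dataclasses import dataclass

DEFAULT_MC = "200-299,301,302,307,401,403,405,500"  # ffuf's built-in -mc


@dataclass
class Response:
    path: str
    status: int
    length: int    # response bytes:          -fs / -ms
    words: int     # word count:              -fw / -mw
    lines: int     # line count:              -fl / -ml
    ttfb_ms: int   # time to first byte (ms): -ft / -mt


def in_spec(value, spec):
    """Comma list with ranges, e.g. '200-299,403' or '0-99,1234'; 'all' matches anything."""
    for part in spec.split(","):
        part = part.strip()
        if part == "all":
            return True
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= value <= int(hi):
                return True
        elif int(part) == value:
            return True
    return False


def time_spec(value_ms, spec):
    """-ft/-mt take a single comparison, '>N' or '<N', in milliseconds."""
    op, num = spec[0], int(spec[1:])
    if op == ">":
        return value_ms > num
    if op == "<":
        return value_ms < num
    raise ValueError(f"bad time spec {spec!r}")


def shown(r, mc=None, ms=None, mw=None, ml=None, mt=None,
          fc=None, fs=None, fw=None, fl=None, ft=None):
    """True if ffuf would print response r under these flags."""
    matchers = []
    if ms is not None:
        matchers.append(in_spec(r.length, ms))
    if mw is not None:
        matchers.append(in_spec(r.words, mw))
    if ml is not None:
        matchers.append(in_spec(r.lines, ml))
    if mt is not None:
        matchers.append(time_spec(r.ttfb_ms, mt))
    if mc is not None:
        matchers.append(in_spec(r.status, mc))        # explicit -mc is always applied
    elif not matchers:
        matchers.append(in_spec(r.status, DEFAULT_MC))  # default only when nothing else matches on

    filters = []
    if fc is not None:
        filters.append(in_spec(r.status, fc))
    if fs is not None:
        filters.append(in_spec(r.length, fs))
    if fw is not None:
        filters.append(in_spec(r.words, fw))
    if fl is not None:
        filters.append(in_spec(r.lines, fl))
    if ft is not None:
        filters.append(time_spec(r.ttfb_ms, ft))

    return any(matchers) and not any(filters)


def run(responses, **flags):
    """Paths ffuf would list for this flag set."""
    return [r.path for r in responses if shown(r, **flags)]


# Constructed sample: a fixed 1234-byte custom 404 page and one slow endpoint.
SAMPLE = [
    Response("admin",    301,  169,  10,  5,  120),
    Response("login",    200, 5120, 640, 90,  350),
    Response("notreal1", 404, 1234,  50, 20,   80),
    Response("notreal2", 404, 1234,  50, 20,   75),
    Response("backup",   403,  277,  20, 10,   60),
    Response("report",   200, 5120, 640, 90, 2400),  # 2.4 s to first byte
]

if __name__ == "__main__":
    print(run(SAMPLE, mc="200,301,302"))     # admin, login, report
    print(run(SAMPLE, mc="all", fs="1234"))  # everything except the custom 404s
    print(run(SAMPLE, ft="<500"))            # -ft hides the fast ones: only report
    print(run(SAMPLE, mt="<500"))            # -mt alone replaces the default -mc: 404s appear
```

The last two calls are the point: -ft '<500' leaves only the slow endpoint, and adding -mt on its own widens the output to include 404s because the default status matcher no longer applies, so pair it with -fc or an explicit -mc.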
Multiple Fuzzing Positions
Subdomain Enumeration
# DNS-based: FUZZ in the host part of the URL, so each candidate name is resolved and requested
ffuf -u https://FUZZ.target.com -w subdomains.txt
# Virtual-host discovery: hit one known host and vary only the Host header; -ac filters out the default vhost's response
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -ac
Parameter Discovery
# GET parameters (filter against the response you get with no parameter: -ac, or -fs with its size)
ffuf -u "https://target.com/api?FUZZ=test" -w params.txt
# POST parameters (form body; for a JSON API send a JSON -d and add -H "Content-Type: application/json")
ffuf -u https://target.com/login -X POST -d "FUZZ=test" -w params.txt
Multi-Position Fuzzing
# Username and password bruteforce (default -mode clusterbomb: every user tried with every password)
ffuf -u https://target.com/login -X POST \
-d "user=USERFUZZ&pass=PASSFUZZ" \
-w users.txt:USERFUZZ \
-w passwords.txt:PASSFUZZ \
-fc 401
# -fc 401 assumes a failed login returns 401; if failures come back as 200, filter on the failure page's size (-fs) instead
Custom Wordlists
Creating Targeted Wordlists
CeWL for site-specific words:
cewl https://target.com -d 2 -m 5 -w custom_wordlist.txt
Combining Wordlists
# Merge and deduplicate
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt
Wordlist Recommendations
All of these ship with SecLists (https://github.com/danielmiessler/SecLists):
| Purpose | Wordlist | SecLists path |
|---|---|---|
| Directories | raft-medium-directories.txt | Discovery/Web-Content/ |
| Files | raft-medium-files.txt | Discovery/Web-Content/ |
| API endpoints | api-endpoints.txt | Discovery/Web-Content/api/ |
| Subdomains | subdomains-top1million-5000.txt | Discovery/DNS/ |
| Parameters | burp-parameter-names.txt | Discovery/Web-Content/ |
Extension Fuzzing
# Fuzz extensions on a known filename (ffuf's -e .php,.bak does the same by appending extensions to every FUZZ word)
ffuf -u https://target.com/admin.FUZZ -w extensions.txt
# Directory + extension combo
ffuf -u https://target.com/FUZZ.EXT \
-w directories.txt:FUZZ \
-w extensions.txt:EXT
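Both the user/password command and the FUZZ.EXT command above hand ffuf two wordlists, and how ffuf combines them decides the request count. The following is an added example, not ffuf's own code: it reproduces the keyword substitution of -mode clusterbomb (every combination) and -mode pitchfork (the i-th word of each list together) for those two templates, so you can see exactly which requests would go out before pointing it at a target. Keyword names and wordlists are constructed; ffuf's third mode, sniper, is not modelled.

```python
"""Expand a multi-keyword ffuf request the way -mode clusterbomb / pitchfork do.

Added example, not ffuf code. Keywords and wordlists below are constructed to
mirror the two multi-position commands in this post.
"""
import itertools
import math


def expand(template, wordlists, mode="clusterbomb"):
    """Return each concrete string ffuf would build from template.

    wordlists maps keyword -> list of words, i.e. what `-w file:KEYWORD` supplies.
    clusterbomb: every combination, len(a) * len(b) * ... requests.
    pitchfork:   the i-th word of every list together; stops at the shortest list.
    """
    keywords = list(wordlists)
    missing = [k for k in keywords if k not in template]
    if missing:
        raise ValueError(f"keyword(s) {missing} never appear in the request")
    if mode == "clusterbomb":
        combos = itertools.product(*(wordlists[k] for k in keywords))
    elif mode == "pitchfork":
        combos = zip(*(wordlists[k] for k in keywords))
    else:
        raise ValueError(f"unsupported mode {mode!r}")
    out = []
    for combo in combos:
        mapping = dict(zip(keywords, combo))
        s = template
        # Longest keyword first, so a bare FUZZ never clobbers a USERFUZZ-style keyword.
        for k in sorted(mapping, key=len, reverse=True):
            s = s.replace(k, mapping[k])
        out.append(s)
    return out


def request_count(wordlists, mode="clusterbomb"):
    """Requests a run will make; divide by -rate to estimate wall-clock time."""
    sizes = [len(v) for v in wordlists.values()]
    return math.prod(sizes) if mode == "clusterbomb" else min(sizes)


# Constructed inputs mirroring the two multi-position commands above.
LOGIN_BODY = "user=USERFUZZ&pass=PASSFUZZ"
LOGIN_LISTS = {"USERFUZZ": ["admin", "root", "test"],
               "PASSFUZZ": ["admin", "Winter2024!"]}
EXT_URL = "https://target.com/FUZZ.EXT"
EXT_LISTS = {"FUZZ": ["admin", "backup"], "EXT": ["php", "bak", "zip"]}

if __name__ == "__main__":
    for body in expand(LOGIN_BODY, LOGIN_LISTS):                # 3 x 2 = 6 POST bodies
        print(body)
    print(expand(LOGIN_BODY, LOGIN_LISTS, mode="pitchfork"))    # 2 bodies, paired by index
    print(request_count(EXT_LISTS), "URLs:", expand(EXT_URL, EXT_LISTS))
```

Run request_count on your real lists before a clusterbomb job: 10,000 users against 1,000 passwords is ten million requests, which at -rate 100 is over a day, and pitchfork with matched user:password pairs is often what you actually want.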
Output and Reporting
# JSON output for further processing
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# HTML report
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.html -of html
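The JSON file is the one worth keeping, because it lets you calibrate the next run from the last one. The following is an added example, not part of the original post: it reads ffuf's JSON, finds the dominant response cluster (the soft-404 page that a 200-based matcher lets through), turns it into -fs or -fw/-fl flags for the next run, and pulls out redirects, 403s and timing outliers to chase. The JSON is constructed to mirror ffuf's output layout (a top-level "results" list whose entries carry "input", "status", "length", "words", "lines", "redirectlocation", "url" and a "duration" in nanoseconds, as Go serialises time.Duration); the target, paths and numbers are made up.

```python
"""Post-process an ffuf `-of json` run: soft-404 baseline, next-run flags, hits.

Added example, not ffuf code. SAMPLE_JSON is constructed in ffuf's result
layout; durations are nanoseconds, as ffuf writes them.
"""
import json
from collections import defaultdict


def _rec(word, status, length, words, lines, redirect, duration_ns):
    return {"input": {"FUZZ": word}, "position": 0, "status": status,
            "length": length, "words": words, "lines": lines,
            "content-type": "text/html", "redirectlocation": redirect,
            "url": f"https://target.com/{word}", "duration": duration_ns}


SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json",
    "results": [
        _rec("admin",      301,       169,  10,  5, "https://target.com/admin/", 120_000_000),
        _rec("login",      200,      5120, 640, 90, "",                           350_000_000),
        _rec("api",        403,       277,  20, 10, "",                            60_000_000),
        _rec("backup.zip", 200, 8_421_376,  31,  4, "",                           900_000_000),
        # four misses: the site answers 200 with the same 1234-byte "not found" page
        _rec("foo", 200, 1234, 50, 20, "", 80_000_000),
        _rec("bar", 200, 1234, 50, 20, "", 75_000_000),
        _rec("baz", 200, 1234, 50, 20, "", 81_000_000),
        _rec("qux", 200, 1234, 50, 20, "", 79_000_000),
    ],
})


def load_results(text):
    return json.loads(text)["results"]


def baseline(results, min_share=0.4):
    """Dominant (status, words, lines) cluster and the distinct lengths seen in it.

    Returns None when no cluster covers min_share of the run: then there is no
    single 'miss' page to filter and the results need reading by hand.
    """
    groups = defaultdict(list)
    for r in results:
        groups[(r["status"], r["words"], r["lines"])].append(r["length"])
    sig, lengths = max(groups.items(), key=lambda kv: len(kv[1]))
    if len(lengths) / len(results) < min_share:
        return None
    return sig, sorted(set(lengths))


def filter_flags(results):
    """Flags that hide the baseline next time (what -ac works out at runtime).

    Status is matched, not filtered, so a 200 soft-404 has to be cut on size,
    or, when the miss page echoes the path and its size varies, on word and
    line counts.
    """
    found = baseline(results)
    if found is None:
        return ""
    (_, words, lines), lengths = found
    if len(lengths) == 1:
        return f"-fs {lengths[0]}"
    return f"-fw {words} -fl {lines}"


def hits(results):
    """Everything outside the baseline cluster, grouped by status code."""
    found = baseline(results)
    base_sig = found[0] if found else None
    out = defaultdict(list)
    for r in results:
        if (r["status"], r["words"], r["lines"]) != base_sig:
            out[r["status"]].append(r["input"]["FUZZ"])
    return dict(out)


def recursion_targets(results):
    """Paths that behave like directories: redirect to a trailing slash, or 403."""
    return [r["input"]["FUZZ"] for r in results
            if r["status"] == 403
            or (r["status"] in (301, 302, 307) and r["redirectlocation"].endswith("/"))]


def slowest(results, n=3):
    """Slowest responses in ms (duration is nanoseconds); outliers often do real work."""
    ranked = sorted(results, key=lambda r: r["duration"], reverse=True)
    return [(r["input"]["FUZZ"], r["duration"] // 1_000_000) for r in ranked[:n]]


if __name__ == "__main__":
    res = load_results(SAMPLE_JSON)  # in practice: open("results.json").read()
    print("next run:", filter_flags(res))
    print("hits:", hits(res))
    print("recurse into:", recursion_targets(res))
    print("slowest:", slowest(res))
```

On the sample this yields -fs 1234 for the next run, admin and api as directories to fuzz with a trailing slash, and backup.zip as the outlier by both size and time. The min_share threshold is deliberate: if no cluster dominates, the script stays quiet rather than inventing a filter that would hide real pages.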
Real-World Workflow
Here's my typical approach for a new target:
# 1. Quick directory check
ffuf -u https://target.com/FUZZ -w raft-medium-directories.txt -fc 404
# 2. Subdomain enumeration (names that don't resolve produce connection errors, not 404s; -ac handles wildcard DNS that answers for everything)
ffuf -u https://FUZZ.target.com -w subdomains-top1million-5000.txt -ac
# 3. API discovery
ffuf -u https://target.com/api/FUZZ -w api-endpoints.txt -mc 200,301,403
# 4. Parameter fuzzing on interesting endpoints: the endpoint answers every unknown name the same way,
#    so let -ac learn that baseline and filter it; a real parameter changes the size or word count
ffuf -u "https://target.com/api/users?FUZZ=1" -w burp-parameter-names.txt -ac
Pro Tips
- Tune your rate: use `-rate 100` (requests per second) to avoid overwhelming targets
- Auto-calibrate: use `-ac` for automatic response filtering
- Recursion: use `-recursion -recursion-depth 2` carefully
- Color output: use `-c` for colored output (easier to read)
- Silent mode: use `-s` for scripting/pipelines
Conclusion
ffuf's power is in its flexibility. Master filtering and multi-position fuzzing, and you'll uncover findings that scanners miss.
Want hands-on training in web application testing? Contact m1k3@msquarellc.net