ENNAENNA

ffuf Cheat Sheet

Fast web fuzzer for directory discovery, virtual host enumeration, and parameter brute-forcing. Covers filtering, matching, recursion, and integration with wordlists.

View ffuf tool page

Directory Brute-Forcing

Fuzz directories using the raft medium wordlist

$ ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

Fuzz with file extensions appended to each word

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.js,.txt

Look for backup files while filtering out 403 responses

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -e .bak,.old,.swp -fc 403

Fuzz directories with an authentication header

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN"

Virtual Host Discovery

Discover virtual hosts by fuzzing the Host header, filter empty responses

$ ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 0

Vhost discovery against an IP, match only 200 status codes

$ ffuf -u http://10.10.10.10 -H "Host: FUZZ.target.com" -w subdomains.txt -mc 200

Filter responses by line count to remove default pages

$ ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fl 10

Parameter Fuzzing

Discover hidden GET parameters by filtering default response size

$ ffuf -u https://target.com/page?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 4242

Fuzz JSON POST body parameter names

$ ffuf -u https://target.com/api -X POST -d '{"FUZZ":"value"}' -H "Content-Type: application/json" -w params.txt

Brute-force numeric parameter values matching 200 responses

$ ffuf -u https://target.com/page?id=FUZZ -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -mc 200

Clusterbomb attack with two wordlists on separate parameters

$ ffuf -u https://target.com/page -X POST -d "user=FUZZ&pass=FUZZ2" -w users.txt:FUZZ -w passes.txt:FUZZ2 -fc 401

Filters & Matchers

Match only specific HTTP status codes

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302

Filter out responses of a specific byte size

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234

Filter by word count to remove uniform error pages

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 42

Filter responses matching a regex pattern in the body

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -fr "not found|error"

Auto-calibrate filters based on initial response analysis

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -ac

Recursion & Output

Recursively fuzz discovered directories up to 3 levels deep

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 3

Save results as JSON for programmatic processing

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json

Run with 100 threads capped at 500 requests per second

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100 -rate 500

Verbose CSV output including redirect locations

$ ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.csv -of csv -v

More Cheat Sheets

Nmap Cheat Sheet

6 sections

Hashcat Cheat Sheet

5 sections

SQLMap Cheat Sheet

5 sections

Nuclei Cheat Sheet

5 sections

Subfinder Cheat Sheet

4 sections

Metasploit Cheat Sheet

5 sections