Fuzz Faster U Fool: A fast web fuzzer written in Go.

To update or switch versions, run webi ffuf@stable (or @v2, @beta, etc).

Files

These are the files / directories that are created and/or modified with this install:

~/.config/envman/PATH.env
~/.local/bin/ffuf

Cheat Sheet

ffuf is a powerful web fuzzer written in Go. With a range of functionalities and fast performance, it's a must-have tool for penetration testers and security researchers.


Rotate through wordlists to discover and report exposed URLs, domains, etc.

# ffuf -w <list>[:VAR] -u 'https://<target>/<VAR>'
ffuf -w ./fuzz-Bo0oM.txt -u 'https://ffuf.io.fi/FUZZ'
# two wordlists are combined clusterbomb-style by default (every SUB x PATH pair)
ffuf \
    -w ./fuzz-Bo0oM.txt:'FUZZ_PATH' \
    -w ./subdomains-top1million-5000.txt:'FUZZ_SUB' \
    -u 'https://FUZZ_SUB.ffuf.io.fi/FUZZ_PATH'

How to get ffuf wordlists

Download                         Source                    Desc
onelistforallmicro.txt           OneListForAll             Words, Paths, Files
fuzz-Bo0oM.txt                   SecLists/Fuzzing          Words, Paths, Files
subdomains-top1million-5000.txt  SecLists/.../DNS          Common Subdomains
burp-parameter-names.txt         SecLists/.../Web-Content  HTTP Query Params
urls-wordpress-3.3.1.txt         SecLists/.../URLs         WordPress v3 Paths

These were pulled from the resources listed on the ffuf wiki's Wordlist Resources page.

How to Discover Exposed Content

For typical directory discovery:

ffuf -w ./onelistforallmicro.txt:'FUZZ' -u https://example.com/FUZZ

How to Discover Virtual Hosts (VHost Fuzzing)

Fuzzing the Host header finds virtual hosts served from the same address (this is vhost discovery, not domain fronting). The default virtual host answers every unknown Host with the same page, so filter that response out by size. The 4242 below is a placeholder: measure it first by sending a Host header that cannot exist and reading the body length, then pass that number to -fs:

ffuf \
    -w ./subdomains-top1million-5000.txt:'SUB' \
    -u https://example.com \
    -H "Host: SUB.example.com" \
    -fs 4242
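The step the cheat sheet leaves out is where the -fs number comes from. The script below is an added example, not code from the ffuf project or this page: it measures the default virtual host's body size with curl using a hostname that cannot be a real vhost, then builds the ffuf command with that size. It assumes curl and ffuf are on PATH and uses the cheat sheet's example.com and wordlist file name as placeholders.

```shell
#!/bin/sh
# Added example (not from the ffuf project or this page): measure the default
# virtual host's response size instead of guessing the -fs value.
# Assumes curl and ffuf are on PATH and the wordlist path below exists.

# Body size (bytes) the server returns for a Host header that cannot match any
# configured vhost. That is the "default virtual host" page ffuf must filter.
measure_baseline() {
    url=$1
    bogus_host=$2
    curl -sk -o /dev/null -w '%{size_download}' -H "Host: $bogus_host" "$url"
}

# Bare hostname from a URL: https://example.com:8443/x -> example.com
host_of() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:].*$##'
}

# Print the ffuf command line for a measured baseline size.
# -mc all: match every status code, then let -fs remove the default-vhost noise.
vhost_fuzz_cmd() {
    url=$1
    wordlist=$2
    size=$3
    domain=$(host_of "$url")
    printf 'ffuf -w %s:SUB -u %s -H "Host: SUB.%s" -fs %s -mc all\n' \
        "$wordlist" "$url" "$domain" "$size"
}

# Usage: . ./vhost-fuzz.sh && vhost_fuzz https://example.com ./subdomains-top1million-5000.txt
vhost_fuzz() {
    url=$1
    wordlist=${2:-./subdomains-top1million-5000.txt}
    domain=$(host_of "$url")
    # A label containing this shell's PID is as good as guaranteed not to be a vhost.
    size=$(measure_baseline "$url" "no-such-vhost-$$.$domain")
    echo "default vhost body size: $size bytes (passed to -fs)" >&2
    vhost_fuzz_cmd "$url" "$wordlist" "$size" | sh
}
```

ffuf can do the same calibration itself with -ac, which sends a few random inputs and filters whatever they match; measuring by hand is still useful when the default page varies slightly in size, because then you will want -fw or -fl (words or lines) instead of -fs.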

How to Fuzz GET Parameters

For fuzzing GET parameter names, filter out the size of the response you get when the parameter is ignored (4242 is again a placeholder). Quote the URL so the shell does not treat ? as a glob:

ffuf \
    -w ./burp-parameter-names.txt:'KEY' \
    -u 'https://example.com/script.php?KEY=test_value' \
    -fs 4242
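The three how-tos above (content discovery, vhost fuzzing, parameter fuzzing) all hinge on knowing which response is the "nothing here" one, which is what -fs 4242 stands in for. If you ran without a filter, you can recover it from ffuf's JSON report (-o results.json -of json): the signature most results share is the baseline, and everything else is worth a look. The script below is an added example, not code from the ffuf project or this page. The JSON sample inside it is constructed in the shape of ffuf's report, and the example.com URLs are the cheat sheet's placeholders, not scan data.

```python
"""Added example (not from the ffuf project or this page): triage an ffuf JSON
report by separating the dominant response signature from the outliers.

Run ffuf with `-mc all -o results.json -of json`, then:
    python3 ffuf_triage.py results.json
With no argument the constructed sample below is used.
"""
import json
import sys
from collections import Counter

# Constructed sample shaped like ffuf's JSON report: a top-level "results" list
# whose entries carry the keyword input plus status/length/words/lines/url.
SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -w ./burp-parameter-names.txt:KEY "
                   "-u https://example.com/script.php?KEY=test_value -mc all",
    "results": [
        {"input": {"KEY": "id"}, "position": 1, "status": 200, "length": 4242,
         "words": 300, "lines": 40, "url": "https://example.com/script.php?id=test_value"},
        {"input": {"KEY": "page"}, "position": 2, "status": 200, "length": 4242,
         "words": 300, "lines": 40, "url": "https://example.com/script.php?page=test_value"},
        {"input": {"KEY": "debug"}, "position": 3, "status": 200, "length": 4890,
         "words": 350, "lines": 52, "url": "https://example.com/script.php?debug=test_value"},
        {"input": {"KEY": "user"}, "position": 4, "status": 200, "length": 4242,
         "words": 300, "lines": 40, "url": "https://example.com/script.php?user=test_value"},
        {"input": {"KEY": "admin"}, "position": 5, "status": 302, "length": 0,
         "words": 1, "lines": 1, "redirectlocation": "/login",
         "url": "https://example.com/script.php?admin=test_value"},
        {"input": {"KEY": "q"}, "position": 6, "status": 200, "length": 4242,
         "words": 300, "lines": 40, "url": "https://example.com/script.php?q=test_value"},
        {"input": {"KEY": "file"}, "position": 7, "status": 500, "length": 1204,
         "words": 60, "lines": 10, "url": "https://example.com/script.php?file=test_value"},
    ],
})


def load_results(text):
    """Return the results list from an ffuf JSON report."""
    return json.loads(text)["results"]


def signature(r):
    """The tuple ffuf's own matchers/filters work on: status, length, words, lines."""
    return (r["status"], r["length"], r["words"], r["lines"])


def fuzz_value(r):
    """The wordlist entry (entries joined by '/' for several keywords) behind a result."""
    return "/".join(str(v) for _, v in sorted(r["input"].items()))


def baseline(results):
    """Most common signature: what the server answers when the input means
    nothing to it. Its length is the value you would pass to -fs. None if empty."""
    if not results:
        return None
    return Counter(signature(r) for r in results).most_common(1)[0][0]


def outliers(results):
    """Results whose signature differs from the baseline, in ffuf's request order."""
    base = baseline(results)
    ordered = sorted(results, key=lambda r: r["position"])
    return [r for r in ordered if signature(r) != base]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_JSON
    results = load_results(text)
    base = baseline(results)
    if base is None:
        print("no results in report")
        return
    print("baseline (status, length, words, lines): %s -> filter with -fs %d" % (base, base[1]))
    for r in outliers(results):
        print("%-12s %3d %6d bytes  %s" % (fuzz_value(r), r["status"], r["length"], r["url"]))


if __name__ == "__main__":
    main(sys.argv)
```

Counting on the full (status, length, words, lines) tuple rather than length alone matters when the default page embeds the fuzzed value and so changes size by a few bytes per request; in that case the words or lines count is usually still stable and is the one to filter on with -fw or -fl.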

More Resources

See ffuf wiki: https://github.com/ffuf/ffuf/wiki.
