LinuxCommandLibrary

ffuf

Subdomain and directory discovery tool.

TLDR

Discover directories using a [w]ordlist on a target [u]rl with [c]olorized and [v]erbose output

$ ffuf -w [path/to/wordlist] -u [https://target/FUZZ] -c -v

Fuzz host-[H]eaders with a host file on a target website and [m]atch HTTP 200 [c]ode responses
$ ffuf -w [hosts.txt] -u [https://example.org] -H "[Host: FUZZ]" -mc [200]

Discover directories using a [w]ordlist on a target website with a max individual job time of 60 seconds and recursion discovery depth of 2 levels
$ ffuf -w [path/to/wordlist] -u [https://target/FUZZ] -maxtime-job [60] -recursion -recursion-depth [2]

Fuzz GET parameter names on a target website and [f]ilter out responses whose [s]ize is 4242 bytes (the size of the page returned for an unknown parameter)
$ ffuf -w [path/to/param_names.txt] -u [https://target/script.php?FUZZ=test_value] -fs [4242]

Fuzz the password field of a POST form with POST [d]ata on a target website and [f]ilter out HTTP response [c]ode 401 (note: no backslash before the ampersand; inside double quotes the shell would pass it through literally and corrupt the body)
$ ffuf -w [path/to/postdata.txt] -X [POST] -d "[username=admin&password=FUZZ]" -u [https://target/login.php] -fc [401]

Discover subdomains using a subdomain list on a target website
$ ffuf -w [subdomains.txt] -u [https://website.com] -H "[Host: FUZZ.website.com]"

SYNOPSIS

     ffuf [options]

DESCRIPTION

ffuf is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing. The FUZZ keyword, placed in the URL, a header or the request body, marks where each wordlist entry is substituted.

OPTIONS

HTTP OPTIONS:

-H

Header "Name: Value", separated by colon. Multiple -H flags are accepted.

-X

HTTP method to use (default: GET)

-b

Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.

-d

POST data

-r

Follow redirects (default: false)

-recursion

Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)

-recursion-depth

Maximum recursion depth. (default: 0)

-replay-proxy

Replay matched requests using this proxy.

-timeout

HTTP request timeout in seconds. (default: 10)

-u

Target URL

-x

HTTP Proxy URL

GENERAL OPTIONS:

-V

Show version information. (default: false)

-ac

Automatically calibrate filtering options (default: false)

-acc

Custom auto-calibration string. Can be used multiple times. Implies -ac

-c

Colorize output. (default: false)

-maxtime

Maximum running time in seconds. (default: 0)

-p

Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"

-s

Do not print additional information (silent mode) (default: false)

-sa

Stop on all error cases. Implies -sf and -se. (default: false)

-se

Stop on spurious errors (default: false)

-sf

Stop when > 95% of responses return 403 Forbidden (default: false)

-t

Number of concurrent threads. (default: 40)

-v

Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:

-mc

Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)

-ml

Match amount of lines in response

-mr

Match regexp

-ms

Match HTTP response size

-mw

Match amount of words in response

FILTER OPTIONS:

-fc

Filter HTTP status codes from response. Comma separated list of codes and ranges

-fl

Filter by amount of lines in response. Comma separated list of line counts and ranges

-fr

Filter regexp

-fs

Filter HTTP response size. Comma separated list of sizes and ranges

-fw

Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS:

-D

DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)

-e

Comma separated list of extensions. Extends FUZZ keyword.

-ic

Ignore wordlist comments (default: false)

-input-cmd

Command producing the input. --input-num is required when using this input method. Overrides -w.

-input-num

Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)

-mode

Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)

-request

File containing the raw http request

-request-proto

Protocol to use along with raw request (default: https)

-w

Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
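Two of the input options above are easier to understand from working code. The POSIX sh script below is an added example, not part of ffuf or of this page. payload_for_num is a generator suited to -input-cmd: ffuf runs the command once per request, exports the request index as FFUF_NUM (from 1 up to -input-num) and takes the command's stdout as the payload, as described in the ffuf README. pair_wordlists shows which request combinations clusterbomb and pitchfork produce from two wordlists. The account-ID scheme (a 100000 offset, zero-padding to nine digits, a Luhn check digit), the file name gen.sh and the sample wordlists are constructed for the example.

```shell
#!/bin/sh
# Added example: input generation for ffuf.  Nothing here is ffuf's own code.

# luhn_check_digit DIGITS: Luhn check digit for a digit string (the rightmost
# payload digit is the first one doubled).
luhn_check_digit() {
    digits=$1
    sum=0
    double=1
    i=${#digits}
    while [ "$i" -gt 0 ]; do
        d=$(printf '%s' "$digits" | cut -c "$i")
        if [ "$double" -eq 1 ]; then
            d=$((d * 2))
            if [ "$d" -gt 9 ]; then d=$((d - 9)); fi
        fi
        sum=$((sum + d))
        double=$((1 - double))
        i=$((i - 1))
    done
    echo $(( (10 - sum % 10) % 10 ))
}

# luhn_valid NUMBER: true when the last digit is the correct check digit.
luhn_valid() {
    body=$(printf '%s' "$1" | sed 's/.$//')
    last=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    [ "$(luhn_check_digit "$body")" = "$last" ]
}

# payload_for_num [N]: map a request index (argument, or FFUF_NUM when called
# by ffuf) to a 10-digit account ID: constructed offset 100000 plus N,
# zero-padded to 9 digits, plus the Luhn digit.  Every value therefore passes
# a check-digit validation that a plain numeric wordlist would mostly fail.
# Wiring into ffuf (gen.sh is this file):
#   ffuf -input-cmd 'sh gen.sh' -input-num 500 -u https://target/account/FUZZ -fc 404
payload_for_num() {
    n=${1:-${FFUF_NUM:?FFUF_NUM is not set and no index was given}}
    body=$(printf '%09d' $((100000 + n)))
    printf '%s%s\n' "$body" "$(luhn_check_digit "$body")"
}

# pair_wordlists MODE FILE_A FILE_B: the combinations -mode produces from two
# wordlists, one "a b" line per request.
#   clusterbomb: every entry of A with every entry of B (|A|*|B| requests)
#   pitchfork:   A[i] with B[i] in lockstep, ending at the shorter list
# Only the set of combinations is reproduced, not ffuf's iteration order.
pair_wordlists() {
    case $1 in
        clusterbomb)
            while IFS= read -r a; do
                while IFS= read -r b; do printf '%s %s\n' "$a" "$b"; done < "$3"
            done < "$2" ;;
        pitchfork)
            # paste pads the shorter file with empty fields; drop those rows.
            paste "$2" "$3" | awk -F '\t' '$1 != "" && $2 != "" { print $1, $2 }' ;;
        *)
            echo "unknown mode: $1 (use clusterbomb or pitchfork)" >&2
            return 1 ;;
    esac
}

# Stand-alone demo: outside ffuf, FFUF_NUM defaults to 1.
payload_for_num "${FFUF_NUM:-1}"
```

With pitchfork the two lists are consumed in parallel, so a 1000-line username list paired with a 1000-line password list of known-leaked pairs costs 1000 requests; the same two lists under clusterbomb cost a million, which is the mode you want for a wordlist-times-extension or parameter-times-value sweep but rarely for credential pairs.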

OUTPUT OPTIONS:

-debug-log

Write all of the internal logging to the specified file.

-o

Write output to file

-od

Directory path to store matched results to.

-of

Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json)

EXAMPLE USAGE:

Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output.

     ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

Fuzz Host-header, match HTTP 200 responses.

     ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

Fuzz POST JSON data. Match all responses not containing text "error".

     ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.

     ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
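Picking -fs, -fc or -fw values by eye is error-prone, and for virtual host fuzzing (where every Host value usually gets the same catch-all page with status 200) the default matcher codes do not help at all; the usual workflow is a first run with -mc all, a look at which response size dominates, then a second run filtering it out. The POSIX sh helpers below are an added example, not ffuf's own code: they post-process a result file written with -o results.csv -of csv, build a histogram of (status_code, content_length) pairs, suggest the dominant length as a -fs value, and show what survives once it is applied. The sample CSV is constructed, and the column order (FUZZ, url, redirectlocation, position, status_code, content_length, content_words, content_lines, content_type, duration, resultfile) is assumed to match ffuf's csv writer for a single-keyword run; adjust the field numbers if your version differs. Fields containing commas are not handled.

```shell
#!/bin/sh
# Added example: triage an ffuf CSV result file to choose filter values.
# Assumed column layout (ffuf -of csv, single FUZZ keyword):
#   1 FUZZ  2 url  3 redirectlocation  4 position  5 status_code
#   6 content_length  7 content_words  8 content_lines  9 content_type
#   10 duration  11 resultfile

# Constructed sample: a directory run against a host whose "not found"
# handler answers 200 with a 4242-byte page instead of a 404.
SAMPLE_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,https://target/admin,,1,200,4242,300,80,text/html,12ms,
backup,https://target/backup,,2,200,4242,300,80,text/html,11ms,
login,https://target/login,,3,200,1873,120,40,text/html,15ms,
test,https://target/test,,4,200,4242,300,80,text/html,10ms,
api,https://target/api,https://target/api/,5,301,0,0,0,,9ms,
old,https://target/old,,6,200,4242,300,80,text/html,13ms,
.git,https://target/.git,,7,403,162,5,3,text/html,8ms,'

# write_sample FILE: materialise the constructed sample for the helpers below.
write_sample() { printf '%s\n' "$SAMPLE_CSV" > "$1"; }

# size_histogram FILE: one line per (status_code, content_length) pair as
# "count status length", most frequent first.  A pair that dominates the run
# is almost always the catch-all response, not a real finding.
size_histogram() {
    awk -F, 'NR > 1 && NF >= 6 { n[$5 "," $6]++ }
             END { for (k in n) print n[k], k }' "$1" | sort -rn | sed 's/,/ /'
}

# suggest_fs FILE [MIN_PERCENT]: print the content_length to pass to -fs when
# one length accounts for at least MIN_PERCENT (default 50) of all hits.
# Prints nothing otherwise, so the caller never filters on a guess.
suggest_fs() {
    awk -F, -v min="${2:-50}" '
        NR > 1 && NF >= 6 { total++; n[$6]++ }
        END {
            best = ""; bestc = 0
            for (k in n) if (n[k] > bestc) { bestc = n[k]; best = k }
            if (total > 0 && bestc * 100 >= min * total) print best
        }' "$1"
}

# apply_fs FILE SIZE: what survives "-fs SIZE", as "FUZZ status length" lines.
# These rows deserve a manual look or a second, narrower ffuf run.
apply_fs() {
    awk -F, -v fs="$2" 'NR > 1 && NF >= 6 && $6 != fs { print $1, $5, $6 }' "$1"
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp) && write_sample "$demo"
echo "status/length histogram (count status length):"
size_histogram "$demo"
fs=$(suggest_fs "$demo")
echo "suggested filter: -fs ${fs:-<none, no dominant size>}"
if [ -n "$fs" ]; then
    echo "remaining after -fs $fs:"
    apply_fs "$demo" "$fs"
fi
rm -f "$demo"
```

On the sample the histogram puts "4 200 4242" first, suggest_fs returns 4242, and apply_fs leaves login (a real 200 of a different size), api (a 301 to a directory) and .git (403, which still confirms the path exists). Raising the threshold to 80 percent returns nothing, which is the right answer when no single size stands out and -ac or a closer look at the bodies is needed instead.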

More information and examples: https://github.com/ffuf/ffuf

AUTHOR

This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos <pedro@loami.eng.br> for the Debian project (but may be used by others).
