Ffuf Cheatsheet

fuff Cheatsheet

About fuff

Ffuf (Fuzz Faster U Fool) is a high-speed web fuzzer written in Go, designed for web application security testing and discovery.

Commmon Snippets

ffuf -c -w $wordlist -u $url/FUZZ -t $threads -v                     # Directorios
ffuf -c -w $wordlist -u $url -t $threads -v                          # Parámetros GET
ffuf -c -w $wordlist -u $url -X POST -d "$post_data" -t $threads -v  # Formularios POST
ffuf -c -w $wordlist -u FUZZ.$domain -t $threads -v                  # Subdominios

Installation
Basic Usage
Filtering Options
Wordlist Management
Advanced Features
Common Use Cases
Output Options
Performance Tuning

# Download latest release from GitHub
go install github.com/ffuf/ffuf/v2@latest

# Verify installation
ffuf -V

git clone https://github.com/ffuf/ffuf
cd ffuf
go get
go build

Basic Usage

Core Syntax

# Basic directory fuzzing
ffuf -w wordlist.txt -u http://target.com/FUZZ

# Multiple parameters
ffuf -w users.txt:USER -w pass.txt:PASS -u http://target.com/login.php

Common Parameters

-w      # Wordlist and keyword
-u      # Target URL
-H      # Header
-X      # HTTP method (GET/POST/PUT/PATCH)
-d      # POST data
-t      # Number of threads

Filtering Options

Response Filters

# Filter by status code
-fc 404,403     # Filter HTTP status codes
-fs 1234        # Filter response size
-fl 24          # Filter by response line count
-fw 374         # Filter by response word count
-ft 2.4s        # Filter by response time

# Match filters (opposite of filter)
-mc 200,301     # Match status codes
-ms 1234        # Match response size
-ml 24          # Match line count
-mr "text"      # Match regex in response

Advanced Filtering

# Combining filters
ffuf -w wordlist.txt \
  -u https://target.com/FUZZ \
  -mc 200 \
  -fs 1234 \
  -fr "Not Found"

# Custom matchers
-mr "admin|login"    # Match responses containing regex
-mh "User-Agent"     # Match specific headers

Common Use Cases

Directory Discovery

# Basic directory scanning
ffuf -w /path/to/wordlist.txt \
  -u https://target.com/FUZZ \
  -mc 200,301,302,403

# With file extensions
ffuf -w wordlist.txt \
  -e .php,.html,.txt \
  -u https://target.com/FUZZ

Virtual Host Discovery

# Subdomain enumeration
ffuf -w subdomains.txt \
  -u https://FUZZ.target.com \
  -H "Host: FUZZ.target.com" \
  -mc 200,301,302

Parameter Fuzzing

# GET parameters
ffuf -w params.txt \
  -u https://target.com/api?FUZZ=value

# POST parameters
ffuf -w params.txt \
  -X POST \
  -d "FUZZ=value" \
  -u https://target.com/api

Advanced Features

Authentication

# Basic auth
-H "Authorization: Basic BASE64_CREDENTIALS"

# Bearer token
-H "Authorization: Bearer YOUR_TOKEN"

# Cookie
-H "Cookie: session=123456"

Custom Matchers and Filters

# Custom regex matcher
-mr "admin|dashboard"

# Size filter with tolerance
-fs 1234 -fs-tolerance 100

# Time-based filtering
-ft 2.4s

Output Options

Output Formats

# JSON output
-o output.json -of json

# HTML report
-o report.html -of html

# Markdown output
-o notes.md -of md

# CSV format
-o results.csv -of csv

Verbosity Levels

-v          # Verbose output
-silent     # Silent mode

Performance Tuning

Threading Configuration

# Adjust number of threads
-t 50

# Rate limiting
-rate 100

Request Optimization

# Auto-calibration
-ac

# Delay between requests
-p 0.1

Memory Management

# Stop after matches
-max-time 300
-stop-on-error