DOKK / manpages / debian 12 / ffuf / ffuf.1.en
ffuf(1) User Commands ffuf(1)

ffuf - Fast web fuzzer written in Go


ffuf [options]

ffuf is a fest web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

HTTP OPTIONS:

Header "Name: Value", separated by colon. Multiple -H flags are accepted.
HTTP method to use (default: GET)
Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
POST data
Follow redirects (default: false)
Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false) -recursion-depth Maximum recursion depth. (default: 0)
Replay matched requests using this proxy.
HTTP request timeout in seconds. (default: 10)
Target URL
HTTP Proxy URL

GENERAL OPTIONS:

Show version information. (default: false)
Automatically calibrate filtering options (default: false)
Custom auto-calibration string. Can be used multiple times. Implies -ac
Colorize output. (default: false)
Maximum running time in seconds. (default: 0)
Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
Do not print additional information (silent mode) (default: false)
Stop on all error cases. Implies -sf and -se. (default: false)
Stop on spurious errors (default: false)
Stop when > 95% of responses return 403 Forbidden (default: false)
Number of concurrent threads. (default: 40)
Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:

Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
Match amount of lines in response
Match regexp
Match HTTP response size
Match amount of words in response

FILTER OPTIONS:

Filter HTTP status codes from response. Comma separated list of codes and ranges
Filter by amount of lines in response. Comma separated list of line counts and ranges
Filter regexp
Filter HTTP response size. Comma separated list of sizes and ranges
Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS:

DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
Comma separated list of extensions. Extends FUZZ keyword.
Ignore wordlist comments (default: false)
Command producing the input. --input-num is required when using this input method. Overrides -w.
Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
File containing the raw http request
Protocol to use along with raw request (default: https)
Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:

Write all of the internal logging to the specified file.
Write output to file
Directory path to store matched results to.
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json)

Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output. ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

Fuzz Host-header, match HTTP 200 responses. ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

Fuzz POST JSON data. Match all responses not containing text "error". ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored. ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

More information and examples: https://github.com/ffuf/ffuf

This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos <pedro@loami.eng.br> for the Debian project (but may be used by others).

May 2020 ffuf 1.0.2