ffuf Cheatsheet
Type: Fast web fuzzer — directory busting, virtual host discovery, parameter fuzzing, Host header fuzzing
Installation
sudo apt install ffuf
# or
go install github.com/ffuf/ffuf/v2@latest
Core Concept
FUZZ is the keyword replaced by each wordlist entry. It can go anywhere in the request — URL path, headers, parameters, body.
ffuf -u http://<ip>/FUZZ -w wordlist.txt
Multiple keywords are supported by naming each wordlist with -w wordlist:KEYWORD; every named keyword must appear somewhere in the request:
ffuf -u "http://<ip>/FUZZ?PARAM=value" -w wordlist1.txt:FUZZ -w params.txt:PARAM
Common Flags
| Flag | Description |
|---|---|
| `-u <url>` | Target URL (include FUZZ) |
| `-w <wordlist>` | Wordlist (use wordlist:KEYWORD for named) |
| `-H <header>` | Add/fuzz header (repeatable) |
| `-X <method>` | HTTP method (default: GET) |
| `-d <data>` | POST data body |
| `-b <cookie>` | Cookie string |
| `-r` | Follow redirects |
| `-k` | Skip TLS verification |
| `-t <n>` | Threads (default: 40) |
| `-p <delay>` | Delay between requests (e.g. 0.1, 0.5-1.5) |
| `-rate <n>` | Max requests per second |
| `-timeout <n>` | Request timeout in seconds |
| `-mc <codes>` | Match status codes (default: 200-299,301,302,307,401,403,405,500) |
| `-ms <size>` | Match response size |
| `-mw <words>` | Match word count |
| `-ml <lines>` | Match line count |
| `-mr <regex>` | Match regex in response body |
| `-fc <codes>` | Filter status codes |
| `-fs <size>` | Filter response size |
| `-fw <words>` | Filter word count |
| `-fl <lines>` | Filter line count |
| `-fr <regex>` | Filter regex in response body |
| `-ac` | Auto-calibrate filters (detects and removes false positives) |
| `-o <file>` | Output file |
| `-of <fmt>` | Output format: json, ejson, html, md, csv, all |
| `-v` | Verbose (show redirects, full URL) |
| `-s` | Silent — only results |
| `-c` | Colorize output |
| `-recursion` | Enable recursive fuzzing |
| `-recursion-depth <n>` | Recursion depth |
| `-e <exts>` | File extensions appended to FUZZ, written with the leading dot (e.g. .php,.html,.txt) |
| `-ic` | Ignore wordlist comments |
| `-input-cmd <cmd>` | Use command output as input instead of wordlist |
Directory & File Fuzzing
# Basic directory scan
ffuf -u http://<ip>/FUZZ -w wordlist.txt
# With file extensions
ffuf -u http://<ip>/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak
# Filter 404s
ffuf -u http://<ip>/FUZZ -w wordlist.txt -fc 404
# Match only 200
ffuf -u http://<ip>/FUZZ -w wordlist.txt -mc 200
# Auto-calibrate (removes false positives automatically)
ffuf -u http://<ip>/FUZZ -w wordlist.txt -ac
# Recursive scanning
ffuf -u http://<ip>/FUZZ -w wordlist.txt -recursion -recursion-depth 3 -e .php
# Filter by response size (remove noise)
ffuf -u http://<ip>/FUZZ -w wordlist.txt -fs 4242
Virtual Host Discovery (Host Header Fuzzing)
# Basic vhost fuzzing
ffuf -u http://<ip> -H "Host: FUZZ.example.com" -w wordlist.txt
# Filter default response size
ffuf -u http://<ip> -H "Host: FUZZ.example.com" \
-w wordlist.txt \
-fs <default_size>
# Auto-calibrate to remove default response
ffuf -u http://<ip> -H "Host: FUZZ.example.com" \
-w wordlist.txt \
-ac
# HTTPS
ffuf -u https://<ip> -H "Host: FUZZ.example.com" \
-w wordlist.txt \
-k -fs <default_size>
Parameter Fuzzing
# GET parameter discovery
ffuf -u "http://<ip>/page?FUZZ=value" -w wordlist.txt -fc 404
# GET parameter value fuzzing
ffuf -u "http://<ip>/page?id=FUZZ" -w numbers.txt
# POST parameter fuzzing
ffuf -u http://<ip>/login \
-X POST \
-d "username=admin&password=FUZZ" \
-w wordlist.txt \
-fc 401
# POST body with JSON
ffuf -u http://<ip>/api/login \
-X POST \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"FUZZ"}' \
-w wordlist.txt
Multiple Wordlists (Clusterbomb / Pitchfork)
# Two keywords — try all combinations (clusterbomb)
ffuf -u http://<ip>/FUZZ/W2 \
-w wordlist.txt:FUZZ \
-w extensions.txt:W2
# Username + password combinations
ffuf -u http://<ip>/login \
-X POST \
-d "user=USER&pass=PASS" \
-w users.txt:USER \
-w passwords.txt:PASS \
-fc 401
Fuzzing with Proxy (Burp Suite)
ffuf -u http://<ip>/FUZZ -w wordlist.txt \
-x http://127.0.0.1:8080 -k
Output
# Save to file (markdown)
ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results.md -of md
# Save as JSON
ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results.json -of json
# Save all formats
ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results -of all
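Choosing the value for -fs, -fw or -fl from a saved run, as an added example (not part of the original cheatsheet and not ffuf's own code): it reads `-of json` results, finds the response shape that most hits share and returns what is left after filtering it. The sample data, the function names and the 60% threshold are assumptions; the field names (results, input, status, length, words, lines) follow ffuf's JSON result layout.

```python
import json
from collections import Counter

# Constructed sample shaped like `-of json` output from a vhost run. The
# catch-all page echoes the Host header, so its size varies with the word.
SAMPLE = json.dumps({"results": [
    {"input": {"FUZZ": "www"}, "status": 200, "length": 4245, "words": 310, "lines": 88},
    {"input": {"FUZZ": "mail"}, "status": 200, "length": 4246, "words": 310, "lines": 88},
    {"input": {"FUZZ": "dev"}, "status": 200, "length": 4245, "words": 310, "lines": 88},
    {"input": {"FUZZ": "admin"}, "status": 200, "length": 4247, "words": 310, "lines": 88},
    {"input": {"FUZZ": "test"}, "status": 200, "length": 4246, "words": 310, "lines": 88},
    {"input": {"FUZZ": "staging"}, "status": 200, "length": 912, "words": 40, "lines": 21},
]})

# Result field -> the ffuf filter flag that drops responses by that field.
FILTERS = (("length", "-fs"), ("words", "-fw"), ("lines", "-fl"))


def dominant(hits, field, min_share):
    """Return the value of `field` shared by >= min_share of hits, else None."""
    value, n = Counter(h[field] for h in hits).most_common(1)[0]
    return value if n / len(hits) >= min_share else None


def triage(ffuf_json, min_share=0.6):
    """Suggest one filter for the default response and return what survives it."""
    hits = json.loads(ffuf_json).get("results", [])
    if not hits:
        return None, []
    # Try size first; fall back to word and line counts, which stay stable
    # when the default page reflects the fuzzed value back.
    for field, flag in FILTERS:
        value = dominant(hits, field, min_share)
        if value is not None:
            keep = [h for h in hits if h[field] != value]
            return f"{flag} {value}", keep
    return None, hits  # no common shape: nothing is safe to filter blindly


if __name__ == "__main__":
    flag, keep = triage(SAMPLE)
    print("suggested filter:", flag)
    for h in keep:
        print(h["status"], h["length"], h["input"]["FUZZ"])
```

On the sample, no single size dominates because the default page reflects the hostname, so the suggestion falls through to the word count.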
Recommended Wordlists
# Directories
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
# Virtual hosts / subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
# Parameters
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
# Passwords
/usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt
Example Full Runs
# Directory + extension scan
ffuf -u http://example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-e .php,.html,.txt,.bak \
-ac -c -v \
-t 50 \
-o ffuf_dir.json -of json
# Virtual host discovery
ffuf -u http://example.com \
-H "Host: FUZZ.example.com" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-ac -c \
-t 50 \
-o ffuf_vhost.json -of json