🧠 FFUF Cheat Sheet
🔹 Basic Usage
```bash
ffuf -u http://target/FUZZ -w wordlist.txt
```
- `-u`: target URL; the `FUZZ` keyword marks where each wordlist entry is substituted
- `-w`: wordlist file path
🔹 Directory & File Discovery
Simple Dir Bruteforce
```bash
ffuf -u http://target/FUZZ -w /usr/share/wordlists/dirb/common.txt
```
Recursive Scan
```bash
ffuf -u http://target/FUZZ -w wordlist.txt -recursion
```
Recursion only works with the `FUZZ` keyword and the URL has to end in it; add `-recursion-depth N` to cap how deep ffuf follows discovered directories.
File Extension Scan
```bash
ffuf -u http://target/FUZZ -w wordlist.txt -e .php,.html,.txt
```
`-e` extends the keyword: every word is requested as-is and once per extension (`admin`, `admin.php`, `admin.html`, ...).
Custom Headers
```bash
ffuf -u http://target/FUZZ -w wordlist.txt -H "Host: vhost.target"
```
`-H` takes `"Name: Value"` and can be repeated for several headers.
🔹 Sub-Domain Discovery
```bash
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/
```
Each candidate is resolved through DNS, so this only finds names that actually have a resolvable record; names served only as virtual hosts on a known IP need the VHost technique below.
🔹 VHost Discovery
```bash
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx
```
Replace `PORT` with the service port and `xxx` with the response size of the server's default virtual host: request the target once with a bogus `Host:` value and note the size, otherwise every word comes back as a "hit" because the default site answers for all of them. `-ac` lets ffuf auto-calibrate that baseline instead.
🔹 Parameter Fuzzing
GET Parameter
```bash
ffuf -u "http://target/page.php?FUZZ=value" -w params.txt
```
POST Parameter
```bash
ffuf -u http://target -X POST -d "username=FUZZ&password=test" -w usernames.txt
```
For parameter discovery the interesting responses usually differ only in size or word count from the baseline, so pair these with `-fs`/`-fw` or `-ac`.
🔹 Authentication
Cookie Injection
```bash
ffuf -u http://target/FUZZ -w wordlist.txt -H "Cookie: session=xyz"
```
Basic Auth
```bash
ffuf -u http://target/FUZZ -w wordlist.txt -H "Authorization: Basic "
```
The Basic value is the base64 encoding of `user:password`; fill it in after the space.
🔹 Filtering Results
By Status Code
```bash
-fc 404   # hide 404s (comma-separated lists and ranges are accepted, e.g. -fc 403,404,500-599)
```
By Response Size
```bash
-fs 1234  # hide responses of exactly 1234 bytes
```
By Regex
```bash
-mr "password|flag"   # matcher: show only responses whose body matches the regex
```
`-mr` is a matcher (keep what matches); its filter counterpart is `-fr` (drop what matches). The same pairs exist for status (`-mc`/`-fc`), size (`-ms`/`-fs`), words (`-mw`/`-fw`) and lines (`-ml`/`-fl`).
🔹 Advanced Usage
Multiple Fuzzing Points
```bash
ffuf -u http://target/FUZZ/page/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z
```
Each `-w` binds a wordlist to its own keyword. With several wordlists the default `-mode clusterbomb` tries every combination; `-mode pitchfork` walks the lists in lockstep (line 1 with line 1, and so on).
Rate Limiting
```bash
-rate 50   # cap at 50 requests per second
-p 0.2     # 0.2 s delay between requests (a range such as 0.1-1.0 randomises it)
-t 10      # number of concurrent threads (default is 40)
```
Timeout
```bash
-timeout 5   # per-request timeout in seconds
```
📦 Recommended Wordlists
| Purpose | Example Path |
|---|---|
| Directories | /usr/share/wordlists/dirb/common.txt |
| Files | SecLists/Discovery/Web-Content/raft-small-files.txt |
| Parameters | SecLists/Discovery/Web-Content/burp-params.txt |
| Extensions | .php, .txt, .bak, .old |
🧠 Tactical Tips
- Use `-s` (silent mode) for cleaner terminal output, and `-o results.json -of json` (or `-of csv`, `md`, `html`) to keep a parsable log of every hit
- Always filter results with `-fc` or `-fs` (or let `-ac` auto-calibrate the baseline) to reduce noise
- Combine ffuf scans with Burp Suite, nmap, and manual inspection; `-replay-proxy http://127.0.0.1:8080` sends only the matched requests through Burp