Tools · February 9, 2026 · 1 min read · by 0xt0pus

ffuf

Fast web fuzzer for directory discovery, virtual host enumeration, and parameter fuzzing


FFUF

Description

FFUF (Fuzz Faster U Fool) is a fast web fuzzer used for directory and file brute forcing, virtual host enumeration via the Host header, parameter fuzzing, and port scanning through an SSRF. With -request it can replay a raw request saved from Burp Suite, so any part of a request (path, header, body) can be fuzzed by placing the FUZZ keyword there.

Usage 1: Directory Brute Forcing

Fuzz directories and files on a web server. -e appends each extension verbatim to every wordlist entry (the bare entry is still requested as well), so the extensions need the leading dot; without it ffuf would request e.g. /adminhtml instead of /admin.html.

Command:

ffuf -u http://hutch.offsec:5985/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt,.aspx

Usage 2: Fuzzing Special Characters

Save the raw request from Burp to a file and put FUZZ where the payload should be injected; ffuf replays the request once per wordlist entry. -request-proto http is required here because ffuf assumes https for request files by default.

Command:

ffuf -request req.txt -request-proto http -w /opt/SecLists/Fuzzing/special-chars.txt

Command (match only responses of a specific size, here 0 bytes):

ffuf -request req.txt -request-proto http -w /opt/SecLists/Fuzzing/special-chars.txt -ms 0

Usage 3: SSRF Port Scanning

Use a process substitution, <(seq 1 65535), as the wordlist so FUZZ takes every port number in turn in the URL the SSRF parameter fetches. -fr filters out every response whose body matches the regex, so only ports that produced a different response remain.

Command:

ffuf -request req.txt -request-proto http -w <(seq 1 65535) -fr "1630734277837_ebe62757b6e0.jpeg"

Command (filter out the response sizes that unreachable ports produce; the sizes differ only because the port number is echoed back, so list each one):

ffuf -request req.txt -request-proto http -w <(seq 1 65535) -fs 131400,131406,131412,131418

Usage 4: Subdomain Enumeration

Fuzz virtual hosts by placing FUZZ in the Host header. The -w path:FUZZ syntax binds the wordlist to the keyword, and -fs 15949 drops responses of the default vhost's size so only names served differently remain.

Command:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://board.htb/ -H 'Host: FUZZ.board.htb' -fs 15949
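The -fs lists in the SSRF and vhost commands above have to come from somewhere: a first unfiltered run, whose dominant response sizes are then excluded. The script below is an added example (not part of the original page and not ffuf's own code) that automates that step. It assumes ffuf was run with -o out.json -of json and that each entry under "results" carries an "input" map (keyword to payload), a "status" and a "length" field, which is the layout ffuf's JSON writer uses; the sample run embedded in the script is constructed by hand and is not real target data.

```python
"""Pick ffuf -fs values and spot outlier ports from a JSON run.

Added example, not code from the page or from ffuf. Assumes the output file
was produced with `-o out.json -of json` and that every result carries
"input" (keyword -> payload), "status" and "length". SAMPLE_JSON below is
constructed to mimic an SSRF port scan and is not real data.
"""
import json
from collections import Counter

# Constructed sample: most ports come back with the same "could not fetch"
# body whose length only shifts with the number of digits echoed back,
# while three ports (22, 80, 8080) answer with something else.
SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -request req.txt -request-proto http -w <(seq 1 65535) -o out.json -of json",
    "results": (
        [{"input": {"FUZZ": str(p)}, "status": 200, "length": 131400} for p in range(1, 10)]
        + [{"input": {"FUZZ": str(p)}, "status": 200, "length": 131406} for p in range(10, 22)]
        + [{"input": {"FUZZ": "22"}, "status": 200, "length": 131520}]
        + [{"input": {"FUZZ": str(p)}, "status": 200, "length": 131406} for p in range(23, 80)]
        + [{"input": {"FUZZ": "80"}, "status": 200, "length": 5120}]
        + [{"input": {"FUZZ": str(p)}, "status": 200, "length": 131412} for p in range(100, 120)]
        + [{"input": {"FUZZ": "8080"}, "status": 200, "length": 2048}]
    ),
})


def load_results(raw_json):
    """Return the list of result dicts from a ffuf JSON output file."""
    return json.loads(raw_json)["results"]


def classify(results, keyword="FUZZ", min_repeats=3):
    """Split results into noise buckets and interesting hits.

    A (status, length) pair seen at least `min_repeats` times is taken to be
    the target's generic "nothing here" response; every other result is a
    candidate open port or otherwise distinct behaviour. Returns
    (noise_lengths, hits): a sorted list of lengths to hand to -fs, and the
    (payload, status, length) tuples in the order ffuf reported them.
    """
    counts = Counter((r["status"], r["length"]) for r in results)
    noise_keys = {key for key, n in counts.items() if n >= min_repeats}
    noise_lengths = sorted({length for _, length in noise_keys})
    hits = [(r["input"][keyword], r["status"], r["length"])
            for r in results if (r["status"], r["length"]) not in noise_keys]
    return noise_lengths, hits


def fs_argument(noise_lengths):
    """Format the lengths as the comma-separated value ffuf's -fs expects."""
    return ",".join(str(n) for n in noise_lengths)


def main():
    results = load_results(SAMPLE_JSON)
    noise, hits = classify(results)
    print("Re-run with: -fs " + fs_argument(noise))
    for payload, status, length in hits:
        print(f"port {payload}: status {status}, size {length}")


if __name__ == "__main__":
    main()
```

Grouping on (status, length) rather than length alone keeps a 500 that happens to match a noise size from being hidden. ffuf's own -ac flag auto-calibrates filters from a few junk requests and is the quicker option when the baseline is stable; the script is for the case above, where the baseline size shifts with the payload and several values have to be listed.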

Usage 5: Fuzzing with Burp Request and Match Status Code

Replay a saved Burp request with a numeric wordlist and show only responses whose HTTP status is 200.

Command:

ffuf -request burp.req -request-proto http -w nums.txt -mc 200