provocativo_


Fuzz Faster U Fool — Joohoi's blazing-fast Go web fuzzer.


$ ffuf --help

ffuf

// what it is

Description

ffuf takes a wordlist and a request template containing the `FUZZ` keyword, substitutes each wordlist entry for the keyword, and blasts the requests out. The keyword can sit in the path, a query parameter, a header, or the POST body, so one tool handles path, parameter, header, and POST-body fuzzing. The bug-bounty community's go-to since 2019.

// use cases

What people use it for

  • Discover hidden parameters
  • Brute-force directories and files
  • Fuzz request bodies / headers for IDORs

// commands

The commands you'll type

Directory brute

$ ffuf -u https://target/FUZZ -w wordlist.txt -mc 200,403

POST body fuzz

$ ffuf -u https://target/login -X POST -d 'user=admin&pass=FUZZ' -w pass.txt -fc 401

Header fuzz

$ ffuf -u https://target -H 'X-Forwarded-For: FUZZ' -w ips.txt
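
From the defender's side, all three request shapes above land in the web server's access log. The following is an added example, not part of this arsenal page or the ffuf project: it parses combined-format log lines and flags clients whose traffic looks like a ffuf run, first on ffuf's default User-Agent (the tool's full name followed by its version, trivially overridden with `-H`) and then on behaviour alone, a burst of mostly 4xx responses to many distinct paths. The log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_fuzzing(lines, window_seconds=10, min_requests=20, miss_ratio=0.8):
    """Map client IP -> reasons, for clients whose traffic looks like a ffuf run."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        if any("fuzz faster u fool" in r["ua"].lower() for r in recs):
            reasons.append("default ffuf User-Agent")  # weak signal: -H overrides it
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        misses = sum(r["status"] >= 400 for r in recs)  # probes that hit nothing
        distinct = len({r["path"] for r in recs})
        # Behavioural signal: burst of mostly-failing requests to many paths; fires even with a changed UA.
        if (len(recs) >= min_requests and span <= window_seconds
                and misses / len(recs) >= miss_ratio and distinct >= min_requests // 2):
            reasons.append(f"{len(recs)} requests to {distinct} paths in {span:.0f}s, {misses} errors")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample log (RFC 5737 addresses): ffuf default UA, same burst behind a browser UA, normal visitor.
def _line(ip, sec, path, status, ua):
    return f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'
SAMPLE_LOG = (
    [_line("203.0.113.10", i // 5, f"/candidate-{i}", 404 if i % 10 else 200, "Fuzz Faster U Fool v2.1.0") for i in range(25)]
    + [_line("192.0.2.5", i // 5, f"/candidate-{i}", 404, "Mozilla/5.0") for i in range(20)]
    + [_line("198.51.100.7", i * 3, "/index.html", 200, "Mozilla/5.0") for i in range(5)]
)
```

Tune `window_seconds`, `min_requests` and `miss_ratio` to the site's real baseline; the second client shows why the behavioural rule matters more than the User-Agent string.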

// facts

category: Web AppSec
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Beginner
