# FFUF

> **Tip:** FFUF (Fuzz Faster U Fool) is a fast web fuzzer written in Go, used for discovering hidden files, directories, and parameters.
## Common Commands

Task | Command |
---|---|
Directory brute-forcing | `ffuf -u https://target.com/FUZZ -w wordlist.txt` |
Virtual host fuzzing | `ffuf -u https://FUZZ.target.com -w wordlist.txt -H "Host: FUZZ.target.com"` |
Parameter fuzzing | `ffuf -u https://target.com/page.php?param=FUZZ -w wordlist.txt` |
## Useful Flags

Flag | Description |
---|---|
`-u` | Target URL (the `FUZZ` keyword is required) |
`-w` | Wordlist file |
`-t` | Number of concurrent threads |
`-mc` | Match HTTP status codes (e.g., `-mc 200,204`) |
`-fc` | Filter HTTP status codes |
`-H` | Add custom header |
`-o` | Output file |
`-of` | Output file format (e.g., `json`, `html`) |
> **Warning:** Always have permission before fuzzing a website with FFUF. Unauthorized testing is illegal and unethical.
## HTB CTF Go-To Command

A common FFUF command for directory brute-forcing in HTB CTFs:

```bash
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 404 -o ffuf_results.txt
```

- `-u`: Target URL (replace with the actual target IP)
- `-w`: Wordlist path
- `-fc 404`: Filter out 404 responses
- `-o`: Output results to a file
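Filtering only on `-fc 404` is not enough when a server answers every unknown path with the same 200 page. The following Python script is an added example, not part of this page or of the ffuf project: it loads a report saved with `-o results.json -of json`, counts status codes, detects such a catch-all page by its repeated response length, and lists the remaining hits. The embedded JSON is a constructed sample trimmed to the fields the script reads.

```python
import json
from collections import Counter

# Constructed sample of an ffuf report saved with "-o results.json -of json";
# only the fields used below are kept (a real report also has "commandline",
# "time", "config", and per-result "words", "lines", "url").
SAMPLE_FFUF_JSON = """{
  "results": [
    {"input": {"FUZZ": "index.html"}, "status": 200, "length": 2048},
    {"input": {"FUZZ": "admin"},      "status": 301, "length": 0},
    {"input": {"FUZZ": "backup"},     "status": 403, "length": 277},
    {"input": {"FUZZ": "foo"},        "status": 200, "length": 1534},
    {"input": {"FUZZ": "bar"},        "status": 200, "length": 1534},
    {"input": {"FUZZ": "baz"},        "status": 200, "length": 1534}
  ]
}"""

def load_results(report_text):
    """Return the list of result entries from an ffuf JSON report."""
    return json.loads(report_text)["results"]

def status_summary(results):
    """Count hits per HTTP status code, e.g. Counter({200: 4, 301: 1, 403: 1})."""
    return Counter(r["status"] for r in results)

def find_catchall_length(results, status=200, min_hits=3):
    """Spot a soft-404: many hits with one status and identical body length.
    Returns that length when it repeats at least min_hits times, else None."""
    lengths = Counter(r["length"] for r in results if r["status"] == status)
    if not lengths:
        return None
    length, hits = lengths.most_common(1)[0]
    return length if hits >= min_hits else None

def interesting(results, catchall_length=None):
    """Drop 404s and catch-all responses, returning (path, status, length)
    tuples sorted by path. ffuf's own -fc 404 / -fs <size> flags do this at
    scan time; here the same filtering is applied to a saved report."""
    kept = []
    for r in results:
        if r["status"] == 404:
            continue
        if r["status"] == 200 and r["length"] == catchall_length:
            continue
        kept.append((r["input"]["FUZZ"], r["status"], r["length"]))
    return sorted(kept)

if __name__ == "__main__":
    hits = load_results(SAMPLE_FFUF_JSON)
    print(interesting(hits, find_catchall_length(hits)))
```

Once the catch-all length is known, the same run can be repeated with ffuf's `-fs <length>` flag so those responses never reach the report.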