ffuf

A cheatsheet for ffuf, a tool automating web fuzzing tasks, including subdomain discovery, directory enumeration, and virtual host fuzzing.


Author: BobBuilder


Core Options

-u http://<target_ip>:<port>/FUZZ                 # Target URL with FUZZ keyword
-w <wordlist>:<keyword>                           # Wordlist for keyword substitution
-o <output_file>                                  # Save output to file
-X <method>                                       # HTTP method (GET, POST, etc.)
-d <data>                                         # POST data
-H "Header: Value"                                # Custom HTTP headers
-b "cookie1=value1; cookie2=value2"               # Cookies
-mc <status_codes>                                # Match response codes (e.g., 200,403)
-ms <size>                                        # Match response size
-fc <status_codes>                                # Filter response codes
-fs <size>                                        # Filter response size
-recursion                                        # Enable recursive discovery
-recursion-depth <n>                              # Set recursion depth
-e .php,.html                                     # Extensions appended to each FUZZ word (comma-separated)
-t <threads>                                      # Number of concurrent threads
-v                                                # Verbose output
-c                                                # Colorized output

VHost Fuzzing

ffuf -u http://<domain>/ -H "Host: FUZZ.<domain>" -w /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs <size>

Subdomain Fuzzing

ffuf -w /opt/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.<domain>/

Directory Fuzzing

ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<target_ip>:<port>/FUZZ

Extension Discovery

ffuf -w /opt/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://<target_ip>:<port>/path/indexFUZZ

Use index.FUZZ if extensions in wordlist include dot.

Page Fuzzing (Known Extension)

ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<target_ip>:<port>/path/FUZZ.php
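
Detecting the directory and page fuzzing above from the server side, as an added example (not part of the original cheatsheet): it flags clients in a web access log by ffuf's default User-Agent and by request pattern, since -H can replace the header. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

def _line(ip, path, status, ua):
    # Build one constructed line in combined log format (sample data, not real traffic).
    return f'{ip} - - [10/Mar/2024:10:00:01 +0000] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'

SAMPLE_LOG = "\n".join(
    # Client using ffuf's default User-Agent, only two requests seen so far.
    [_line("203.0.113.7", f"/{w}", 404, "Fuzz Faster U Fool v2.1.0") for w in ("admin", "backup")]
    # Client with a browser-like User-Agent walking a wordlist: five misses, one hit.
    + [_line("198.51.100.9", f"/{w}.php", 200 if w == "login" else 404, "Mozilla/5.0")
       for w in ("a", "b", "c", "d", "e", "login")]
    # Ordinary visitor.
    + [_line("192.0.2.10", p, 200, "Mozilla/5.0") for p in ("/", "/index.php", "/login.php")]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_enumeration(log_text, min_paths=5, min_404_ratio=0.8):
    """Return {ip: [reasons]} for clients whose requests look like wordlist fuzzing.

    min_paths and min_404_ratio are illustrative thresholds; tune them per site.
    """
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "ffuf_ua": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        s = stats[m["ip"]]
        s["paths"].add(m["path"])
        s["total"] += 1
        s["not_found"] += m["status"] == "404"
        s["ffuf_ua"] |= "fuzz faster u fool" in m["ua"].lower()
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["ffuf_ua"]:
            reasons.append("ffuf default User-Agent")
        if len(s["paths"]) >= min_paths and s["not_found"] / s["total"] >= min_404_ratio:
            reasons.append("many distinct paths, mostly 404")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```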