.\" Text automatically generated by txt2man
.TH ffuf "1" "May 2020" "ffuf 1.0.2" "User Commands"
.SH NAME
\fBffuf \fP- Fast web fuzzer written in Go
.SH SYNOPSIS
.nf
.fam C
\fBffuf\fP [\fBoptions\fP]
.fam T
.fi
.SH DESCRIPTION
\fBffuf\fP is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.
.SH OPTIONS
.PP
HTTP OPTIONS:
.RS
.TP
.B
\fB-H\fP
Header "Name: Value", separated by colon. Multiple \fB-H\fP flags are accepted.
.TP
.B
\fB-X\fP
HTTP method to use (default: GET)
.TP
.B
\fB-b\fP
Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
.TP
.B
\fB-d\fP
POST data
.TP
.B
\fB-r\fP
Follow redirects (default: false)
.TP
.B
\fB-recursion\fP
Scan recursively. Only FUZZ keyword is supported, and URL (\fB-u\fP) has to end in it. (default: false)
.TP
.B
\fB-recursion-depth\fP
Maximum recursion depth. (default: 0)
.TP
.B
\fB-replay-proxy\fP
Replay matched requests using this proxy.
.TP
.B
\fB-timeout\fP
HTTP request timeout in seconds. (default: 10)
.TP
.B
\fB-u\fP
Target URL
.TP
.B
\fB-x\fP
HTTP Proxy URL
.RE
.PP
GENERAL OPTIONS:
.RS
.TP
.B
\fB-V\fP
Show version information. (default: false)
.TP
.B
\fB-ac\fP
Automatically calibrate filtering options (default: false)
.TP
.B
\fB-acc\fP
Custom auto-calibration string. Can be used multiple times. Implies \fB-ac\fP
.TP
.B
\fB-c\fP
Colorize output. (default: false)
.TP
.B
\fB-maxtime\fP
Maximum running time in seconds. (default: 0)
.TP
.B
\fB-p\fP
Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
.TP
.B
\fB-s\fP
Do not print additional information (silent mode) (default: false)
.TP
.B
\fB-sa\fP
Stop on all error cases. Implies \fB-sf\fP and \fB-se\fP. (default: false)
.TP
.B
\fB-se\fP
Stop on spurious errors (default: false)
.TP
.B
\fB-sf\fP
Stop when > 95% of responses return 403 Forbidden (default: false)
.TP
.B
\fB-t\fP
Number of concurrent threads. (default: 40)
.TP
.B
\fB-v\fP
Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
.RE
.PP
MATCHER OPTIONS:
.RS
.TP
.B
\fB-mc\fP
Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
.TP
.B
\fB-ml\fP
Match amount of lines in response
.TP
.B
\fB-mr\fP
Match regexp
.TP
.B
\fB-ms\fP
Match HTTP response size
.TP
.B
\fB-mw\fP
Match amount of words in response
.RE
.PP
FILTER OPTIONS:
.RS
.TP
.B
\fB-fc\fP
Filter HTTP status codes from response. Comma separated list of codes and ranges
.TP
.B
\fB-fl\fP
Filter by amount of lines in response. Comma separated list of line counts and ranges
.TP
.B
\fB-fr\fP
Filter regexp
.TP
.B
\fB-fs\fP
Filter HTTP response size. Comma separated list of sizes and ranges
.TP
.B
\fB-fw\fP
Filter by amount of words in response. Comma separated list of word counts and ranges
.RE
.PP
INPUT OPTIONS:
.RS
.TP
.B
\fB-D\fP
DirSearch wordlist compatibility mode. Used in conjunction with \fB-e\fP flag. (default: false)
.TP
.B
\fB-e\fP
Comma separated list of extensions. Extends FUZZ keyword.
.TP
.B
\fB-ic\fP
Ignore wordlist comments (default: false)
.TP
.B
\fB-input-cmd\fP
Command producing the input. \fB--input-num\fP is required when using this input method. Overrides \fB-w\fP.
.TP
.B
\fB-input-num\fP
Number of inputs to test. Used in conjunction with \fB--input-cmd\fP. (default: 100)
.TP
.B
\fB-mode\fP
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
.TP
.B
\fB-request\fP
File containing the raw HTTP request
.TP
.B
\fB-request-proto\fP
Protocol to use along with raw request (default: https)
.TP
.B
\fB-w\fP
Wordlist file path and (optional) keyword separated by colon. e.g. '/path/to/wordlist:KEYWORD'
.RE
.PP
OUTPUT OPTIONS:
.RS
.TP
.B
\fB-debug-log\fP
Write all of the internal logging to the specified file.
.TP
.B
\fB-o\fP
Write output to file
.TP
.B
\fB-od\fP
Directory path to store matched results to.
.TP
.B
\fB-of\fP
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json)
.RE
.SH EXAMPLE USAGE:
.PP
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output.
.RS
.nf
\fBffuf\fP \fB-w\fP wordlist.txt \fB-u\fP https://example.org/FUZZ \fB-mc\fP all \fB-fs\fP 42 \fB-c\fP \fB-v\fP
.fi
.RE
.PP
Fuzz Host-header, match HTTP 200 responses.
.RS
.nf
\fBffuf\fP \fB-w\fP hosts.txt \fB-u\fP https://example.org/ \fB-H\fP "Host: FUZZ" \fB-mc\fP 200
.fi
.RE
.PP
Fuzz POST JSON data. Match all responses not containing text "error".
.RS
.nf
\fBffuf\fP \fB-w\fP entries.txt \fB-u\fP https://example.org/ \fB-X\fP POST \fB-H\fP "Content-Type: application/json" \e
\fB-d\fP '{"name": "FUZZ", "anotherkey": "anothervalue"}' \fB-fr\fP "error"
.fi
.RE
.PP
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
.RS
.nf
\fBffuf\fP \fB-w\fP params.txt:PARAM \fB-w\fP values.txt:VAL \fB-u\fP https://example.org/?PARAM=VAL \fB-mr\fP "VAL" \fB-c\fP
.fi
.RE
.PP
More information and examples: https://github.com/ffuf/ffuf
.SH AUTHOR
This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos for the Debian project (but may be used by others).