Scroll to navigation

ffuf(1) User Commands ffuf(1)

NAME

ffuf - Fast web fuzzer written in Go

SYNOPSIS



     ffuf [options]

DESCRIPTION

ffuf is a fest web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

OPTIONS

HTTP OPTIONS

Header "Name: Value", separated by colon. Multiple -H flags are accepted.
HTTP method to use (default: GET)
Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
POST data
Do not fetch the response content. (default: false)
Follow redirects (default: false)
Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false) -recursion-depth Maximum recursion depth. (default: false)
Maximum recursion depth. (default: 0)
Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
Replay matched requests using this proxy.
Target TLS SNI, does not support FUZZ keyword.
HTTP request timeout in seconds. (default: 10)
Target URL
HTTP Proxy URL

GENERAL OPTIONS

Show version information. (default: false)
Automatically calibrate filtering options (default: false)
Custom auto-calibration string. Can be used multiple times. Implies -ac
Colorize output. (default: false)
Maximum running time in seconds. (default: 0)
Maximum running time in seconds per job. (default: 0)
Disable the interactive console functionality (default: false)
Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
Rate of requests per second (default: 0)
Do not print additional information (silent mode) (default: false)
Stop on all error cases. Implies -sf and -se. (default: false)
Stop on spurious errors (default: false)
Stop when > 95% of responses return 403 Forbidden (default: false)
Number of concurrent threads. (default: 40)
Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS

Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
Match amount of lines in response
Match regexp
Match HTTP response size
Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
Match amount of words in response

FILTER OPTIONS

Filter HTTP status codes from response. Comma separated list of codes and ranges
Filter by amount of lines in response. Comma separated list of line counts and ranges
Filter regexp
Filter HTTP response size. Comma separated list of sizes and ranges
Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS

DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
Comma separated list of extensions. Extends FUZZ keyword.
Ignore wordlist comments (default: false)
Command producing the input. --input-num is required when using this input method. Overrides -w.
Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
Shell to be used for running command
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
File containing the raw http request
Protocol to use along with raw request (default: https)
Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS

Write all of the internal logging to the specified file.
Write output to file
Directory path to store matched results to.
Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
Don't create the output file if we don't have results (default: false)

INTERACTIVE MODE

available commands:
(re)configure status code filter.
(re)configure line count filter.
(re)configure word count filter.
(re)configure size filter.
show recursive job queue.
delete a recursion job in the queue.
advance to the next queued recursion job.
restart and resume the current ffuf job.
resume current ffuf job (or: ENTER).
show results for the current job.
save current matches to a file.
show help menu.

EXAMPLE USAGE

Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output.

https://example.org/FUZZ -mc all -fs 42 -c -v

Fuzz Host-header, match HTTP 200 responses.

https://example.org/ -H "Host: FUZZ" -mc 200

Fuzz POST JSON data. Match all responses not containing text "error".

https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.

https://example.org/?PARAM=VAL -mr "VAL" -c

More information and examples: https://github.com/ffuf/ffuf

NOTE

In INTERACTIVE MODE, filters can be reconfigured, queue managed and the current state saved to disk.

When (re)configuring the filters, they get applied posthumously and all the false positive matches from memory that would have been filtered out by the newly added filters get deleted.

The new state of matches can be printed out with a command show that will print out all the matches as like they would have been found by ffuf.

As "negative" matches are not stored to memory, relaxing the filters cannot unfortunately bring back the lost matches. For this kind of scenario, the user is able to use the command restart, which resets the state and starts the current job from the beginning.

AUTHOR

This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos <pedro@loami.eng.br> for the Debian project (but may be used by others).

Mar 2022 ffuf 1.4.0