{"id":120,"date":"2026-03-20T21:35:44","date_gmt":"2026-03-20T21:35:44","guid":{"rendered":"https:\/\/zerotoghost.com\/?p=120"},"modified":"2026-03-20T21:35:44","modified_gmt":"2026-03-20T21:35:44","slug":"cheat-sheet-series-ffuf","status":"publish","type":"post","link":"https:\/\/zerotoghost.com\/?p=120","title":{"rendered":"Cheat Sheet Series: Ffuf"},"content":{"rendered":"\n

Fuzzing with Ffuf<\/h3>\n\n\n\n

Github: https:\/\/github.com\/ffuf\/ffuf<\/a><\/p>\n\n\n\n

In a word full of web-fuzzing tools, everyone has a favorite and mine happens to be Ffuf. It might not be as robust as some competitors, but it just freaking works really well and I like the clean output. Here’s some of the common commands you might need in a pinch:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n-w Directory\/Wordlist\/Lives\/in.txt -u https:\/\/URL.YOU.ARE.Fuzzing\/FUZZ<\/a> -rate 2<\/code><\/pre>\n\n\n\n
Put ‘FUZZ’ where you are fuzzing. Example: https:\/\/FUZZ.domian.com (subdirectories), https:\/\/domian.com\/FUZZ (endpoints), <\/p>\n\n\n\n
-rate 2,3etc slow it dowwwwwn<\/p>\n\n\n\n
-u http:\/\/FUZZ.ab.com<\/a> for subdirectory busting<\/p>\n\n\n\n
-output : can use -o, -of (format- html, json etc) | tee<\/p>\n\n\n\n
-s silent : do not clog up terminal<\/p>\n\n\n\n
-fs filter by size : ignore responses size XYZ, ex: -fs 606<\/p>\n\n\n\n
-mc match code : only return responses with code specified, ex: -mc 200<\/p>\n\n\n\n
-fc filter by code: ignore responses with code, ex: -fc 302 <\/p>\n\n\n\n
Fuzzing Headers<\/h3>\n\n\n\n
Get Parameters:<\/p>\n\n\n\n
ffuf -w \/path\/to\/paramnames.txt -u https:\/\/target\/script.php?FUZZ=test_value -fs 4242<\/code><\/pre>\n\n\n\n
POST Data:<\/p>\n\n\n\n
ffuf -w \/path\/to\/postdata.txt -X POST -d \"username=admin\\&password=FUZZ\" -u https:\/\/target\/login.php -fc 401<\/code><\/pre>\n\n\n\n
More Fuff Tags<\/h3>\n\n\n\n
Fuzz Faster U Fool – v2.1.0<\/p>\n\n\n\n
HTTP OPTIONS:
-H Header \"Name: Value\"<\/code>, separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data \"NAME1=VALUE1; NAME2=VALUE2\"<\/code> for copy as curl functionality.
-cc Client cert for authentication. Client key needs to be defined as well for this to work
-ck Client key for authentication. Client certificate needs to be defined as well for this to work
-d POST data
-http2 Use HTTP2 protocol (default: false)
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-raw Do not encode URI (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: “default” for a redirect based, and “greedy” to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http:\/\/127.0.0.1:8080 or socks5:\/\/127.0.0.1:8080<\/p>\n\n\n\n
GENERAL OPTIONS:
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Custom auto-calibration strategies. Can be used multiple times. Implies -ac
-c Colorize output. (default: false)
-config Load configuration from a file
-json JSON output, printing newline-delimited JSON records (default: false)
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of delay<\/code> between requests, or a range of random delay. For example “0.1” or “0.1-2.0”
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
-se Stop on spurious errors (default: false)
-search Search for a FFUFHASH payload from ffuf history
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)<\/p>\n\n\n\n
MATCHER OPTIONS:
-mc Match HTTP status codes, or “all” for everything. (default: 200-299,301,302,307,401,403,405,500)
-ml Match amount of lines in response
-mmode Matcher set operator. Either of: and, or (default: or)
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response<\/p>\n\n\n\n
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fmode Filter set operator. Either of: and, or (default: or)
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges<\/p>\n\n\n\n
INPUT OPTIONS:
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-enc Encoders for keywords, eg. ‘FUZZ:urlencode b64encode’
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. –input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with –input-cmd. (default: 100)
-input-shell Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. ‘\/path\/to\/wordlist:KEYWORD’<\/p>\n\n\n\n
OUTPUT OPTIONS:
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, ‘all’ for all formats) (default: json)
-or Don’t create the output file if we don’t have results (default: false)<\/p>\n\n\n\n
EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
ffuf -w wordlist.txt -u https:\/\/example.org\/FUZZ -mc all -fs 42 -c -v<\/p>\n\n\n\n
Fuzz Host-header, match HTTP 200 responses.
ffuf -w hosts.txt -u https:\/\/example.org\/ -H “Host: FUZZ” -mc 200<\/p>\n\n\n\n
Fuzz POST JSON data. Match all responses not containing text “error”.
ffuf -w entries.txt -u https:\/\/example.org\/ -X POST -H “Content-Type: application\/json” \\
-d ‘{“name”: “FUZZ”, “anotherkey”: “anothervalue”}’ -fr “error”<\/p>\n\n\n\n
Fuzz multiple locations. Match only responses reflecting the value of “VAL” keyword. Colored.
ffuf -w params.txt:PARAM -w values.txt:VAL -u https:\/\/example.org\/?PARAM=VAL -mr “VAL” -c<\/p>\n\n\n\n
More information and examples: https:\/\/github.com\/ffuf\/ffuf<\/p>\n","protected":false},"excerpt":{"rendered":"
Fuzzing with Ffuf Github: https:\/\/github.com\/ffuf\/ffuf In a word full of web-fuzzing tools, everyone has a favorite and mine happens to be Ffuf. It might not be as robust as some competitors, but it just freaking works really well and I like the clean output. Here’s some of the common commands…<\/p>\n","protected":false},"author":1,"featured_media":121,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[6,7],"class_list":["post-120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cheat-sheets","tag-ffuf","tag-fuzzing"],"_links":{"self":[{"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=120"}],"version-history":[{"count":2,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":123,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions\/123"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=\/wp\/v2\/media\/121"}],"wp:attachment":[{"href":"https:\/\/zerotoghost.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerotoghost.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}