HTTP OPTIONS
-H Header "Name: Value", separated by colon. Multiple -H flags are accepted.
-X HTTP method to use (default: GET)
-b Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
-d POST data
-ignore-body
Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-recursion
Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default:
false)
-recursion-depth
Maximum recursion depth. (default: 0)
-recursion-strategy
Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches
(default: default)
-replay-proxy
Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword.
-timeout
HTTP request timeout in seconds. (default: 10)
-u Target URL
-x HTTP Proxy URL
GENERAL OPTIONS
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-c Colorize output. (default: false)
-maxtime
Maximum running time in seconds. (default: 0)
-maxtime-job
Maximum running time in seconds per job. (default: 0)
-noninteractive
Disable the interactive console functionality (default: false)
-p Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or
"0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-se Stop on spurious errors (default: false)
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results.
(default: false)
MATCHER OPTIONS
-mc Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
-ml Match amount of lines in response
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG:
>100 or <100
-mw Match amount of words in response
FILTER OPTIONS
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than.
EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
INPUT OPTIONS
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-ic Ignore wordlist comments (default: false)
-input-cmd
Command producing the input. --input-num is required when using this input method.
Overrides -w.
-input-num
Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell
Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default:
clusterbomb)
-request
File containing the raw http request
-request-proto
Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg.
'/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS
-debug-log
Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all
formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
INTERACTIVE MODE
available commands:
fc [value]
(re)configure status code filter.
fl [value]
(re)configure line count filter.
fw [value]
(re)configure word count filter.
fs [value]
(re)configure size filter.
queueshow
show recursive job queue.
queuedel [number]
delete a recursion job in the queue.
queueskip
advance to the next queued recursion job.
restart
restart and resume the current ffuf job.
resume resume current ffuf job (or: ENTER).
show show results for the current job.
savejson [filename]
save current matches to a file.
help show help menu.