X0NE 2 years ago

FFUF cheat sheet for penetration testers

ffuf (short for "Fuzz Faster U Fool") is a powerful and fast web fuzzer written in the Go programming language.

# FFUF: Directory Scanning


# Basic directory scan with wordlist

ffuf -w /path/to/wordlist.txt -u http://target/FUZZ


# Recursively scan directories with 2XX status codes only

ffuf -w /path/to/wordlist.txt -u http://target/FUZZ -recursion -recursion-depth 2 -mc 200-299


# FFUF: Virtual Host Scanning


# Scan virtual hosts with wordlist

ffuf -w /path/to/wordlist.txt -u http://target/ -H "Host: FUZZ.target"

# The default vhost usually answers every name with the same page; filter it out by response size (-fs <size>) or use -ac (auto-calibration) so only distinct hosts are reported


# FFUF: LFI Fuzzing


# Basic LFI fuzzing with ../

ffuf -w /path/to/wordlist.txt -u "http://target/file.php?file=../../FUZZ"


# Advanced LFI fuzzing with nullbyte (%00) termination

ffuf -w /path/to/wordlist.txt -u "http://target/file.php?file=../FUZZ%00"


# FFUF: Extension Fuzzing


# Fuzzing file extensions with custom wordlist

ffuf -w /path/to/wordlist.txt -u http://target/file.FUZZ


# Fuzzing multiple extensions at once

ffuf -w /path/to/extensions.txt -u http://target/file.FUZZ


# FFUF: Page Fuzzing


# Fuzzing parameter values on a specific page

ffuf -w /path/to/wordlist.txt -u "http://target/page.php?id=FUZZ"


# Advanced page fuzzing with cookies and headers

ffuf -w /path/to/wordlist.txt -u http://target/page.php -b "cookie1=value1; cookie2=value2" -H "Authorization: Bearer FUZZ"


# General Tips:


# -w : Specifies the wordlist file

# -u : Specifies the target URL with FUZZ as the placeholder

# -mc : Match only specified HTTP status codes (e.g., -mc 200,404)

# -recursion : Enable directory recursion

# -recursion-depth : Set recursion depth level

# -H : Set custom header (e.g., Host for virtual host scanning)

# -b : Set custom cookies for requests

# %00 : Nullbyte termination for LFI fuzzing
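A catch-all virtual host or a soft-404 handler returns the same page for every word, which buries the real hits. The helper below is an added example (not part of this cheat sheet or of ffuf itself): it reads the JSON that ffuf writes with `-o out.json -of json`, finds the most repeated (status, length) signature, reports only the results that differ from it and suggests the matching `-fs` filter for the next run. The sample output is constructed and the field names used are assumed from ffuf's JSON report.

```python
"""Triage ffuf JSON output (-o out.json -of json) by filtering the repeated baseline response."""
import json
from collections import Counter

# Constructed sample in the shape of an ffuf JSON report (assumption: only the
# keys used below are modelled; a real report carries more fields).
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -w words.txt -u http://target/ -H 'Host: FUZZ.target' -o out.json -of json",
    "results": [
        {"input": {"FUZZ": "www"},   "status": 200, "length": 1532, "words": 80,  "lines": 20, "url": "http://target/"},
        {"input": {"FUZZ": "mail"},  "status": 200, "length": 1532, "words": 80,  "lines": 20, "url": "http://target/"},
        {"input": {"FUZZ": "dev"},   "status": 200, "length": 4871, "words": 300, "lines": 95, "url": "http://target/"},
        {"input": {"FUZZ": "test"},  "status": 200, "length": 1532, "words": 80,  "lines": 20, "url": "http://target/"},
        {"input": {"FUZZ": "admin"}, "status": 401, "length": 188,  "words": 12,  "lines": 4,  "url": "http://target/"},
    ],
})


def baseline_signature(results):
    """Return the most frequent (status, length) pair and how often it occurs.
    With a catch-all vhost or soft-404 page this pair is the 'nothing here' answer."""
    counts = Counter((r["status"], r["length"]) for r in results)
    signature, hits = counts.most_common(1)[0]
    return signature, hits


def triage(raw_json, min_repeat=2):
    """Split ffuf results into baseline noise and interesting hits.

    A signature only counts as baseline when it repeats at least min_repeat
    times; otherwise every result is kept (nothing is filtered)."""
    results = json.loads(raw_json)["results"]
    signature, hits = baseline_signature(results)
    if hits < min_repeat:
        signature = None
    interesting = [r for r in results
                   if signature is None or (r["status"], r["length"]) != signature]
    return {
        "baseline": signature,
        "baseline_hits": hits,
        "interesting": interesting,
        # The size filter to add on the next run so ffuf drops the noise itself.
        "suggested_filter": f"-fs {signature[1]}" if signature else "",
    }


def interesting_inputs(raw_json):
    """Convenience view: just the FUZZ words that produced a non-baseline response."""
    return [r["input"]["FUZZ"] for r in triage(raw_json)["interesting"]]


if __name__ == "__main__":
    report = triage(SAMPLE_FFUF_JSON)
    print("baseline:", report["baseline"], "seen", report["baseline_hits"], "times")
    print("re-run with:", report["suggested_filter"])
    print("interesting:", interesting_inputs(SAMPLE_FFUF_JSON))
```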

