Category: web-pentest

FFUF — Fast Web Fuzzer

FFUF (Fuzz Faster U Fool) — high-speed web fuzzer for directories, parameters, subdomains, and more.

Apr 2026, by lazyhackers
Directory & File Fuzzing (8)

Basic directory fuzzing
  ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  tags: dirs basic

Fuzz with multiple file extensions appended to each word
  ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.bak
  tags: dirs extensions

Match only specific response codes
  ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
  tags: dirs filter

Filter out 404 responses
  ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404
  tags: dirs filter

Filter out responses of a given size (1234 bytes)
  ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234
  tags: dirs filter

Filter out responses with a given word count (10 words)
  ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 10
  tags: dirs filter

Set 100 concurrent threads
  ffuf -u http://target.com/FUZZ -w wordlist.txt -t 100
  tags: dirs speed

Recursive directory fuzzing (two levels deep)
  ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
  tags: dirs recursive
Subdomain & VHost Fuzzing (3)

Subdomain enumeration (each candidate must resolve in DNS)
  ffuf -u http://FUZZ.target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
  tags: subdomain dns

Virtual host (vhost) fuzzing via the Host header, filtering out 302 responses
  ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fc 302
  tags: vhost subdomain

Vhost fuzzing, filtering out responses of the default vhost's size (1234 bytes)
  ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 1234
  tags: vhost
Parameter & Value Fuzzing (5)

Fuzz GET parameter names
  ffuf -u "http://target.com/page?FUZZ=value" -w params.txt
  tags: params get

Fuzz GET parameter values (IDOR)
  ffuf -u "http://target.com/page?id=FUZZ" -w /usr/share/seclists/Fuzzing/numbers.txt
  tags: params idor

POST parameter fuzzing (username enumeration), matching 302 redirects
  ffuf -u http://target.com/login -X POST -d "username=FUZZ&password=pass" -w users.txt -mc 302
  tags: post auth

Password brute force via POST, matching 302 redirects
  ffuf -u http://target.com/login -X POST -d "user=admin&pass=FUZZ" -w /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt -mc 302
  tags: post bruteforce auth

Fuzz with an authentication cookie (URL quoted so the shell does not expand ? as a glob)
  ffuf -u "http://target.com/page?id=FUZZ" -w list.txt -H "Cookie: session=TOKEN"
  tags: params auth cookie
Authentication & Headers (4)

Fuzz with a Bearer token
  ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN"
  tags: auth header

Fuzz with a session cookie set as a raw header
  ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Cookie: session=abc123"
  tags: auth cookie

Set cookies via the -b flag
  ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=TOKEN;csrftoken=CSRF"
  tags: auth cookie

Proxy requests through Burp Suite (127.0.0.1:8080)
  ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080
  tags: proxy burp
Output & Advanced (5)

Save output as JSON
  ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json
  tags: output

Save output as an HTML report
  ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html
  tags: output

Auto-calibrate filters from baseline responses
  ffuf -u http://target.com/FUZZ -w wordlist.txt -ac
  tags: filter auto

Limit requests per second
  ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100
  tags: speed rate

Multi-wordlist fuzzing with named positions (W1 and FUZZ)
  ffuf -u http://target.com/W1/FUZZ -w wordlist1.txt:W1 -w wordlist2.txt:FUZZ
  tags: advanced multi