ffuf Web Fuzzer Cheatsheet

Complete ffuf reference for directory fuzzing, parameter discovery, vhost enumeration, and filter tuning. (27 payloads)

Directory & File Fuzzing

(5)

ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

Basic directory fuzzing with SecLists common wordlist

ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak

Fuzz with file extensions

ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

Recursive directory fuzzing (2 levels deep)

ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Large directory wordlist from SecLists

ffuf -u http://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt

API endpoint discovery

Parameter Fuzzing

(5)

ffuf -u "http://target.com/page?FUZZ=value" -w params.txt

Fuzz GET parameter names

ffuf -u "http://target.com/page?id=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

Fuzz parameter value for LFI

ffuf -u http://target.com/page -X POST -d "FUZZ=value" -w params.txt

Fuzz POST parameter names

ffuf -u http://target.com/page -X POST -d "user=FUZZ" -w usernames.txt

Fuzz POST parameter value (username enumeration)

ffuf -u "http://target.com/page?id=FUZZ" -w numbers.txt -mr "admin"

Match response containing "admin" string

Virtual Host Discovery

(3)

ffuf -u http://10.10.10.10 -H "Host: FUZZ.target.com" -w subdomains.txt

VHost fuzzing via Host header

ffuf -u http://10.10.10.10 -H "Host: FUZZ.target.com" -w subdomains.txt -fs 0,4242

VHost fuzzing — filter by response size

ffuf -u http://FUZZ.target.com -w subdomains.txt

Subdomain fuzzing via URL (requires DNS wildcard handling)

Filtering & Matching

(6)

ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404

-fc: filter by HTTP status code (hide 404s)

ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 4242

-fs: filter by response size (hide default error size)

ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 10

-fw: filter by word count

ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 0

-fl: filter by line count

ffuf -u http://target.com/FUZZ -w wordlist.txt -fr "Not Found"

-fr: filter by regex match in response

ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,302,403

-mc: match only specific status codes

Authentication & Headers

(4)

ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Cookie: session=abc123"

Add authentication cookie

ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer eyJ..."

Add Bearer token

ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

Proxy through Burp Suite

ffuf -u http://target.com/FUZZ -w wordlist.txt -H "User-Agent: Mozilla/5.0"

Custom User-Agent

Speed & Output

(4)

ffuf -u http://target.com/FUZZ -w wordlist.txt -t 100

Use 100 concurrent threads (default: 40)

ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100

Limit to 100 requests/second

ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json

Save results as JSON

ffuf -u http://target.com/FUZZ -w wordlist.txt -c -v

Colorized verbose output

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Local File Inclusion SSRF

Related Cheat Sheets

XSS Cheat Sheet SQLMap Injection Cheatsheet Gobuster Directory Fuzzing Cheatsheet

$loading...