FFUF Web Fuzzing

Guidance for using ffuf (Fuzz Faster U Fool) effectively during authorized penetration testing.

Prerequisites

ffuf must be installed: brew install ffuf (macOS) or go install github.com/ffuf/ffuf/v2@latest

When to Use

• Running directory, file, or subdomain discovery against web targets

• Fuzzing API endpoints, parameters, or POST data

• Authenticated fuzzing with raw HTTP requests

• Analyzing ffuf JSON output for anomalies and interesting findings

• Building fuzzing strategies (wordlist selection, filtering, rate limiting)

• IDOR testing with authenticated sessions

When NOT to Use

• Target system is not in scope or authorization is unclear

• Passive reconnaissance is more appropriate (use OSINT tools instead)

• The target is a production system and rate limiting hasn't been configured

• You need a full vulnerability scanner (use Burp Suite, Nuclei, etc.)

• Testing for logic flaws that require multi-step interaction

Rationalizations to Reject

• "Auto-calibration is optional" -- -ac is mandatory. Without it, results are buried in false positives and analysis is wasted effort.

• "More threads = faster results" -- Hammering a target with -t 200 triggers WAFs, gets you blocked, and may crash staging environments. Start with -t 10 -rate 2 for production targets.

• "I'll filter later" -- Set up filtering before the scan. Running a 220k wordlist without filters and then trying to grep through the noise is backwards.

• "The default wordlist is fine" -- Wordlist selection is the most important decision. A generic wordlist misses technology-specific paths. See references/wordlists.md.

• "Raw requests are too much work" -- For authenticated fuzzing, --request req.txt is simpler and more reliable than chaining -H and -b flags. Capture once, fuzz many times.

Critical Rules

• Always use -ac (auto-calibration) unless you have a specific, documented reason not to

• Always save output with -o results.json for later analysis

• Rate limit production targets with -rate and -t flags

• Use --request for auth -- raw request files beat command-line header chains

• Confirm authorization first -- before running any scan, verify the user has written permission for the target. Ask if unclear.

Core Concepts

The FUZZ Keyword

In URL path

ffuf -w wordlist.txt -u https://target.com/FUZZ -ac

In headers

ffuf -w wordlist.txt -u https://target.com -H "Host: FUZZ.target.com" -ac

In POST body

ffuf -w wordlist.txt -X POST -d "user=admin&pass=FUZZ" -u https://target.com/login -ac

Multiple positions with custom keywords

ffuf -w endpoints.txt:EP -w ids.txt:ID -u https://target.com/EP/ID -mode pitchfork -ac

Auto-Calibration

-ac automatically detects and filters repetitive false-positive responses. It adapts to the target's specific behavior and removes noise from dynamic content.

ffuf -w wordlist.txt -u https://target.com/FUZZ -ac # Standard ffuf -w wordlist.txt -u https://target.com/FUZZ -ach # Per-host (multi-host scans) ffuf -w wordlist.txt -u https://target.com/FUZZ -acc "404" # Custom calibration string

Common Patterns

Directory Discovery

ffuf -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
-u https://target.com/FUZZ -e .php,.html,.txt,.bak
-ac -c -v -o results.json

Subdomain Enumeration

ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
-u https://FUZZ.target.com -ac -c -v -o results.json

API Endpoint Discovery

ffuf -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt
-u https://api.target.com/v1/FUZZ
-H "Authorization: Bearer YOUR_TOKEN_HERE" -mc 200,201 -ac -c

Authenticated Fuzzing with Raw Requests

Capture a full authenticated request, save to req.txt , insert FUZZ :

POST /api/v1/users/FUZZ HTTP/1.1 Host: target.com Authorization: Bearer YOUR_TOKEN_HERE Cookie: session=YOUR_SESSION_ID Content-Type: application/json

{"action":"view","id":"1"}

ffuf --request req.txt -w wordlist.txt -ac -o results.json

See references/request-templates.md for pre-built templates covering bearer tokens, session cookies, API keys, and GraphQL.

Authenticated Fuzzing: Agent Workflow

Authenticated fuzzing requires real credentials that the agent cannot obtain independently. When the user asks for authenticated fuzzing:

• Ask the user to provide ONE of:

• A raw HTTP request file (req.txt ) with auth headers already included

• A curl command from browser DevTools (convert it to req.txt format)

• Individual credentials (Bearer token, session cookie, API key)

• If given a curl command, convert it to raw HTTP request format and write to req.txt

• If given individual credentials, use a template from references/request-templates.md and substitute real values

• Never fabricate or guess authentication tokens

IDOR Testing

ffuf --request req.txt -w <(seq 1 10000) -ac -mc 200 -o idor_results.json

Rate Limiting

Environment Flags Notes

Production (stealth) -rate 2 -t 10

Avoid WAF triggers

Production (normal) -rate 10 -t 20

Balanced

Staging/Dev -rate 50 -t 40

Faster

Local/Lab No limit, -t 100

Maximum speed

Analyzing Results

Save output as JSON (-o results.json ), then read the file and focus on:

• Anomalous status codes -- anything other than the baseline 404/403

• Size outliers -- responses significantly larger or smaller than average

• Interesting keywords in URLs -- admin, api, backup, config, .git, .env

• Timing anomalies -- slow responses may indicate SQL injection or heavy processing

• Follow-up targets -- interesting findings warrant deeper fuzzing

Use -fs to filter by response size and -fc to filter by status code when auto-calibration isn't sufficient. Run ffuf -h for the full list of match/filter flags.

References

• Wordlist selection guide -- recommended SecLists by scenario

• Authenticated request templates -- pre-built req.txt for bearer tokens, cookies, API keys

• ffuf official docs

• SecLists