HowToCyberSec

FFUF Playbook – Web Fuzzing Like a Pro

  1. Installation
  2. Basic Syntax
  3. Basic Directory Fuzzing
  4. Filter by Status Code / Size / Words
  5. Hidden Admin Pages Detection
  6. File Extension Brute Force
  7. Recursive Directory Bruteforce
  8. Subdomain Brute Forcing
  9. Virtual Host (vHost) Discovery
  10. Fuzzing GET Parameters
  11. Fuzzing POST Parameters
  12. Authentication & Header Fuzzing
  13. Bypass 403 Forbidden
  14. Input Reflection Fuzzing (Basic XSS/Debug)
  15. Combine with Waybackurls/GAU Output
  16. Combo Mode: Multiple Wordlists
  17. Tips
  18. Wordlists You Should Use

Installation

go install github.com/ffuf/ffuf/v2@latest

Or precompiled:
https://github.com/ffuf/ffuf/releases

Basic Syntax

ffuf -u https://target.com/FUZZ -w wordlist.txt

Basic Directory Fuzzing

ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

Filter by Status Code / Size / Words

ffuf -u https://target.com/FUZZ -w common.txt -mc 200
-mc 200 → Match (show) only this status code; without -mc ffuf shows 200-299,301,302,307,401,403,405,500
-fc 404 → Filter (hide) this status code
-fs 1234 → Filter by response size in bytes; measure the size of a junk request first, then hide it
-fw 20 → Filter by word count
-ml 10 / -fl 10 → Match / filter by line count

Matchers (-m*) say what to show, filters (-f*) say what to hide; a response is reported only if it passes the matchers and is not caught by any filter, so -mc all -fs 1234 is the usual way to see everything except the catch-all page.
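Measuring the catch-all response by hand gets tedious on a long run. The following added example (not from the original page and not part of ffuf) reads a CSV that ffuf wrote with -of csv -o out.csv, finds the dominant (status, size) pair, prints the -fs value that would hide it, and lists the words whose response differs from it. The sample CSV is constructed, and the column order is assumed to be ffuf v2's.

```sh
#!/bin/sh
# Added example, not part of the original page: work out which -fs value hides
# the catch-all response, from a CSV that ffuf wrote with -of csv -o out.csv.
# Assumes the ffuf v2 CSV column order shown in the header line below.
set -eu

# Constructed sample of an `ffuf -mc all -of csv -o out.csv` run: a 1234-byte
# soft-404 page comes back for most words; two responses differ from it.
SAMPLE_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
.git,https://target.com/.git,,0,200,1234,20,5,text/html,10ms,
admin,https://target.com/admin,,1,200,1234,20,5,text/html,12ms,
backup,https://target.com/backup,,2,200,1234,20,5,text/html,11ms,
login,https://target.com/login,,3,200,5872,310,88,text/html,20ms,
api,https://target.com/api,,4,401,58,4,1,application/json,9ms,
test,https://target.com/test,,5,200,1234,20,5,text/html,10ms,'

# Most frequent (status_code, content_length) pair and its count,
# e.g. "200 1234 4": that pair is the baseline worth filtering.
most_common_pair() {
  printf '%s\n' "$1" | awk -F, '
    NR > 1 { n[$5 " " $6]++ }
    END { for (k in n) if (n[k] > best) { best = n[k]; key = k }
          print key, best }'
}

# The ffuf flag that hides the baseline by size, e.g. "-fs 1234".
baseline_filter() {
  most_common_pair "$1" | awk '{ print "-fs " $2 }'
}

# FUZZ words whose (status, size) differs from the baseline: the real hits.
interesting_hits() {
  base=$(most_common_pair "$1" | cut -d' ' -f1,2)
  printf '%s\n' "$1" | awk -F, -v b="$base" \
    'NR > 1 && ($5 " " $6) != b { print $1 }'
}

baseline_filter "$SAMPLE_CSV"     # -fs 1234
interesting_hits "$SAMPLE_CSV"    # login, api
```

On a real run replace the constant with the file: baseline_filter "$(cat out.csv)". If the dominant pair is a 403 or 404 rather than a 200, hide it by code (-fc) instead of size, since error pages often vary slightly in length.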

Hidden Admin Pages Detection

ffuf -u https://target.com/FUZZ -w admin-panels.txt -mc 200

Use targeted wordlists like Admin-Login-Pages.txt.

File Extension Brute Force

ffuf -u https://target.com/FUZZ.php -w common.txt

Or:

ffuf -u https://target.com/FUZZ -w common.txt -e .php,.bak,.zip,.old,.php~

Use Case: discover .bak, .zip, .old or .php~ backup and editor files left next to live code. -e requests each word as-is and once more per extension, so the list above turns every wordlist entry into six requests.

Recursive Directory Bruteforce

ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2

Recursion only works when FUZZ is the last part of the URL: each hit that looks like a directory is queued and fuzzed again with the same wordlist, down to -recursion-depth levels. Keep the depth low with large wordlists, the request count multiplies with every level.

Subdomain Brute Forcing

ffuf -u https://FUZZ.target.com -w subdomains.txt

This resolves FUZZ.target.com over DNS for every word; names that do not resolve fail before any HTTP request is made and never show up, so the hits are live hosts. There is no need to set the Host header here, the URL already does that; it is the vHost technique below that needs -H.

Virtual Host (vHost) Discovery

ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -ac

Every request goes to the same IP, so every name gets an answer, usually the default site. Filter that baseline with -ac, or with -fs set to the size of the default response, otherwise every word in the list is reported.

Fuzzing GET Parameters

ffuf -u "https://target.com/index.php?FUZZ=test" -w params.txt -ac

Quote any URL that contains ? or & so the shell passes it through untouched. Most pages ignore unknown parameters and return the same response for almost every word, so filter that baseline with -ac, or with -fs set to the size of the unchanged page; -fs 0 only hides empty responses.

Fuzzing POST Parameters

ffuf -w params.txt -X POST -d 'FUZZ=test' -u https://target.com/login.php -H "Content-Type: application/x-www-form-urlencoded"

Add -fs to skip same-size error responses.

Authentication & Header Fuzzing

ffuf -u https://target.com/ -H "Authorization: Bearer FUZZ" -w tokenlist.txt -mc all -fc 401

Keep FUZZ out of the URL: a keyword is substituted everywhere it appears, so https://target.com/FUZZ together with Bearer FUZZ would also request a path named after each token. An invalid token normally gets a 401, so filter that and any other status code stands out.

Or:

ffuf -u https://target.com/ -w headers.txt -H "FUZZ: customvalue"

Bypass 403 Forbidden

ffuf -u https://target.com/FUZZ -w bypass-403.txt -mc all -fc 403,404

Here bypass-403.txt holds variants of the forbidden path (trailing slash, ..;/, URL-encoded dots, upper-case, an appended %20 or ?, and so on). The 403 is the baseline, so filter it rather than match it: with -mc 200,403,401 every line in the list would be reported. Header-based bypasses go through -H instead, for example -H "X-Forwarded-For: 127.0.0.1", or -H "X-Original-URL: FUZZ" against -u https://target.com/ with the forbidden paths as the wordlist.
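A ready-made bypass-403.txt only fits the path it was written for. The following added example (not from the original page and not part of ffuf) generates the usual path-level variants for any protected path, plus the header variants to try one at a time; the mutation and header sets are my assumed common ones, not an exhaustive list, and "admin" is just a sample path.

```sh
#!/bin/sh
# Added example, not part of the original page: build the path variants a
# bypass-403.txt list usually holds, for one protected path, plus the header
# variants to try one at a time. Both sets are an assumed common selection.
set -eu

# Path-level mutations: trailing characters, dot-segment and percent-encoding
# tricks, path-parameter (;) tricks, case change. For "admin" this emits 21 lines.
path_variants() {
  p=$1
  up=$(printf '%s' "$p" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' \
    "$p" "$p/" "$p/." "./$p" "$p//" "$p/%2e" "%2e/$p" "%2f$p" \
    "$p..;/" "$p;/" ".;/$p" \
    "$p%20" "$p%09" "$p%00" "$p?" "$p#" "$p~" "$p/*" \
    "$p.json" "$p.html" "$up"
}

# Header-level variants for the same path, one header per line.
header_variants() {
  printf '%s\n' \
    "X-Forwarded-For: 127.0.0.1" \
    "X-Originating-IP: 127.0.0.1" \
    "X-Custom-IP-Authorization: 127.0.0.1" \
    "X-Original-URL: /$1" \
    "X-Rewrite-URL: /$1"
}

# Send each header against the forbidden path with curl and print the status
# next to the header that produced it. Talks to the network; not invoked here.
check_headers() {
  url=$1; path=$2
  header_variants "$path" | while IFS= read -r h; do
    code=$(curl -s -o /dev/null -w '%{http_code}' -H "$h" "$url/$path")
    printf '%s\t%s\n' "$code" "$h"
  done
}

path_variants admin
```

Typical use: path_variants admin > variants.txt, then ffuf -u https://target.com/FUZZ -w variants.txt -mc all -fc 403,404; and check_headers https://target.com admin for the header side. Anything other than 403 in either run deserves a manual look, since a 200 on admin..;/ or ADMIN may be a different resource rather than the protected one.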

Input Reflection Fuzzing (Basic XSS/Debug)

ffuf -u "https://target.com/page.php?input=FUZZ" -w xss-payloads.txt -mr "<script>"

-mr → match responses whose body matches the regex, i.e. where the payload came back unencoded. -fr does the opposite and hides matching responses, so -fr "<script>" would drop exactly the interesting hits. A match only proves reflection; whether it is exploitable depends on the context the payload lands in and on any encoding applied, so confirm by hand.

Combine with Waybackurls/GAU Output

gau target.com | grep -iE '\.(php|asp)' | sort -u | ffuf -u FUZZ -w - -mc 200

gau prints full URLs, so FUZZ has to be the whole -u value; with -u https://target.com/FUZZ each line would be appended to the host and every request would miss. -w - reads the wordlist from stdin, and sort -u avoids requesting the same URL twice.

Combo Mode: Multiple Wordlists

ffuf -w usernames.txt:USERNAME -w passwords.txt:PASSWORD -u "https://target.com/login.php?u=USERNAME&p=PASSWORD" -mode clusterbomb

Quote the URL: an unquoted & sends ffuf to the background and hands p=PASSWORD to the shell as a separate command. -mode clusterbomb (the default) tries every username with every password; -mode pitchfork walks both lists in step, line N of one with line N of the other, which is what you want for a list of known username:password pairs.

Tips

Use -ac (auto-calibrate) on noisy targets: ffuf sends a few random words first and filters every response that looks like those

Use -of json -o results.json for structured output (-of needs -o); csv, html and md are available too, and -of all writes every format at once

Combine with tools like httpx or gau in bash pipelines

Let ffuf encode payloads for you with -enc (ffuf 2.x), e.g. -enc 'FUZZ:urlencode' or -enc 'FUZZ:b64encode', to get past naive filters

Create recon templates for repeatable workflows

Wordlists You Should Use

  • /usr/share/seclists/Discovery/Web-Content/
  • assetnote/commonspeak2
  • PayloadsAllTheThings
  • Custom wordlists from waybackurls, gau
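The last bullet, and the gau pipeline earlier, both need gau or waybackurls output turned into something ffuf can take. The following added example (not from the original page and not part of gau or ffuf) does that conversion for three of the lists used above: paths for directory fuzzing, parameter names for GET/POST parameter fuzzing, and an extension list for -e. The URLs are a constructed sample of what gau target.com might print.

```sh
#!/bin/sh
# Added example, not part of the original page: turn gau/waybackurls output
# into ffuf-ready wordlists (paths, parameter names, extensions).
# The sample URLs are constructed; the real input is the output of
# `gau target.com` read from a file or a pipe.
set -eu

SAMPLE_URLS='https://target.com/index.php?id=1&page=home
https://target.com/index.php?id=2
https://target.com/admin/login.php
https://target.com/static/app.js
https://target.com/api/v1/users?sort=asc&limit=10
http://target.com/backup/site.zip
https://cdn.target.com/assets/logo.png'

# Paths relative to the host root, deduplicated: the wordlist for
#   ffuf -u https://target.com/FUZZ -w paths.txt
url_paths() {
  printf '%s\n' "$1" |
    sed 's|^[a-z]*://[^/]*/*||; s|[?#].*$||' |
    grep -v '^$' | sort -u
}

# Query parameter names that were actually in use: the params.txt for
#   ffuf -u "https://target.com/index.php?FUZZ=test" -w params.txt
url_params() {
  printf '%s\n' "$1" |
    grep '?' | sed 's|^[^?]*?||; s|#.*$||' |
    tr '&' '\n' | cut -d= -f1 |
    grep -v '^$' | sort -u
}

# File extensions seen on the site, as one comma-separated value for -e
url_extensions() {
  url_paths "$1" |
    sed -n 's|^.*\.\([A-Za-z0-9]\{1,\}\)$|.\1|p' |
    sort -u | tr '\n' ',' | sed 's/,$//'
}

url_paths "$SAMPLE_URLS"        # 6 unique paths
url_params "$SAMPLE_URLS"       # id limit page sort
url_extensions "$SAMPLE_URLS"   # .js,.php,.png,.zip
```

For a real target: gau target.com > urls.txt, then url_paths "$(cat urls.txt)" > paths.txt and so on; the extension list drops straight into -e "$(url_extensions "$(cat urls.txt)")". Note that url_paths keeps paths from every host in the input (cdn.target.com above), so filter by host first if the fuzzing target is a single site.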