Attacking Web Applications with Ffuf¶
What Is Ffuf?¶
Ffuf (Fuzz Faster U Fool) is a fast, flexible web fuzzer written in Go. It accepts one or more wordlists and injects each entry at positions you mark with the FUZZ keyword — in the URL path, query string, headers, POST body, or anywhere else in the HTTP request. Its speed (multithreaded, compiled binary) and filtering power make it the go-to tool for OSCP/CPTS-level web enumeration.
Unlike tools that are locked into a single fuzzing mode (e.g., directory brute-forcing only), ffuf is a generic HTTP fuzzer. You define where the payload goes and how to identify hits. That flexibility is what makes it a core exam tool.
Installation¶
# Kali / Parrot (pre-installed)
which ffuf
# Manual install (latest)
go install github.com/ffuf/ffuf/v2@latest
# Verify
ffuf -V
Pre-installed on exam VMs
Both OSCP (Kali) and CPTS (PwnBox) ship with ffuf already in $PATH. You shouldn't need to install it during an exam — but verify the version if a flag you need isn't available.
Core Syntax¶
Every ffuf command follows the same pattern:
The FUZZ keyword is a placeholder that ffuf replaces with each line from the wordlist. You can place it anywhere in the request:
| Position | Example |
|---|---|
| URL path | -u http://10.10.10.5/FUZZ |
| File extension | -u http://10.10.10.5/indexFUZZ |
| Subdomain | -u http://FUZZ.target.com |
| Host header | -H "Host: FUZZ.target.com" |
| GET parameter name | -u http://10.10.10.5/page?FUZZ=value |
| POST body | -d "FUZZ=value" |
| Parameter value | -u http://10.10.10.5/page?id=FUZZ |
You can also use multiple keywords (e.g., W1, W2) for multi-position fuzzing:
Common Flags Reference¶
| Flag | Purpose | Example |
|---|---|---|
-w |
Wordlist (:KEYWORD to name it) |
-w list.txt:FUZZ |
-u |
Target URL | -u http://10.10.10.5/FUZZ |
-t |
Threads (default 40) | -t 100 |
-rate |
Max requests/second | -rate 500 |
-fc |
Filter by HTTP status code | -fc 404,403 |
-fs |
Filter by response size (bytes) | -fs 4242 |
-fw |
Filter by word count | -fw 12 |
-fl |
Filter by line count | -fl 10 |
-mc |
Match by HTTP status code | -mc 200,301 |
-ms |
Match by response size | -ms 1234 |
-mw |
Match by word count | -mw 50 |
-ml |
Match by line count | -ml 20 |
-e |
Extensions to append | -e .php,.html,.txt |
-recursion |
Enable recursive fuzzing | -recursion |
-recursion-depth |
Max recursion depth | -recursion-depth 2 |
-H |
Custom header | -H "Host: FUZZ.target.com" |
-X |
HTTP method | -X POST |
-d |
POST data body | -d "key=FUZZ" |
-v |
Verbose (show full URL + redirect) | -v |
-o |
Output file | -o results.json |
-of |
Output format (json, csv, md, html) | -of json |
-ic |
Ignore wordlist comments | -ic |
-timeout |
HTTP timeout in seconds | -timeout 10 |
-ac |
Auto-calibrate filtering | -ac |
Methodology¶
The fuzzing workflow follows a logical escalation from broad discovery to targeted exploitation:
graph LR
A[Directory<br>Fuzzing] --> B[Extension<br>Fuzzing]
B --> C[Page<br>Fuzzing]
C --> D[Recursive<br>Fuzzing]
D --> E[Subdomain<br>Fuzzing]
E --> F[VHost<br>Fuzzing]
F --> G[Parameter<br>Fuzzing]
G --> H[Value<br>Fuzzing]
Each phase builds on the previous:
- Directory Fuzzing — Find top-level directories on the target
- Extension Fuzzing — Determine what tech stack / file types the server uses
- Page Fuzzing — Combine directories + extensions to find actual pages
- Recursive Fuzzing — Automatically spider nested directories
- Subdomain Fuzzing — Discover DNS-resolvable subdomains
- VHost Fuzzing — Find virtual hosts that don't have DNS entries
- Parameter Fuzzing — Discover hidden GET/POST parameters on known pages
- Value Fuzzing — Brute-force parameter values for exploitation
Series Navigation¶
| # | Page | What You'll Learn |
|---|---|---|
| 1 | Directory Fuzzing | Finding top-level directories, filtering false positives |
| 2 | Extension Fuzzing | Identifying the web technology stack |
| 3 | Page Fuzzing | Discovering actual files within directories |
| 4 | Recursive Fuzzing | Automated deep-dive into nested paths |
| 5 | Subdomain Fuzzing | DNS-based subdomain enumeration |
| 6 | VHost Fuzzing | Virtual host discovery via Host header |
| 7 | Parameter Fuzzing — GET | Finding hidden query parameters |
| 8 | Parameter Fuzzing — POST | POST parameter discovery + curl equivalents |
| 9 | Value Fuzzing | Brute-forcing parameter values |
| 10 | Cheatsheet | Consolidated quick reference |