# Basic directory discoveryffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ
# With status code filterffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-fc404# With response size filter (after checking baseline)ffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-fs4242# Auto-calibrate filteringffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-ac
# Fast with increased threadsffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-fc404-t100
# Discover extensions on a known directory (recommended first step)ffuf-w/usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ\-uhttp://SERVER_IP:PORT/blog/indexFUZZ
# Append extensions to wordlist entriesffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/blog/FUZZ-e.php,.html,.txt
# Multi-keyword: filename × extensionffuf-w/usr/share/seclists/Discovery/Web-Content/common.txt:FILE\-w/usr/share/seclists/Discovery/Web-Content/web-extensions.txt:EXT\-uhttp://SERVER_IP:PORT/FILE.EXT-fc404# Backup file extensionsffuf-w/tmp/backup-ext.txt:FUZZ\-uhttp://SERVER_IP:PORT/admin/config.phpFUZZ
# Find pages within a directory (known extension)ffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/blog/FUZZ.php-fc404# Quick check with common filenamesffuf-w/usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ\-uhttp://SERVER_IP:PORT/admin/FUZZ.php-fc404# Multi-extension page fuzzingffuf-w/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-e.php,.html,.txt-fc404# Quick-hits (common sensitive files)ffuf-w/usr/share/seclists/Discovery/Web-Content/quickhits.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-fc404
# Recursive with depth limit (recommended)ffuf-w/usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-recursion-recursion-depth2-e.php-fc404# Recursive with auto-calibrateffuf-w/usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-recursion-recursion-depth2-e.php-ac-t100# Recursive with outputffuf-w/usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ\-uhttp://SERVER_IP:PORT/FUZZ-recursion-recursion-depth2\-e.php-fc404-orecursive.json-ofjson-v
# Basic vhost discoveryffuf-w/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ\-uhttp://target.com-H"Host: FUZZ.target.com"-fs986# Against IP directlyffuf-w/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ\-uhttp://10.10.10.5-H"Host: FUZZ.target.com"-fs986# With word count filter (more stable than size)ffuf-w/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ\-uhttp://10.10.10.5-H"Host: FUZZ.target.com"-fw423# HTTPS with vhost fuzzingffuf-w/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ\-uhttps://target.com-H"Host: FUZZ.target.com"-fs986
# Form-encoded POST parameter discoveryffuf-w/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ\-uhttp://SERVER_IP:PORT/admin/admin.php-XPOST\-d"FUZZ=key"-H"Content-Type: application/x-www-form-urlencoded"-fs0# JSON POST parameter discoveryffuf-w/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ\-uhttp://SERVER_IP:PORT/api/endpoint-XPOST\-d'{"FUZZ":"value"}'-H"Content-Type: application/json"-fs0# With authenticationffuf-w/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ\-uhttp://SERVER_IP:PORT/admin/admin.php-XPOST\-d"FUZZ=key"-H"Content-Type: application/x-www-form-urlencoded"\-H"Cookie: session=abc123"-fs0# PUT methodffuf-w/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ\-uhttp://SERVER_IP:PORT/api/resource/1-XPUT\-d'{"FUZZ":"value"}'-H"Content-Type: application/json"-fs0
graph TD
A[Start Fuzzing] --> B{Getting too<br>many results?}
B -->|No| C[Results are clean ✓]
B -->|Yes| D{All same<br>status code?}
D -->|Yes| E[Use -fc to filter that code]
D -->|No| F{All same<br>response size?}
F -->|Yes| G[Use -fs to filter that size]
F -->|No| H{All same<br>word count?}
H -->|Yes| I[Use -fw to filter that count]
H -->|No| J{All same<br>line count?}
J -->|Yes| K[Use -fl to filter that count]
J -->|No| L[Use -ac auto-calibrate]
Start recursive (common.txt, depth 2, -e .php) while you enumerate manually
Check /etc/hosts entries for the box — vhosts are common exam targets
Always note response sizes when browsing — makes filtering instant
Save everything to JSON (-o) — you can grep it later without re-running
Output Parsing
# Extract URLs from JSON outputcatresults.json|jq-r'.results[].url'# Extract just the FUZZ valuescatresults.json|jq-r'.results[].input.FUZZ'# Sort by response size (find outliers)catresults.json|jq-r'.results[] | "\(.length) \(.url)"'|sort-n