ffuf - Fast web fuzzer written in Go
ffuf is a fest web fuzzer written in Go that allows typical
directory discovery, virtual host discovery (without DNS records) and GET
and POST parameter fuzzing.
HTTP OPTIONS
- -H
- Header "Name: Value", separated by colon. Multiple -H
flags are accepted.
- -X
- HTTP method to use (default: GET)
- -b
- Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl
functionality.
- -d
- POST data
- -ignore-body
- Do not fetch the response content. (default: false)
- -r
- Follow redirects (default: false)
- -recursion
- Scan recursively. Only FUZZ keyword is supported, and URL (-u) has
to end in it. (default: false) -recursion-depth Maximum recursion
depth. (default: false)
- -recursion-depth
- Maximum recursion depth. (default: 0)
- -recursion-strategy
- Recursion strategy: "default" for a redirect based, and
"greedy" to recurse on all matches (default: default)
- -replay-proxy
- Replay matched requests using this proxy.
- -sni
- Target TLS SNI, does not support FUZZ keyword.
- -timeout
- HTTP request timeout in seconds. (default: 10)
- -u
- Target URL
- -x
- HTTP Proxy URL
GENERAL OPTIONS
- -V
- Show version information. (default: false)
- -ac
- Automatically calibrate filtering options (default: false)
- -acc
- Custom auto-calibration string. Can be used multiple times. Implies
-ac
- -c
- Colorize output. (default: false)
- -maxtime
- Maximum running time in seconds. (default: 0)
- -maxtime-job
- Maximum running time in seconds per job. (default: 0)
- -noninteractive
- Disable the interactive console functionality (default: false)
- -p
- Seconds of 'delay' between requests, or a range of random delay. For
example "0.1" or "0.1-2.0"
- -rate
- Rate of requests per second (default: 0)
- -s
- Do not print additional information (silent mode) (default: false)
- -sa
- Stop on all error cases. Implies -sf and -se. (default:
false)
- -se
- Stop on spurious errors (default: false)
- -sf
- Stop when > 95% of responses return 403 Forbidden (default: false)
- -t
- Number of concurrent threads. (default: 40)
- -v
- Verbose output, printing full URL and redirect location (if any) with the
results. (default: false)
MATCHER OPTIONS
- -mc
- Match HTTP status codes, or "all" for everything. (default:
200,204,301,302,307,401,403)
- -ml
- Match amount of lines in response
- -mr
- Match regexp
- -ms
- Match HTTP response size
- -mt
- Match how many milliseconds to the first response byte, either greater or
less than. EG: >100 or <100
- -mw
- Match amount of words in response
FILTER OPTIONS
- -fc
- Filter HTTP status codes from response. Comma separated list of codes and
ranges
- -fl
- Filter by amount of lines in response. Comma separated list of line counts
and ranges
- -fr
- Filter regexp
- -fs
- Filter HTTP response size. Comma separated list of sizes and ranges
- -ft
- Filter by number of milliseconds to the first response byte, either
greater or less than. EG: >100 or <100
- -fw
- Filter by amount of words in response. Comma separated list of word counts
and ranges
INPUT OPTIONS
- -D
- DirSearch wordlist compatibility mode. Used in conjunction with -e
flag. (default: false)
- -e
- Comma separated list of extensions. Extends FUZZ keyword.
- -ic
- Ignore wordlist comments (default: false)
- -input-cmd
- Command producing the input. --input-num is required when using
this input method. Overrides -w.
- -input-num
- Number of inputs to test. Used in conjunction with --input-cmd.
(default: 100)
- -input-shell
- Shell to be used for running command
- -mode
- Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork
(default: clusterbomb)
- -request
- File containing the raw http request
- -request-proto
- Protocol to use along with raw request (default: https)
- -w
- Wordlist file path and (optional) keyword separated by colon. eg.
'/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS
- -debug-log
- Write all of the internal logging to the specified file.
- -o
- Write output to file
- -od
- Directory path to store matched results to.
- -of
- Output file format. Available formats: json, ejson, html, md, csv, ecsv
(or, 'all' for all formats) (default: json)
- -or
- Don't create the output file if we don't have results (default:
false)
INTERACTIVE MODE
Fuzz file paths from wordlist.txt, match all responses but filter
out those with content-size 42. Colored, verbose output.
Fuzz Host-header, match HTTP 200 responses.
Fuzz POST JSON data. Match all responses not containing text
"error".
Fuzz multiple locations. Match only responses reflecting the value
of "VAL" keyword. Colored.
More information and examples:
https://github.com/ffuf/ffuf
In INTERACTIVE MODE, filters can be reconfigured, queue
managed and the current state saved to disk.
When (re)configuring the filters, they get applied posthumously
and all the false positive matches from memory that would have been filtered
out by the newly added filters get deleted.
The new state of matches can be printed out with a command show
that will print out all the matches as like they would have been found by
ffuf.
As "negative" matches are not stored to memory, relaxing
the filters cannot unfortunately bring back the lost matches. For this kind
of scenario, the user is able to use the command restart, which resets the
state and starts the current job from the beginning.
This manual page was written based on the author's README by Pedro
Loami Barbosa dos Santos <pedro@loami.eng.br> for the Debian project
(but may be used by others).