ffuf first checks whether a default configuration file exists. Its path is ~/.ffufrc (that is, $HOME/.ffufrc) on most *nixes, for example /home/joohoi/.ffufrc, and %USERPROFILE%\.ffufrc on Windows. This file can contain multiple options, which are then used for every subsequent ffuf job. An example .ffufrc file is provided with ffuf.
Options given on the command line override those loaded from the configuration file. This does not apply to CLI flags that can be given more than once; -H is an example of such a flag. Its values are added to those in the configuration file instead of replacing them.
You can also keep multiple configuration files for different purposes and select one with the -config command-line flag, which takes the path to the configuration file as its parameter.
You define the fuzzing position by placing the keyword FUZZ in your URL (-u), headers (-H), or POST data (-d).
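As an added illustration (not ffuf's own code), the following Python model shows how keyword markers placed in the URL, headers and POST data are expanded into concrete requests, and how the clusterbomb and pitchfork multi-wordlist modes named under -mode in the help text differ. The wordlists, the request template and the wrap-around handling of unequal pitchfork lists are this example's own assumptions; sniper mode, which takes a single wordlist, is not modelled.

```python
# Added example: a model of keyword expansion and multi-wordlist modes.
# Not ffuf's own code; wordlists and template are constructed sample data.
from itertools import product
from typing import Dict, Iterator, List

# Constructed wordlists, keyed by keyword as with `-w file:KEYWORD`.
WORDLISTS: Dict[str, List[str]] = {
    "PARAM": ["id", "user", "debug"],
    "VAL": ["1", "true"],
}

# Constructed request template; keywords may sit in the URL, headers and data.
TEMPLATE = {
    "url": "https://example.org/?PARAM=VAL",
    "headers": {"X-Trace": "PARAM"},
    "data": '{"PARAM": "VAL"}',
}


def substitute(template: dict, values: Dict[str, str]) -> dict:
    """Replace every occurrence of each keyword in url, headers and data."""
    def sub(text: str) -> str:
        for keyword, value in values.items():
            text = text.replace(keyword, value)
        return text

    return {
        "url": sub(template["url"]),
        "headers": {sub(k): sub(v) for k, v in template["headers"].items()},
        "data": sub(template["data"]),
    }


def value_sets(wordlists: Dict[str, List[str]], mode: str) -> Iterator[Dict[str, str]]:
    """Yield one keyword->value mapping per request for the given mode."""
    keywords = list(wordlists)
    if mode == "clusterbomb":
        # Cartesian product: every entry of each list against every entry of the others.
        for combo in product(*(wordlists[k] for k in keywords)):
            yield dict(zip(keywords, combo))
    elif mode == "pitchfork":
        # Parallel iteration: the i-th entry of every list forms one request.
        # The run length is the longest list; shorter lists wrap around
        # (this example's assumption for unequal lengths).
        longest = max(len(words) for words in wordlists.values())
        for i in range(longest):
            yield {k: wordlists[k][i % len(wordlists[k])] for k in keywords}
    else:
        raise ValueError(f"unsupported mode: {mode}")


def generate_requests(template: dict, wordlists: Dict[str, List[str]], mode: str) -> List[dict]:
    """Expand the template into the full request set for the chosen mode."""
    return [substitute(template, values) for values in value_sets(wordlists, mode)]


if __name__ == "__main__":
    for mode in ("clusterbomb", "pitchfork"):
        reqs = generate_requests(TEMPLATE, WORDLISTS, mode)
        print(f"{mode}: {len(reqs)} requests")
        for r in reqs:
            print("  ", r["url"], r["headers"], r["data"])
```

With the two constructed wordlists (3 and 2 entries), clusterbomb produces 3 × 2 = 6 requests while pitchfork produces 3, which is why request count, and therefore traffic against the target, depends on the mode as much as on wordlist size.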
Fuzz Faster U Fool

HTTP OPTIONS:
  -H                   Header "Name: Value", separated by a colon. Multiple -H flags are accepted.
  -X                   HTTP method to use.
  -d                   POST data.
  -ignore-body         Do not fetch the response content. (default: false)
  -r                   Follow redirects. (default: false)
  -recursion           Scan recursively. Only the FUZZ keyword is supported, and the URL (-u) has to end in it. (default: false)
  -recursion-depth     Maximum recursion depth. (default: 0)
  -recursion-strategy  Recursion strategy: "default" for a redirect-based approach, "greedy" to recurse on all matches. (default: default)
  -replay-proxy        Replay matched requests using this proxy.
  -sni                 Target HTTPS SNI; does not support the FUZZ keyword.
  -timeout             HTTP request timeout in seconds. (default: 10)
  -u                   Target URL.
  -x                   Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080

GENERAL OPTIONS:
  -V                   Show version information. (default: false)
  -ac                  Automatically calibrate filtering options. (default: false)
  -acc                 Custom auto-calibration string. Can be used multiple times. Implies -ac.
  -c                   Colorize output. (default: false)
  -config              Load configuration from a file.
  -maxtime             Maximum running time in seconds for the entire process. (default: 0)
  -maxtime-job         Maximum running time in seconds per job. (default: 0)
  -noninteractive      Disable the interactive console functionality. (default: false)
  -p                   Seconds of delay between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -sa                  Stop on all error cases. Implies -sf and -se. (default: false)
  -se                  Stop on spurious errors. (default: false)
  -t                   Number of concurrent threads. (default: 40)
  -v                   Verbose output, printing the full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:
  -mc                  Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405,500)
  -ml                  Match amount of lines in response.
  -mr                  Match regexp.
  -ms                  Match HTTP response size.
  -mt                  Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -mw                  Match amount of words in response.

FILTER OPTIONS:
  -fc                  Filter HTTP status codes from the response.
  -fl                  Filter by amount of lines in response. Comma-separated list of line counts and ranges.
  -fr                  Filter regexp.
  -fs                  Filter HTTP response size. Comma-separated list of sizes and ranges.
  -ft                  Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -fw                  Filter by amount of words in response. Comma-separated list of word counts and ranges.

INPUT OPTIONS:
  -D                   DirSearch wordlist compatibility mode. Used in conjunction with the -e flag. (default: false)
  -e                   Comma-separated list of extensions. Extends the FUZZ keyword.
  -ic                  Ignore wordlist comments. (default: false)
  -input-cmd           Command producing the input. --input-num is required when using this input method. Overrides -w.
  -input-num           Number of inputs to test. Used in conjunction with --input-cmd.
  -mode                Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper.
  -w                   Wordlist file path and (optional) keyword separated by a colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -debug-log           Write all of the internal logging to the specified file.
  -o                   Write output to file.
  -od                  Directory path to store matched results to.
  -of                  Output file format. Available formats: json, ejson, html, md, csv, ecsv (or "all" for all formats).

EXAMPLE USAGE:
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Colored, verbose output.
    ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

  Fuzz Host-header, match HTTP 200 responses.
    ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

  Fuzz POST JSON data. Match all responses not containing text "error".
    ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
      -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

  Fuzz multiple locations. Match only responses reflecting the value of the "VAL" keyword. Colored.
    ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

  More information and examples: https://github.com/ffuf/ffuf
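As an added example (not ffuf's own code), the Python below models the matcher and filter semantics the help text describes: the comma-separated code, size, line and word lists with lo-hi ranges, the ">N" / "<N" form of -mt and -ft, regexps for -mr and -fr, and the default -mc list that applies when no matcher is given. The combination rule it assumes is that a response is kept when at least one matcher accepts it and no filter rejects it. The Response records are constructed sample data, including a fixed-size catch-all page of the kind the first usage example filters out with -fs 42.

```python
# Added example: a model of matcher/filter selection as described in the
# ffuf help text. Not ffuf's own code; the Response objects are constructed.
import re
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

DEFAULT_MC = "200,204,301,302,307,401,403,405,500"  # default -mc from the help text


@dataclass
class Response:
    status: int
    size: int      # body size in bytes
    words: int
    lines: int
    ttfb_ms: int   # milliseconds to first response byte
    body: str


def parse_ranges(spec: str) -> Callable[[int], bool]:
    """'all', or a comma-separated list of values and lo-hi ranges, e.g. '200,301-302'."""
    if spec.strip() == "all":
        return lambda _n: True
    bounds: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            bounds.append((int(lo), int(hi)))
        else:
            bounds.append((int(item), int(item)))
    return lambda n: any(lo <= n <= hi for lo, hi in bounds)


def parse_time(spec: str) -> Callable[[int], bool]:
    """The -mt/-ft form: '>100' or '<100' milliseconds to first byte."""
    spec = spec.strip()
    if spec.startswith(">"):
        limit = int(spec[1:])
        return lambda n: n > limit
    if spec.startswith("<"):
        limit = int(spec[1:])
        return lambda n: n < limit
    raise ValueError(f"time spec must start with > or <: {spec!r}")


def predicate(flag: str, spec: str) -> Callable[[Response], bool]:
    """Turn a -m? or -f? flag and its argument into a predicate on a Response."""
    kind = flag[-1]  # c, l, r, s, t or w; shared by matcher and filter flags
    if kind == "r":
        regex = re.compile(spec)
        return lambda r: regex.search(r.body) is not None
    if kind == "t":
        in_time = parse_time(spec)
        return lambda r: in_time(r.ttfb_ms)
    field = {"c": "status", "l": "lines", "s": "size", "w": "words"}[kind]
    in_range = parse_ranges(spec)
    return lambda r: in_range(getattr(r, field))


def select(responses: Sequence[Response],
           matchers: Sequence[Tuple[str, str]],
           filters: Sequence[Tuple[str, str]]) -> List[Response]:
    """Keep a response when any matcher accepts it and no filter rejects it.
    With no matcher given, the default -mc list applies, as on the command line."""
    if not matchers:
        matchers = [("-mc", DEFAULT_MC)]
    match_preds = [predicate(f, s) for f, s in matchers]
    filter_preds = [predicate(f, s) for f, s in filters]
    return [r for r in responses
            if any(m(r) for m in match_preds)
            and not any(f(r) for f in filter_preds)]


# Constructed sample responses: a catch-all "soft 404" page of 42 bytes that
# answers 200 for any path, one real page, a true 404, a slow error and a redirect.
SAMPLE: List[Response] = [
    Response(200, 42, 7, 1, 35, "Not found"),
    Response(200, 1337, 210, 40, 80, "<title>Admin panel</title>"),
    Response(404, 42, 7, 1, 30, "Not found"),
    Response(500, 95, 12, 3, 450, "error: database timeout"),
    Response(302, 0, 0, 0, 20, ""),
]


if __name__ == "__main__":
    # Same selection as the first usage example in the help text: -mc all -fs 42
    for r in select(SAMPLE, [("-mc", "all")], [("-fs", "42")]):
        print(r.status, r.size, r.ttfb_ms, "ms")
```

Run against the sample, `-mc all -fs 42` drops both 42-byte "Not found" responses regardless of status code, while the default matcher list alone keeps the soft-404 and only removes the true 404; that is the difference between matching on status and filtering on a size signature of the catch-all page.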
Interactive mode
While ffuf is running, press ENTER to pause execution. You are then dropped into a shell-like interactive mode.
Type "help" in interactive mode to see the complete list of commands:

  > help
  available commands:
   fc
In this mode you can reconfigure filters, manage the job queue, and save the current state to disk.
After (re)configuring filters, all false-positive matches that the new filters exclude are removed from memory.
You can print the new match state with the show command, which lists all matches exactly as ffuf found them.
Removing filters cannot restore lost matches, because "negative" matches are not kept in memory. To handle that scenario, use the restart command, which resets the state and starts the job again from scratch.
Sponsorware
ffuf uses a sponsorware model. All new features created by the author are made available to sponsors only at first. 30 days after the exclusive release, the new features are released to the freely available open-source repository.
I can provide tangible benefits to the companies and individuals who allow me to work on ffuf.
The open-source repository contains all community contributions; the exclusive version only adds the new features that the author created.
Get the sponsorware by submitting code
The sponsorware is also available to anyone who makes significant contributions to ffuf; see the repository for a good place to start such a contribution.
Advanced payloads and Helperscripts
Helper scripts and payload generators for various workflows and use cases are available in a separate repository.
License
ffuf is released under the MIT License. See the license file in the repository.