ffuf-web-fuzzing

FFUF Web Fuzzing

Guidance for using ffuf (Fuzz Faster U Fool) effectively during authorized penetration testing.

Prerequisites

ffuf must be installed: brew install ffuf (macOS) or go install github.com/ffuf/ffuf/v2@latest

When to Use

• Running directory, file, or subdomain discovery against web targets
• Fuzzing API endpoints, parameters, or POST data
• Authenticated fuzzing with raw HTTP requests
• Analyzing ffuf JSON output for anomalies and interesting findings
• Building fuzzing strategies (wordlist selection, filtering, rate limiting)
• IDOR testing with authenticated sessions

When NOT to Use

• Target system is not in scope or authorization is unclear
• Passive reconnaissance is more appropriate (use OSINT tools instead)
• The target is a production system and rate limiting hasn't been configured
• You need a full vulnerability scanner (use Burp Suite, Nuclei, etc.)
• Testing for logic flaws that require multi-step interaction

Rationalizations to Reject

• "Auto-calibration is optional" -- -ac is mandatory. Without it, results are buried in false positives and analysis is wasted effort.
• "More threads = faster results" -- Hammering a target with -t 200 triggers WAFs, gets you blocked, and may crash staging environments. Start with -t 10 -rate 2 for production targets.
• "I'll filter later" -- Set up filtering before the scan. Running a 220k wordlist without filters and then trying to grep through the noise is backwards.
• "The default wordlist is fine" -- Wordlist selection is the most important decision. A generic wordlist misses technology-specific paths. See references/wordlists.md.
• "Raw requests are too much work" -- For authenticated fuzzing, --request req.txt is simpler and more reliable than chaining -H and -b flags. Capture once, fuzz many times.

Critical Rules

1. Always use -ac (auto-calibration) unless you have a specific, documented reason not to
2. Always save output with -o results.json for later analysis
3. Rate limit production targets with -rate and -t flags
4. Use --request for auth -- raw request files beat command-line header chains
5. Confirm authorization first -- before running any scan, verify the user has written permission for the target. Ask if unclear.

Core Concepts

The FUZZ Keyword

# In URL path
ffuf -w wordlist.txt -u https://target.com/FUZZ -ac

# In headers
ffuf -w wordlist.txt -u https://target.com -H "Host: FUZZ.target.com" -ac

# In POST body
ffuf -w wordlist.txt -X POST -d "user=admin&pass=FUZZ" -u https://target.com/login -ac

# Multiple positions with custom keywords
ffuf -w endpoints.txt:EP -w ids.txt:ID -u https://target.com/EP/ID -mode pitchfork -ac

Auto-Calibration

-ac automatically detects and filters repetitive false-positive responses. It adapts to the target's specific behavior and removes noise from dynamic content.

ffuf -w wordlist.txt -u https://target.com/FUZZ -ac        # Standard
ffuf -w wordlist.txt -u https://target.com/FUZZ -ach       # Per-host (multi-host scans)
ffuf -w wordlist.txt -u https://target.com/FUZZ -acc "404" # Custom calibration string

Common Patterns

Directory Discovery

ffuf -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt \
     -u https://target.com/FUZZ -e .php,.html,.txt,.bak \
     -ac -c -v -o results.json

Subdomain Enumeration

ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt \
     -u https://FUZZ.target.com -ac -c -v -o results.json

API Endpoint Discovery

ffuf -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt \
     -u https://api.target.com/v1/FUZZ \
     -H "Authorization: Bearer YOUR_TOKEN_HERE" -mc 200,201 -ac -c

Authenticated Fuzzing with Raw Requests

Capture a full authenticated request, save to req.txt, insert FUZZ:

POST /api/v1/users/FUZZ HTTP/1.1
Host: target.com
Authorization: Bearer YOUR_TOKEN_HERE
Cookie: session=YOUR_SESSION_ID
Content-Type: application/json

{"action":"view","id":"1"}

ffuf --request req.txt -w wordlist.txt -ac -o results.json

See references/request-templates.md for pre-built templates covering bearer tokens, session cookies, API keys, and GraphQL.

Authenticated Fuzzing: Agent Workflow

Authenticated fuzzing requires real credentials that the agent cannot obtain independently. When the user asks for authenticated fuzzing:

1. Ask the user to provide ONE of:
   • A raw HTTP request file (req.txt) with auth headers already included
   • A curl command from browser DevTools (convert it to req.txt format)
   • Individual credentials (Bearer token, session cookie, API key)
2. If given a curl command, convert it to raw HTTP request format and write to req.txt
3. If given individual credentials, use a template from references/request-templates.md and substitute real values
4. Never fabricate or guess authentication tokens

IDOR Testing

ffuf --request req.txt -w <(seq 1 10000) -ac -mc 200 -o idor_results.json

Rate Limiting

Environment	Flags	Notes
Production (stealth)	-rate 2 -t 10	Avoid WAF triggers
Production (normal)	-rate 10 -t 20	Balanced
Staging/Dev	-rate 50 -t 40	Faster
Local/Lab	No limit, -t 100	Maximum speed

Analyzing Results

Save output as JSON (-o results.json), then read the file and focus on:

• Anomalous status codes -- anything other than the baseline 404/403
• Size outliers -- responses significantly larger or smaller than average
• Interesting keywords in URLs -- admin, api, backup, config, .git, .env
• Timing anomalies -- slow responses may indicate SQL injection or heavy processing
• Follow-up targets -- interesting findings warrant deeper fuzzing

Use -fs to filter by response size and -fc to filter by status code when auto-calibration isn't sufficient. Run ffuf -h for the full list of match/filter flags.

References

• Wordlist selection guide -- recommended SecLists by scenario
• Authenticated request templates -- pre-built req.txt for bearer tokens, cookies, API keys
• ffuf official docs
• SecLists