CyberCheatsheets

ffuf Cheat Sheet

Fast web fuzzer for directories, parameters, vhosts, and header injection with flexible matchers.

Category: Scanning & Enumeration. Tags: directory-bruteforce, fuzzing, vhost, web. Updated 2026-06-02

Overview

ffuf (Fuzz Faster U Fool) fuzzes URLs, parameters, headers, and POST bodies using wordlists and powerful filtering. It replaces or complements gobuster when you need multi-position fuzzing, JSON APIs, or fine-grained match/filter rules.

Authorized testing only. High concurrency can DoS small apps. Cap threads and use delays on shared or production systems.

Install

go install github.com/ffuf/ffuf/v2@latest
sudo apt install -y ffuf
ffuf -V

Essential commands

Directory fuzz

ffuf -u https://target.example.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

Extensions

ffuf -u https://target.example.com/FUZZ -w wordlist.txt -e .php,.html,.bak

Filter noise (hide 404 of size 1234)

ffuf -u https://target.example.com/FUZZ -w wordlist.txt -fs 1234

Quick one-liners

Fuzz directories on a site

ffuf -u https://target.example.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

Hide responses that are always 404 with size 1234

ffuf -u https://target.example.com/FUZZ -w wordlist.txt -fs 1234

Discover vhosts via Host header

ffuf -u https://target.example.com -H "Host: FUZZ.target.example.com" -w vhosts.txt

Fuzz GET parameters on a URL

ffuf -u "https://target.example.com/search?FUZZ=test" -w params.txt -fc 404

Throttle and send traffic through Burp

ffuf -u https://target.example.com/FUZZ -w wordlist.txt -t 10 -p 0.5 -x http://127.0.0.1:8080

Common workflows

Virtual host fuzzing

ffuf -u https://target.example.com -H "Host: FUZZ.target.example.com" -w vhosts.txt -fs 4242

Parameter fuzzing

ffuf -u "https://target.example.com/search?FUZZ=test" -w params.txt -fc 404

POST JSON API (one command, continued with a trailing backslash)

ffuf -u https://target.example.com/api -X POST -H "Content-Type: application/json" \
  -d '{"user":"FUZZ"}' -w users.txt -mc 200,401

Recursive (manual chain)

ffuf -u https://target.example.com/FUZZ -w dirs.txt -recursion -recursion-depth 2

Rate limit and proxy

ffuf -u https://target.example.com/FUZZ -w wordlist.txt -t 10 -p 0.5 -x http://127.0.0.1:8080

Flags reference

-u                     URL with FUZZ keyword
-w                     Wordlist (path:keyword for multiple)
-X                     HTTP method
-d                     POST data
-H                     Header (Name: Value)
-mc                    Match HTTP status codes
-ms                    Match response size
-mw                    Match word count
-ml                    Match line count
-fc / -fs / -fw / -fl  Filter status/size/words/lines
-e                     Extensions appended
-t                     Threads
-p                     Delay between requests (seconds)
-x                     Proxy URL
-o                     Output file (json, csv, html)
-recursion             Recursive fuzzing

Tips

  • Calibrate filters on a known 404: note size/words and use -fs or -fw.
  • Use FUZZ, W1, W2 in URL and multiple -w lists for combo fuzzing.
  • -request / -request-proto help with raw HTTP when needed.
  • Prefer lower -t behind WAFs; rotate -H "User-Agent: …" if allowed.
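Added defender-side example, not part of the original cheat sheet: a small detector that flags, in web server access logs, the traffic the commands above produce (a burst of mostly-404 requests from one client, or ffuf's default "Fuzz Faster U Fool" User-Agent when it was not overridden with -H). The log lines, IPs and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_fuzzing(lines, window_s=60, min_requests=20, min_404_ratio=0.8):
    """Map client IP -> reason for clients whose traffic looks like wordlist fuzzing.
    Signal 1: ffuf's default User-Agent, left in place when -H did not override it.
    Signal 2: >= min_requests inside window_s seconds, dominated by 404s, which is
    what a wordlist of mostly non-existent paths or vhosts produces."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        if any(r["ua"].startswith("Fuzz Faster U Fool") for r in recs):
            findings[ip] = "ffuf default User-Agent"
            continue
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over the sorted timestamps
        for end, cur in enumerate(recs):
            while (cur["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            burst = recs[start:end + 1]
            ratio = sum(r["status"] == 404 for r in burst) / len(burst)
            if len(burst) >= min_requests and ratio >= min_404_ratio:
                findings[ip] = f"{len(burst)} requests/{window_s}s, {ratio:.0%} 404"
                break
    return findings

# Constructed sample: a 25-request burst, one browser hit, one default-UA client.
SAMPLE_LOG = [
    f'203.0.113.5 - - [02/Jun/2026:10:00:{i:02d} +0000] "GET /w{i} HTTP/1.1" '
    f'{404 if i % 10 else 200} 1234 "-" "Mozilla/5.0"' for i in range(25)
] + [
    '198.51.100.7 - - [02/Jun/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jun/2026:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 404 1234 "-" "Fuzz Faster U Fool v2.1.0"',
]
```

Tune window_s, min_requests and min_404_ratio to the site's normal 404 rate before alerting on it; the size-based -fs/-fw calibration a tester does on the client side has a server-side mirror in the 404 ratio used here.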
