ffuf-web-fuzzing

FFUF (Fuzz Faster U Fool) Skill

Overview

FFUF is a fast web fuzzer written in Go, designed for discovering hidden content, directories, files, subdomains, and testing for vulnerabilities during penetration testing. It's significantly faster than traditional tools like dirb or dirbuster.

Installation

```bash
# Using Go
go install github.com/ffuf/ffuf/v2@latest

# Using Homebrew (macOS)
brew install ffuf

# Binary download: prebuilt binaries are published on the ffuf GitHub releases page
```

Core Concepts

The FUZZ Keyword

The `FUZZ` keyword is used as a placeholder that gets replaced with entries from your wordlist. You can place it anywhere:
- URLs: `https://target.com/FUZZ`
- Headers: `-H "Host: FUZZ"`
- POST data: `-d "username=admin&password=FUZZ"`
- Multiple locations with custom keywords: `-w wordlist.txt:CUSTOM`, then use `CUSTOM` instead of `FUZZ`

Multi-wordlist Modes

- clusterbomb: Tests all combinations (default) - cartesian product of the wordlists
- pitchfork: Iterates through the wordlists in parallel (1-to-1 matching)
- sniper: Tests one position at a time (for multiple FUZZ positions)

Common Use Cases

1. Directory and File Discovery

```bash
# Basic directory fuzzing
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ

# With file extensions
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -e .php,.html,.txt,.pdf

# Colored and verbose output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -c -v

# With recursion (finds nested directories)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2
```

2. Subdomain Enumeration

```bash
# Virtual host discovery
ffuf -w /path/to/subdomains.txt -u https://target.com -H "Host: FUZZ.target.com" -fs 4242
# Note: -fs 4242 filters out responses of size 4242 (adjust based on the default response size)
```

3. Parameter Fuzzing

```bash
# GET parameter names
ffuf -w /path/to/params.txt -u https://target.com/script.php?FUZZ=test_value -fs 4242

# GET parameter values
ffuf -w /path/to/values.txt -u https://target.com/script.php?id=FUZZ -fc 401

# Multiple parameters
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://target.com/?PARAM=VAL -mode clusterbomb
```

4. POST Data Fuzzing

```bash
# Basic POST fuzzing
ffuf -w /path/to/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login.php -fc 401

# JSON POST data
ffuf -w entries.txt -u https://target.com/api -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "key": "value"}' -fr "error"

# Fuzzing multiple POST fields
ffuf -w users.txt:USER -w passes.txt:PASS -X POST -d "username=USER&password=PASS" -u https://target.com/login -mode pitchfork
```

5. Header Fuzzing

```bash
# Custom headers
ffuf -w /path/to/wordlist.txt -u https://target.com -H "X-Custom-Header: FUZZ"

# Multiple headers
ffuf -w /path/to/wordlist.txt -u https://target.com -H "User-Agent: FUZZ" -H "X-Forwarded-For: 127.0.0.1"
```

Filtering and Matching

Matchers (Include Results)

- `-mc`: Match status codes (default: 200-299,301,302,307,401,403,405,500)
- `-ml`: Match line count
- `-mr`: Match regex
- `-ms`: Match response size
- `-mt`: Match response time (e.g., `>100` or `<100` milliseconds)
- `-mw`: Match word count

Filters (Exclude Results)

- `-fc`: Filter status codes (e.g., `-fc 404,403,401`)
- `-fl`: Filter line count
- `-fr`: Filter regex (e.g., `-fr "error"`)
- `-fs`: Filter response size (e.g., `-fs 42,4242`)
- `-ft`: Filter response time
- `-fw`: Filter word count

Auto-Calibration (USE BY DEFAULT!)

CRITICAL: Always use `-ac` unless you have a specific reason not to. This is especially important when having Claude analyze results, as it dramatically reduces noise and false positives.

```bash
# Auto-calibration - ALWAYS USE THIS
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ac

# Per-host auto-calibration (useful for multiple hosts)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ach

# Custom auto-calibration string (for specific patterns)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -acc "404NotFound"
```

**Why `-ac` is essential:**
- Automatically detects and filters repetitive false positive responses
- Removes noise from dynamic websites with random content
- Makes results analysis much easier for both humans and Claude
- Prevents thousands of identical 404/403 responses from cluttering output
- Adapts to the target's specific behavior

**When Claude analyzes your ffuf results, `-ac` is MANDATORY** - without it, Claude will waste time sifting through thousands of false positives instead of finding the interesting anomalies.
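To make concrete what `-ac` removes, here is an added Python model of the calibration idea; it is not ffuf's own code and simplifies its logic (the probe names, the per-status grouping and the rule "a metric that is constant across probes becomes a filter" are assumptions), and the target's responses are constructed in-line rather than fetched.

```python
"""Model of auto-calibration: probe paths that cannot exist, find which
response metrics stay constant across the probes, and filter on those.
Simplified illustration, not ffuf's implementation."""
import random
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    length: int   # response size in bytes (what -fs/-ms look at)
    words: int    # whitespace-separated words (-fw/-mw)
    lines: int    # newline-separated lines (-fl/-ml)


def constructed_target(path: str) -> Response:
    """Constructed 'soft 404' site: unknown paths get 200 with the path echoed
    back, so the size changes per path while words and lines stay the same."""
    real = {"/admin": Response(301, 0, 0, 0),
            "/api": Response(200, 2104, 310, 58)}
    if path in real:
        return real[path]
    body = f"<html>\n<body>Not found: {path}</body>\n</html>\n"
    return Response(200, len(body), len(body.split()), body.count("\n"))


def calibration_probes(rng: random.Random):
    """Probe paths in the spirit of ffuf's (random string, admin<rand>,
    .htaccess<rand>); the exact probe set is an assumption."""
    tails = ["".join(rng.choices(string.ascii_lowercase, k=12)) for _ in range(3)]
    return [f"/{tails[0]}", f"/admin{tails[1]}", f"/.htaccess{tails[2]}"]


def calibrate(fetch, probes):
    """Return {status: {metric: value}} for every metric that is identical
    across all probes with that status. A metric that varies (here: length,
    because the path is echoed) is deliberately not turned into a filter."""
    by_status = {}
    for r in (fetch(p) for p in probes):
        by_status.setdefault(r.status, []).append(r)
    filters = {}
    for status, group in by_status.items():
        stable = {}
        for metric in ("length", "words", "lines"):
            values = {getattr(r, metric) for r in group}
            if len(values) == 1:
                stable[metric] = values.pop()
        filters[status] = stable
    return filters


def apply_filters(results, filters):
    """Drop results matching a calibrated profile on every stable metric.
    A status with no stable metric filters nothing (safe default)."""
    survivors = []
    for path, r in results:
        profile = filters.get(r.status)
        if profile and all(getattr(r, m) == v for m, v in profile.items()):
            continue
        survivors.append(path)
    return survivors


def run_scan(wordlist, seed=1):
    """Calibrate, fetch every word, filter; returns (survivors, total)."""
    rng = random.Random(seed)
    filters = calibrate(constructed_target, calibration_probes(rng))
    results = [(w, constructed_target(w)) for w in wordlist]
    return apply_filters(results, filters), len(results)


if __name__ == "__main__":
    words = ["/admin", "/api", "/backup", "/old", "/test", "/uploads"]
    kept, total = run_scan(words)
    print(f"{total} responses, {len(kept)} survived calibration: {kept}")
```

Note that a plain `-fs` would have missed the soft-404 pages here because their size differs per path; the calibration keeps only the metrics that actually stay constant.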

Rate Limiting and Timing

Rate Control

```bash
# Limit to 2 requests per second (stealth mode)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -rate 2

# Add delay between requests (0.1 to 2 seconds random)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -p 0.1-2.0

# Set number of concurrent threads (default: 40)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -t 10
```

Time Limits

```bash
# Maximum total execution time (60 seconds)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -maxtime 60

# Maximum time per job (useful with recursion)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -maxtime-job 60 -recursion
```

Output Options

Output Formats

```bash
# JSON output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -o results.json

# HTML output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of html -o results.html

# CSV output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of csv -o results.csv

# All formats
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of all -o results

# Silent mode (no progress, only results)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s

# Pipe to file with tee
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s | tee results.txt
```

Advanced Techniques

Using Raw HTTP Requests (Critical for Authenticated Fuzzing)

This is one of the most powerful features of ffuf, especially for authenticated requests with complex headers, cookies, or tokens.

Workflow:
1. Capture a full authenticated request (from Burp Suite, browser DevTools, etc.)
2. Save it to a file (e.g., `req.txt`)
3. Replace the value you want to fuzz with the `FUZZ` keyword
4. Use the `--request` flag

```bash
# From a file containing a raw HTTP request
ffuf --request req.txt -w /path/to/wordlist.txt -ac
```

**Example req.txt file:**
```http
POST /api/v1/users/FUZZ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Cookie: session=abc123xyz; csrftoken=def456
Content-Type: application/json
Content-Length: 27

{"action":"view","id":"1"}
```

Use Cases:
- Fuzzing authenticated endpoints with complex auth headers
- Testing API endpoints with JWT tokens
- Fuzzing with CSRF tokens, session cookies, and custom headers
- Testing endpoints that require specific User-Agents or Accept headers
- POST/PUT/DELETE requests with authentication

Pro Tips:
- You can place FUZZ in multiple locations: URL path, headers, body
- Use `-request-proto https` if needed (default is https)
- Always use `-ac` to filter out authenticated "not found" or error responses
- Great for IDOR testing: fuzz user IDs, document IDs, etc. in authenticated contexts

```bash
# Common authenticated fuzzing patterns
ffuf --request req.txt -w user_ids.txt -ac -mc 200 -o results.json

# With multiple FUZZ positions using custom keywords
ffuf --request req.txt -w endpoints.txt:ENDPOINT -w ids.txt:ID -mode pitchfork -ac
```
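As an added illustration (not ffuf's own code) of how a raw request template with custom keywords expands under the clusterbomb and pitchfork modes described earlier, the following Python renders every concrete request for a constructed `req.txt` with `ENDPOINT` and `ID` markers in the path, a header and the body, and recomputes `Content-Length` after substitution; the lockstep/shortest-list behaviour of pitchfork is assumed to match ffuf.

```python
"""Expand a raw HTTP request template with custom keywords under the
multi-wordlist modes. Constructed inputs; nothing is sent over the network."""
import itertools

# Constructed req.txt content: ENDPOINT and ID appear in path, header and body.
RAW_REQUEST = (
    "POST /api/v1/ENDPOINT/ID HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Authorization: Bearer PLACEHOLDER_TOKEN\r\n"
    "X-Request-Id: ID\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    '{"ref":"ID"}'
)

# Constructed stand-ins for endpoints.txt and ids.txt.
WORDLISTS = {"ENDPOINT": ["users", "documents", "invoices"], "ID": ["1", "2"]}


def parse_raw_request(raw):
    """Split a raw request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def combinations(wordlists, mode):
    """Yield one {keyword: word} assignment per request.
    clusterbomb: cartesian product of the lists (3 x 2 = 6 requests here).
    pitchfork: lists walked in lockstep, so the shorter list bounds the run
    (assumed to match ffuf; 2 requests here)."""
    keys = list(wordlists)
    columns = [wordlists[k] for k in keys]
    if mode == "clusterbomb":
        combos = itertools.product(*columns)
    elif mode == "pitchfork":
        combos = zip(*columns)
    else:
        raise ValueError(f"unsupported mode: {mode}")
    for combo in combos:
        yield dict(zip(keys, combo))


def render(raw, values):
    """Replace every keyword occurrence in path, headers and body (literal
    substring replacement, exactly like a FUZZ marker) and recompute
    Content-Length so the captured value never goes stale."""
    request_line, headers, body = parse_raw_request(raw)
    for keyword, word in values.items():
        request_line = request_line.replace(keyword, word)
        headers = {k: v.replace(keyword, word) for k, v in headers.items()}
        body = body.replace(keyword, word)
    if body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def expand(raw, wordlists, mode):
    """All concrete requests for a mode, in the order they would be sent."""
    return [render(raw, v) for v in combinations(wordlists, mode)]


if __name__ == "__main__":
    for mode in ("clusterbomb", "pitchfork"):
        reqs = expand(RAW_REQUEST, WORDLISTS, mode)
        print(f"{mode}: {len(reqs)} requests, first is {reqs[0].splitlines()[0]}")
```

Because replacement is a plain substring match, pick keywords that cannot occur elsewhere in the captured request (an `ID` marker would also rewrite any header or token that happens to contain `ID`).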

Proxy Usage

```bash
# HTTP proxy (useful for Burp Suite)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -x http://127.0.0.1:8080

# SOCKS5 proxy
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -x socks5://127.0.0.1:1080

# Replay matched requests through proxy
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -replay-proxy http://127.0.0.1:8080
```

Cookie and Authentication

```bash
# Using cookies
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -b "sessionid=abc123; token=xyz789"

# Client certificate authentication
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -cc client.crt -ck client.key
```

Encoding

```bash
# URL encoding
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -enc 'FUZZ:urlencode'

# Multiple encodings
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -enc 'FUZZ:urlencode b64encode'
```

Testing for Vulnerabilities

```bash
# SQL injection testing
ffuf -w sqli_payloads.txt -u https://target.com/page.php?id=FUZZ -fs 1234

# XSS testing
ffuf -w xss_payloads.txt -u https://target.com/search?q=FUZZ -mr "<script>"

# Command injection
ffuf -w cmdi_payloads.txt -u https://target.com/execute?cmd=FUZZ -fr "error"
```

Batch Processing Multiple Targets

```bash
# Process multiple URLs
cat targets.txt | xargs -I@ sh -c 'ffuf -w wordlist.txt -u @/FUZZ -ac'

# Loop through multiple targets with results
# (one JSON file per target, named by the MD5 of the URL)
for url in $(cat targets.txt); do
  ffuf -w wordlist.txt -u "$url/FUZZ" -ac -o "results_$(printf '%s' "$url" | md5sum | cut -d' ' -f1).json"
done
```

Best Practices

1. ALWAYS Use Auto-Calibration

Use `-ac` by default for every scan. This is non-negotiable for productive pentesting:
```bash
ffuf -w wordlist.txt -u https://target.com/FUZZ -ac
```

2. Use Raw Requests for Authentication

Don't struggle with command-line flags for complex auth. Capture the full request and use `--request`:
```bash
# 1. Capture authenticated request from Burp/DevTools
# 2. Save to req.txt with FUZZ keyword in place
# 3. Run with -ac
ffuf --request req.txt -w wordlist.txt -ac -o results.json
```

3. Use Appropriate Wordlists

- Directory discovery: SecLists Discovery/Web-Content (raft-large-directories.txt, directory-list-2.3-medium.txt)
- Subdomains: SecLists Discovery/DNS (subdomains-top1million-5000.txt)
- Parameters: SecLists Discovery/Web-Content (burp-parameter-names.txt)
- Usernames: SecLists Usernames
- Passwords: SecLists Passwords
- Source: https://github.com/danielmiessler/SecLists

4. Rate Limiting for Stealth

Use `-rate` to avoid triggering WAF/IDS or overwhelming the server:
```bash
ffuf -w wordlist.txt -u https://target.com/FUZZ -rate 2 -t 10
```

5. Filter Strategically

- Check the default response first to identify common response sizes, status codes, or patterns
- Use `-fs` to filter by size or `-fc` to filter by status code
- Combine filters: `-fc 403,404 -fs 1234`

6. Save Results Appropriately

Always save results to a file for later analysis:
```bash
ffuf -w wordlist.txt -u https://target.com/FUZZ -o results.json -of json
```

7. Use Interactive Mode

Press ENTER during execution to drop into interactive mode where you can:
- Adjust filters on the fly
- Save current results
- Restart the scan
- Manage the queue

8. Recursion Depth

Be careful with recursion depth to avoid getting stuck in infinite loops or overwhelming the server:
```bash
ffuf -w wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2 -maxtime-job 120
```

Common Patterns and One-Liners

Quick Directory Scan

```bash
ffuf -w ~/wordlists/common.txt -u https://target.com/FUZZ -mc 200,301,302,403 -ac -c -v
```

Comprehensive Scan with Extensions

```bash
ffuf -w ~/wordlists/raft-large-directories.txt -u https://target.com/FUZZ -e .php,.html,.txt,.bak,.old -ac -c -v -o results.json
```

Authenticated Fuzzing (Raw Request)

```bash
# 1. Save your authenticated request to req.txt with FUZZ keyword
# 2. Run:
ffuf --request req.txt -w ~/wordlists/api-endpoints.txt -ac -o results.json -of json
```

API Endpoint Discovery

```bash
ffuf -w ~/wordlists/api-endpoints.txt -u https://api.target.com/v1/FUZZ -H "Authorization: Bearer TOKEN" -mc 200,201 -ac -c
```

Subdomain Discovery with Auto-Calibration

```bash
ffuf -w ~/wordlists/subdomains-top5000.txt -u https://FUZZ.target.com -ac -c -v
```

POST Login Brute Force

```bash
ffuf -w ~/wordlists/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -fc 401 -rate 5 -ac
```

IDOR Testing with Auth

```bash
# Use req.txt with authenticated headers and FUZZ in the ID parameter
ffuf --request req.txt -w numbers.txt -ac -mc 200 -fw 100-200
```

Configuration File

Create `~/.config/ffuf/ffufrc` for default settings:
```toml
[http]
headers = ["User-Agent: Mozilla/5.0"]
timeout = 10

[general]
colors = true
threads = 40

[matcher]
status = "200-299,301,302,307,401,403,405,500"
```

Troubleshooting

Too Many False Positives

- Use `-ac` for auto-calibration
- Check the default response and filter by size with `-fs`
- Use regex filtering with `-fr`

Too Slow

- Increase threads: `-t 100`
- Reduce wordlist size
- Use `-ignore-body` if you don't need response content

Getting Blocked

- Reduce rate: `-rate 2`
- Add delays: `-p 0.5-1.5`
- Reduce threads: `-t 10`
- Randomize User-Agent
- Use proxy rotation

Missing Results

- Check if you're filtering too aggressively
- Use `-mc all` to see all responses
- Disable auto-calibration temporarily
- Use verbose mode `-v` to see what's happening

Resources

Quick Reference Card

| Task | Command Template |
|------|------------------|
| Directory Discovery | `ffuf -w wordlist.txt -u https://target.com/FUZZ -ac` |
| Subdomain Discovery | `ffuf -w subdomains.txt -u https://FUZZ.target.com -ac` |
| Parameter Fuzzing | `ffuf -w params.txt -u https://target.com/page?FUZZ=value -ac` |
| POST Data Fuzzing | `ffuf -w wordlist.txt -X POST -d "param=FUZZ" -u https://target.com/endpoint` |
| With Extensions | Add `-e .php,.html,.txt` |
| Filter Status | Add `-fc 404,403` |
| Filter Size | Add `-fs 1234` |
| Rate Limit | Add `-rate 2` |
| Save Output | Add `-o results.json` |
| Verbose | Add `-c -v` |
| Recursion | Add `-recursion -recursion-depth 2` |
| Through Proxy | Add `-x http://127.0.0.1:8080` |

Additional Resources

This skill includes supplementary materials in the `resources/` directory:

Resource Files

- WORDLISTS.md: Comprehensive guide to SecLists wordlists, recommended lists for different scenarios, file extensions, and quick reference patterns
- REQUEST_TEMPLATES.md: Pre-built req.txt templates for common authentication scenarios (JWT, OAuth, session cookies, API keys, etc.) with usage examples

Helper Script

- ffuf_helper.py: Python script to assist with:
  - Analyzing ffuf JSON results for anomalies and interesting findings
  - Creating req.txt template files from command-line arguments
  - Generating number-based wordlists for IDOR testing

Helper Script Usage:
```bash
# Analyze results to find interesting anomalies
python3 ffuf_helper.py analyze results.json

# Create authenticated request template
python3 ffuf_helper.py create-req -o req.txt -m POST -u "https://api.target.com/users" \
  -H "Authorization: Bearer TOKEN" -d '{"action":"FUZZ"}'

# Generate IDOR testing wordlist
python3 ffuf_helper.py wordlist -o ids.txt -t numbers -s 1 -e 10000
```

**When to use resources:**
- Users need wordlist recommendations → Reference WORDLISTS.md
- Users need help with authenticated requests → Reference REQUEST_TEMPLATES.md
- Users want to analyze results → Use ffuf_helper.py analyze
- Users need to generate req.txt → Use ffuf_helper.py create-req
- Users need number ranges for IDOR → Use ffuf_helper.py wordlist

Notes for Claude

When helping users with ffuf:
1. ALWAYS include `-ac` in every command - this is mandatory for productive pentesting and result analysis
2. When users mention authenticated fuzzing or provide auth tokens/cookies:
   - Suggest creating a `req.txt` file with the full HTTP request
   - Show them how to insert FUZZ where they want to fuzz
   - Use `ffuf --request req.txt -w wordlist.txt -ac`
3. Always recommend starting with `-ac` for auto-calibration
4. Suggest appropriate wordlists from SecLists based on the task
5. Remind users to use rate limiting (`-rate`) for production targets
6. Encourage saving output to files for documentation: `-o results.json`
7. Suggest filtering strategies based on initial reconnaissance
8. Always use the FUZZ keyword (case-sensitive)
9. Consider stealth: lower threads, rate limiting, and delays for sensitive targets
10. For pentesting reports, use `-of html` or `-of csv` for client-friendly formats
11. When analyzing ffuf results for users:
    - Assume they used `-ac` (if not, results will be too noisy)
    - Focus on anomalies: different status codes, response sizes, timing
    - Look for interesting endpoints: admin, api, backup, config, .git, etc.
    - Flag potential vulnerabilities: error messages, stack traces, version info
    - Suggest follow-up fuzzing on interesting findings
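As an added example (not the skill's own ffuf_helper.py), the triage described in item 11 applied to a constructed ffuf JSON results file: entries are grouped by their response shape (status, size, words, lines), and every result that is unique in shape, a server error, unusually slow, or named like something sensitive is flagged. The field names follow ffuf's JSON output (`results` entries with `input`, `status`, `length`, `words`, `lines`, `duration`, `url`); the slowness threshold and the sensitive-name list are assumptions.

```python
"""Rank ffuf JSON results by how unusual they are. The sample file below is
constructed to follow ffuf's output schema; it is not a real scan."""
import json
from collections import Counter

# Durations are nanoseconds, as ffuf serialises Go's time.Duration.
SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -w wordlist.txt -u https://target.example/FUZZ -ac",
    "results": [
        {"input": {"FUZZ": "images"}, "status": 301, "length": 0, "words": 1, "lines": 1, "duration": 41000000, "url": "https://target.example/images"},
        {"input": {"FUZZ": "css"}, "status": 301, "length": 0, "words": 1, "lines": 1, "duration": 39000000, "url": "https://target.example/css"},
        {"input": {"FUZZ": "js"}, "status": 301, "length": 0, "words": 1, "lines": 1, "duration": 44000000, "url": "https://target.example/js"},
        {"input": {"FUZZ": "search"}, "status": 200, "length": 4812, "words": 612, "lines": 90, "duration": 52000000, "url": "https://target.example/search"},
        {"input": {"FUZZ": "help"}, "status": 200, "length": 4812, "words": 612, "lines": 90, "duration": 55000000, "url": "https://target.example/help"},
        {"input": {"FUZZ": "about"}, "status": 200, "length": 4812, "words": 612, "lines": 90, "duration": 50000000, "url": "https://target.example/about"},
        {"input": {"FUZZ": "contact"}, "status": 200, "length": 4812, "words": 612, "lines": 90, "duration": 53000000, "url": "https://target.example/contact"},
        {"input": {"FUZZ": "admin"}, "status": 403, "length": 153, "words": 11, "lines": 4, "duration": 38000000, "url": "https://target.example/admin"},
        {"input": {"FUZZ": ".git"}, "status": 200, "length": 73, "words": 2, "lines": 1, "duration": 37000000, "url": "https://target.example/.git"},
        {"input": {"FUZZ": "config.php.bak"}, "status": 200, "length": 1206, "words": 180, "lines": 40, "duration": 46000000, "url": "https://target.example/config.php.bak"},
        {"input": {"FUZZ": "debug"}, "status": 500, "length": 2311, "words": 241, "lines": 61, "duration": 910000000, "url": "https://target.example/debug"},
    ],
})

# Name fragments taken from the list in item 11 plus the page's extension examples.
SENSITIVE = (".git", "backup", "config", "admin", ".bak", ".old")


def load_results(text):
    """Parse ffuf JSON output and return its 'results' list."""
    return json.loads(text)["results"]


def fingerprint(r):
    """Response shape: what -ac and the size/word/line filters operate on."""
    return (r["status"], r["length"], r["words"], r["lines"])


def analyse(results, slow_factor=3.0):
    """Return [(word, status, [flags])] for every flagged result, most flags first.
    Shapes shared by several results are the 'normal' pages; a shape that occurs
    once is the kind of anomaly worth manual review."""
    shape_counts = Counter(fingerprint(r) for r in results)
    durations = sorted(r["duration"] for r in results)
    median = durations[len(durations) // 2]
    report = []
    for r in results:
        word = r["input"].get("FUZZ", "")
        flags = []
        if shape_counts[fingerprint(r)] == 1:
            flags.append("unique-shape")
        if r["status"] >= 500:
            flags.append("server-error")      # stack traces / error pages
        if r["duration"] > slow_factor * median:
            flags.append("slow")              # timing anomaly
        if any(tok in word.lower() for tok in SENSITIVE):
            flags.append("sensitive-name")
        if flags:
            report.append((word, r["status"], flags))
    report.sort(key=lambda entry: -len(entry[2]))  # stable: ties keep scan order
    return report


if __name__ == "__main__":
    for word, status, flags in analyse(load_results(SAMPLE_JSON)):
        print(f"{status} {word:20} {', '.join(flags)}")
```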