🚀 Basic Directory Fuzzing

Simple Directory Scan

-u https://target.com/FUZZ -w wordlist.txt
Fuzz directories. The FUZZ keyword is replaced by each word from the wordlist.
💡 Always start here! Fastest discovery method.

Multiple Extensions

-u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak
For a word such as dir, also tests dir.php, dir.html, dir.txt and dir.bak in the same run.

File Fuzzing

-u https://target.com/images/FUZZ -w files.txt -e .jpg,.png,.zip
Find hidden files, backups, config files.

Custom Status Filter

-u https://target.com/FUZZ -w wordlist.txt -fc 404,403
Hide 404/403 responses. Shows only interesting results.

📚 Wordlists & Payloads

Built-in Wordlists

Directories

$FFUF/wordlist/directory/directory-list-2.3-medium.txt
$FFUF/wordlist/directory/common.txt

Files

$FFUF/wordlist/fuzzdb-collection/fuzzdb-files-names.txt
raft-medium-files.txt

Parameters

$FFUF/wordlist/fuzzdb-collection/fuzzdb-parameters-parameters.txt

Custom Wordlists

-w /path/to/custom.txt -u https://target.com/FUZZ
Use your own wordlists or SecLists.

Multiple Positions

-u https://target.com/FUZZ1/images/FUZZ2.png -w words.txt:FUZZ1 -w files.txt:FUZZ2
Fuzz 2+ positions simultaneously!

🔍 Filtering & Output

Status Code Filter

-u https://target.com/FUZZ -w wordlist.txt -fc 404,403,500
-fc Filter codes | -fs Filter sizes | -fw Filter words
Hide junk, show only hits!

Response Size Filter

-u https://target.com/FUZZ -w wordlist.txt -fs 1234
Hide responses that are exactly 1234 bytes (usually the 404 page).
💡 Run once without filter → ffuf -u URL -w LIST -o output.json → Find common sizes!

JSON Output

-u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
Machine readable. Perfect for parsing.
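
The tip under Response Size Filter (run once unfiltered, then look for common sizes) can be scripted against the JSON report. This is an added example, not part of the original cheat sheet; the sample report is constructed and only uses the `results` fields `url`, `status`, `length` and `words`.

```python
import json
from collections import Counter

# Constructed sample in the shape of an ffuf JSON report (-of json);
# only the fields read below are included. The site answers unknown
# paths with a 200 "not found" page, so -fc 404 would hide nothing.
SAMPLE_REPORT = json.dumps({"results": [
    {"url": "https://target.com/aaa", "status": 200, "length": 1234, "words": 87},
    {"url": "https://target.com/admin", "status": 301, "length": 0, "words": 1},
    {"url": "https://target.com/bbb", "status": 200, "length": 1234, "words": 87},
    {"url": "https://target.com/ccc", "status": 200, "length": 1234, "words": 87},
    {"url": "https://target.com/backup.zip", "status": 200, "length": 50211, "words": 300},
    {"url": "https://target.com/ddd", "status": 200, "length": 1234, "words": 87},
]})


def _shape(result):
    # The three values ffuf can filter on: -fc, -fs, -fw.
    return (result["status"], result["length"], result["words"])


def baseline_candidates(report_text, min_share=0.5):
    """Return [((status, length, words), count)] for response shapes that
    make up at least min_share of all results: the likely catch-all page."""
    results = json.loads(report_text).get("results") or []
    counts = Counter(_shape(r) for r in results)
    return [(shape, n) for shape, n in counts.most_common()
            if n / len(results) >= min_share]


def outliers(report_text, min_share=0.5):
    """Return the URLs whose response shape is not a baseline candidate."""
    noise = {shape for shape, _ in baseline_candidates(report_text, min_share)}
    results = json.loads(report_text).get("results") or []
    return [r["url"] for r in results if _shape(r) not in noise]


if __name__ == "__main__":
    for (status, length, words), n in baseline_candidates(SAMPLE_REPORT):
        print(f"{n} hits share status={status} size={length} words={words}; "
              f"rerun with -fs {length}")
    print("worth reviewing:", outliers(SAMPLE_REPORT))
```
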

Recursion

-u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
Fuzz subdirectories recursively. Depth 1-3 max!

⚡ Performance Tuning

Option                  Purpose              Example
-t 200                  Threads              Default: 40
-timeout 5              Timeout (s)          Default: 10s
-rate 500               Rate limit (req/s)   Avoid bans
-H "User-Agent: ..."    Custom headers       Bypass WAF

High Performance

-u https://target.com/FUZZ -w wordlist.txt -t 200 -timeout 3 -rate 1000
200 threads, 3s timeout, at most 1000 req/s. -rate takes a single maximum, not a range; -r on its own means "follow redirects".
⚠️ Don't DoS yourself! Test rate limits first.

Stealth Mode

-u https://target.com/FUZZ -w wordlist.txt -t 10 -timeout 15 -p 0.5
Slow & steady: -p sets the delay between requests in seconds (0.5 = 500ms). Perfect for production targets.

🌐 Headers, Methods & Auth

Custom Headers

-u https://target.com/FUZZ -w wordlist.txt -H "User-Agent: Mozilla/5.0" -H "X-Forwarded-For: 127.0.0.1"
Multiple headers with -H. Bypass WAF rules.

POST Fuzzing

-u https://target.com/login.php -w params.txt -X POST -d "username=FUZZ&password=test"
Fuzz POST parameters. Use -H "Content-Type: application/x-www-form-urlencoded".

Basic Auth Bypass

-u https://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic YWRtaW46YWRtaW4="
Base64 encoded: admin:admin. Fuzz credentials too!

API Fuzzing

-u https://api.target.com/v1/users/FUZZ -w api-endpoints.txt -mc 200,201,401
API endpoints often return 200 even on valid paths.

🎯 Advanced Techniques

Virtual Host Fuzzing

-u https://target.com -w vhosts.txt -H "Host: FUZZ.target.com" -fs 0
Discover subdomains/virtual hosts. Filter size 0.

Parameter Discovery

-u "https://target.com/?FUZZ=test" -w params.txt -mc all -fw 10
Find query parameters. Match all status codes; -fw 10 hides responses containing exactly 10 words.

Regex Matching

-u https://target.com/FUZZ -w wordlist.txt -mr "Login|Dashboard|Admin"
Match responses containing keywords.

Rate Limit Bypass

-u https://target.com/FUZZ -w wordlist.txt -H "X-Originating-IP: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1" -H "X-Remote-IP: 127.0.0.1"
Multiple IP headers bypass some rate limits.