FFUF Web模糊测试工具：快速发现隐藏内容、目录、文件、子域名和漏洞

ffuf-web-fuzzing by jthack/ffuf_claude_skill

114 周安装量

131 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/jthack/ffuf_claude_skill --skill ffuf-web-fuzzing

命令行工具测试安全

🇨🇳中文介绍

FFUF (Fuzz Faster U Fool) 技能

概述

FFUF 是一款用 Go 语言编写的快速 Web 模糊测试工具，旨在渗透测试过程中发现隐藏内容、目录、文件、子域名以及测试漏洞。它比 dirb 或 dirbuster 等传统工具要快得多。

安装

# 使用 Go
go install github.com/ffuf/ffuf/v2@latest

# 使用 Homebrew (macOS)
brew install ffuf

# 二进制下载
# 下载地址: https://github.com/ffuf/ffuf/releases/latest

核心概念

FUZZ 关键字

FUZZ 关键字用作占位符，会被您单词列表中的条目替换。您可以将其放在任何位置：

URL: https://target.com/FUZZ
请求头: -H "Host: FUZZ"
POST 数据: -d "username=admin&password=FUZZ"
使用自定义关键字的多位置模糊测试: -w wordlist.txt:CUSTOM 然后使用代替

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

多单词列表模式

clusterbomb : 测试所有组合（默认）- 笛卡尔积
pitchfork : 并行遍历单词列表（1对1匹配）
sniper : 一次测试一个位置（用于多个 FUZZ 位置）

1. 目录和文件发现

# 基本目录模糊测试
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ

# 带文件扩展名
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -e .php,.html,.txt,.pdf

# 彩色和详细输出
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -c -v

# 递归（查找嵌套目录）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2

# 虚拟主机发现
ffuf -w /path/to/subdomains.txt -u https://target.com -H "Host: FUZZ.target.com" -fs 4242

# 注意: -fs 4242 过滤掉大小为 4242 的响应（根据默认响应大小进行调整）

3. 参数模糊测试

# GET 参数名
ffuf -w /path/to/params.txt -u https://target.com/script.php?FUZZ=test_value -fs 4242

# GET 参数值
ffuf -w /path/to/values.txt -u https://target.com/script.php?id=FUZZ -fc 401

# 多个参数
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://target.com/?PARAM=VAL -mode clusterbomb

4. POST 数据模糊测试

# 基本 POST 模糊测试
ffuf -w /path/to/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login.php -fc 401

# JSON POST 数据
ffuf -w entries.txt -u https://target.com/api -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "key": "value"}' -fr "error"

# 模糊测试多个 POST 字段
ffuf -w users.txt:USER -w passes.txt:PASS -X POST -d "username=USER&password=PASS" -u https://target.com/login -mode pitchfork

5. 请求头模糊测试

# 自定义请求头
ffuf -w /path/to/wordlist.txt -u https://target.com -H "X-Custom-Header: FUZZ"

# 多个请求头
ffuf -w /path/to/wordlist.txt -u https://target.com -H "User-Agent: FUZZ" -H "X-Forwarded-For: 127.0.0.1"

匹配器（包含结果）

-mc: 匹配状态码（默认: 200-299,301,302,307,401,403,405,500）
-ml: 匹配行数
-mr: 匹配正则表达式
-ms: 匹配响应大小
-mt: 匹配响应时间（例如，>100 或 <100 毫秒）
-mw: 匹配单词数

过滤器（排除结果）

-fc: 过滤状态码（例如，-fc 404,403,401）
-fl: 过滤行数
-fr: 过滤正则表达式（例如，-fr "error"）
-fs: 过滤响应大小（例如，-fs 42,4242）
-ft: 过滤响应时间
-fw: 过滤单词数

自动校准（默认使用！）

关键： 除非有特定原因，否则始终使用 -ac。这在让 Claude 分析结果时尤其重要，因为它能显著减少噪音和误报。

# 自动校准 - 始终使用此选项
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ac

# 每主机自动校准（对多个主机有用）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ach

# 自定义自动校准字符串（用于特定模式）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -acc "404NotFound"

为什么 -ac 至关重要：

自动检测并过滤重复的误报响应
从具有随机内容的动态网站中移除噪音
使结果分析对人类和 Claude 都更加容易
防止成千上万个相同的 404/403 响应使输出混乱
适应目标的特定行为

当 Claude 分析您的 ffuf 结果时，-ac 是强制性的 - 没有它，Claude 将浪费时间筛选成千上万的误报，而不是寻找有趣的反常现象。

速率限制与时间控制

# 限制为每秒 2 个请求（隐身模式）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -rate 2

# 在请求之间添加延迟（0.1 到 2 秒随机）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -p 0.1-2.0

# 设置并发线程数（默认: 40）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -t 10

# 最大总执行时间（60 秒）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -maxtime 60

# 每个任务的最大时间（与递归一起使用很有用）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -maxtime-job 60 -recursion

# JSON 输出
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -o results.json

# HTML 输出
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of html -o results.html

# CSV 输出
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of csv -o results.csv

# 所有格式
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of all -o results

# 静默模式（无进度，仅结果）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s

# 使用 tee 管道输出到文件
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s | tee results.txt

使用原始 HTTP 请求（对身份验证模糊测试至关重要）

这是 ffuf 最强大的功能之一，特别是对于具有复杂请求头、Cookie 或令牌的身份验证请求。

捕获完整的身份验证请求（来自 Burp Suite、浏览器开发者工具等）
将其保存到文件（例如，req.txt）
将要模糊测试的值替换为 FUZZ 关键字
使用 --request 标志

# 从包含原始 HTTP 请求的文件中读取
ffuf --request req.txt -w /path/to/wordlist.txt -ac

示例 req.txt 文件：

POST /api/v1/users/FUZZ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Cookie: session=abc123xyz; csrftoken=def456
Content-Type: application/json
Content-Length: 27

{"action":"view","id":"1"}

使用复杂身份验证请求头对身份验证端点进行模糊测试
使用 JWT 令牌测试 API 端点
使用 CSRF 令牌、会话 Cookie 和自定义请求头进行模糊测试
测试需要特定 User-Agent 或 Accept 请求头的端点
带有身份验证的 POST/PUT/DELETE 请求

您可以将 FUZZ 放在多个位置：URL 路径、请求头、正文
如果需要，使用 -request-proto https（默认为 https）
始终使用 -ac 来过滤掉身份验证后的“未找到”或错误响应
非常适合 IDOR 测试：在身份验证上下文中模糊测试用户 ID、文档 ID 等。

# 常见的身份验证模糊测试模式
ffuf --request req.txt -w user_ids.txt -ac -mc 200 -o results.json

# 使用自定义关键字在多个 FUZZ 位置进行模糊测试
ffuf --request req.txt -w endpoints.txt:ENDPOINT -w ids.txt:ID -mode pitchfork -ac

# HTTP 代理（对 Burp Suite 有用）
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -x http://127.0.0.1:8080

# SOCKS5 代理
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -x socks5://127.0.0.1:1080

# 通过代理重放匹配的请求
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -replay-proxy http://127.0.0.1:8080

Cookie 和身份验证

# 使用 Cookie
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -b "sessionid=abc123; token=xyz789"

# 客户端证书身份验证
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -cc client.crt -ck client.key

# URL 编码
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -enc 'FUZZ:urlencode'

# 多重编码
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -enc 'FUZZ:urlencode b64encode'

# SQL 注入测试
ffuf -w sqli_payloads.txt -u https://target.com/page.php?id=FUZZ -fs 1234

# XSS 测试
ffuf -w xss_payloads.txt -u https://target.com/search?q=FUZZ -mr "<script>"

# 命令注入
ffuf -w cmdi_payloads.txt -u https://target.com/execute?cmd=FUZZ -fr "error"

批量处理多个目标

# 处理多个 URL
cat targets.txt | xargs -I@ sh -c 'ffuf -w wordlist.txt -u @/FUZZ -ac'

# 循环处理多个目标并保存结果
for url in $(cat targets.txt); do 
    ffuf -w wordlist.txt -u $url/FUZZ -ac -o "results_$(echo $url | md5sum | cut -d' ' -f1).json"
done

1. 始终使用自动校准

默认情况下，每次扫描都使用 -ac。这对于高效的渗透测试是不可协商的：

ffuf -w wordlist.txt -u https://target.com/FUZZ -ac

2. 使用原始请求进行身份验证

不要为复杂的身份验证而费力使用命令行标志。捕获完整的请求并使用 --request：

# 1. 从 Burp/DevTools 捕获身份验证请求
# 2. 保存到 req.txt，并在适当位置插入 FUZZ 关键字
# 3. 使用 -ac 运行
ffuf --request req.txt -w wordlist.txt -ac -o results.json

3. 使用合适的单词列表

目录发现 : SecLists Discovery/Web-Content (raft-large-directories.txt, directory-list-2.3-medium.txt)
子域名 : SecLists Discovery/DNS (subdomains-top1million-5000.txt)
参数 : SecLists Discovery/Web-Content (burp-parameter-names.txt)
用户名 : SecLists Usernames
密码 : SecLists Passwords
来源: https://github.com/danielmiessler/SecLists

3. 为隐身进行速率限制

使用 -rate 以避免触发 WAF/IDS 或压垮服务器：

ffuf -w wordlist.txt -u https://target.com/FUZZ -rate 2 -t 10

首先检查默认响应，以识别常见的响应大小、状态码或模式
使用 -fs 按大小过滤或 -fc 按状态码过滤
组合过滤器：-fc 403,404 -fs 1234

5. 适当保存结果

始终将结果保存到文件以供后续分析：

ffuf -w wordlist.txt -u https://target.com/FUZZ -o results.json -of json

6. 使用交互模式

在执行过程中按 ENTER 键进入交互模式，您可以：

动态调整过滤器
保存当前结果
重新开始扫描
管理队列

小心递归深度，以避免陷入无限循环或压垮服务器：

ffuf -w wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2 -maxtime-job 120

常见模式和单行命令

ffuf -w ~/wordlists/common.txt -u https://target.com/FUZZ -mc 200,301,302,403 -ac -c -v

带扩展名的全面扫描

ffuf -w ~/wordlists/raft-large-directories.txt -u https://target.com/FUZZ -e .php,.html,.txt,.bak,.old -ac -c -v -o results.json

身份验证模糊测试（原始请求）

# 1. 将您的身份验证请求保存到 req.txt，并插入 FUZZ 关键字
# 2. 运行:
ffuf --request req.txt -w ~/wordlists/api-endpoints.txt -ac -o results.json -of json

ffuf -w ~/wordlists/api-endpoints.txt -u https://api.target.com/v1/FUZZ -H "Authorization: Bearer TOKEN" -mc 200,201 -ac -c

带自动校准的子域名发现

ffuf -w ~/wordlists/subdomains-top5000.txt -u https://FUZZ.target.com -ac -c -v

POST 登录暴力破解

ffuf -w ~/wordlists/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -fc 401 -rate 5 -ac

带身份验证的 IDOR 测试

# 使用带有身份验证请求头和 ID 参数中 FUZZ 的 req.txt
ffuf --request req.txt -w numbers.txt -ac -mc 200 -fw 100-200

创建 ~/.config/ffuf/ffufrc 以设置默认配置：

[http]
headers = ["User-Agent: Mozilla/5.0"]
timeout = 10

[general]
colors = true
threads = 40

[matcher]
status = "200-299,301,302,307,401,403,405,500"

使用 -ac 进行自动校准
检查默认响应并使用 -fs 按大小过滤
使用 -fr 进行正则表达式过滤

增加线程数：-t 100
减小单词列表大小
如果不需要响应内容，使用 -ignore-body

降低速率：-rate 2
添加延迟：-p 0.5-1.5
减少线程数：-t 10
随机化 User-Agent
使用代理轮换

检查是否过滤过于激进
使用 -mc all 查看所有响应
暂时禁用自动校准
使用详细模式 -v 查看正在发生的情况

任务	命令模板
目录发现	`ffuf -w wordlist.txt -u https://target.com/FUZZ -ac`
子域名发现	`ffuf -w subdomains.txt -u https://FUZZ.target.com -ac`
参数模糊测试	`ffuf -w params.txt -u https://target.com/page?FUZZ=value -ac`
POST 数据模糊测试	`ffuf -w wordlist.txt -X POST -d "param=FUZZ" -u https://target.com/endpoint`
带扩展名	添加 `-e .php,.html,.txt`
过滤状态码	添加 `-fc 404,403`
过滤大小	添加 `-fs 1234`
速率限制	添加 `-rate 2`
保存输出	添加 `-o results.json`
详细模式	添加 `-c -v`
递归	添加 `-recursion -recursion-depth 2`
通过代理	添加 `-x http://127.0.0.1:8080`

此技能在 resources/ 目录中包含补充材料：

WORDLISTS.md : SecLists 单词列表的全面指南，针对不同场景的推荐列表、文件扩展名和快速参考模式
REQUEST_TEMPLATES.md : 针对常见身份验证场景（JWT、OAuth、会话 Cookie、API 密钥等）的预构建 req.txt 模板，附带使用示例

ffuf_helper.py : Python 脚本，用于协助：
- 分析 ffuf JSON 结果中的异常和有趣发现
- 根据命令行参数创建 req.txt 模板文件
- 为 IDOR 测试生成基于数字的单词列表

辅助脚本用法：

# 分析结果以查找有趣的异常
python3 ffuf_helper.py analyze results.json

# 创建身份验证请求模板
python3 ffuf_helper.py create-req -o req.txt -m POST -u "https://api.target.com/users" \
    -H "Authorization: Bearer TOKEN" -d '{"action":"FUZZ"}'

# 生成 IDOR 测试单词列表
python3 ffuf_helper.py wordlist -o ids.txt -t numbers -s 1 -e 10000

何时使用资源：

用户需要单词列表推荐 → 参考 WORDLISTS.md
用户需要身份验证请求方面的帮助 → 参考 REQUEST_TEMPLATES.md
用户想要分析结果 → 使用 ffuf_helper.py analyze
用户需要生成 req.txt → 使用 ffuf_helper.py create-req
用户需要 IDOR 的数字范围 → 使用 ffuf_helper.py wordlist

给 Claude 的注意事项

在帮助用户使用 ffuf 时：

始终在每个命令中包含 -ac - 这对于高效的渗透测试和结果分析是强制性的
当用户提到身份验证模糊测试或提供身份验证令牌/Cookie 时：
- 建议创建一个包含完整 HTTP 请求的 req.txt 文件
- 向他们展示如何在他们想要模糊测试的位置插入 FUZZ
- 使用 ffuf --request req.txt -w wordlist.txt -ac
始终建议从 -ac 开始进行自动校准
根据任务建议使用 SecLists 中合适的单词列表
提醒用户对生产目标使用速率限制（-rate）
鼓励将输出保存到文件以供文档记录：-o results.json
建议基于初步侦察的过滤策略
始终使用 FUZZ 关键字（区分大小写）
考虑隐身性：对于敏感目标，降低线程数、速率限制和延迟
对于渗透测试报告，使用 -of html 或 -of csv 以生成对客户友好的格式
在为用户分析 ffuf 结果时：
- 假设他们使用了 -ac（如果没有，结果会太嘈杂）
- 专注于异常：不同的状态码、响应大小、时间
- 寻找有趣的端点：admin、api、backup、config、.git 等
- 标记潜在的漏洞：错误消息、堆栈跟踪、版本信息
- 建议对有趣的发现进行后续模糊测试

🇺🇸English

FFUF (Fuzz Faster U Fool) Skill

Overview

FFUF is a fast web fuzzer written in Go, designed for discovering hidden content, directories, files, subdomains, and testing for vulnerabilities during penetration testing. It's significantly faster than traditional tools like dirb or dirbuster.

Installation

# Using Go
go install github.com/ffuf/ffuf/v2@latest

# Using Homebrew (macOS)
brew install ffuf

# Binary download
# Download from: https://github.com/ffuf/ffuf/releases/latest

Core Concepts

The FUZZ Keyword

The FUZZ keyword is used as a placeholder that gets replaced with entries from your wordlist. You can place it anywhere:

URLs: https://target.com/FUZZ
Headers: -H "Host: FUZZ"
POST data: -d "username=admin&password=FUZZ"
Multiple locations with custom keywords: -w wordlist.txt:CUSTOM then use CUSTOM instead of FUZZ

Multi-wordlist Modes

clusterbomb : Tests all combinations (default) - cartesian product
pitchfork : Iterates through wordlists in parallel (1-to-1 matching)
sniper : Tests one position at a time (for multiple FUZZ positions)

Common Use Cases

1. Directory and File Discovery

# Basic directory fuzzing
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ

# With file extensions
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -e .php,.html,.txt,.pdf

# Colored and verbose output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -c -v

# With recursion (finds nested directories)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2

2. Subdomain Enumeration

# Virtual host discovery
ffuf -w /path/to/subdomains.txt -u https://target.com -H "Host: FUZZ.target.com" -fs 4242

# Note: -fs 4242 filters out responses of size 4242 (adjust based on default response size)

3. Parameter Fuzzing

# GET parameter names
ffuf -w /path/to/params.txt -u https://target.com/script.php?FUZZ=test_value -fs 4242

# GET parameter values
ffuf -w /path/to/values.txt -u https://target.com/script.php?id=FUZZ -fc 401

# Multiple parameters
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://target.com/?PARAM=VAL -mode clusterbomb

4. POST Data Fuzzing

# Basic POST fuzzing
ffuf -w /path/to/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login.php -fc 401

# JSON POST data
ffuf -w entries.txt -u https://target.com/api -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "key": "value"}' -fr "error"

# Fuzzing multiple POST fields
ffuf -w users.txt:USER -w passes.txt:PASS -X POST -d "username=USER&password=PASS" -u https://target.com/login -mode pitchfork

5. Header Fuzzing

# Custom headers
ffuf -w /path/to/wordlist.txt -u https://target.com -H "X-Custom-Header: FUZZ"

# Multiple headers
ffuf -w /path/to/wordlist.txt -u https://target.com -H "User-Agent: FUZZ" -H "X-Forwarded-For: 127.0.0.1"

Filtering and Matching

Matchers (Include Results)

-mc: Match status codes (default: 200-299,301,302,307,401,403,405,500)
-ml: Match line count
-mr: Match regex
-ms: Match response size
-mt: Match response time (e.g., >100 or <100 milliseconds)
-mw: Match word count

Filters (Exclude Results)

-fc: Filter status codes (e.g., -fc 404,403,401)
-fl: Filter line count
-fr: Filter regex (e.g., -fr "error")
-fs: Filter response size (e.g., -fs 42,4242)
-ft: Filter response time
-fw: Filter word count

Auto-Calibration (USE BY DEFAULT!)

CRITICAL: Always use -ac unless you have a specific reason not to. This is especially important when having Claude analyze results, as it dramatically reduces noise and false positives.

# Auto-calibration - ALWAYS USE THIS
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ac

# Per-host auto-calibration (useful for multiple hosts)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ach

# Custom auto-calibration string (for specific patterns)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -acc "404NotFound"

Why-ac is essential:

Automatically detects and filters repetitive false positive responses
Removes noise from dynamic websites with random content
Makes results analysis much easier for both humans and Claude
Prevents thousands of identical 404/403 responses from cluttering output
Adapts to the target's specific behavior

When Claude analyzes your ffuf results,-ac is MANDATORY - without it, Claude will waste time sifting through thousands of false positives instead of finding the interesting anomalies.

Rate Limiting and Timing

Rate Control

# Limit to 2 requests per second (stealth mode)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -rate 2

# Add delay between requests (0.1 to 2 seconds random)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -p 0.1-2.0

# Set number of concurrent threads (default: 40)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -t 10

Time Limits

# Maximum total execution time (60 seconds)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -maxtime 60

# Maximum time per job (useful with recursion)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -maxtime-job 60 -recursion

Output Options

Output Formats

# JSON output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -o results.json

# HTML output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of html -o results.html

# CSV output
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of csv -o results.csv

# All formats
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of all -o results

# Silent mode (no progress, only results)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s

# Pipe to file with tee
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s | tee results.txt

Advanced Techniques

Using Raw HTTP Requests (Critical for Authenticated Fuzzing)

This is one of the most powerful features of ffuf, especially for authenticated requests with complex headers, cookies, or tokens.

Workflow:

Capture a full authenticated request (from Burp Suite, browser DevTools, etc.)
Save it to a file (e.g., req.txt)
Replace the value you want to fuzz with the FUZZ keyword
Use the --request flag

# From a file containing raw HTTP request

ffuf --request req.txt -w /path/to/wordlist.txt -ac

Example req.txt file:

POST /api/v1/users/FUZZ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Cookie: session=abc123xyz; csrftoken=def456
Content-Type: application/json
Content-Length: 27

{"action":"view","id":"1"}

Use Cases:

Fuzzing authenticated endpoints with complex auth headers
Testing API endpoints with JWT tokens
Fuzzing with CSRF tokens, session cookies, and custom headers
Testing endpoints that require specific User-Agents or Accept headers
POST/PUT/DELETE requests with authentication

Pro Tips:

You can place FUZZ in multiple locations: URL path, headers, body
Use -request-proto https if needed (default is https)
Always use -ac to filter out authenticated "not found" or error responses
Great for IDOR testing: fuzz user IDs, document IDs, etc. in authenticated contexts

Common authenticated fuzzing patterns

ffuf --request req.txt -w user_ids.txt -ac -mc 200 -o results.json

With multiple FUZZ positions using custom keywords

ffuf --request req.txt -w endpoints.txt:ENDPOINT -w ids.txt:ID -mode pitchfork -ac

Proxy Usage

# HTTP proxy (useful for Burp Suite)
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -x http://127.0.0.1:8080

# SOCKS5 proxy
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -x socks5://127.0.0.1:1080

# Replay matched requests through proxy
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -replay-proxy http://127.0.0.1:8080

Cookie and Authentication

# Using cookies
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -b "sessionid=abc123; token=xyz789"

# Client certificate authentication
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -cc client.crt -ck client.key

Encoding

# URL encoding
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -enc 'FUZZ:urlencode'

# Multiple encodings
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -enc 'FUZZ:urlencode b64encode'

Testing for Vulnerabilities

# SQL injection testing
ffuf -w sqli_payloads.txt -u https://target.com/page.php?id=FUZZ -fs 1234

# XSS testing
ffuf -w xss_payloads.txt -u https://target.com/search?q=FUZZ -mr "<script>"

# Command injection
ffuf -w cmdi_payloads.txt -u https://target.com/execute?cmd=FUZZ -fr "error"

Batch Processing Multiple Targets

# Process multiple URLs
cat targets.txt | xargs -I@ sh -c 'ffuf -w wordlist.txt -u @/FUZZ -ac'

# Loop through multiple targets with results
for url in $(cat targets.txt); do 
    ffuf -w wordlist.txt -u $url/FUZZ -ac -o "results_$(echo $url | md5sum | cut -d' ' -f1).json"
done

Best Practices

1. ALWAYS Use Auto-Calibration

Use -ac by default for every scan. This is non-negotiable for productive pentesting:

ffuf -w wordlist.txt -u https://target.com/FUZZ -ac

2. Use Raw Requests for Authentication

Don't struggle with command-line flags for complex auth. Capture the full request and use --request:

# 1. Capture authenticated request from Burp/DevTools
# 2. Save to req.txt with FUZZ keyword in place
# 3. Run with -ac
ffuf --request req.txt -w wordlist.txt -ac -o results.json

3. Use Appropriate Wordlists

Directory discovery : SecLists Discovery/Web-Content (raft-large-directories.txt, directory-list-2.3-medium.txt)
Subdomains : SecLists Discovery/DNS (subdomains-top1million-5000.txt)
Parameters : SecLists Discovery/Web-Content (burp-parameter-names.txt)
Usernames : SecLists Usernames
Passwords : SecLists Passwords
Source: https://github.com/danielmiessler/SecLists

3. Rate Limiting for Stealth

Use -rate to avoid triggering WAF/IDS or overwhelming the server:

ffuf -w wordlist.txt -u https://target.com/FUZZ -rate 2 -t 10

4. Filter Strategically

Check the default response first to identify common response sizes, status codes, or patterns
Use -fs to filter by size or -fc to filter by status code
Combine filters: -fc 403,404 -fs 1234

5. Save Results Appropriately

Always save results to a file for later analysis:

ffuf -w wordlist.txt -u https://target.com/FUZZ -o results.json -of json

6. Use Interactive Mode

Press ENTER during execution to drop into interactive mode where you can:

Adjust filters on the fly
Save current results
Restart the scan
Manage the queue

7. Recursion Depth

Be careful with recursion depth to avoid getting stuck in infinite loops or overwhelming the server:

ffuf -w wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2 -maxtime-job 120

Common Patterns and One-Liners

Quick Directory Scan

ffuf -w ~/wordlists/common.txt -u https://target.com/FUZZ -mc 200,301,302,403 -ac -c -v

Comprehensive Scan with Extensions

ffuf -w ~/wordlists/raft-large-directories.txt -u https://target.com/FUZZ -e .php,.html,.txt,.bak,.old -ac -c -v -o results.json

Authenticated Fuzzing (Raw Request)

# 1. Save your authenticated request to req.txt with FUZZ keyword
# 2. Run:
ffuf --request req.txt -w ~/wordlists/api-endpoints.txt -ac -o results.json -of json

API Endpoint Discovery

ffuf -w ~/wordlists/api-endpoints.txt -u https://api.target.com/v1/FUZZ -H "Authorization: Bearer TOKEN" -mc 200,201 -ac -c

Subdomain Discovery with Auto-Calibration

ffuf -w ~/wordlists/subdomains-top5000.txt -u https://FUZZ.target.com -ac -c -v

POST Login Brute Force

ffuf -w ~/wordlists/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -fc 401 -rate 5 -ac

IDOR Testing with Auth

# Use req.txt with authenticated headers and FUZZ in the ID parameter
ffuf --request req.txt -w numbers.txt -ac -mc 200 -fw 100-200

Configuration File

Create ~/.config/ffuf/ffufrc for default settings:

[http]
headers = ["User-Agent: Mozilla/5.0"]
timeout = 10

[general]
colors = true
threads = 40

[matcher]
status = "200-299,301,302,307,401,403,405,500"

Troubleshooting

Too Many False Positives

Use -ac for auto-calibration
Check default response and filter by size with -fs
Use regex filtering with -fr

Too Slow

Increase threads: -t 100
Reduce wordlist size
Use -ignore-body if you don't need response content

Getting Blocked

Reduce rate: -rate 2
Add delays: -p 0.5-1.5
Reduce threads: -t 10
Randomize User-Agent
Use proxy rotation

Missing Results

Check if you're filtering too aggressively
Use -mc all to see all responses
Disable auto-calibration temporarily
Use verbose mode -v to see what's happening

Resources

Official GitHub: https://github.com/ffuf/ffuf
Wiki: https://github.com/ffuf/ffuf/wiki
Codingo's Guide: https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html
Practice Lab: http://ffuf.me
SecLists Wordlists: https://github.com/danielmiessler/SecLists

Quick Reference Card

Task	Command Template
Directory Discovery	`ffuf -w wordlist.txt -u https://target.com/FUZZ -ac`
Subdomain Discovery	`ffuf -w subdomains.txt -u https://FUZZ.target.com -ac`
Parameter Fuzzing	`ffuf -w params.txt -u https://target.com/page?FUZZ=value -ac`
POST Data Fuzzing	`ffuf -w wordlist.txt -X POST -d "param=FUZZ" -u https://target.com/endpoint`
With Extensions	Add `-e .php,.html,.txt`
Filter Status

Additional Resources

This skill includes supplementary materials in the resources/ directory:

Resource Files

WORDLISTS.md : Comprehensive guide to SecLists wordlists, recommended lists for different scenarios, file extensions, and quick reference patterns
REQUEST_TEMPLATES.md : Pre-built req.txt templates for common authentication scenarios (JWT, OAuth, session cookies, API keys, etc.) with usage examples

Helper Script

ffuf_helper.py : Python script to assist with:
- Analyzing ffuf JSON results for anomalies and interesting findings
- Creating req.txt template files from command-line arguments
- Generating number-based wordlists for IDOR testing

Helper Script Usage:

# Analyze results to find interesting anomalies
python3 ffuf_helper.py analyze results.json

# Create authenticated request template
python3 ffuf_helper.py create-req -o req.txt -m POST -u "https://api.target.com/users" \
    -H "Authorization: Bearer TOKEN" -d '{"action":"FUZZ"}'

# Generate IDOR testing wordlist
python3 ffuf_helper.py wordlist -o ids.txt -t numbers -s 1 -e 10000

When to use resources:

Users need wordlist recommendations → Reference WORDLISTS.md
Users need help with authenticated requests → Reference REQUEST_TEMPLATES.md
Users want to analyze results → Use ffuf_helper.py analyze
Users need to generate req.txt → Use ffuf_helper.py create-req
Users need number ranges for IDOR → Use ffuf_helper.py wordlist

Notes for Claude

When helping users with ffuf:

ALWAYS include-ac in every command - This is mandatory for productive pentesting and result analysis
When users mention authenticated fuzzing or provide auth tokens/cookies:
- Suggest creating a req.txt file with the full HTTP request
- Show them how to insert FUZZ where they want to fuzz
- Use ffuf --request req.txt -w wordlist.txt -ac
Always recommend starting with -ac for auto-calibration
Suggest appropriate wordlists from SecLists based on the task
Remind users to use rate limiting (-rate) for production targets
Encourage saving output to files for documentation: -o results.json
Suggest filtering strategies based on initial reconnaissance
Always use the FUZZ keyword (case-sensitive)
Consider stealth: lower threads, rate limiting, and delays for sensitive targets
For pentesting reports, use -of html or for client-friendly formats

Weekly Installs

Repository

jthack/ffuf_claude_skill

GitHub Stars

128

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

codex77

opencode75

gemini-cli73

cursor71

github-copilot65

claude-code61

xget技能：自动执行Shell命令与文件编辑的开发运维工具，提升开发效率

43,100 周安装

When analyzing ffuf results for users: * Assume they used -ac (if not, results will be too noisy) * Focus on anomalies: different status codes, response sizes, timing * Look for interesting endpoints: admin, api, backup, config, .git, etc. * Flag potential vulnerabilities: error messages, stack traces, version info * Suggest follow-up fuzzing on interesting findings

FFUF Web模糊测试工具：快速发现隐藏内容、目录、文件、子域名和漏洞

🇨🇳中文介绍

FFUF (Fuzz Faster U Fool) 技能

概述

安装

核心概念

FUZZ 关键字

相关 Skills

多单词列表模式

常见用例

1. 目录和文件发现

2. 子域名枚举

3. 参数模糊测试

4. POST 数据模糊测试

5. 请求头模糊测试

过滤与匹配

匹配器（包含结果）

过滤器（排除结果）

自动校准（默认使用！）

速率限制与时间控制

速率控制

时间限制

输出选项

输出格式

高级技巧

使用原始 HTTP 请求（对身份验证模糊测试至关重要）

代理使用