Ethical Hacking #ffuf#web fuzzing#ethical hacking

FFuf Web Fuzzing Tutorial: Find Hidden Paths Fast

Learn to use FFuf for web fuzzing — discover hidden directories, endpoints, and parameters with practical command examples.

7 min read

FFuf (Fuzz Faster U Fool) is one of the fastest web fuzzing tools available. Written in Go, it outperforms older tools like DirBuster and Gobuster in speed and flexibility. This tutorial walks you through using FFuf to discover hidden directories, endpoints, subdomains, and parameters during a penetration test or bug bounty engagement.

Installing FFuf

FFuf ships as a single binary with no dependencies.

# From GitHub releases
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Or via Go
go install github.com/ffuf/ffuf/v2@latest

# Kali/Parrot
sudo apt install ffuf

Verify with ffuf -V.

Wordlists

FFuf is only as good as your wordlists. The best sources:

  • SecLists (/usr/share/seclists/ on Kali): Discovery/Web-Content/directory-list-2.3-medium.txt
  • dirbuster wordlists: common.txt, small.txt
  • assetnote: large curated lists available at wordlists.assetnote.io

Install SecLists on Debian/Ubuntu:

sudo apt install seclists

Basic Directory Fuzzing

The FUZZ keyword is a placeholder FFuf replaces with wordlist entries.

ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Useful flags

FlagPurpose
-uTarget URL with FUZZ keyword
-wWordlist path
-tThreads (default 40, increase carefully)
-fcFilter by HTTP status code (e.g., -fc 404)
-mcMatch specific status codes (e.g., -mc 200,301)
-fsFilter by response size
-fwFilter by word count
-oOutput file
-ofOutput format: json, csv, html

Filter noise

Most scans return thousands of 404s. Filter them:

ffuf -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -fc 404,403 \
  -t 50

If the 404 page is dynamic (different size each time), filter by size:

ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234

File Extension Fuzzing

Discover backup files, PHP sources, and config files:

ffuf -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .php,.bak,.txt,.zip,.old,.conf

This appends each extension to every wordlist entry — great for finding config.php.bak, index.php~, and similar developer mistakes.

Subdomain Fuzzing

ffuf -u https://FUZZ.target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -H "Host: FUZZ.target.com" \
  -fs 0

Using the Host header technique works even when subdomains don’t have separate DNS entries (virtual hosting).

GET Parameter Fuzzing

Discover hidden query parameters:

ffuf -u "https://target.com/page?FUZZ=value" \
  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -fw 39

Then fuzz parameter values once you find interesting parameters:

ffuf -u "https://target.com/page?id=FUZZ" \
  -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

POST Body Fuzzing

ffuf -u https://target.com/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -mc 302

Multiple FUZZ Keywords

FFuf supports multiple keywords using -w wordlist1:W1 -w wordlist2:W2:

ffuf -u https://target.com/W1/W2 \
  -w dirs.txt:W1 \
  -w files.txt:W2 \
  -fc 404

Saving and Reviewing Output

ffuf -u https://target.com/FUZZ \
  -w wordlist.txt \
  -o results.json \
  -of json \
  -fc 404

Parse with jq:

cat results.json | jq '.results[] | {url, status, length}'

Rate Limiting and Stealth

Avoid triggering WAFs or getting banned:

ffuf -u https://target.com/FUZZ \
  -w wordlist.txt \
  -t 10 \
  -p 0.1 \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
  • -p 0.1: 100ms delay between requests
  • -t 10: reduce thread count
  • Use -replay-proxy to send interesting results through Burp Suite for further analysis

Practical Bug Bounty Workflow

  1. Passive recon: identify in-scope subdomains
  2. Subdomain fuzzing: find virtual hosts
  3. Directory fuzzing: common.txt first (fast), then medium wordlist
  4. File extension sweep: on discovered directories
  5. Parameter discovery: on dynamic pages
  6. Manual review: investigate all 200/301/302 results in Burp

FFuf’s speed makes it ideal for running multiple concurrent scans across different endpoints. Pair it with httpx for probing live hosts and nuclei for automated vulnerability checks on discovered paths.

Only fuzz systems you own or have explicit written permission to test. Unauthorized scanning is illegal and unethical.

#bug bounty #ethical hacking #web fuzzing #ffuf