Ffuf: The Tool That Helps You Find What Others Miss

When you start testing web applications, it feels like everything is visible.

m0cha_

~6 min read · April 20, 2026 (Updated: April 20, 2026) · Free: Yes

You browse pages, test inputs, intercept requests, and it seems like you're covering the application.

But in reality, you're only seeing what the application chooses to show you.

Behind the scenes, there are Hidden endpoints, Internal APIs, Backup files, etc., something that you won't find just by clicking around.

This is where Ffuf becomes important.

What is Ffuf?

Ffuf (Fuzz Faster U Fool) is a fast web fuzzer used to discover hidden parts of a web application.

It helps you find what is not meant to be found.

Also, Ffuf is an Active tool.

It actively sends requests to the target, swapping in different payloads from a wordlist each time.

So instead of just observing traffic (like passive tools), it interacts with the application to discover hidden content.

Why Use Ffuf?

While testing applications or even just trying to explore there, I always felt stuck, not knowing what to do or what to test, or even where to start from, because let's be honest, everything on the screen seemed perfectly working right there, then coming to hidden pages or directories, I realised,

You can't test what you can't see.

That's where Ffuf helps you:

Expand the attack surface
Discover hidden entry points
Identify misconfigurations

How Ffuf Works

Ffuf replaces a keyword (usually FUZZ) with words from a list and sends requests.

Example:

ffuf -u https://target.com/FUZZ -w wordlist.txt

Here:

-u → Target URL
FUZZ → Placeholder that gets replaced
-w → Wordlist

Installation:

sudo apt install ffuf

go install github.com/ffuf/ffuf/v2@latest

Wordlists:

Before I explain the commands, it's important to know that ffuf works on wordlists. Now, the main question one might get is which wordlists to use? And to clear that, I have listed the word lists below for reference:

/usr/share/wordlists/dirb/common.txt :- basic

This basic wordlist comes pre-installed on Kali. No extra installation needed. Around 4600 words covering the most common directories and files. Use this for a quick first pass, fast, lightweight, finds obvious things like /admin, /login, /backup, /uploads.

2. /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt :- standard

This is a part of the SecLists package. Install with sudo apt install seclists if not already present. Around 220,000 words. This is the standard wordlist for serious directory fuzzing on real engagements. It's slower but thorough; use this when the quick scan finds nothing interesting.

SecLists generally — There are numerous more SecLists that can be used according to the needs, you can get to know more about them on https://www.kali.org/tools/seclists/

Wordlists can be found in common locations such as /usr/share/dirbuster/wordlists/ or by installing SecLists, depending on your environment.

You can also find the required wordlist using the find command.

Ffuf Cheat Sheet (With Meanings)

1. Basic Directory Fuzzing

ffuf -u https://target.com/FUZZ -w wordlist.txt

Use: Finds hidden directories like /admin, /backup Why: Expands your attack surface

2. Match Status Codes

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403

-mc (Match Codes): Shows only selected HTTP responses Why: Filters out useless responses like 404

3. Filter Status Codes

ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404

-fc (Filter Codes): Hides specific responses Why: Removes noise

4. Filter by Response Size

ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234

-fs (Filter Size): Removes responses of a specific size Why: Many false pages have the same size

5. Filter by Words

ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 20

-fw (Filter Words): Filters based on word count Why: Helps detect real vs fake responses

6. Filter by Lines

ffuf -u https://target.com/FUZZ -w wordlist.txt -fl 10

-fl (Filter Lines): Filters based on line count Why: Useful when size filtering fails

7. Recursive Fuzzing

ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion

-recursion: Automatically scans deeper directories Why: Finds nested paths

8. Control Recursion Depth

ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

-recursion-depth: Limits how deep to scan Why: Prevents excessive requests

9. Parameter Fuzzing (GET)

ffuf -u "https://target.com/page?param=FUZZ" -w wordlist.txt

Use: Finds hidden or vulnerable parameters Why: Some parameters are not documented

10. POST Request Fuzzing

ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -w wordlist.txt

-X: Request method -d: Data sent in request Why: Useful for login or form testing

11. JSON Fuzzing

ffuf -u https://target.com/api -X POST -H "Content-Type: application/json" -d '{"user":"admin","pass":"FUZZ"}' -w wordlist.txt

-H: Header Why: APIs often use JSON

12. Header Fuzzing

ffuf -u https://target.com -H "X-Forwarded-For: FUZZ" -w wordlist.txt

Use: Test header-based vulnerabilities Why: Useful for bypass techniques

13. Cookie Fuzzing

ffuf -u https://target.com -b "session=FUZZ" -w wordlist.txt

-b: Cookie Why: Tests session-related issues

14. Subdomain Fuzzing

ffuf -u https://FUZZ.target.com -w wordlist.txt

Use: Finds subdomains Why: Expands scope significantly

15. Match Response Content

ffuf -u https://target.com/FUZZ -w wordlist.txt -mr "admin"

-mr (Match Regex/Text): Shows responses containing the keyword Why: Helps find interesting pages

16. Follow Redirects

ffuf -u https://target.com/FUZZ -w wordlist.txt -r

-r: Follow redirects Why: Some endpoints redirect to real content

17. Delay Requests

ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5

-p: Delay between requests Why: Avoids rate limiting

18. Control Speed (Threads)

ffuf -u https://target.com/FUZZ -w wordlist.txt -t 50

-t: Number of threads Why: Balance speed and stability

19. Proxy (Burp Suite)

ffuf -u https://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080

-x: Proxy Why: Analyse requests in Burp

20. Save Output

ffuf -u https://target.com/FUZZ -w wordlist.txt -o output.json

-o: Output file Why: Save results for later

21. Silent Mode

ffuf -u https://target.com/FUZZ -w wordlist.txt -s

-s: Minimal output Why: Cleaner results

22. Auto Calibration

ffuf -u https://target.com/FUZZ -w wordlist.txt -ac

-ac: Automatically filters false positives Why: Saves time in analysis

Practical Example:

For a simple practical example, we can try ffuf on a URL where we want to find hidden directories.

In this, I am gonna use ffuf basic directory fuzzing following redirects on the Basic challenge no. 11 on HackThisSite URL.

As you can see in the screenshot above, we have used the basic directory fuzzing on the URL https://www.hackthissite.org/missions/basic/11/FUZZ

Here, the tool ffuf changes the word FUZZ with other words from the wordlists.

In this example, I have also used the -r flag, which follows the redirects in this directory fuzzing.

As for the output, we can see that we have found various directories as well as their status codes, indicating whether they are accessible or not.

Note: The practical demonstration above was performed on a platform designed for security testing. Never use these techniques on systems you don't own or have explicit permission to test.

Final Thought

Ffuf doesn't exploit vulnerabilities.

It helps you find where they might exist.

And in pentesting, that's often the hardest part.

Because once you discover something hidden, there's a high chance that something is wrong there.

And that's where real findings begin.

#cybersecurity #kali-linux #vapt #penetration-testing #offensive-security

< Go to the original