$ go install github.com/ffuf/ffuf@latest
$ ffuf -u https://codingo.io/FUZZ/ -w ./wordlist
$ ffuf -u https://codingo.io/FUZZ -w ./wordlist.txt -recursion
Do not add "/" after FUZZ keyword.
$ ffuf -u http://codingo.io/FUZZ -w ./wrodlist.txt -recursion -e .bak
$ ffuf -u http://codingo.io/W1 -w ./wordlist.txt:W1 -e .bak
W1 could be set to anything of your choosing.
Silent Mode and Tee for Output
$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -s
$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -s | tee ./outfile.txt
$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -of html -o ./codingo
Supported formats include json, ejson, html, md, csv, and ecsv
$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -of html -o ./codingo -b "NAME1=VALUE1; NAME2=VALUE2"
$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -of html -o ./codingo -H "NAME1=VALUE1; NAME2=VALUE2"
Setting custom headers to identify yourself can also be a requirement on some pentest engagements, or bug bounty programs.
Authentication via Burp Suite
This can be bound to any available port, and can be consumend by any tool, not just FFUF
Burp Suite Macros and Burp Suite Extension support is a major strength of tunneling a request in this manner.
Multiple Fuzzing Locations
$ ffuf -u https://W2.io/W1 -w ./wordlist.txt:W1 -w ./domains.txt:W2
Save the request from Burp Suite
Right click on the requst -> Save item
vim /tmp/request
add GET /FUZZ at the request file
$ ffuf -request /tmp/request -w ./wordlist.txt
To use pitchfork mode, simply use the flag "-mode pitchfork"
Automatic Calibration Mode
$ ffuf -u https://codingo.io/FUZZ -w ./wordlist.txt --replay-proxy http://127.0.0.1:8080
$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -replay-proxy http://127.0.0.1:8888
