ReddRadar
Agent skill
dast-ffuf
Fast web fuzzer for DAST testing with directory enumeration, parameter fuzzing, and virtual host discovery. Written in Go for high-performance HTTP fuzzing with extensive filtering capabilities. Supports multiple fuzzing modes (clusterbomb, pitchfork, sniper) and recursive scanning. Use when: (1) Discovering hidden directories, files, and endpoints on web applications, (2) Fuzzing GET and POST parameters to identify injection vulnerabilities, (3) Enumerating virtual hosts and subdomains, (4) Testing authentication endpoints with credential fuzzing, (5) Finding backup files and sensitive data exposures, (6) Performing comprehensive web application reconnaissance.
Install this agent skill to your Project
npx add-skill https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/dast-ffuf
SKILL.md
ffuf - Fast Web Fuzzer
Overview
ffuf is a fast web fuzzer written in Go designed for discovering hidden resources, testing parameters, and performing comprehensive web application reconnaissance. It uses the FUZZ keyword as a placeholder for wordlist entries and supports advanced filtering, multiple fuzzing modes, and recursive scanning for thorough security assessments.
Installation
# Using Go
go install github.com/ffuf/ffuf/v2@latest
# Using package managers
# Debian/Ubuntu
apt install ffuf
# macOS
brew install ffuf
# Or download pre-compiled binary from GitHub releases
Quick Start
Basic directory fuzzing:
# Directory discovery
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# File discovery with extension
ffuf -u https://example.com/FUZZ -w wordlist.txt -e .php,.html,.txt
# Virtual host discovery
ffuf -u https://example.com -H "Host: FUZZ.example.com" -w subdomains.txt
Core Workflows
Workflow 1: Directory and File Enumeration
For discovering hidden resources on web applications:
- Start with common directory wordlist:
bash
ffuf -u https://target.com/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/common.txt \ -mc 200,204,301,302,307,401,403 \ -o results.json - Review discovered directories (focus on 200, 403 status codes)
- Enumerate files in discovered directories:
bash
ffuf -u https://target.com/admin/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt \ -e .php,.bak,.txt,.zip \ -mc all -fc 404 - Use recursive mode for deep enumeration:
bash
ffuf -u https://target.com/FUZZ \ -w wordlist.txt \ -recursion -recursion-depth 2 \ -e .php,.html \ -v - Document findings and test discovered endpoints
Workflow 2: Parameter Fuzzing (GET/POST)
Progress: [ ] 1. Identify target endpoint for parameter testing [ ] 2. Fuzz GET parameter names to discover hidden parameters [ ] 3. Fuzz parameter values for injection vulnerabilities [ ] 4. Test POST parameters with JSON/form data [ ] 5. Apply appropriate filters to reduce false positives [ ] 6. Analyze responses for anomalies and vulnerabilities [ ] 7. Validate findings manually [ ] 8. Document vulnerable parameters and payloads
Work through each step systematically. Check off completed items.
GET Parameter Name Fuzzing:
ffuf -u https://target.com/api?FUZZ=test \
-w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-fs 0 # Filter out empty responses
GET Parameter Value Fuzzing:
ffuf -u https://target.com/api?id=FUZZ \
-w payloads.txt \
-mc all
POST Data Fuzzing:
# Form data
ffuf -u https://target.com/login \
-X POST \
-d "username=admin&password=FUZZ" \
-w passwords.txt \
-H "Content-Type: application/x-www-form-urlencoded"
# JSON data
ffuf -u https://target.com/api/login \
-X POST \
-d '{"username":"admin","password":"FUZZ"}' \
-w passwords.txt \
-H "Content-Type: application/json"
Workflow 3: Virtual Host and Subdomain Discovery
For identifying virtual hosts and subdomains:
- Prepare subdomain wordlist (or use SecLists)
- Run vhost fuzzing:
bash
ffuf -u https://target.com \ -H "Host: FUZZ.target.com" \ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -fs 0 # Filter by response size to identify valid vhosts - Filter results by comparing response sizes/words
- Verify discovered vhosts manually
- Enumerate directories on each vhost
- Document vhost configurations and exposed services
Workflow 4: Authentication Endpoint Fuzzing
For testing login forms and authentication mechanisms:
- Identify authentication endpoint
- Fuzz usernames:
bash
ffuf -u https://target.com/login \ -X POST \ -d "username=FUZZ&password=test123" \ -w usernames.txt \ -H "Content-Type: application/x-www-form-urlencoded" \ -mr "Invalid password|Incorrect password" # Match responses indicating valid user - For identified users, fuzz passwords:
bash
ffuf -u https://target.com/login \ -X POST \ -d "username=admin&password=FUZZ" \ -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \ -H "Content-Type: application/x-www-form-urlencoded" \ -fc 401,403 # Filter failed attempts - Use clusterbomb mode for combined username/password fuzzing:
bash
ffuf -u https://target.com/login \ -X POST \ -d "username=FUZZ1&password=FUZZ2" \ -w usernames.txt:FUZZ1 \ -w passwords.txt:FUZZ2 \ -mode clusterbomb
Workflow 5: Backup and Sensitive File Discovery
For finding exposed backup files and sensitive data:
- Create wordlist of common backup patterns
- Fuzz for backup files:
bash
ffuf -u https://target.com/FUZZ \ -w backup-files.txt \ -e .bak,.backup,.old,.zip,.tar.gz,.sql,.7z \ -mc 200 \ -o backup-files.json - Test common sensitive file locations:
bash
ffuf -u https://target.com/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/sensitive-files.txt \ -mc 200,403 - Download and analyze discovered files
- Report findings with severity classification
Fuzzing Modes
ffuf supports multiple fuzzing modes for different attack scenarios:
Clusterbomb Mode - Cartesian product of all wordlists (default):
ffuf -u https://target.com/FUZZ1/FUZZ2 \
-w dirs.txt:FUZZ1 \
-w files.txt:FUZZ2 \
-mode clusterbomb
Tests every combination: dir1/file1, dir1/file2, dir2/file1, dir2/file2
Pitchfork Mode - Parallel iteration of wordlists:
ffuf -u https://target.com/login \
-X POST \
-d "username=FUZZ1&password=FUZZ2" \
-w users.txt:FUZZ1 \
-w passwords.txt:FUZZ2 \
-mode pitchfork
Tests pairs: user1/pass1, user2/pass2 (stops at shortest wordlist)
Sniper Mode - One wordlist, multiple positions:
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-mode sniper
Standard single-wordlist fuzzing.
Filtering and Matching
Effective filtering is crucial for reducing noise:
Match Filters (only show matching):
-mc 200,301- Match HTTP status codes-ms 1234- Match response size-mw 100- Match word count-ml 50- Match line count-mr "success|admin"- Match regex pattern in response
Filter Options (exclude matching):
-fc 404,403- Filter status codes-fs 0,1234- Filter response sizes-fw 0- Filter word count-fl 0- Filter line count-fr "error|not found"- Filter regex pattern
Auto-Calibration:
# Automatically filter baseline responses
ffuf -u https://target.com/FUZZ -w wordlist.txt -ac
Common Patterns
Pattern 1: API Endpoint Discovery
Discover REST API endpoints:
# Enumerate API paths
ffuf -u https://api.target.com/v1/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
-mc 200,201,401,403 \
-o api-endpoints.json
# Fuzz API versions
ffuf -u https://api.target.com/FUZZ/users \
-w <(seq 1 10 | sed 's/^/v/') \
-mc 200
Pattern 2: Extension Fuzzing
Test multiple file extensions:
# Brute-force extensions on known files
ffuf -u https://target.com/admin.FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt \
-mc 200
# Or use -e flag for multiple extensions
ffuf -u https://target.com/FUZZ \
-w filenames.txt \
-e .php,.asp,.aspx,.jsp,.html,.bak,.txt
Pattern 3: Rate-Limited Fuzzing
Respect rate limits and avoid detection:
# Add delay between requests
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-p 0.5-1.0 # Random delay 0.5-1.0 seconds
# Limit concurrent requests
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-t 5 # Only 5 concurrent threads
Pattern 4: Custom Header Fuzzing
Fuzz HTTP headers for security misconfigurations:
# Fuzz custom headers
ffuf -u https://target.com/admin \
-w headers.txt:HEADER \
-H "HEADER: true" \
-mc all
# Fuzz header values
ffuf -u https://target.com/admin \
-H "X-Forwarded-For: FUZZ" \
-w /usr/share/seclists/Fuzzing/IPs.txt \
-mc 200
Pattern 5: Cookie Fuzzing
Test cookie-based authentication and session management:
# Fuzz cookie values
ffuf -u https://target.com/dashboard \
-b "session=FUZZ" \
-w session-tokens.txt \
-mc 200
# Fuzz cookie names
ffuf -u https://target.com/admin \
-b "FUZZ=admin" \
-w cookie-names.txt
Output Formats
Save results in multiple formats:
# JSON output (recommended for parsing)
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# CSV output
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.csv -of csv
# HTML report
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.html -of html
# All formats
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results -of all
Security Considerations
- Sensitive Data Handling: Discovered files may contain credentials, API keys, or PII. Handle findings securely and report responsibly
- Access Control: Only fuzz applications with proper authorization. Obtain written permission before testing third-party systems
- Audit Logging: Log all fuzzing activities including targets, wordlists used, and findings for compliance and audit trails
- Compliance: Ensure fuzzing activities comply with bug bounty program rules, penetration testing agreements, and legal requirements
- Safe Defaults: Use reasonable rate limits to avoid DoS conditions. Start with small wordlists before scaling up
Integration Points
Reconnaissance Workflow
- Subdomain enumeration (amass, subfinder)
- Port scanning (nmap)
- Service identification
- ffuf directory/file enumeration
- Content discovery and analysis
- Vulnerability scanning
CI/CD Security Testing
Integrate ffuf into automated security pipelines:
# CI/CD script
#!/bin/bash
set -e
# Run directory enumeration
ffuf -u https://staging.example.com/FUZZ \
-w /wordlists/common.txt \
-mc 200,403 \
-o ffuf-results.json \
-of json
# Parse results and fail if sensitive files found
if grep -q "/.git/\|/backup/" ffuf-results.json; then
echo "ERROR: Sensitive files exposed!"
exit 1
fi
Integration with Burp Suite
- Use Burp to identify target endpoints
- Export interesting requests
- Convert to ffuf commands for automated fuzzing
- Import ffuf results back to Burp for manual testing
Troubleshooting
Issue: Too Many False Positives
Solution: Use auto-calibration or manual filtering:
# Auto-calibration
ffuf -u https://target.com/FUZZ -w wordlist.txt -ac
# Manual filtering by size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234,5678
Issue: Rate Limiting or Blocking
Solution: Reduce concurrency and add delays:
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-t 1 \
-p 2.0 \
-H "User-Agent: Mozilla/5.0..."
Issue: Large Wordlist Takes Too Long
Solution: Start with smaller, targeted wordlists:
# Use top 1000 instead of full list
head -1000 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt > small.txt
ffuf -u https://target.com/FUZZ -w small.txt
Issue: Missing Discovered Content
Solution: Test with multiple extensions and match codes:
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-e .php,.html,.txt,.asp,.aspx,.jsp \
-mc all \
-fc 404
OWASP Testing Integration
Map ffuf usage to OWASP Testing Guide categories:
- WSTG-CONF-04: Review Old Backup and Unreferenced Files
- WSTG-CONF-05: Enumerate Infrastructure and Application Admin Interfaces
- WSTG-CONF-06: Test HTTP Methods
- WSTG-IDENT-01: Test Role Definitions (directory enumeration)
- WSTG-ATHZ-01: Test Directory Traversal/File Include
- WSTG-INPVAL-01: Test for Reflected Cross-site Scripting
- WSTG-INPVAL-02: Test for Stored Cross-site Scripting
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
AgentSecOps/SecOpsAgentKit
policy-opa
Policy-as-code enforcement and compliance validation using Open Policy Agent (OPA). Use when: (1) Enforcing security and compliance policies across infrastructure and applications, (2) Validating Kubernetes admission control policies, (3) Implementing policy-as-code for compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA), (4) Testing and evaluating OPA Rego policies, (5) Integrating policy checks into CI/CD pipelines, (6) Auditing configuration drift against organizational security standards, (7) Implementing least-privilege access controls.
AgentSecOps/SecOpsAgentKit
ir-velociraptor
Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL) for evidence collection and threat hunting at scale. Use when: (1) Conducting forensic investigations across multiple endpoints, (2) Hunting for indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry and artifacts for incident analysis, (4) Performing live response and evidence preservation, (5) Monitoring endpoints for security events, (6) Creating custom forensic artifacts for specific threat scenarios.
AgentSecOps/SecOpsAgentKit
forensics-osquery
SQL-powered forensic investigation and system interrogation using osquery to query operating systems as relational databases. Enables rapid evidence collection, threat hunting, and incident response across Linux, macOS, and Windows endpoints. Use when: (1) Investigating security incidents and collecting forensic artifacts, (2) Threat hunting across endpoints for suspicious activity, (3) Analyzing running processes, network connections, and persistence mechanisms, (4) Collecting system state during incident response, (5) Querying file hashes, user activity, and system configuration for compromise indicators, (6) Building detection queries for continuous monitoring with osqueryd.
AgentSecOps/SecOpsAgentKit
detection-sigma
Generic detection rule creation and management using Sigma, the universal SIEM rule format. Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms. Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.
AgentSecOps/SecOpsAgentKit
skill-name
[REQUIRED] Comprehensive description of what this skill does and when to use it. Include: (1) Primary functionality, (2) Specific use cases, (3) Security operations context. Must include specific "Use when:" clause for skill discovery. Example: "SAST vulnerability analysis and remediation guidance using Semgrep and industry security standards. Use when: (1) Analyzing static code for security vulnerabilities, (2) Prioritizing security findings by severity, (3) Providing secure coding remediation, (4) Integrating security checks into CI/CD pipelines." Maximum 1024 characters.
AgentSecOps/SecOpsAgentKit
pytm
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
Didn't find tool you were looking for?