Byte-Sized OSINT Tip: ffuf
ffuf (Fuzz Faster U Fool) is a feature-filled web fuzzer written in Golang. It can be used for many different purposes. In this Byte-Sized OSINT Tip, I will focus on directory discovery. To install ffuf, follow the commands below:
# macOS only:
brew install ffuf
# other (must have golang compiler installed):
go install github.com/ffuf/ffuf/v2@latest
Directory Discovery
ffuf can be used to discover directories on a web server. For directory enumeration, you need a wordlist of directory names (such as the ones SecLists provides) and a target URL that ends in /FUZZ. FUZZ is the placeholder where ffuf substitutes each word from the wordlist before sending the request.
Subdirectory Discovery
You can also enumerate subdirectories. If you have a website like example.fake/notreal, you can test for further directories beneath it by using a URL such as example.fake/notreal/FUZZ or example.fake/notreal/imagination/FUZZ.
Response Filters
ffuf has several response filters you can use to remove false positives. You can filter by HTTP status code, by the number of lines in the response, by regular expression, by HTTP response size, by the number of words in the response, and more. To filter your results, first identify the value that the false-positive responses share, then pass that value to the corresponding filter flag to exclude it.
Command Examples
# Example command to run ffuf for directory discovery
ffuf -w /wordlist/path -u https://example.fake/FUZZ
# Example command to run ffuf for subdirectory discovery
ffuf -w /wordlist/path -u https://example.fake/imagination/FUZZ
# Example command to run ffuf for directory discovery (HTTP status code filter)
ffuf -w /wordlist/path -u https://example.fake/FUZZ -fc 301
# Example command to run ffuf for directory discovery (HTTP response size filter)
ffuf -w /wordlist/path -u https://example.fake/FUZZ -fs 444
# Example command to run ffuf for directory discovery (regex filter)
ffuf -w /wordlist/path -u https://example.fake/FUZZ -fr EXAMPLE_REGEX
# Example command to run ffuf for directory discovery (line count filter)
ffuf -w /wordlist/path -u https://example.fake/FUZZ -fl 444
# Example command to run ffuf for directory discovery (word count filter)
ffuf -w /wordlist/path -u https://example.fake/FUZZ -fw 444
To find more examples for ffuf usage, please visit https://github.com/ffuf/ffuf.
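As an added example that is not part of the original post, here is the defender's side of the same activity: a small Python script that flags wordlist-driven directory discovery in combined-format web access logs. It assumes that ffuf's default User-Agent begins with "Fuzz Faster U Fool" and runs over a constructed sample log rather than real traffic.

```python
# Added example (not from the original post): flag ffuf-style directory discovery
# in combined-format access logs. A wordlist run shows up as one client hitting many
# distinct paths in a short window, mostly answered 404, or as ffuf's default
# User-Agent (assumed here to start with "Fuzz Faster U Fool").
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than crash
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    return r

def detect_fuzzing(lines, window_s=60, min_paths=20, min_404_ratio=0.8):
    """Return {client_ip: reason} for clients whose traffic looks like fuzzing."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        if any(r["ua"].startswith("Fuzz Faster U Fool") for r in recs):
            findings[ip] = "ffuf default User-Agent"
            continue
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, cur in enumerate(recs):  # sliding window over request times
            while (cur["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            paths = {r["path"] for r in win}
            ratio = sum(r["status"] == 404 for r in win) / len(win)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                findings[ip] = f"{len(paths)} distinct paths, {ratio:.0%} 404 in {window_s}s"
                break
    return findings

def sample_log():
    """Constructed sample: 25 one-per-second probes (all 404 but /admin), one normal visit, one ffuf UA."""
    words = [f"dir{i}" for i in range(24)] + ["admin"]
    line = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /{p} HTTP/1.1" {st} 153 "-" "{ua}"'
    lines = [line.format(ip="203.0.113.9", s=i, p=w, st=200 if w == "admin" else 404,
                         ua="Mozilla/5.0 (custom)") for i, w in enumerate(words)]
    lines.append(line.format(ip="198.51.100.7", s=10, p="index.html", st=200, ua="Mozilla/5.0 Firefox/118.0"))
    lines.append(line.format(ip="192.0.2.44", s=59, p="backup", st=404, ua="Fuzz Faster U Fool v2.1.0"))
    return lines
```

Tune window_s, min_paths and min_404_ratio to your site's normal 404 rate; a site with many broken links needs a higher threshold than a static marketing page.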
Megan Howell (CyberQueenMeg) is a cybersecurity student at Grand Canyon University and an Offensive Security Intern at Cisco Systems. She is a bug bounty hunter, has been featured in Forbes Magazine for her work in AI bias hunting, is an open-source contributor to projects like BeEF and BlackArch Linux, a former DEF CON speaker, a SkillsUSA Cybersecurity national competitor, a National Cyber Scholar, and a CyberPatriot competitor. You can find her social media profiles at linktr.ee/cyberqueenmeg.
DISCLAIMER
The information presented above can be used for both beneficial and malicious purposes. I do not condone or endorse the use of this information for malicious purposes and will fully support the prosecution of those who use the information presented above in a manner that violates the law. You are only authorized to utilize this information on your own systems or on systems you are explicitly authorized to penetration test or perform bug bounties on. If you use this information in a malicious manner, you will be charged and prosecuted to the full extent of the laws surrounding unethical hacking and cyber crime.