When performing a security audit on a web application, it is essential to identify publicly exposed resources, such as files, folders or API endpoints. Enumerating these elements can uncover potential security flaws and expand the attack surface.
There are several tools available for this task, including DirBuster, GoBuster and FFuF (Fast Fuzzing), an open-source tool developed in Go. Fast, efficient and flexible, FFuF has become a must-have in the field of cybersecurity.
In this article, we'll look at how FFuF works, how to install it and how to use it effectively for hidden resource discovery.
You can find the content of this article in video form on my YouTube channel:
Download and installation
There are several ways to install FFuF, depending on your operating system:
- Downloading precompiled binaries (Windows, Linux, Mac):
- Installation via Go:
go install github.com/ffuf/ffuf/v2@latest
- Manual compilation:
git clone https://github.com/ffuf/ffuf.git
cd ffuf
go get
go build
- Installation via a package manager (e.g. on Kali Linux):
sudo apt install ffuf
Dictionaries and wordlists
To do its work, FFuF needs a wordlist: a file containing the words or paths to be tested. One of the most popular sources is the SecLists repository, which contains a vast collection of wordlists suited to different types of testing.
Download SecLists:
cd /opt/
git clone https://github.com/danielmiessler/SecLists.git
Once the wordlists are in place, we can start using FFuF.
Searching for hidden files and folders
The basic command for scanning a website for hidden files and folders is:
ffuf -c -w /opt/SecLists/Discovery/Web-Content/common.txt -u https://example.com/FUZZ
Explanation:
- -c: enables colouring of the results in the terminal
- -w: specifies the file containing the words to be tested
- -u: defines the target URL; the FUZZ keyword is replaced by each word from the wordlist
FFuF sends one request per word in the wordlist and displays the resources it finds.
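What such a scan looks like from the server side, as an added example that is not part of the original article: a small POSIX shell script that reads constructed access-log lines in the combined log format and flags clients that produced a burst of 404 responses, or that sent the User-Agent ffuf uses by default (it identifies itself as "Fuzz Faster U Fool" followed by its version, unless the scan overrides it with -H). The sample lines, the IP addresses, the function names and the threshold of four 404s are constructed values, not data from the article.

```shell
#!/bin/sh
# Added example (not from the article): detect a wordlist scan such as an
# ffuf run from the server side. The log lines are constructed samples in
# the "combined" access-log format; the IPs and the threshold are made up.

ACCESS_LOG_SAMPLE='203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 669 "-" "Fuzz Faster U Fool/v2.1.0"
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 669 "-" "Fuzz Faster U Fool/v2.1.0"
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /config HTTP/1.1" 404 669 "-" "Fuzz Faster U Fool/v2.1.0"
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool/v2.1.0"
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /uploads HTTP/1.1" 404 669 "-" "Fuzz Faster U Fool/v2.1.0"
198.51.100.4 - - [10/Oct/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:12:00:06 +0000] "GET /missing.png HTTP/1.1" 404 669 "-" "Mozilla/5.0"'

# Count 404 responses per client IP and print "count ip" for every client
# at or above the threshold given as $1 (default: 4). In the combined
# format the client IP is field 1 and the status code is field 9.
flag_404_bursts() {
    threshold=${1:-4}
    awk -v t="$threshold" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }'
}

# Print the client IPs that sent the default ffuf User-Agent (assumption:
# the scan did not override it with -H). Splitting each line on double
# quotes puts the User-Agent in field 6 and the IP at the start of field 1.
flag_default_ua() {
    awk -F'"' '$6 ~ /Fuzz Faster U Fool/ { split($1, f, " "); print f[1] }' | sort -u
}

# Demonstration on the constructed sample.
echo "Clients with a burst of 404s (count ip):"
printf '%s\n' "$ACCESS_LOG_SAMPLE" | flag_404_bursts 4
echo "Clients sending the default ffuf User-Agent:"
printf '%s\n' "$ACCESS_LOG_SAMPLE" | flag_default_ua
```

The 404 count is the more robust signal of the two: the User-Agent is trivially changed with -H, so a rule that relies on it only catches scans run with default settings, while a dozen 404s from one client inside a few seconds is characteristic of any wordlist-driven tool. Run the functions over a real log with `flag_404_bursts 50 < access.log` and tune the threshold to the normal 404 rate of the site.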
Recursive search
To automate enumeration by also testing the sub-folders that are found, we add -recursion:
ffuf -c -w /opt/SecLists/Discovery/Web-Content/common.txt -recursion -u https://example.com/FUZZ
FFuF then runs the wordlist against each folder it discovers, looking for further files or sub-folders inside it.
Filtering results
Some servers always return an HTTP 200 code, even when the resource doesn't exist. To avoid false positives, you can filter responses by size (-fs) or by content matched with a regular expression (-fr):
ffuf -w /opt/SecLists/Discovery/Web-Content/common.txt -u https://example.com/FUZZ -fs 669
Or use a regular expression to filter a specific error message:
ffuf -w /opt/SecLists/Discovery/Web-Content/common.txt -u https://example.com/FUZZ -fr "Page Not Found"
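One way to find the -fs value before filtering, as an added example that is not code from the original article or from the ffuf project: run ffuf once without filters, then use the shell functions below to pick the response size that repeats across most results (on a catch-all server, that is the size of its "not found" page) and to drop those results. The result lines, the paths and the sizes are constructed samples shaped like ffuf's terminal output; the function names are my own, and the wordlist path and target are the ones used in the article's commands.

```shell
#!/bin/sh
# Added example (not from the article or the ffuf project): choose the -fs
# value for a catch-all server from one unfiltered ffuf run. The lines
# below are constructed samples shaped like ffuf's terminal output; 669 is
# the size the article filters on.

FFUF_RUN_SAMPLE='index.html   [Status: 200, Size: 5120, Words: 412, Lines: 120, Duration: 31ms]
admin        [Status: 200, Size: 669, Words: 45, Lines: 12, Duration: 28ms]
backup       [Status: 200, Size: 669, Words: 45, Lines: 12, Duration: 30ms]
config       [Status: 200, Size: 669, Words: 45, Lines: 12, Duration: 27ms]
login        [Status: 200, Size: 2048, Words: 190, Lines: 60, Duration: 35ms]
uploads      [Status: 200, Size: 669, Words: 45, Lines: 12, Duration: 29ms]'

# Most frequent "Size:" value among the results read from stdin. On a server
# that answers every unknown path with the same page, this is that page's size.
dominant_size() {
    sed -n 's/.*Size: \([0-9]*\),.*/\1/p' \
        | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# Drop every result whose size equals $1: the same effect as -fs $1.
drop_size() {
    awk -v s="$1" '$0 !~ ("Size: " s ",") { print }'
}

# Demonstration on the constructed sample.
WORDLIST=/opt/SecLists/Discovery/Web-Content/common.txt   # path from the article
TARGET=https://example.com/FUZZ                           # placeholder target
size=$(printf '%s\n' "$FFUF_RUN_SAMPLE" | dominant_size)
echo "Catch-all page size: $size"
echo "Results that survive the filter:"
printf '%s\n' "$FFUF_RUN_SAMPLE" | drop_size "$size"
echo "Suggested command: ffuf -c -w $WORDLIST -u $TARGET -fs $size"
```

ffuf's own -ac option performs a comparable calibration automatically by requesting random paths before the scan. If the catch-all page echoes the requested path, its size changes with every word, so a size filter no longer works; filter on word count (-fw) or on a fixed string in the body with -fr, as the article's second command does.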
Search for API parameters
FFuF can also be used to discover unknown API parameters:
ffuf -w /opt/SecLists/Discovery/Web-Content/params.txt -u "https://example.com/api/data?FUZZ=1" -mc all -fr "Required Parameter Missing"
This command replaces FUZZ with each word in the wordlist to test different parameter names and identify those the application accepts: -mc all keeps every status code, and -fr removes the responses that still carry the "Required Parameter Missing" message.
Discover VHosts
FFuF can also be used to enumerate the Virtual Hosts on a server:
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.example.com" -u https://example.com -fs 1495
If a virtual host exists but has no DNS record, you can test its response by setting the Host header directly:
curl -H "Host: vhost.example.com" https://example.com
Conclusion
FFuF is a powerful, fast and flexible tool for discovering web resources. When used in conjunction with appropriate wordlists and a wide range of filtering options, it delivers precise, usable results.
Whether for pentesting, bug bounty or simply to better understand a target's infrastructure, FFuF is an indispensable asset.
If you'd like to deepen your skills, don't hesitate to test FFuF on platforms such as TryHackMe or HackTheBox.