Precision FFUF Web Fuzzing Workshop
A comprehensive skill that enables web application fuzzing for vulnerability analysis. Built for Claude Code with best practices and real-world patterns.
FFUF Web Fuzzing Workshop
Comprehensive web application fuzzing framework using FFUF (Fuzz Faster U Fool) for directory discovery, parameter fuzzing, virtual host enumeration, and API endpoint brute-forcing in authorized security testing engagements.
When to Use This Skill
Choose FFUF Web Fuzzing when:
- Performing authorized directory and file discovery on web targets
- Fuzzing API endpoints for hidden parameters and paths
- Enumerating virtual hosts and subdomains
- Testing authentication mechanisms for bypass vulnerabilities
- Discovering backup files, configuration files, and admin panels
Consider alternatives when:
- Need full vulnerability scanning — use Burp Suite or OWASP ZAP
- Performing network-level scanning — use Nmap
- Need authenticated crawling — use specialized crawlers
Quick Start
```bash
# Activate FFUF fuzzing toolkit
claude skill activate precision-ffuf-web-fuzzing-workshop

# Basic directory fuzzing
claude "Run FFUF directory discovery against https://target.example.com"

# API endpoint fuzzing
claude "Fuzz API endpoints on the target with common REST path patterns"
```
Example FFUF Commands
```bash
# Basic directory brute-force
ffuf -u https://target.example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Filter by response size to reduce noise
ffuf -u https://target.example.com/FUZZ -w wordlist.txt -fs 4242

# Filter by status code
ffuf -u https://target.example.com/FUZZ -w wordlist.txt -fc 404,403

# Multiple fuzzing points
ffuf -u https://target.example.com/FUZZ1/FUZZ2 \
  -w endpoints.txt:FUZZ1 \
  -w params.txt:FUZZ2

# POST parameter fuzzing
ffuf -u https://target.example.com/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -w passwords.txt \
  -fc 401

# Virtual host enumeration
ffuf -u https://target.example.com \
  -H "Host: FUZZ.target.example.com" \
  -w subdomains.txt \
  -fs 0

# API endpoint discovery with JSON
ffuf -u https://api.target.example.com/v1/FUZZ \
  -w api-endpoints.txt \
  -mc 200,201,301,302,401,403 \
  -H "Content-Type: application/json"

# Recursive discovery
ffuf -u https://target.example.com/FUZZ \
  -w wordlist.txt \
  -recursion \
  -recursion-depth 2 \
  -e .php,.html,.js,.bak
```
Core Concepts
Fuzzing Modes
| Mode | Description | Use Case |
|---|---|---|
| Directory Discovery | Replace path segments with wordlist entries | Find hidden directories and files |
| Parameter Fuzzing | Fuzz GET/POST parameters | Discover hidden API parameters |
| Header Fuzzing | Replace header values | Virtual host enumeration, auth bypass |
| Subdomain Enum | Fuzz Host header | Find hidden subdomains |
| Method Fuzzing | Try different HTTP methods | Find method-based access controls |
| Extension Brute | Append file extensions | Discover backup and config files |
Filtering and Matching
| Filter | Flag | Description |
|---|---|---|
| Status Code | -mc / -fc | Match/filter by HTTP status |
| Response Size | -ms / -fs | Match/filter by response size in bytes |
| Word Count | -mw / -fw | Match/filter by word count |
| Line Count | -ml / -fl | Match/filter by line count |
| Regex | -mr / -fr | Match/filter by regex pattern |
| Response Time | -mt / -ft | Match/filter by response time |
```bash
# Advanced filtering examples

# Auto-calibrate filters (recommended first step)
ffuf -u https://target.example.com/FUZZ -w wordlist.txt -ac

# Match only specific sizes
ffuf -u https://target.example.com/FUZZ -w wordlist.txt -ms 1234,5678

# Combine multiple filters
ffuf -u https://target.example.com/FUZZ -w wordlist.txt \
  -fc 404 -fs 0 -fw 12

# Output results to file
ffuf -u https://target.example.com/FUZZ -w wordlist.txt \
  -o results.json -of json
```
Configuration
| Parameter | Description | Default |
|---|---|---|
| threads | Concurrent request threads | 40 |
| rate | Requests per second limit | 0 (unlimited) |
| timeout | HTTP request timeout | 10s |
| follow_redirects | Follow HTTP redirects | false |
| recursion_depth | Depth for recursive fuzzing | 0 (disabled) |
| extensions | File extensions to append | [] |
| auto_calibrate | Auto-calibrate filtering | true |
| output_format | Output: json, csv, html, md | json |
Best Practices
- Always start with auto-calibration (`-ac`) — FFUF's auto-calibrate mode sends baseline requests to determine typical 404 response characteristics, then automatically filters similar responses. This dramatically reduces false positives without manual filter tuning.
- Rate limit to avoid disrupting target systems — Use `-rate` to cap requests per second. Start with 50-100 RPS for web applications and lower for APIs with rate limiting. Unthrottled fuzzing can trigger WAF blocks, crash unstable applications, or be mistaken for a denial-of-service attack.
- Use targeted wordlists rather than massive generic ones — Match wordlists to the technology stack. Use PHP-specific lists for PHP apps, API-specific lists for REST endpoints, and technology-aware lists (WordPress, Django, Spring) for framework-specific discovery.
- Layer your fuzzing approach — Start with common directories, then recursive discovery on interesting paths, then extension brute-forcing on discovered paths, then parameter fuzzing on discovered endpoints. Each layer narrows the target and increases finding quality.
- Save and version your results — Output results to JSON (`-o results.json -of json`) for programmatic analysis. Compare results across scans to identify new endpoints or removed content that may indicate changes in the attack surface.
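The "save and version your results" practice above is only useful if something actually compares the saved files. The script below is an added example, not part of this skill page and not ffuf's own code. It assumes the layout of ffuf's `-of json` output (a top-level `results` list whose entries carry `url`, `status`, `length`, `words` and `lines`); the two scan documents embedded in it are constructed sample data standing in for `before.json` and `after.json`.

```python
"""Diff two ffuf JSON result files and report endpoints that appeared,
disappeared or changed status between scans.

Added example: not from the skill page or from ffuf. Assumes ffuf's
`-of json` layout; the two documents below are constructed samples.
"""
import json

# Constructed sample of what `-o before.json -of json` produces (trimmed).
SCAN_BEFORE = json.dumps({
    "commandline": "ffuf -u https://target.example.com/FUZZ -w wordlist.txt -o before.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"}, "status": 301, "length": 0, "words": 1, "lines": 1,
         "url": "https://target.example.com/admin"},
        {"input": {"FUZZ": "login"}, "status": 200, "length": 2048, "words": 310, "lines": 60,
         "url": "https://target.example.com/login"},
        {"input": {"FUZZ": "old-backup.zip"}, "status": 200, "length": 51200, "words": 4, "lines": 1,
         "url": "https://target.example.com/old-backup.zip"},
    ],
})

# Constructed sample for a later scan: the backup archive is gone, /api is new,
# and the login page changed size but not status.
SCAN_AFTER = json.dumps({
    "commandline": "ffuf -u https://target.example.com/FUZZ -w wordlist.txt -o after.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"}, "status": 301, "length": 0, "words": 1, "lines": 1,
         "url": "https://target.example.com/admin"},
        {"input": {"FUZZ": "login"}, "status": 200, "length": 2100, "words": 320, "lines": 61,
         "url": "https://target.example.com/login"},
        {"input": {"FUZZ": "api"}, "status": 401, "length": 43, "words": 6, "lines": 1,
         "url": "https://target.example.com/api"},
    ],
})


def load_results(document):
    """Return {url: result-dict} for one ffuf JSON document (text of the file)."""
    data = json.loads(document)
    return {r["url"]: r for r in data.get("results", [])}


def diff_scans(before_doc, after_doc):
    """Classify endpoints as added, removed, or changed (HTTP status differs).

    Size differences alone are ignored on purpose: dynamic pages change
    length on every request and would drown the report in noise.
    """
    before = load_results(before_doc)
    after = load_results(after_doc)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        url for url in set(before) & set(after)
        if before[url]["status"] != after[url]["status"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def format_report(diff):
    """One line per finding, tagged ADDED / REMOVED / CHANGED."""
    lines = []
    for kind in ("added", "removed", "changed"):
        for url in diff[kind]:
            lines.append(f"[{kind.upper():7}] {url}")
    return "\n".join(lines) if lines else "no change in discovered endpoints"


if __name__ == "__main__":
    # With real files: diff_scans(open("before.json").read(), open("after.json").read())
    print(format_report(diff_scans(SCAN_BEFORE, SCAN_AFTER)))
```

A removed entry (here the backup archive) is just as interesting as an added one: it usually means the finding was remediated, which is exactly the kind of change worth recording in the engagement notes.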
Common Issues
All requests return the same status code and response size. The application uses a custom error handler that returns 200 OK for all paths with a generic error page. Use auto-calibrate (-ac) or manually filter by response size (-fs), word count (-fw), or regex (-fr) to distinguish real pages from the custom 404.
FFUF gets blocked by WAF or rate limiting after a few hundred requests. Reduce thread count (-t 5), add rate limiting (-rate 10), randomize request intervals, and rotate User-Agent headers. For WAF bypass during authorized testing, consider using a custom -H "X-Forwarded-For: 127.0.0.1" header if the WAF trusts proxy headers.
Results contain hundreds of false positives with slight size variations. Custom error pages often include dynamic content (timestamps, request paths, session tokens) causing size variation. Use word count filtering (-fw) instead of size filtering, as word count is more stable. Alternatively, use regex filtering (-fr "Page not found") to match the error page text pattern.
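The first and third issues above share one root cause: a custom 404 page that varies in size while its word and line counts stay put. The script below is an added example, not from this skill page and not ffuf's code, that models why `-ac`, `-fw` and `-fr` work where `-fs` fails. The response bodies are constructed samples; the counting rules (bytes for size, space-separated tokens for words, newline-separated lines) are an approximation of how ffuf reports those attributes, and the calibration logic is a simplified model of `-ac`, not ffuf's implementation.

```python
"""Model of ffuf-style response filtering against a dynamic custom 404 page.

Added example, not from the skill page or ffuf. Response bodies are
constructed; the length/words/lines counting approximates ffuf's reporting.
"""
import re


def error_page(path, ts):
    """Constructed custom-404 body: 200 OK with the request path and a timestamp."""
    return ("<html><body>\n<h1>Page not found</h1>\n"
            f"<p>No route for {path}</p>\n<p>Generated {ts}</p>\n</body></html>\n")


# Constructed responses. The first three are the error page rendered for
# paths that do not exist (what -ac probes with random strings); the last
# two are real content. All of them return 200 OK, so -fc is useless here.
RESPONSES = {
    "/doesnotexist": error_page("/doesnotexist", "2024-01-01T10:00:00Z"),
    "/zz": error_page("/zz", "2024-01-01T10:00:03Z"),
    "/qwertyuiopasdfgh": error_page("/qwertyuiopasdfgh", "2024-01-01T10:00:05Z"),
    "/admin": ("<html><body>\n<h1>Admin login</h1>\n<form method=post>\n<input name=user>\n"
               "<input name=pass type=password>\n<button>Sign in</button>\n</form>\n</body></html>\n"),
    "/robots.txt": "User-agent: *\nDisallow: /admin\n",
}

ATTRS = ("length", "words", "lines")


def stats(body):
    """(length, words, lines) approximating ffuf's counts (assumption, see lead-in)."""
    return len(body.encode()), len(body.split(" ")), len(body.split("\n"))


def calibrate(baseline_bodies):
    """Simplified -ac: keep only the attributes identical across all baselines.

    For the dynamic error page this returns {"words": ..., "lines": ...} and
    drops "length", which is exactly the attribute that produces false positives.
    """
    rows = [dict(zip(ATTRS, stats(b))) for b in baseline_bodies]
    if not rows:
        return {}
    return {k: rows[0][k] for k in ATTRS if all(r[k] == rows[0][k] for r in rows)}


def is_error_page(body, filters=None, pattern=None):
    """True when the body matches the calibrated filters or the -fr style regex."""
    if pattern is not None and re.search(pattern, body):
        return True
    if filters:
        s = dict(zip(ATTRS, stats(body)))
        return all(s[k] == v for k, v in filters.items())
    return False


def surviving_paths(responses, baseline_paths, pattern=None):
    """Paths left after filtering with filters derived from the given baselines."""
    filters = calibrate([responses[p] for p in baseline_paths])
    return sorted(p for p, body in responses.items()
                  if not is_error_page(body, filters, pattern))


if __name__ == "__main__":
    probes = ["/doesnotexist", "/zz", "/qwertyuiopasdfgh"]
    print("calibrated filters:", calibrate([RESPONSES[p] for p in probes]))
    print("single-size filter (like -fs):", surviving_paths(RESPONSES, ["/doesnotexist"]))
    print("multi-probe calibration (like -ac):", surviving_paths(RESPONSES, probes))
    print("regex filter (like -fr):", surviving_paths(RESPONSES, [], pattern="Page not found"))
```

Calibrating from a single probe is equivalent to `-fs <that size>`: the other two error pages differ by a few bytes and survive as false positives. Calibrating from several probes discards the unstable length attribute and keeps words and lines, which is why `-fw` is the better manual choice, and `-fr "Page not found"` filters on the one thing the error page never changes.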