Skills-curated ffuf-web-fuzzing
install
source · Clone the upstream repo
git clone https://github.com/trailofbits/skills-curated
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/trailofbits/skills-curated "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/ffuf-web-fuzzing/skills/ffuf-web-fuzzing" ~/.claude/skills/trailofbits-skills-curated-ffuf-web-fuzzing && rm -rf "$T"
manifest:
plugins/ffuf-web-fuzzing/skills/ffuf-web-fuzzing/SKILL.mdsource content
FFUF Web Fuzzing
Guidance for using ffuf (Fuzz Faster U Fool) effectively during authorized penetration testing.
Prerequisites
ffuf must be installed:
brew install ffufgo install github.com/ffuf/ffuf/v2@latestWhen to Use
- Running directory, file, or subdomain discovery against web targets
- Fuzzing API endpoints, parameters, or POST data
- Authenticated fuzzing with raw HTTP requests
- Analyzing ffuf JSON output for anomalies and interesting findings
- Building fuzzing strategies (wordlist selection, filtering, rate limiting)
- IDOR testing with authenticated sessions
When NOT to Use
- Target system is not in scope or authorization is unclear
- Passive reconnaissance is more appropriate (use OSINT tools instead)
- The target is a production system and rate limiting hasn't been configured
- You need a full vulnerability scanner (use Burp Suite, Nuclei, etc.)
- Testing for logic flaws that require multi-step interaction
Rationalizations to Reject
- "Auto-calibration is optional" --
is mandatory. Without it, results are buried in false positives and analysis is wasted effort.-ac - "More threads = faster results" -- Hammering a target with
triggers WAFs, gets you blocked, and may crash staging environments. Start with-t 200
for production targets.-t 10 -rate 2 - "I'll filter later" -- Set up filtering before the scan. Running a 220k wordlist without filters and then trying to grep through the noise is backwards.
- "The default wordlist is fine" -- Wordlist selection is the most important decision. A generic wordlist misses technology-specific paths. See references/wordlists.md.
- "Raw requests are too much work" -- For authenticated fuzzing,
is simpler and more reliable than chaining--request req.txt
and-H
flags. Capture once, fuzz many times.-b
Critical Rules
- Always use
(auto-calibration) unless you have a specific, documented reason not to-ac - Always save output with
for later analysis-o results.json - Rate limit production targets with
and-rate
flags-t - Use
for auth -- raw request files beat command-line header chains--request - Confirm authorization first -- before running any scan, verify the user has written permission for the target. Ask if unclear.
Core Concepts
The FUZZ Keyword
# In URL path ffuf -w wordlist.txt -u https://target.com/FUZZ -ac # In headers ffuf -w wordlist.txt -u https://target.com -H "Host: FUZZ.target.com" -ac # In POST body ffuf -w wordlist.txt -X POST -d "user=admin&pass=FUZZ" -u https://target.com/login -ac # Multiple positions with custom keywords ffuf -w endpoints.txt:EP -w ids.txt:ID -u https://target.com/EP/ID -mode pitchfork -ac
Auto-Calibration
-acffuf -w wordlist.txt -u https://target.com/FUZZ -ac # Standard ffuf -w wordlist.txt -u https://target.com/FUZZ -ach # Per-host (multi-host scans) ffuf -w wordlist.txt -u https://target.com/FUZZ -acc "404" # Custom calibration string
Common Patterns
Directory Discovery
ffuf -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt \ -u https://target.com/FUZZ -e .php,.html,.txt,.bak \ -ac -c -v -o results.json
Subdomain Enumeration
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt \ -u https://FUZZ.target.com -ac -c -v -o results.json
API Endpoint Discovery
ffuf -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt \ -u https://api.target.com/v1/FUZZ \ -H "Authorization: Bearer YOUR_TOKEN_HERE" -mc 200,201 -ac -c
Authenticated Fuzzing with Raw Requests
Capture a full authenticated request, save to
req.txtFUZZPOST /api/v1/users/FUZZ HTTP/1.1 Host: target.com Authorization: Bearer YOUR_TOKEN_HERE Cookie: session=YOUR_SESSION_ID Content-Type: application/json {"action":"view","id":"1"}
ffuf --request req.txt -w wordlist.txt -ac -o results.json
See references/request-templates.md for pre-built templates covering bearer tokens, session cookies, API keys, and GraphQL.
Authenticated Fuzzing: Agent Workflow
Authenticated fuzzing requires real credentials that the agent cannot obtain independently. When the user asks for authenticated fuzzing:
- Ask the user to provide ONE of:
- A raw HTTP request file (
) with auth headers already includedreq.txt - A curl command from browser DevTools (convert it to
format)req.txt - Individual credentials (Bearer token, session cookie, API key)
- A raw HTTP request file (
- If given a curl command, convert it to raw HTTP request format and write to
req.txt - If given individual credentials, use a template from references/request-templates.md and substitute real values
- Never fabricate or guess authentication tokens
IDOR Testing
ffuf --request req.txt -w <(seq 1 10000) -ac -mc 200 -o idor_results.json
Rate Limiting
| Environment | Flags | Notes |
|---|---|---|
| Production (stealth) | | Avoid WAF triggers |
| Production (normal) | | Balanced |
| Staging/Dev | | Faster |
| Local/Lab | No limit, | Maximum speed |
Analyzing Results
Save output as JSON (
-o results.json- Anomalous status codes -- anything other than the baseline 404/403
- Size outliers -- responses significantly larger or smaller than average
- Interesting keywords in URLs -- admin, api, backup, config, .git, .env
- Timing anomalies -- slow responses may indicate SQL injection or heavy processing
- Follow-up targets -- interesting findings warrant deeper fuzzing
Use
-fs-fcffuf -hReferences
- Wordlist selection guide -- recommended SecLists by scenario
- Authenticated request templates -- pre-built req.txt for bearer tokens, cookies, API keys
- ffuf official docs
- SecLists