Attacking Web Applications With Ffuf Module Cheat Sheet

This cheat sheet provides a collection of ffuf commands for various types of web application fuzzing, including directory, extension, page, sub-domain, and parameter fuzzing. It also lists useful wordlists for different fuzzing scenarios and includes miscellaneous commands for adding DNS entries and creating sequence wordlists. The document serves as a quick reference for security professionals conducting web application testing.

Uploaded by

ANIMATOR MCS

ATTACKING WEB APPLICATIONS WITH FFUF CHEAT SHEET
Ffuf

| Command | Description |
| --- | --- |
| `ffuf -h` | ffuf help |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ` | Directory Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ` | Extension Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php` | Page Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v` | Recursive Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/` | Sub-domain Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx` | VHost Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx` | Parameter Fuzzing - GET |
| `ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` | Parameter Fuzzing - POST |
| `ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` | Value Fuzzing |

Wordlists

| Command | Description |
| --- | --- |
| `/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt` | Directory/Page Wordlist |
| `/opt/useful/seclists/Discovery/Web-Content/web-extensions.txt` | Extensions Wordlist |
| `/opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt` | Domain Wordlist |
| `/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt` | Parameters Wordlist |

Misc

| Command | Description |
| --- | --- |
| `sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'` | Add DNS entry |
| `for i in $(seq 1 1000); do echo $i >> ids.txt; done` | Create Sequence Wordlist |
| `curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'` | curl w/ POST |
