offensive-tools/recon/ffuf/SKILL.md
Fast web fuzzer for directory/file discovery, parameter fuzzing, virtual host discovery, and POST data fuzzing. Use when asked to fuzz web endpoints, discover hidden parameters, enumerate directories, test for injection points, or perform any HTTP-level wordlist-based fuzzing.
Go-based web fuzzer: the FUZZ keyword can be placed anywhere in the request (URL path or query, headers, body, hostname) and is replaced by each wordlist entry in turn.

```bash
# Directory fuzzing
ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With file extensions (each word is also requested as word.php, word.html, word.txt)
ffuf -u http://example.com/FUZZ -w common.txt -e .php,.html,.txt

# Subdomain discovery: FUZZ in the hostname means every candidate is resolved via DNS
ffuf -u http://FUZZ.example.com -w subdomains.txt

# Virtual host discovery: the target stays fixed, only the Host header is fuzzed
ffuf -u http://example.com -w subdomains.txt -H "Host: FUZZ.example.com"
```
| Flag | Description |
|------|-------------|
| -u <url> | Target URL (FUZZ marks the fuzzed position) |
| -w <wordlist> | Wordlist path; append :KEYWORD to name the placeholder (e.g. -w list.txt:W1) |
| -e <ext> | Append extensions to each word (comma-separated, e.g. .php,.html) |
| -t <n> | Threads (default 40) |
| -rate <n> | Max requests per second |
| -H <header> | Custom header ("Name: value"; repeatable) |
| -X <method> | HTTP method (default GET) |
| -d <data> | Request body (POST data) |
| -b <cookies> | Cookie string ("name=value; name2=value2") |
| -r | Follow redirects |
| -k | Skip TLS certificate verification |
| -x <proxy> | Proxy URL (e.g. http://127.0.0.1:8080 to route traffic through Burp) |
| -o <file> | Output file |
| -of <format> | Output format: json, ejson, html, md, csv, ecsv, all |
| -v | Verbose output (full URL and redirect location for each hit) |
| -s | Silent mode (no banner or progress output) |
| -p <delay> | Delay between requests in seconds (fixed, e.g. 0.1, or a random range, e.g. 0.1-0.5) |
| Matcher / filter flag | Description |
|------|-------------|
| -mc <codes> | Match HTTP status codes (default 200-299,301,302,307,401,403,405,500 in ffuf 2.x; 200,204,301,302,307,401,403,405 in 1.x); -mc all matches every status |
| -ml <n> | Match by response line count |
| -mw <n> | Match by response word count |
| -ms <size> | Match by response size in bytes |
| -mr <regex> | Match by regex in body |
| -fc <codes> | Filter (exclude) status codes |
| -fl <n> | Filter by line count |
| -fw <n> | Filter by word count |
| -fs <n> | Filter by size |
| -fr <regex> | Filter by regex |
| -ac | Auto-calibrate filters from the responses to a few random inputs |

A response is reported only if it passes the matchers and is not caught by any filter. Size, word and line flags accept comma lists and ranges (e.g. -fs 0,4242-4300), so the usual noise-reduction pattern is -mc all plus -fs/-fw/-fl values taken from the target's catch-all response.
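The calibration step behind -fs/-fw/-fl, as an added example that is not part of ffuf or of this skill: save the response for a path that cannot exist, derive the filter flags from it, and pass them to ffuf with -mc all. The counting rules are my reading of how ffuf computes the size/words/lines it reports (an assumption about ffuf internals; compare one line of ffuf's own -v output before trusting them), and https://target.com is a hypothetical target.

```bash
#!/bin/sh
# Baseline calibration for ffuf filters (added example, not ffuf's own code).
# The counts mirror how ffuf reports each response (assumption about ffuf
# internals; verify against one line of its -v output):
#   size  = body bytes
#   words = chunks when the body is split on single spaces (spaces + 1)
#   lines = chunks when the body is split on '\n'          (newlines + 1)
# This differs from `wc -w`, which splits on any run of whitespace.

# Print "size words lines" for the response body saved in file $1.
ffuf_counts() {
  _size=$(wc -c < "$1" | tr -d ' ')
  _spaces=$(tr -cd ' ' < "$1" | wc -c | tr -d ' ')
  _newlines=$(tr -cd '\n' < "$1" | wc -c | tr -d ' ')
  echo "$_size $((_spaces + 1)) $((_newlines + 1))"
}

# Emit "-fs N -fw M -fl K" that drops every response looking like the baseline in file $1.
ffuf_filter_flags() {
  set -- $(ffuf_counts "$1")
  echo "-fs $1 -fw $2 -fl $3"
}

# Build a URL for a path that should not exist; its response is the catch-all baseline.
ffuf_random_path_url() {
  _rand=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
  echo "${1%/}/$_rand"
}

# Live usage (hypothetical target, not executed here):
#   curl -sk -o baseline.html "$(ffuf_random_path_url https://target.com)"
#   ffuf -u https://target.com/FUZZ -w raft-medium.txt -mc all $(ffuf_filter_flags baseline.html)
```

Filtering on all three values is strict on purpose. If the catch-all page echoes the requested path, its size and word count move with every request; then drop -fs, keep -fw/-fl, or let ffuf's -ac do an equivalent calibration automatically.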
Multiple wordlists: name each placeholder with :KEYWORD and put the keyword in the request. With several wordlists ffuf defaults to clusterbomb (every W1 entry with every W2 entry, so len(W1) x len(W2) requests); pitchfork walks both lists in step (entry i of W1 with entry i of W2).

```bash
# Two wordlists: W1 + W2 (clusterbomb is the default mode)
ffuf -u http://target.com/W1/W2 -w list1.txt:W1 -w list2.txt:W2

# Cluster bomb (all combinations), stated explicitly
ffuf -u http://target.com/W1?param=W2 -w list1.txt:W1 -w list2.txt:W2 -mode clusterbomb

# Pitchfork (paired positions: line i of paths.txt with line i of users.txt)
ffuf -u http://target.com/W1?user=W2 -w paths.txt:W1 -w users.txt:W2 -mode pitchfork
```
```bash
# Standard dir fuzz with noise filtering. 404 is already outside the default
# matcher set, so -fc 404 only does something together with -mc all, which
# then also surfaces 400/500 responses worth a look.
ffuf -u https://target.com/FUZZ -w raft-medium.txt -mc all -fc 404 -o dirs.json -of json

# POST login brute-force: filter out the failed-login response (by status here;
# use -fs/-fw with the failure page's size/word count if the app answers 200 either way)
ffuf -u https://target.com/login -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user=admin&pass=FUZZ" -w passwords.txt -fc 401

# Parameter discovery (GET): 42 is a placeholder for the word count of the
# baseline response to an unknown parameter; measure it first or use -ac
ffuf -u "https://target.com/page?FUZZ=test" -w params.txt -fw 42

# Vhost discovery: same idea, filter the word count of the default vhost's response
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fw 42

# API endpoint fuzzing with auth
ffuf -u https://api.target.com/v1/FUZZ -w api-words.txt -H "Authorization: Bearer TOKEN" -mc 200,201,204
```
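Once a run has written a result file, the remaining noise usually shows up as one (status, size) signature shared by many hits. The following is an added example, not part of ffuf or of this skill: it triages a ffuf CSV file (-o results.csv -of csv, chosen over JSON so plain awk suffices). The column names status_code and content_length are what I expect in ffuf's CSV header (an assumption; the script resolves columns by name, so extra keyword columns in front of them do not matter). The result rows in the test are constructed.

```bash
#!/bin/sh
# Post-run triage of a ffuf CSV result file (ffuf ... -o results.csv -of csv).
# Added example; column indexes are resolved from the header row by name
# ("status_code", "content_length"), an assumption about ffuf's CSV layout that
# also makes the script independent of how many keyword columns precede them.
# Caveat: plain comma splitting; a url containing a comma would shift columns.

# Print "count status_code content_length" signatures, most frequent first.
# A signature shared by many hits is usually a catch-all or soft-404 page
# that should become a -fc/-fs filter on the next run.
ffuf_signatures() {
  awk -F',' '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("status_code" in col) || !("content_length" in col)) {
        print "header lacks status_code/content_length" > "/dev/stderr"; exit 2
      }
      next
    }
    { n[$col["status_code"] " " $col["content_length"]]++ }
    END { for (s in n) print n[s], s }
  ' "$1" | sort -rn
}

# Print the rows whose (status_code, content_length) signature occurs at most
# $2 times (default 1): the unusual responses worth a manual look.
ffuf_rare() {
  awk -F',' -v max="${2:-1}" '
    NR == FNR {                       # first pass: learn columns, count signatures
      if (NR == 1) { for (i = 1; i <= NF; i++) col[$i] = i; next }
      n[$col["status_code"] " " $col["content_length"]]++
      next
    }
    FNR == 1 { next }                 # second pass: skip header, print rare rows
    n[$col["status_code"] " " $col["content_length"]] <= max { print }
  ' "$1" "$1"
}
```

Typical flow: run ffuf_signatures, turn the top signature into -fs/-fc for a second, cleaner run, and feed ffuf_rare's output into manual verification or a second-stage fuzz (e.g. ffuf -u https://target.com/FUZZ/FUZZ2 on each rare directory).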
| File | When to load |
|------|--------------|
| references/filters.md | All filter/matcher flags, noise reduction strategies, multi-FUZZ patterns |