Best use case
ffuf (Fuzz Faster U Fool) is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
## Overview
Teams using ffuf (Fuzz Faster U Fool) should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/ffuf/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How ffuf (Fuzz Faster U Fool) Compares
| Feature / Agent | ffuf (Fuzz Faster U Fool) | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
## Overview
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# ffuf (Fuzz Faster U Fool)
## Overview
ffuf is the fastest web fuzzer available — written in Go, it discovers hidden files, directories, subdomains, and API endpoints by sending thousands of requests with wordlist-based payloads. Unlike dirbuster or gobuster, ffuf supports multiple fuzzing positions (URL, headers, POST body, cookies), response filtering, and recursive scanning.
## When to Use
- Discovering hidden directories and files on web servers
- Finding undocumented API endpoints
- Subdomain and virtual host enumeration
- Parameter discovery (GET/POST)
- Bug bounty reconnaissance
- Pre-pentest content discovery
## Instructions
### Setup
```bash
# Install
go install github.com/ffuf/ffuf/v2@latest
# Or download binary
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_linux_amd64.tar.gz
tar xzf ffuf_linux_amd64.tar.gz
# Get wordlists (SecLists is the standard)
git clone --depth 1 https://github.com/danielmiessler/SecLists.git
```
### Directory Discovery
```bash
# Basic directory fuzzing — FUZZ keyword marks the injection point
ffuf -u https://target.com/FUZZ -w SecLists/Discovery/Web-Content/common.txt
# Filter by response code (ignore 404s)
ffuf -u https://target.com/FUZZ -w common.txt -fc 404
# Filter by response size (remove default pages)
ffuf -u https://target.com/FUZZ -w common.txt -fs 4242
# Match only specific codes
ffuf -u https://target.com/FUZZ -w common.txt -mc 200,301,302,403
# Recursive scanning — follow discovered directories
ffuf -u https://target.com/FUZZ -w common.txt -recursion -recursion-depth 2
# With extensions
ffuf -u https://target.com/FUZZ -w common.txt -e .php,.bak,.old,.txt,.json,.env
```
### Subdomain Discovery
```bash
# Subdomain fuzzing via DNS
ffuf -u https://FUZZ.target.com -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fc 404
# Virtual host discovery (different from DNS — checks Host header)
ffuf -u https://target.com -w subdomains.txt -H "Host: FUZZ.target.com" -fs 1234
```
### API Endpoint Discovery
```bash
# REST API path fuzzing
ffuf -u https://api.target.com/v1/FUZZ -w SecLists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,401,403
# API with authentication
ffuf -u https://api.target.com/v1/FUZZ -w api-endpoints.txt \
-H "Authorization: Bearer eyJhbG..." -mc 200
# Parameter fuzzing (GET)
ffuf -u "https://target.com/api/users?FUZZ=value" -w SecLists/Discovery/Web-Content/burp-parameter-names.txt -fs 0
# POST body parameter fuzzing
ffuf -u https://target.com/api/login -X POST \
-H "Content-Type: application/json" \
-d '{"username":"admin","FUZZ":"test"}' \
-w params.txt -fc 400
```
### Advanced Usage
```bash
# Multiple wordlists (two FUZZ positions: W1 and W2)
ffuf -u https://target.com/W1/W2 -w endpoints.txt:W1 -w ids.txt:W2
# Output to JSON for automation
ffuf -u https://target.com/FUZZ -w common.txt -o results.json -of json
# Throttled scanning (polite)
ffuf -u https://target.com/FUZZ -w common.txt -rate 50 -t 10
# Custom match on response body
ffuf -u https://target.com/FUZZ -w common.txt -mr "admin|dashboard|config"
```
## Examples
### Example 1: Full recon on a new target
**User prompt:** "I have permission to pentest example.com. Start with content discovery."
The agent will run ffuf for directory discovery with common.txt, then check for backup files (.bak, .old, .sql), hidden API endpoints, and admin panels.
### Example 2: Find hidden API endpoints
**User prompt:** "Our API has undocumented endpoints left by previous developers. Find them."
The agent will fuzz API paths with REST-specific wordlists, try common API versioning patterns (/v1/, /v2/), and check HTTP methods (GET, POST, PUT, DELETE) on discovered endpoints.
## Guidelines
- **ALWAYS have authorization** — fuzzing without permission is illegal
- **Start with common.txt** — then escalate to bigger wordlists if needed
- **Filter noise first** — use `-fc 404` or `-fs <size>` to remove false positives
- **Rate limit** — `-rate 50` for production targets, unlimited for local/staging
- **FUZZ is the keyword** — place it wherever you want to inject wordlist entries
- **Extensions matter** — `-e .php,.bak,.env` catches backup and config files
- **JSON output for automation** — `-o results.json -of json` for pipeline integration
- **Recursive with caution** — `-recursion-depth 2` max to avoid infinite loops
- **SecLists is essential** — the standard wordlist collection for web fuzzingRelated Skills
fuzzing-apis
This skill enables Claude to perform automated fuzz testing on APIs to discover vulnerabilities, crashes, and unexpected behavior. It leverages malformed inputs, boundary values, and random payloads to generate comprehensive fuzz test suites. Use this skill when you need to identify potential SQL injection, XSS, command injection vulnerabilities, input validation failures, and edge cases in APIs. Trigger this skill by requesting fuzz testing, vulnerability scanning, or security analysis of an API. The skill is invoked using the `/fuzz-api` command.
OSS-Fuzz
[OSS-Fuzz](https://google.github.io/oss-fuzz/) is an open-source project developed by Google that provides free distributed infrastructure for continuous fuzz testing. It streamlines the fuzzing process and facilitates simpler modifications. While only select projects are accepted into OSS-Fuzz, the project's core is open-source, allowing anyone to host their own instance for private projects.
Writing Fuzzing Harnesses
A fuzzing harness is the entrypoint function that receives random data from the fuzzer and routes it to your system under test (SUT). The quality of your harness directly determines which code paths get exercised and whether critical bugs are found. A poorly written harness can miss entire subsystems or produce non-reproducible crashes.
Overcoming Fuzzing Obstacles
Codebases often contain anti-fuzzing patterns that prevent effective coverage. Checksums, global state (like time-seeded PRNGs), and validation checks can block the fuzzer from exploring deeper code paths. This technique shows how to patch your System Under Test (SUT) to bypass these obstacles during fuzzing while preserving production behavior.
Fuzzing Dictionary
A fuzzing dictionary provides domain-specific tokens to guide the fuzzer toward interesting inputs. Instead of purely random mutations, the fuzzer incorporates known keywords, magic numbers, protocol commands, and format-specific strings that are more likely to reach deeper code paths in parsers, protocol handlers, and file format processors.
cargo-fuzz
cargo-fuzz is the de facto choice for fuzzing Rust projects when using Cargo. It uses libFuzzer as the backend and provides a convenient Cargo subcommand that automatically enables relevant compilation flags for your Rust project, including support for sanitizers like AddressSanitizer.
ffuf-claude-skill
Web fuzzing with ffuf
api-fuzzing-for-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
api-fuzzing-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...
dast-ffuf
Fast web fuzzer for DAST testing with directory enumeration, parameter fuzzing, and virtual host discovery. Written in Go for high-performance HTTP fuzzing with extensive filtering capabilities. Supports multiple fuzzing modes (clusterbomb, pitchfork, sniper) and recursive scanning. Use when: (1) Discovering hidden directories, files, and endpoints on web applications, (2) Fuzzing GET and POST parameters to identify injection vulnerabilities, (3) Enumerating virtual hosts and subdomains, (4) Testing authentication endpoints with credential fuzzing, (5) Finding backup files and sensitive data exposures, (6) Performing comprehensive web application reconnaissance.
SKILL: Fuzzing
## Metadata
SKILL: Week 2: Finding Vulnerabilities Through Fuzzing
## Metadata