Gobuster ffuf Fuzzing Directories Subdomains Reconnaissance
Basic

Gobuster & ffuf: Web & Subdomain Fuzzing

Jun 10, 2024

Gobuster and ffuf are two of the most popular fuzzing tools in web penetration testing. They discover hidden directories, files, parameters, and subdomains through dictionary-based attacks. Both are fast, flexible, and essential during the reconnaissance phase.

1. Installation

# Gobuster (Go):
apt install gobuster

# ffuf (Go — more flexible):
apt install ffuf
# or build from source:
go install github.com/ffuf/ffuf/v2@latest

# Recommended wordlists (SecLists):
apt install seclists
# Path: /usr/share/seclists/

2. Gobuster — Directory Enumeration

# Basic directory scan:
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

# With file extensions:
gobuster dir -u http://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -x php,html,txt,bak,zip

# Ignore specific status codes:
gobuster dir -u http://target.com \
  -w /usr/share/wordlists/dirb/big.txt \
  -b 404,403

# With custom HTTP headers (session cookies):
gobuster dir -u http://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -H "Cookie: session=abc123" \
  -H "Authorization: Bearer TOKEN"

# Through Burp Suite proxy:
gobuster dir -u http://target.com \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  --proxy http://127.0.0.1:8080
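What the scans above look like from the server side, as an added example that is not part of the original cheat sheet: a Python detector over constructed access-log lines in the Apache/nginx combined format. It flags a client either by a known scanner User-Agent (gobuster sends gobuster/<version> by default; the ffuf string "Fuzz Faster U Fool" is assumed here) or, because both tools let you set any User-Agent, by a burst of 404s on distinct paths inside a short window. IPs, paths and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format using documentation
# address ranges (203.0.113.x, 198.51.100.x, 192.0.2.x). Not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /uploads HTTP/1.1" 301 0 "-" "gobuster/3.6"
192.0.2.9 - - [10/Jun/2024:12:00:04 +0000] "GET /api HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:12:00:04 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "GET /dev HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:06 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:07 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# gobuster's default User-Agent is "gobuster/<version>"; the ffuf default is
# assumed to start with "Fuzz Faster U Fool". Both are trivially changed by the
# client, so this list is a cheap first signal, not the main rule.
KNOWN_SCANNER_UA = ("gobuster/", "Fuzz Faster U Fool")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(d)
    return entries


def detect_bruteforce(entries, window_seconds=60, min_distinct_404=3):
    """Return {client_ip: reason} for clients that look like directory brute-forcers.

    Rule 1: a known scanner User-Agent on any request.
    Rule 2: at least min_distinct_404 different paths answered 404 within one
            sliding window of window_seconds (the durable signal).
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        ua_hit = next((e["ua"] for e in reqs if e["ua"].startswith(KNOWN_SCANNER_UA)), None)
        if ua_hit:
            alerts[ip] = f"scanner user-agent: {ua_hit}"
            continue
        # Sliding window: track the largest set of distinct 404 paths seen in any window.
        best, start = 0, 0
        for end in range(len(reqs)):
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            misses = {e["path"] for e in reqs[start:end + 1] if e["status"] == 404}
            best = max(best, len(misses))
        if best >= min_distinct_404:
            alerts[ip] = f"{best} distinct paths returned 404 within {window_seconds}s"
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_bruteforce(parse_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: {reason}")
```

In the sample, 198.51.100.7 is caught by its default gobuster User-Agent, 192.0.2.9 spoofs a browser string but trips the 404-burst rule, and the ordinary visitor 203.0.113.5 with a single 404 is left alone. Tune window_seconds and min_distinct_404 to the site's normal 404 rate before alerting on it.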

3. Gobuster — Subdomain Enumeration

# DNS subdomain brute-force:
gobuster dns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Show resolved IPs:
gobuster dns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt \
  --show-ips

# Custom DNS resolver:
gobuster dns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  -r 8.8.8.8

4. Gobuster — VHost Fuzzing

# Discover Virtual Hosts on the same IP:
gobuster vhost -u http://target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain

# Filter false positives by response size:
gobuster vhost -u http://target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain \
  --exclude-length 250

5. ffuf — Advanced Fuzzing

# Directory fuzzing (FUZZ = placeholder):
ffuf -u http://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# With multiple extensions:
ffuf -u http://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .php,.html,.txt,.bak

# GET parameter name fuzzing:
ffuf -u "http://target.com/page.php?FUZZ=test" \
  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

# GET parameter value fuzzing (LFI):
ffuf -u "http://target.com/page.php?id=FUZZ" \
  -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

# POST fuzzing (login forms, APIs):
ffuf -u http://target.com/login \
  -w /usr/share/wordlists/rockyou.txt \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -fc 302

6. ffuf — Filtering False Positives

# Filter by HTTP status code:
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404,403

# Filter by response size (bytes):
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234

# Filter by word count:
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 10

# Filter by line count:
ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 25

# Silent mode + save JSON output:
ffuf -u http://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
  -o results.json -of json -s
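The filters above need a concrete value for -fs/-fw/-fl, which you normally get by eyeballing a few responses. As an added example (not code from this page or from the ffuf project), here is a Python post-processor over a constructed results.json in the shape of ffuf's JSON output: it takes the most common (status, length, words, lines) tuple as the baseline "nothing here" response and drops everything that matches it, with an optional size tolerance for soft-404 pages whose length shifts with the reflected path. The field names are the ones ffuf writes; the inputs and numbers are made up.

```python
import json
from collections import Counter

# Constructed sample in the shape of ffuf's -of json output; only the fields this
# script reads are included. Inputs and sizes are invented, not real scan data.
SAMPLE_FFUF_JSON = """
{
  "commandline": "ffuf -u http://target.example/FUZZ -w wordlist.txt -o results.json -of json",
  "results": [
    {"input": {"FUZZ": "aaa"},        "status": 200, "length": 4242, "words": 310, "lines": 88},
    {"input": {"FUZZ": "admin"},      "status": 301, "length": 0,    "words": 0,   "lines": 0},
    {"input": {"FUZZ": "backup"},     "status": 200, "length": 4245, "words": 310, "lines": 88},
    {"input": {"FUZZ": "login"},      "status": 200, "length": 1337, "words": 120, "lines": 40},
    {"input": {"FUZZ": "old"},        "status": 200, "length": 4242, "words": 310, "lines": 88},
    {"input": {"FUZZ": "robots.txt"}, "status": 200, "length": 26,   "words": 3,   "lines": 2},
    {"input": {"FUZZ": "test"},       "status": 200, "length": 4243, "words": 310, "lines": 88}
  ]
}
"""


def signature(result):
    """The four values ffuf's -fc/-fs/-fw/-fl filters operate on."""
    return (result["status"], result["length"], result["words"], result["lines"])


def baseline_signature(results):
    """Most frequent signature in the run: the catch-all / soft-404 response."""
    return Counter(signature(r) for r in results).most_common(1)[0][0]


def filter_results(results, size_tolerance=0):
    """Drop results that match the baseline on status, words and lines, and on
    length within size_tolerance bytes. A tolerance of 0 behaves like a fixed
    -fs value; a small positive tolerance also catches pages that echo the
    requested path and therefore differ in length by a few bytes."""
    status, length, words, lines = baseline_signature(results)
    kept = []
    for r in results:
        same = (
            r["status"] == status
            and r["words"] == words
            and r["lines"] == lines
            and abs(r["length"] - length) <= size_tolerance
        )
        if not same:
            kept.append(r)
    return kept


def interesting_inputs(raw_json, size_tolerance=0):
    """Return the FUZZ values worth a manual look, in the order ffuf recorded them."""
    results = json.loads(raw_json)["results"]
    return [r["input"]["FUZZ"] for r in filter_results(results, size_tolerance)]


if __name__ == "__main__":
    print("baseline:", baseline_signature(json.loads(SAMPLE_FFUF_JSON)["results"]))
    print("strict  :", interesting_inputs(SAMPLE_FFUF_JSON))
    print("tolerant:", interesting_inputs(SAMPLE_FFUF_JSON, size_tolerance=16))
```

With tolerance 0 the soft-404s for backup and test survive because their length differs from the baseline by a few bytes, which is exactly what a hard-coded -fs 4242 would miss; with a 16-byte tolerance only admin, login and robots.txt remain. ffuf has a built-in version of this in -ac (auto-calibration); the script is for re-filtering an existing results.json without re-running the scan.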

7. ffuf — Subdomain & VHost Fuzzing

# Subdomain fuzzing:
ffuf -u http://FUZZ.target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs 0

# VHost fuzzing via Host header:
ffuf -u http://SERVER_IP \
  -H "Host: FUZZ.target.com" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs 4242    # filter out default response by size
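Both the DNS brute-force in section 3 and the HTTP-based subdomain fuzzing here return a hit for every word when the zone has a wildcard record, because every label resolves. As an added example (not gobuster's or ffuf's code), a Python version of the usual check with a constructed in-memory zone standing in for DNS: resolve a few random labels first, and discard any candidate whose answer is indistinguishable from the wildcard answer. The zone data, the make_resolver helper and the domain name are made up; system_resolver shows how the same logic would use the real resolver.

```python
import secrets
import socket

# Constructed zone data, not real DNS. The "*." entry is a wildcard record, so
# every label that is not listed explicitly answers with 203.0.113.77.
ZONE_WITH_WILDCARD = {
    "www.target.example": ["198.51.100.10"],
    "mail.target.example": ["198.51.100.20"],
    "dev.target.example": ["203.0.113.77"],  # real host that shares the wildcard address
    "*.target.example": ["203.0.113.77"],
}
ZONE_WITHOUT_WILDCARD = {k: v for k, v in ZONE_WITH_WILDCARD.items() if not k.startswith("*.")}


def make_resolver(zone):
    """Build a resolve(name) -> [ip, ...] function over the fake zone (hypothetical helper)."""
    def resolve(name):
        if name in zone:
            return list(zone[name])
        parent = name.split(".", 1)[1]
        return list(zone.get("*." + parent, []))
    return resolve


def system_resolver(name):
    """Same interface over the OS resolver; not used in the offline demo."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random labels. If they all answer, collect the addresses they
    return: that is the wildcard answer set. An empty set means no wildcard."""
    answers = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 hex chars, never in a wordlist
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()
        answers.update(ips)
    return answers


def brute_force(domain, words, resolve):
    """Resolve each candidate and keep only answers that differ from the wildcard set."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if not ips:
            continue
        if wildcard_ips and set(ips) <= wildcard_ips:
            # Looks exactly like the wildcard: unconfirmed, so it is dropped.
            continue
        found[fqdn] = ips
    return found


if __name__ == "__main__":
    words = ["www", "mail", "dev", "admin", "staging"]
    print(brute_force("target.example", words, make_resolver(ZONE_WITH_WILDCARD)))
    print(brute_force("target.example", words, make_resolver(ZONE_WITHOUT_WILDCARD)))
```

gobuster dns runs this check itself and stops with a wildcard warning unless you pass --wildcard. The caveat the sample shows holds there as well: dev.target.example is a real host that happens to share the wildcard address, so it is dropped together with the noise. Read "same answer as the wildcard" as unconfirmed rather than absent, and verify such names another way (HTTP response, certificate SANs, a different record type).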

8. Recommended Wordlists by Scenario

Scenario                   Wordlist (under /usr/share/seclists/)
Common directories         Discovery/Web-Content/common.txt
Full directory list        Discovery/Web-Content/directory-list-2.3-medium.txt
Files (with extensions)    Discovery/Web-Content/raft-medium-files.txt
GET/POST parameters        Discovery/Web-Content/burp-parameter-names.txt
Subdomains (fast)          Discovery/DNS/subdomains-top1million-5000.txt
Subdomains (full)          Discovery/DNS/bitquark-subdomains-top100000.txt
LFI payloads               Fuzzing/LFI/LFI-Jhaddix.txt