Task 1 of 2
What is ffuf?
ffuf (Fuzz Faster U Fool) is a web fuzzer written in Go. Given a wordlist of common directory and file names, it substitutes each entry into a target URL (at the position marked FUZZ) and sends the requests concurrently, which against a nearby target means thousands of requests per second. Each response is judged by its HTTP status code: by default ffuf reports anything in 200-299, 301, 302, 307, 401, 403, 405 or 500 as interesting and silently drops 404s, so "exists but forbidden" (403) and "moved" (301) count as hits, not just "200 OK".
Real applications usually have routes that are never linked from the UI: admin panels, debug endpoints, old API versions, backup files, internal tools. They are not protected by access control, merely unadvertised, and ffuf finds them.
INSTALL
KALI / DEBIAN
sudo apt install ffuf
MACOS
brew install ffuf
GO
go install github.com/ffuf/ffuf/v2@latest
How it works
THE FUZZING PROCESS
GET /admin → 200 OK ← interesting!
GET /backup → 200 OK ← interesting!
GET /about → 404 Not Found ← skip
GET /login2 → 404 Not Found ← skip
GET /debug → 200 OK ← interesting!
... repeated for every word in the wordlist (10,000+ words)
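The loop sketched above, as a small Python program. This is an added example for this page, not ffuf's own code: it starts a throwaway HTTP server on 127.0.0.1 with a constructed set of routes (the paths, their status codes and the redirect target are all made up for the demo), sends one GET per wordlist entry from a thread pool, and keeps only the responses whose status code falls in ffuf's default matcher set, which is exactly how the real tool decides what to print.

```python
"""Minimal directory fuzzer that reproduces ffuf's decision rule.

Added example for this page, not ffuf's own code. It starts a throwaway HTTP
server on 127.0.0.1 with a constructed set of routes, probes every word of an
inline wordlist with a GET, and keeps only the responses whose status code is
in ffuf's default matcher set. Routes, wordlist and redirect target are all
constructed for the demo.
"""
import http.client
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target: the paths that exist on the fake server and the status
# each one returns. Every other path gets a 404.
ROUTES = {
    "/admin": 200,     # unlinked admin panel
    "/backup": 200,    # forgotten backup
    "/debug": 200,     # debug endpoint
    "/api/v1": 301,    # old API version, redirects to the new one
    "/internal": 403,  # exists but forbidden: still worth knowing about
}

# Constructed wordlist, one path per entry, like the lines of common.txt.
WORDLIST = ["admin", "backup", "about", "login2", "debug",
            "api/v1", "internal", "test"]

# ffuf's default matcher (-mc 200-299,301,302,307,401,403,405,500).
# 404 is deliberately absent, so "not found" responses are dropped.
DEFAULT_MATCH = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}


class FakeApp(BaseHTTPRequestHandler):
    """Answers each GET with the status configured in ROUTES."""

    def do_GET(self):
        code = ROUTES.get(self.path, 404)
        self.send_response(code)
        if code == 301:
            self.send_header("Location", "/api/v2")  # hypothetical redirect target
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, format, *args):
        pass  # keep the server quiet during the demo


def probe(host, port, path):
    """One fuzzing request. http.client does not follow redirects, so a 301
    comes back as 301, which is what ffuf reports too."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def fuzz(host, port, wordlist, match=DEFAULT_MATCH, threads=4):
    """Send GET /<word> for every word, concurrently, and return
    {path: status} for the responses whose status is in `match`."""
    def hit(word):
        path = "/" + word.lstrip("/")
        return path, probe(host, port, path)

    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = dict(pool.map(hit, wordlist))
    return {path: code for path, code in results.items() if code in match}


def run_demo(wordlist=WORDLIST, match=DEFAULT_MATCH):
    """Start the fake target, fuzz it, tear it down, return the hits."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeApp)  # port 0: OS picks one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fuzz("127.0.0.1", server.server_address[1], wordlist, match)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, code in sorted(run_demo().items()):
        print(f"{code:>3}  {path}")
```

Running it prints five hits (/admin, /backup and /debug as 200, /api/v1 as 301, /internal as 403) and nothing for /about, /login2 or /test, because their 404s are not in the matcher set. Narrowing `match` to `{200}` is the equivalent of ffuf's `-mc 200` and hides the redirect and the forbidden path. The real invocation for the same job is `ffuf -u http://target/FUZZ -w /wordlists/common.txt`; `-mc` and `-fc` adjust which codes are matched or filtered.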
Wordlists
ffuf needs a wordlist — a file with one path per line. In the HackrGG terminal, these are pre-loaded for you:
/wordlists/common.txt: 4,600 common paths, a good starting point
/wordlists/raft-small-words.txt: 30,000 paths
On your own machine, SecLists has the full collection: sudo apt install seclists (on Kali the lists land under /usr/share/seclists, with the web discovery lists in Discovery/Web-Content).
Question 1: How does ffuf identify interesting paths on a web server?