🔍 Uncover Hidden Endpoints with This Powerful FFUF Oneliner
Refined for WAF Bypass & Information Disclosure Hunting
When it comes to hunting for information disclosure bugs, WAF bypasses, or just sensitive endpoints, you don’t always need complex tooling. Sometimes, a well-tuned one-liner with FFUF is enough to break through defenses and reveal what’s hiding behind the surface.
In this post, I’m sharing one of my favorite FFUF one-liners that I regularly use during reconnaissance and bug bounty testing. It’s fast and aggressive (100 threads is the opposite of stealthy, so lower -t when you need to stay quiet), its spoofed-source headers sometimes get past WAF or allowlist rules that trust them, and its filters keep the output readable.
🧨 The One-Liner That Delivers
ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt \
-u https://example.com/FUZZ \
-fc 400,401,402,403,404,429,500,501,502,503 \
-recursion -recursion-depth 2 \
-e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env,.asp,.aspx,.jsp,.gz,.tar,.sql,.db \
-ac -c \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" \
-H "X-Forwarded-For: 127.0.0.1" \
-H "X-Originating-IP: 127.0.0.1" \
-H "X-Forwarded-Host: localhost" \
-t 100 -r \
-o results.json
🔍 Why It Works
Let’s break down why this one-liner is so effective for finding juicy endpoints:
✅ Bypasses Some WAFs
The custom headers (X-Forwarded-For, X-Originating-IP, X-Forwarded-Host) claim the request came from localhost. Some WAFs, rate limiters and "internal only" access rules trust these headers and skip blocking or throttling for what looks like internal traffic. It is a cheap trick, not a reliable bypass: if a path that returned 403 in a plain run comes back 200 with the headers, confirm it by re-sending that single request with and without the header before calling it a bypass.
🔎 Filters Noise
The -fc flag drops the status codes that are almost always noise on a big wordlist (400, 401, 402, 403, 404, 429 and the 500s), so the hits that matter, 200s and 301/302 redirects, stand out. -ac adds auto-calibration on top, filtering responses that look like the target's generic "not found" page even when it is served as a 200. The trade-off is that 401 and 403 are filtered too, so protected-but-real paths are invisible with this exact line; remove them from -fc (or use -mc all) when those are what you are hunting.
🧠 File Extension Awareness
The -e option appends each extension to every wordlist entry: .php, .bak, .env, .config, .sql, .log and more, which is what catches leaked configs, backups, DB dumps and log files. Note that it multiplies the request count by the number of extensions plus one (22x with the 21 extensions on this line), so trim the list to the target's stack before running it against the big wordlist.
🚀 Recursion Mode
With -recursion and -recursion-depth 2, FFUF queues a new job for every hit that looks like a directory and fuzzes inside it, two levels deep, multiplying your coverage without extra effort. Keep the depth low: each level re-runs the whole wordlist (times the extension list) against every directory found at the level above.
⚙️ Aggressive Threading & Redirects
-t 100 runs 100 concurrent requests so you blast through the wordlist quickly; it is ideal when the target can take it, and the first thing to lower on rate-limited or fragile apps (add -p for a delay between requests). -r makes FFUF follow redirects, so the final page rather than the 301/302 is what gets filtered and reported. It does not retry dropped requests; FFUF has no retry option, so watch the error count in the progress line and rerun with fewer threads if it climbs.
🧰 Customize It for Your Target
You can tweak this line to match your bug bounty or pentest target:
- Change the wordlist (-w) to any size: small for speed and less noise, big for depth.
- Modify extensions (-e) based on the tech stack (e.g. .rb, .py, .cgi for Ruby, Python or CGI apps), and drop the ones that do not apply.
- Adjust headers to match real apps (some WAFs can be bypassed with X-Host or X-Real-IP tricks), and always set a realistic User-Agent, since the default FFUF one is easy to fingerprint and block.
💡 Pro Tips
- Run this on /admin, /api/, /uploads/, /internal/ paths too.
- Combine with -v for verbose output (full URL and redirect location), or -of html -o results.html for a pretty report.
- Use httpx or nuclei to post-process discovered endpoints.
- Don’t ignore 403s: they reveal protected but real paths. As written, the one-liner hides them with -fc 403, so remove 403 from -fc (or run with -mc all) when you want to see them.
📦 Sample Results You’ll Love
Running this against real-world scopes can reveal:
/admin.bak
/config/.env
/backup/db.sql
/api/internal/
/debug/logs.txt
These are often low-hanging fruit leading to critical information disclosure, credential leaks, or auth bypass opportunities.
🔒 Final Thoughts
When hunting bugs, the right tooling + the right mindset makes all the difference. This FFUF one-liner is part of my daily recon toolkit and has helped uncover multiple valid bugs, especially in programs using default WAF setups or exposed dev infrastructure.
Try it out, tweak it for your use case, and happy fuzzing! 🛡️💥
Written by: Mejbaur Bahar Fagun
GitHub: fagunti
X/Twitter: @fagun018
LinkedIn: Mejbaur Bahar Fagun