FFuzzer fuzzes any HTTP request by replacing the literal string FUZZ with each entry of a wordlist. It’s the wfuzz/ffuf-style workflow inside Hugin — fast, scriptable, and integrated with the proxy + browser stack.
Use it for content discovery, virtual-host enumeration, parameter value fuzzing, or any task where “iterate this wordlist into this position” is what you need.
🔗Quick Start
- Open the FFuzzer view
- Paste a target URL or template containing FUZZ somewhere: https://target.com/FUZZ, https://FUZZ.target.com, or in the body
- Pick a wordlist
- Start
Results stream into the table sorted by status code, with per-row request/response inspection.
🔗FUZZ Placement
FUZZ works anywhere in the request:
- URL path: https://target.com/api/v1/FUZZ
- URL host: https://FUZZ.target.com
- Query value: https://target.com/?id=FUZZ
- Header value: Authorization: Bearer FUZZ
- Body: {"username":"FUZZ"}
🔗Multi-Keyword Fuzzing
Use FUZ2, FUZ3, …, FUZ9 for cluster-bomb-style multi-position fuzzing. Each keyword binds to its own wordlist. How the lists are combined follows the configured combination mode: product is the Cartesian product (every entry of each list against every entry of the others, the cluster-bomb behaviour), zip pairs entries index-wise and stops at the shortest list (the pitchfork behaviour), and concat. Budget accordingly: in product mode the request count is the product of the list sizes, so two 10,000-entry lists mean 100 million requests.
Example: https://target.com/FUZZ?user=FUZ2 with a paths wordlist for FUZZ and a usernames wordlist for FUZ2 runs, in product mode, every path against every username.
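The following is an added example, not Hugin's own code, of what the keyword expansion above does: it finds FUZZ and FUZ2..FUZ9 anywhere in a template (URL, header or body of a raw request), binds each to its own list, and generates the request set under the product and zip modes. The concat mode is left out because the page does not define it; the function names and the request-count helper are this example's own.

```python
import itertools
import re
from typing import Dict, Iterator, List

# FUZZ plus FUZ2..FUZ9. No keyword is a prefix of another, so one regex
# pass can replace every occurrence without ordering problems.
KEYWORD_RE = re.compile(r"FUZZ|FUZ[2-9]")


def keywords_in(template: str) -> List[str]:
    """Distinct keywords in first-appearance order, wherever they sit
    (path, host, query, header or body of a raw request)."""
    found: List[str] = []
    for m in KEYWORD_RE.finditer(template):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def bindings(wordlists: Dict[str, List[str]], order: List[str], mode: str) -> Iterator[Dict[str, str]]:
    """One {keyword: payload} dict per request.
    product: Cartesian product of all lists (cluster bomb), N1*N2*... requests.
    zip: i-th entry of every list together, stops at the shortest (pitchfork)."""
    lists = [wordlists[k] for k in order]
    if mode == "product":
        combos = itertools.product(*lists)
    elif mode == "zip":
        combos = zip(*lists)
    else:
        raise ValueError(f"unsupported combination mode: {mode}")
    for combo in combos:
        yield dict(zip(order, combo))


def render(template: str, binding: Dict[str, str]) -> str:
    """Single-pass substitution: a payload that itself contains 'FUZZ'
    is inserted literally and never expanded again."""
    return KEYWORD_RE.sub(lambda m: binding[m.group(0)], template)


def expand(template: str, wordlists: Dict[str, List[str]], mode: str = "product") -> List[str]:
    order = keywords_in(template)
    missing = [k for k in order if k not in wordlists]
    if missing:
        raise ValueError(f"no wordlist bound for {missing}")
    return [render(template, b) for b in bindings(wordlists, order, mode)]


def request_count(wordlists: Dict[str, List[str]], order: List[str], mode: str) -> int:
    """Budget check before starting: product mode grows multiplicatively."""
    sizes = [len(wordlists[k]) for k in order]
    if not sizes:
        return 1  # no keyword: the template is sent once
    if mode == "product":
        total = 1
        for n in sizes:
            total *= n
        return total
    return min(sizes)


if __name__ == "__main__":
    url = "https://target.com/FUZZ?user=FUZ2"
    lists = {"FUZZ": ["admin", "api"], "FUZ2": ["alice", "bob", "carol"]}
    for mode in ("product", "zip"):
        print(mode, request_count(lists, keywords_in(url), mode), "requests")
        for u in expand(url, lists, mode):
            print("  ", u)
    # Constructed raw request with keywords in a header and in the body.
    raw = "POST /login HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer FUZ2\r\n\r\n{\"username\":\"FUZZ\"}"
    print(expand(raw, {"FUZZ": ["alice"], "FUZ2": ["tok1", "tok2"]}, "product")[1])
```

Run `request_count` before `expand` on real lists; the product of two moderately sized lists is routinely millions of requests, and that is the number the per-host rate limit will be spreading out.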
🔗Two Engines
🔗HTTP (default)
Raw TCP/TLS sends via the embedded HTTP client. Fast — thousands of requests per second.
- Configurable concurrency
- Per-host rate limit
- Custom TLS fingerprint (BoringSSL Chrome by default)
- Optional Mullvad SOCKS5 routing
Use this for high-volume content discovery and bulk fuzzing where speed matters.
🔗Browser (Marionette)
Routes each request through a Mullvad Browser session via Marionette. Slower but inherits the browser’s exact JA3/JA4 fingerprint — useful when the target filters on TLS fingerprint and the raw HTTP engine is getting filtered.
🔗Wordlists
Each keyword can use:
- Built-in — bundled wordlists (dirs / files / params / subdomains / common / raft variants)
- File — path to a local file (one entry per line)
- Inline — pasted directly in the UI
- Command: output of a shell command (e.g., seq 1 1000, curl raw.githubusercontent.com/...)
See the Wordlists chapter for managing the library.
🔗Filters & Hide Rules
The results table supports live filtering:
- Status code — pills for 2xx / 3xx / 4xx / 5xx, or exact code
- Body length — range
- Word count — range (often the most reliable signal for content discovery)
- Line count — range
- Response time — range
- Body contains — substring or regex
The Hide rules complement filters — hide all 404s, hide all responses of size 1234 (typical wildcard length), etc. The visible result set updates instantly.
🔗Recursive Mode
Toggle Recursive to automatically re-fuzz any directory-like result with the same wordlist. Found /admin returning 200? Hugin queues /admin/FUZZ next. Recursion depth and queue caps are configurable to prevent runaway scans.
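As an added example (not Hugin's own code) of how the recursion and its caps behave, the block below runs a breadth-first recursive fuzz against a constructed in-memory target. It treats a redirect to the same path with a trailing slash as the directory-like signal, re-fuzzes each such hit with the same wordlist, and stops on two caps whose exact semantics are this example's own assumptions: max_depth bounds the nesting level and max_queued bounds how many directories are scheduled in total.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Resp:
    status: int
    location: Optional[str] = None  # Location header, for redirects


# Constructed stand-in target (not a real host): path -> response.
# A 301 to the same path plus "/" is the classic "this is a directory" hint.
FAKE_TARGET: Dict[str, Resp] = {
    "/admin": Resp(301, "/admin/"),
    "/admin/": Resp(200),
    "/admin/users": Resp(301, "/admin/users/"),
    "/admin/users/": Resp(200),
    "/admin/users/list": Resp(200),
    "/api": Resp(301, "/api/"),
    "/api/": Resp(403),
    "/api/v1": Resp(301, "/api/v1/"),
    "/api/v1/": Resp(403),
    "/api/v1/users": Resp(200),
    "/robots.txt": Resp(200),
}

WORDLIST = ["admin", "api", "users", "list", "v1", "robots.txt"]


def fake_fetch(path: str) -> Resp:
    return FAKE_TARGET.get(path, Resp(404))


def is_directory(path: str, resp: Resp) -> bool:
    """Directory-like: a redirect to the same path with a trailing slash."""
    return resp.status in (301, 302, 307, 308) and resp.location == path + "/"


def recursive_fuzz(fetch: Callable[[str], Resp], wordlist: List[str],
                   max_depth: int = 2, max_queued: int = 50) -> Tuple[List[Tuple[str, int]], int]:
    """Breadth-first: every directory-like hit is queued as prefix + FUZZ
    with the same wordlist. max_depth bounds nesting, max_queued bounds the
    total number of directories ever scheduled (this example's own caps).
    Returns (non-404 hits as (path, status), number of requests sent)."""
    hits: List[Tuple[str, int]] = []
    queue = deque([("/", 0)])
    scheduled = 1
    sent = 0
    while queue:
        prefix, depth = queue.popleft()
        for word in wordlist:
            path = prefix + word
            resp = fetch(path)
            sent += 1
            if resp.status == 404:
                continue  # the usual "hide all 404s" rule
            hits.append((path, resp.status))
            if is_directory(path, resp) and depth < max_depth and scheduled < max_queued:
                queue.append((path + "/", depth + 1))
                scheduled += 1
    return hits, sent


if __name__ == "__main__":
    for depth, cap in ((2, 50), (1, 50), (2, 2)):
        hits, sent = recursive_fuzz(fake_fetch, WORDLIST, max_depth=depth, max_queued=cap)
        print(f"max_depth={depth} max_queued={cap}: {sent} requests, {len(hits)} hits")
        for path, status in hits:
            print("  ", status, path)
```

One caveat the caps do not cover: a sub-directory can have its own wildcard behaviour (for example /api/v1/anything returning 200), so re-run calibration for each queued prefix rather than carrying the root's hide rules down unchanged, or the recursion will fill the results table with noise.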
🔗Calibration
The Auto-calibrate button sends a few requests with random payloads to detect wildcard responses (servers that return 200 for everything, or a consistent soft-404 page). The detected wildcard signatures (status + length) become hide rules automatically. Check the rule it produced before trusting it: a wildcard page that reflects the requested path changes length with every payload, so a status + length rule will let those responses through; a word-count hide rule usually catches them.
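The following is an added example (not Hugin's own code) that ties the calibration step to the filter and hide rules described above. It runs a few random probes against a constructed stand-in target whose soft-404 page reflects the requested path, keeps as the wildcard signature only the dimensions that stayed constant across the probes (which extends the page's status + length rule with word count), then applies hide rules and the status/range/regex filters to a small result set. The target, wordlist and function names are this example's own.

```python
import random
import re
import string
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple, Union

Fetch = Callable[[str], Tuple[int, str]]  # payload -> (status, body)


@dataclass
class Result:
    payload: str
    status: int
    body: str

    @property
    def length(self) -> int:
        return len(self.body.encode())

    @property
    def words(self) -> int:
        return len(self.body.split())

    @property
    def lines(self) -> int:
        return len(self.body.splitlines())


def fake_target(payload: str) -> Tuple[int, str]:
    """Constructed target: three real pages, everything else a soft 404
    that echoes the path (so its length varies, its word count does not)."""
    if payload == "admin":
        return 200, "<html><body><h1>Admin console</h1><p>Restricted area</p></body></html>\n"
    if payload == "robots.txt":
        return 200, "User-agent: *\nDisallow: /admin\n"
    if payload == "old":
        return 403, "Forbidden\n"
    return 200, f"<html><body><p>Page {payload} not found, try our homepage.</p></body></html>\n"


def calibrate(fetch: Fetch, probes: int = 3, seed: int = 1) -> Dict[str, int]:
    """Send random payloads of different lengths and keep, as the wildcard
    hide rule, only the dimensions that were identical across every probe."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    sigs = []
    for i in range(probes):
        junk = "".join(rng.choices(alphabet, k=8 + 4 * i))  # 8, 12, 16 chars
        status, body = fetch(junk)
        r = Result(junk, status, body)
        sigs.append({"status": r.status, "length": r.length, "words": r.words})
    rule: Dict[str, int] = {}
    for dim in ("status", "length", "words"):
        seen = {s[dim] for s in sigs}
        if len(seen) == 1:
            rule[dim] = seen.pop()
    return rule


def hidden(r: Result, rules: Iterable[Dict[str, int]]) -> bool:
    """A hide rule matches when every dimension it names is equal."""
    return any(all(getattr(r, k) == v for k, v in rule.items()) for rule in rules)


def status_matches(code: int, wanted: Iterable[Union[int, str]]) -> bool:
    """Accepts exact codes (403) and class pills ("2xx")."""
    for w in wanted:
        if isinstance(w, int) and w == code:
            return True
        if isinstance(w, str) and w.endswith("xx") and code // 100 == int(w[0]):
            return True
    return False


def in_range(value: int, bounds: Optional[Tuple[int, int]]) -> bool:
    return bounds is None or bounds[0] <= value <= bounds[1]


def filter_results(results: List[Result], hide_rules: List[Dict[str, int]],
                   status: Optional[Iterable[Union[int, str]]] = None,
                   words=None, length=None, lines=None,
                   body_re: Optional[str] = None) -> List[Result]:
    out = []
    for r in results:
        if hidden(r, hide_rules):
            continue
        if status is not None and not status_matches(r.status, status):
            continue
        if not (in_range(r.words, words) and in_range(r.length, length) and in_range(r.lines, lines)):
            continue
        if body_re is not None and not re.search(body_re, r.body):
            continue
        out.append(r)
    return out


WORDLIST = ["admin", "backup", "robots.txt", "old", "login", "xyz123"]


def fuzz(fetch: Fetch, wordlist: List[str]) -> List[Result]:
    return [Result(w, *fetch(w)) for w in wordlist]


def run_example() -> List[str]:
    """Calibrate, add the manual 'hide all 404s' rule, return visible payloads."""
    rules = [calibrate(fake_target), {"status": 404}]
    return [r.payload for r in filter_results(fuzz(fake_target, WORDLIST), rules)]


if __name__ == "__main__":
    print("wildcard rule:", calibrate(fake_target))
    print("visible:", run_example())
```

Against this target `calibrate` returns a rule on status and word count only, because the three probes came back with three different lengths; a rule built from a single probe's status + length would have hidden only the wildcard responses that happened to share that length and left the rest in the table.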
🔗Right-Click on Result
- Send to Repeater
- Send to Scanner
- Send to Comparer
- View raw — full request + response
- Copy as cURL
- Add to wordlist — append this payload to a saved list (useful for building custom wordlists from real findings)
🔗Export
Results table can be exported as JSON, CSV, or plain newline-separated payloads (matching results only).
🔗MCP
The ffuzzer MCP tool exposes:
- run: execute a fuzzing run synchronously and return results
- start: kick off a session in the background (returns a session ID)
- status: poll a running session's progress
- stop: terminate a running session
- results: fetch results from a (running or completed) session
Engine modes (mode param): http or browser.
Multi-keyword setup: pass wordlists:{"FUZZ":{...},"FUZ2":{...}} plus attack_mode (clusterbomb by default, pitchfork, or sniper). These follow the usual Burp Intruder meanings: clusterbomb tries every combination of the lists, pitchfork pairs them index-wise, and sniper fuzzes one position at a time.
Useful for AI-driven hunting: the agent identifies a parameter that takes a value, runs FFuzzer with a relevant wordlist, then triages the results. Prefer start/status/results over run for anything larger than a few hundred requests, so the agent is not blocked on a synchronous call.