
I used to think FFuf was just another gobuster.

Faster, sure. Cleaner output, maybe. But still just a directory brute-forcer.

That belief died the day I touched this lab.

What started as a simple practice room on HackingHub.io quietly turned into a lesson on how much attack surface we miss when we limit ffuf to directories.

This is the story of how virtual host fuzzing unfolded, four flags, hidden infrastructure, and a completely different way of thinking about recon.


The Setup

The lab was titled "Virtual Host Basics." Nothing fancy. No scary description. Just four flags waiting somewhere. At first it looked like a normal ffuf vhost-fuzzing tutorial to me, but when I looked at the patterns, I was amazed.

The target was simple enough: https://epsilon.ctfio.com/

I opened it in the browser. A static page stared back at me. Nothing interesting. So I did what most of us do. I opened a terminal.


Hi,👋 I'm Abhishek Gupta, a security researcher, learning things to become a bug hunter. Always open to suggestions and eager to learn and share new ideas. I share the knowledge I gather from various sources in one place: my Medium :)

If you really love this article, as a token of appreciation, you can send me:

50 claps, a comment and share everywhere.

The Comfort Zone: Directory Fuzzing with FFUF

I started where I always start. Directory fuzzing.

ffuf -w wordlist/content.txt -u https://epsilon.ctfio.com/FUZZ

Main Game Changer — WORDLIST

Look at the wordlist I used here. The wordlist is always a game-changer. You should learn how to build a custom wordlist.

The method I use for wordlists is:

✅ Use the common web endpoints wordlist from SecLists.
✅ Then, whenever I see any critical endpoint in a Medium blog or a post on social media, I simply add it to my wordlist.
✅ Then, when hunting a specific target, merge it with the endpoints related to the technology stack used by the target.
✅ For example, if the target uses ReactJS and NextJS, I gather all the endpoints related to those and merge them into my wordlist.

I have explained how you can find all endpoints that are there on the site for NextJS and ReactJS in this blog. 👇👇

Ok, let's continue with our story

The output looked… exciting.

200. 200. 200. 200 everywhere.

For a moment, it felt like progress. Then reality hit. Every endpoint was returning the same response.

Same page. Same size. Same content.

False positives. This is the moment where most people shrug and move on. Instead, I stared at the output and asked myself one question:

What's different here?

Seeing Through the Noise

I noticed the response size. It was identical across requests. So I filtered it.

ffuf -w wordlist/content.txt -u https://epsilon.ctfio.com/FUZZ -fs 2275

The screen went quiet. That silence was useful. Now I knew something important: The attack surface wasn't in directories.
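The "200 everywhere, same size" pattern above can be spotted from ffuf's own output instead of by eye. This is an added example, not code from the post or the lab: it reads ffuf CSV output (what `-of csv -o results.csv` writes) and works out which content length is the catch-all baseline, which is the value to hand to `-fs`. The CSV lines are constructed to mimic the lab run.

```shell
#!/bin/sh
# Added example, not from the post: derive the -fs value from ffuf CSV output.
# The sample below is constructed: four paths return the same 2275-byte default
# page, one path returns something genuinely different.
set -e

SAMPLE_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,https://epsilon.ctfio.com/admin,,1,200,2275,412,60,text/html,12ms,
login,https://epsilon.ctfio.com/login,,2,200,2275,412,60,text/html,11ms,
api,https://epsilon.ctfio.com/api,,3,200,2275,412,60,text/html,13ms,
backup,https://epsilon.ctfio.com/backup,,4,200,2275,412,60,text/html,10ms,
robots.txt,https://epsilon.ctfio.com/robots.txt,,5,200,58,6,3,text/plain,9ms,'

# baseline_size <csv>: the content_length (column 6) that occurs most often.
# When one size dominates a run of 200s, that size is the catch-all page and
# is the number to give to -fs.
baseline_size() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && NF >= 6 { count[$6]++ }
    END { for (s in count) if (count[s] > max) { max = count[s]; best = s }
          print best }'
}

# baseline_share <csv> <size>: how many results share that size, printed as
# "matching/total" so the noise level is visible before filtering.
baseline_share() {
  printf '%s\n' "$1" | awk -F, -v b="$2" \
    'NR > 1 { total++; if ($6 == b) same++ } END { print same "/" total }'
}

# outliers <csv> <size>: what -fs <size> would leave behind (word, status, length).
outliers() {
  printf '%s\n' "$1" | awk -F, -v b="$2" 'NR > 1 && $6 != b { print $1, $5, $6 }'
}

size=$(baseline_size "$SAMPLE_CSV")
echo "baseline: $size bytes ($(baseline_share "$SAMPLE_CSV" "$size") results share it)"
echo "survivors after -fs $size:"
outliers "$SAMPLE_CSV" "$size"
```

ffuf's `-ac` flag performs this calibration automatically; the script only makes visible what that flag decides for you.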

A Small Win Changes Everything

Instead of giving up, I shifted direction. Subdomains.

ffuf -w wordlist/subdomain.txt -u https://FUZZ.epsilon.ctfio.com/

This time, ffuf spoke back. One subdomain broke the silence: https://app.epsilon.ctfio.com

Two assets now. Not one. And experience has taught me something very simple: **More assets mean more mistakes.**

This time there was a login page. I noted it for later and went back to fuzzing, since that was the main goal.

Still No Flag. Still Moving.

I tried hidden files next. Nothing fancy. Just covering ground.

ffuf -w wordlist/content.txt -u https://epsilon.ctfio.com/FUZZ -e .php,.txt,.html,.json,.yaml,.yml,.lock

Nothing. No flags. No leaks. But something felt off. I had more surface now, yet nothing obvious. That's when it hit me. I wasn't fuzzing wrong. I was fuzzing too narrowly.

The Thought That Changed Everything: Host Header

⁉️What if the real application wasn't in paths at all? ⁉️What if it was sitting behind the same IP, waiting for the right **Host header**?

That's when I stopped thinking about directories and started thinking about **routing**.

Virtual Host Fuzzing with FFUF (The Turning Point)

I crafted my first virtual host fuzzing request.

ffuf -w dns.txt -u https://epsilon.ctfio.com/ -H "Host: FUZZ"

The response changed. Not the status code, but the content. A different page. A different behaviour. That was the moment it clicked — this request was being routed somewhere else entirely. And then I saw it: **Flag one.**

It wasn't hidden inside a directory or exposed through a file. It was served by a completely different application, one that only responded when the correct **Host header** was supplied.

A hostname no one thought to lock down.

[FLAG_ONE]


Pulling the Thread: Testing Combinations

One vhost is never alone. I started testing combinations. Different hosts. Different assets.

ffuf -w dns.txt -u https://epsilon.ctfio.com/ -H "Host: FUZZ"
ffuf -w dns.txt -u https://app.epsilon.ctfio.com/ -H "Host: FUZZ"
ffuf -w dns.txt -u https://epsilon.ctfio.com/ -H "Host: FUZZ.epsilon.ctfio.com"
ffuf -w dns.txt -u https://app.epsilon.ctfio.com/ -H "Host: FUZZ.epsilon.ctfio.com"
ffuf -w dns.txt -u https://epsilon.ctfio.com/ -H "Host: FUZZ.app.epsilon.ctfio.com"
ffuf -w dns.txt -u https://app.epsilon.ctfio.com/ -H "Host: FUZZ.app.epsilon.ctfio.com"

One by one, new virtual hosts appeared. Four of them.


One of them quietly handed me **flag two** inside a marketing-related host.

[FLAG_TWO]


The Moment Developers Gave Me a Gift

When I mapped the zeus host, I got something:

The response wasn't an error. It was a message.

> EvilCorp API Server 
> For customer data use `{host}-zeus.epsilon.ctfio.com`

I laughed. Then I smiled 😉. Then I fuzzed again.


When Patterns Start Talking

I replaced logic with curiosity.

ffuf -w wordlist/dns.txt -u https://epsilon.ctfio.com/ -H "Host: FUZZ-zeus.epsilon.ctfio.com"

What's the learning for us here:

If you see an endpoint like user-page, fuzz both halves: user-FUZZ and FUZZ-page. Whenever that reveals new endpoints, fuzz those the same way, till infinityyy……….

The same goes for user_page, user~page, or anything else that looks like a pattern to us.

Follow the Pattern

⁉️If there is store-zeus, then there can be api-user, admin-page, and user-profile as well. I started fuzzing for hosts with a hyphen (-) between two keywords, and I found something.

So I tried all combinations with all the keywords we have found so far.

ffuf -w wordlist/dns.txt -u https://thompson.ctfio.com/ -H "Host: store-FUZZ.thompson.ctfio.com"
ffuf -w wordlist/dns.txt -u https://thompson.ctfio.com/ -H "Host: app-FUZZ.thompson.ctfio.com"
ffuf -w wordlist/dns.txt -u https://thompson.ctfio.com/ -H "Host: FUZZ-app.thompson.ctfio.com"
ffuf -w wordlist/dns.txt -u https://thompson.ctfio.com/ -H "Host: FUZZ-zeus.thompson.ctfio.com"
(already done with this one)
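The pattern rule from the "What's the learning" section and the hyphen combinations tried above are the same idea: every keyword you have already seen is a building block. This added example (not code from the post or the lab) makes that explicit by generating a Host-header wordlist from the keywords and separators found so far; the keyword list, separators and base domain are the lab's own values, used here only as constructed input.

```shell
#!/bin/sh
# Added example, not from the post: build a Host-header wordlist from the
# keywords discovered so far, covering the "keyword<sep>keyword" patterns the
# lab used (app-dev, store-zeus, FUZZ-zeus). Feed the result to:
#   ffuf -w hosts.txt -u https://<base>/ -H "Host: FUZZ" -fs <baseline size>
set -e

# Constructed inputs: keywords seen in the lab and the separators to try.
KEYWORDS="app store zeus dev api"
SEPARATORS="- _ ~"

# host_candidates <base-domain>: bare keywords plus every ordered pair of
# distinct keywords joined by each separator, as fully qualified hostnames.
host_candidates() {
  base="$1"
  for k in $KEYWORDS; do
    printf '%s.%s\n' "$k" "$base"
  done
  for a in $KEYWORDS; do
    for b in $KEYWORDS; do
      [ "$a" = "$b" ] && continue
      for sep in $SEPARATORS; do
        printf '%s%s%s.%s\n' "$a" "$sep" "$b" "$base"
      done
    done
  done
}

# count_candidates <base>: size of the list, so the request budget is known
# before any fuzzing starts (5 keywords, 3 separators -> 5 + 5*4*3 = 65).
count_candidates() { host_candidates "$1" | sort -u | wc -l | tr -d ' '; }

# has_candidate <base> <hostname>: exit 0 if the generator would produce it.
has_candidate() { host_candidates "$1" | grep -Fqx "$2"; }

echo "$(count_candidates epsilon.ctfio.com) candidate hosts for epsilon.ctfio.com"
```

Add each newly confirmed host's keyword to KEYWORDS and regenerate; that is the "fuzz them till infinity" loop from the section above, written down.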

And guess what, we were right, asking questions always leads to success!!!!!

curl https://thompson.ctfio.com/ -H "Host: app-dev.thompson.ctfio.com"
  • This yields the flag for us.

[FLAG_THREE]


Enumerating Customer APIs After Virtual Host Discovery

Five new hosts appeared from our previous command. Four were dead ends. One wasn't.


So I fuzzed for endpoints and directories on this host. And yes, it was just as the message said: a customer API. An endpoint named /api appeared on the screen.


And there it was. The final flag. No exploit. No payload. Just ffuf, used properly along with host header fuzzing.

[FLAG_FOUR]


Additional Tip

  • You learned vhost fuzzing, but that's not the only use of ffuf.
  • You can also use it for parameter fuzzing:
ffuf -w wordlists/params.txt -u https://target.com/user?FUZZ=123
# try different values instead of 123
  • And that is not the end either; there are many more use cases for FFUF.
  • FFUF is really helpful for bug bounty recon, since you sometimes need to keep Burp free for other work.

What This Lab Taught Me

ffuf isn't a gobuster replacement. It's a mindset shift. Directories are only one dimension. Headers, hosts, and patterns are where the real surface hides. If you're only fuzzing paths, you're walking past open doors.

Virtual host fuzzing is one of the most underrated techniques in bug bounty recon, and ffuf makes it extremely easy to automate.

This lab didn't make me feel clever. It made me feel aware. And that's far more dangerous.

What surprised me most wasn't the flags. It was how much infrastructure stayed invisible until I stopped treating ffuf like a directory scanner. That mindset shift is what actually finds bugs.

Happy fuzzing.
