Interactive Playground
This simulator mimics how ffuf runs look and helps you learn flags, wordlists and results parsing — all locally, without sending network requests.
Example ffuf commands
# Content discovery
ffuf -w wordlists/common.txt -u http://target/FUZZ
# VHost discovery
ffuf -w wordlists/vhosts.txt -H "Host: FUZZ.target.com" -u http://target/
Guided Exercises
Try these tasks in the simulator, then when comfortable follow the "Run real ffuf" instructions in Hosting to practice on your own test instance.
Exercise 1 — Basic content discovery
Goal: find hidden directories like /admin, /backup.
- Set Target URL to http://linod.eu.org/FUZZ.
- Select common.txt and click Run (simulate).
- Observe hits appearing in the logs — they show status codes and sizes (simulated).
Exercise 2 — Virtual host discovery
Goal: learn how changing the Host header affects results.
- Try the example VHost ffuf command from the examples snippet.
- Read about vhost discovery in the resources panel.
Resources & downloads
- Official ffuf site and playground inspiration: ffuf.me
- ffuf GitHub repository (tool itself): github.com/ffuf/ffuf
- Recommended reading — OWASP fuzzing vectors & testing guide: OWASP WSTG
- ffuf wordlists (examples): ffuf.me/wordlists
Hosting & "real" ffuf setup (optional)
If you want to run a live lab where visitors can safely run ffuf against curated targets, you need a server backend and containerized ffuf instances. Below are minimal steps (summary) — see the full README in the project repository for a production-ready guide.
- Provision a VPS (you already own linod.eu.org) and point DNS A record to its IP.
- Create a dockerized environment with limited network access and sandboxed targets (use private subnets, non-routable targets) — never allow arbitrary fuzzing against external domains.
- Use a queue (Redis) and worker pattern to run ffuf jobs safely and timebox CPU usage.
- Use HTTPS (Let's Encrypt) and rate-limiting on the public API.
- Log results to a database and sanitize output shown to users.
See hosting notes at the bottom of the saved file for an example nginx site config and a Docker Compose snippet for running ffuf workers.
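The worker-side check implied by the steps above, as an added example (not code from this project): it accepts a job only if the target is a literal IP inside the sandbox subnet, builds the ffuf argument list without a shell, timeboxes and rate-limits the run, and escapes results before display. The subnet, wordlist paths, limits and output path are assumed placeholder values, and the result fields passed to render_hit are assumed.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed lab values (placeholders): sandbox subnet, wordlist paths, per-job limits.
SANDBOX_NET = ipaddress.ip_network("10.77.0.0/24")
WORDLISTS = {"common.txt": "/opt/wordlists/common.txt",
             "vhosts.txt": "/opt/wordlists/vhosts.txt"}
MAX_SECONDS, MAX_RATE = 60, 50          # timebox (s) and requests/second per job
SAFE_PATH = re.compile(r"/[A-Za-z0-9/._-]*")
SAFE_HOST = re.compile(r"[A-Za-z0-9.-]{1,253}")


class JobRejected(ValueError):
    """Raised when a submitted job falls outside the lab policy."""


def build_ffuf_argv(target_url, wordlist, host_header=None):
    """Validate a user-submitted job and return an argv list for subprocess.run()."""
    try:
        parts = urlsplit(target_url)
        addr = ipaddress.ip_address(parts.hostname or "")  # names are refused: no DNS tricks
        port = parts.port
    except ValueError:
        raise JobRejected("target must be http(s)://<literal sandbox IP>/...") from None
    if parts.scheme not in ("http", "https") or parts.username or parts.query or parts.fragment:
        raise JobRejected("unsupported URL form")
    if addr not in SANDBOX_NET:
        raise JobRejected("target is outside the sandbox subnet")
    if wordlist not in WORDLISTS or not SAFE_PATH.fullmatch(parts.path):
        raise JobRejected("unknown wordlist or unsafe path")
    if host_header is not None and not SAFE_HOST.fullmatch(host_header):
        raise JobRejected("unsafe Host header")  # also blocks CR/LF header injection
    if "FUZZ" not in parts.path and "FUZZ" not in (host_header or ""):
        raise JobRejected("no FUZZ keyword")
    # Rebuild the URL from validated parts instead of passing user input through.
    netloc = f"{addr}:{port}" if port else str(addr)
    argv = ["ffuf", "-noninteractive", "-w", WORDLISTS[wordlist],
            "-u", f"{parts.scheme}://{netloc}{parts.path}", "-maxtime", str(MAX_SECONDS),
            "-rate", str(MAX_RATE), "-of", "json", "-o", "/tmp/job.json"]
    if host_header:
        argv += ["-H", f"Host: {host_header}"]
    return argv


def render_hit(result):
    """HTML-escape one result entry (assumed fields: status, length, url) for display."""
    return html.escape(f"{result['status']} {result['length']} {result['url']}")
```

The subnet check is a second layer only: the container network should still have no route to anything outside the sandbox.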