There is a common issue with case-insensitive web servers (e.g., Windows/IIS-based or some misconfigured Apache/Nginx instances) where they return the same resource for multiple URL casings (e.g., /admin, /Admin, /ADMIN, etc.), and ffuf treats them as different results:
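# Build a lowercase, de-duplicated copy of the wordlist so a case-insensitive
# server is not hit with /admin, /Admin and /ADMIN as three "different" hits.
# Reads wordlist.txt from the current directory, writes lowerlist.txt.
# `sort -u` replaces `sort | uniq`; the input redirect replaces the useless
# `cat`; LC_ALL=C makes the sort/duplicate test byte-wise and reproducible
# regardless of the caller's locale.
tr '[:upper:]' '[:lower:]' < wordlist.txt | LC_ALL=C sort -u > lowerlist.txt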
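# Lock-step login fuzz against the vAPI practice target.
# -mode pitchfork walks both wordlists in parallel (line N of `emails` with
# line N of `passwords`), i.e. one request per pair, not the cross product
# (that would be -mode clusterbomb).  Each wordlist is bound to its own
# keyword with `-w path:KEYWORD`; the keywords are substituted inside the
# JSON body.  -fc 401 hides the "Unauthorized" responses so only accepted
# pairs are listed.  The options live in an array so each one can be
# commented and so quoting stays intact when the command is reused.
ffuf_args=(
  -mode pitchfork
  -u http://vapi.apisec.ai/vapi/api2/user/login
  -w emails:EMAIL                           # first wordlist  -> EMAIL keyword
  -w passwords:PASS                         # second wordlist -> PASS keyword
  -X POST
  -H 'Content-Type: application/json'
  -d '{"email":"EMAIL","password":"PASS"}'  # keywords are replaced in the body
  -c                                        # coloured output
  -fc 401                                   # filter out HTTP 401 responses
)
ffuf "${ffuf_args[@]}"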
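#!/usr/bin/env bash
# Recon helper: directory, subdomain and vhost fuzzing with ffuf against one
# target.  Results are written to ./scans/<protocol>-<domain>-<scan>.
#
# Usage:  ./scan.sh [PROTOCOL [DOMAIN [EXT]]]
#   Any value not given on the command line is prompted for (the original
#   interactive behaviour).
#   PROTOCOL  http or https (case-insensitive)
#   DOMAIN    target hostname, e.g. example.com
#   EXT       comma-separated extension list passed to ffuf -e (may be empty;
#             when empty no -e flag is sent instead of an empty one)
# Env:
#   SECLISTS  root of the SecLists checkout
#             (default /usr/share/wordlists/seclists)
#
# Fixes relative to the earlier version: the vhost scan used `{$domain}`
# (literal braces, not an expansion) and wrote into a hard-coded
# ./scans/streamio.htb/ directory while reporting a different path; ./scans
# is now created if missing; a failing scan aborts the run (set -e) instead
# of silently continuing.
set -euo pipefail

seclists=${SECLISTS:-/usr/share/wordlists/seclists}
out_dir=./scans

# Positional arguments win; otherwise prompt.  $# >= 3 lets an explicitly
# empty EXT be passed without triggering the prompt.
protocol=${1:-}
domain=${2:-}
ext=${3-}
[[ -n "$protocol" ]] || read -rp "Enter protocol (HTTP/HTTPS): " protocol
[[ -n "$domain" ]] || read -rp "Enter the domain to fuzz: " domain
[[ $# -ge 3 ]] || read -rp "Enter extension string to fuzz: " ext

# Normalise the scheme so the URL and the output file names are consistent
# whether the user typed HTTPS or https.
protocol=${protocol,,}
if [[ "$protocol" != "http" && "$protocol" != "https" ]]; then
  printf 'protocol must be HTTP or HTTPS, got %q\n' "$protocol" >&2
  exit 1
fi
if [[ -z "$domain" ]]; then
  printf 'domain must not be empty\n' >&2
  exit 1
fi

mkdir -p -- "$out_dir"
prefix="${out_dir}/${protocol}-${domain}"

# Options shared by every scan: -s silent, -c colour, -ac auto-calibrate the
# response filter, -ic ignore comment lines in the wordlist.
common=(-s -c -ac -ic)
ext_opt=()
if [[ -n "$ext" ]]; then
  ext_opt=(-e "$ext")
fi

echo "Scanning for directories..."
# ${ext_opt[@]+"${ext_opt[@]}"} expands to nothing when the array is empty
# without tripping `set -u` on bash < 4.4.
ffuf -u "${protocol}://${domain}/FUZZ" \
  -w "${seclists}/Discovery/Web-Content/directory-list-2.3-medium.txt" \
  "${common[@]}" ${ext_opt[@]+"${ext_opt[@]}"} \
  -o "${prefix}-dirscan"
echo "Directory scanning completed: less ${prefix}-dirscan"

echo "Scanning for subdomains..."
ffuf -u "${protocol}://FUZZ.${domain}" \
  -w "${seclists}/Discovery/DNS/subdomains-top1million-20000.txt" \
  "${common[@]}" \
  -o "${prefix}-subdomains"
echo "Subdomain scanning completed: ${prefix}-subdomains"

echo "Scanning for vhosts..."
# The request always goes to the base host; only the Host header is fuzzed.
ffuf -u "${protocol}://${domain}" \
  -H "Host: FUZZ.${domain}" \
  -w "${seclists}/Discovery/DNS/namelist.txt" \
  "${common[@]}" \
  -o "${prefix}-vhosts"
echo "Vhost scanning completed: ${prefix}-vhosts"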