Ffuf (Fuzz Faster U Fool) is a high-performance web fuzzer written in Go, specifically designed for directory discovery, virtual host enumeration, and fuzzing of HTTP parameters. Known for its speed and flexibility, it allows security researchers to quickly identify hidden resources and potential vulnerabilities by testing large wordlists against web applications using highly customizable filters and matchers.

Installation

Install ffuf on Kali Linux

sudo apt install ffuf

Install ffuf on Debian/Ubuntu

sudo apt install ffuf

Install using Go (recommended latest version)

go install github.com/ffuf/ffuf/v2@latest

Install with Homebrew (macOS / Linux)

brew install ffuf

Install using Snap

sudo snap install ffuf

Download precompiled binary (Linux)

wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_Linux_amd64.tar.gz
tar -xvf ffuf_Linux_amd64.tar.gz
chmod +x ffuf
sudo mv ffuf /usr/local/bin/

Download precompiled binary (Windows)

wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_Windows_amd64.zip

From Source

git clone https://github.com/ffuf/ffuf.git
cd ffuf
go build
ffuf -h
ffuf -V

Basic Usage

ffuf -u https://target.com/FUZZ -w wordlist.txt                     #Basic directory fuzzing
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200             #Show only successful results
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302     #Show successful results and 30x redirects
ffuf -u https://target.com/FUZZ -w wordlist.txt -s                  #Silent mode
ffuf -u https://target.com/FUZZ -w wordlist.txt -v                  #Verbose output
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json     #Save results

Directory & File Discovery

ffuf -u https://target.com/FUZZ -w directories.txt                        #Directory brute force
ffuf -u https://target.com/FUZZ -w directories.txt -mc 200,301,302,403    #Directory scan with common status codes
ffuf -u https://target.com/FUZZ.bak -w wordlist.txt                       #Scan for backup files
ffuf -u https://target.com/FUZZ.conf -w wordlist.txt                      #Scan for config files
ffuf -u https://target.com/.FUZZ -w wordlist.txt                          #Find hidden files

Recursive Directory Discovery

ffuf -u https://target.com/FUZZ -w directories.txt -recursion                       #Enable recursion
ffuf -u https://target.com/FUZZ -w directories.txt -recursion -recursion-depth 3    #Recursive scan with depth
ffuf -u https://target.com/FUZZ -w directories.txt -recursion -mc 200,301,302       #Recursive scan with filtering

Virtual Host Discovery

ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt              #Vhost fuzzing
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -mc 200      #Vhost discovery with filtering
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 4242     #Vhost fuzzing with size filter

Subdomain Fuzzing

ffuf -u https://FUZZ.target.com -w subdomains.txt               #Subdomain brute force
ffuf -u https://FUZZ.target.com -w subdomains.txt -mc 200       #Subdomain scan with status filter
ffuf -u https://FUZZ.target.com -w subdomains.txt -fs 1234      #Subdomain scan ignoring page size

GET Parameter Fuzzing

ffuf -u "https://target.com/page.php?id=FUZZ" -w payloads.txt             #Fuzz GET parameter values
ffuf -u "https://target.com/page.php?id=FUZZ&cat=test" -w payloads.txt    #Fuzz multiple parameters
ffuf -u "https://target.com/page.php?FUZZ=test" -w params.txt             #Fuzz parameter names

POST Parameter Fuzzing

ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -w passwords.txt                                                           #Basic POST fuzzing
ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -w passwords.txt      #POST fuzzing with headers
ffuf -u https://target.com/login -X POST -d "username=FUZZ&password=test" -w users.txt                                                                #Multiple parameter fuzzing

JSON API Fuzzing

ffuf -u https://target.com/api/login -X POST -d '{"username":"admin","password":"FUZZ"}' -H "Content-Type: application/json" -w passwords.txt     #JSON key value fuzzing
ffuf -u https://target.com/api/auth -X POST -d '{"token":"FUZZ"}' -H "Content-Type: application/json" -w tokens.txt                               #JSON token fuzzing

HTTP Header Fuzzing

ffuf -u https://target.com -H "User-Agent: FUZZ" -w useragents.txt            #User agent Header fuzzing
ffuf -u https://target.com -H "Authorization: Bearer FUZZ" -w tokens.txt      #Authorization header fuzzing
ffuf -u https://target.com -H "Cookie: session=FUZZ" -w sessions.txt          #Cookie fuzzing

Filtering Results

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200               #Match status codes
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302       #Match multiple status codes
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 4242              #Filter by response size
ffuf -u https://target.com/FUZZ -w wordlist.txt -ms 1024              #Match by response size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 50                #Filter by word count
ffuf -u https://target.com/FUZZ -w wordlist.txt -fl 20                #Filter by line count

Rate Limiting & Performance

ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 100     #Limit request rate per second
ffuf -u https://target.com/FUZZ -w wordlist.txt -t 50         #Set thread count
ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.1        #Delay between requests in seconds
ffuf -u https://target.com/FUZZ -w wordlist.txt -timeout 10   #Timeout setting in seconds

Output Options

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json              #Save results to json file
ffuf -u https://target.com/FUZZ -w wordlist.txt -od /home -o results.json    #Save results to json file in custom directory
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.csv -of csv       #Save results in CSV
ffuf -u https://target.com/FUZZ -w wordlist.txt -o report.html -of html      #Save results in HTML
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -or          #Creates a file only if there are results

Proxy Usage (Burp/ZAP)

ffuf -u https://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080      #Send traffic through Burp
ffuf -u https://target.com/FUZZ -w wordlist.txt -x socks5://127.0.0.1:9050    #Use SOCKS proxy

Recursive Web Content Discovery

ffuf -u https://target.com/FUZZ -w directories.txt -recursion                      #Recursive directory brute force
ffuf -u https://target.com/FUZZ -w directories.txt -recursion -recursion-depth 2   #Recursive with depth limit

Multiple Wordlists

ffuf -u https://target.com/FUZZ1/FUZZ2 -w directory.txt:FUZZ1 -w file.txt:FUZZ2 -mode clusterbomb     #Clusterbomb attack
ffuf -u https://target.com/FUZZ1/FUZZ2 -w directory.txt:FUZZ1 -w file.txt:FUZZ2 -mode pitchfork       #Pitchfork attack