ffuf
Ffuf (Fuzz Faster U Fool) is a high-performance web fuzzer written in Go, specifically designed for directory discovery, virtual host enumeration, and fuzzing of HTTP parameters. Known for its speed and flexibility, it allows security researchers to quickly identify hidden resources and potential vulnerabilities by testing large wordlists against web applications using highly customizable filters and matchers.
Navigation
- Installation
- Basic Usage
- Directory & File Discovery
- Recursive Directory Discovery
- Virtual Host Discovery
- Subdomain Fuzzing
- GET Parameter Fuzzing
- POST Parameter Fuzzing
- JSON API Fuzzing
- HTTP Header Fuzzing
- Filtering Results
- Rate Limiting & Performance
- Output Options
- Proxy Usage (Burp/ZAP)
- Recursive Web Content Discovery
- Multiple Wordlists
Installation
Install ffuf on Kali Linux
sudo apt install ffuf
Install ffuf on Debian/Ubuntu
sudo apt install ffuf
Install using Go (recommended latest version)
go install github.com/ffuf/ffuf/v2@latest
Install with Homebrew (macOS / Linux)
brew install ffuf
Install using Snap
sudo snap install ffuf
Download precompiled binary (Linux)
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_Linux_amd64.tar.gz tar -xvf ffuf_Linux_amd64.tar.gz chmod +x ffuf sudo mv ffuf /usr/local/bin/
Download precompiled binary (Windows)
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_Windows_amd64.zip
From Source
git clone https://github.com/ffuf/ffuf.git cd ffuf go build ffuf -h ffuf -V
Basic Usage
ffuf -u https://target.com/FUZZ -w wordlist.txt #Basic directory fuzzing ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200 #Show only successful results ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302 #Show successful results and 30x redirects ffuf -u https://target.com/FUZZ -w wordlist.txt -s #Silent mode ffuf -u https://target.com/FUZZ -w wordlist.txt -v #Verbose output ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json #Save results
Directory & File Discovery
ffuf -u https://target.com/FUZZ -w directories.txt #Directory brute force ffuf -u https://target.com/FUZZ -w directories.txt -mc 200,301,302,403 #Directory scan with common status codes ffuf -u https://target.com/FUZZ.bak -w wordlist.txt #Scan for backup files ffuf -u https://target.com/FUZZ.conf -w wordlist.txt #Scan for config files ffuf -u https://target.com/.FUZZ -w wordlist.txt #Find hidden files
Recursive Directory Discovery
ffuf -u https://target.com/FUZZ -w directories.txt -recursion #Enable recursion ffuf -u https://target.com/FUZZ -w directories.txt -recursion -recursion-depth 3 #Recursive scan with depth ffuf -u https://target.com/FUZZ -w directories.txt -recursion -mc 200,301,302 #Recursive scan with filtering
Virtual Host Discovery
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt #Vhost fuzzing ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -mc 200 #Vhost discovery with filtering ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 4242 #Vhost fuzzing with size filter
Subdomain Fuzzing
ffuf -u https://FUZZ.target.com -w subdomains.txt #Subdomain brute force ffuf -u https://FUZZ.target.com -w subdomains.txt -mc 200 #Subdomain scan with status filter ffuf -u https://FUZZ.target.com -w subdomains.txt -fs 1234 #Subdomain scan ignoring page size
GET Parameter Fuzzing
ffuf -u "https://target.com/page.php?id=FUZZ" -w payloads.txt #Fuzz GET parameter values ffuf -u "https://target.com/page.php?id=FUZZ&cat=test" -w payloads.txt #Fuzz multiple parameters ffuf -u "https://target.com/page.php?FUZZ=test" -w params.txt #Fuzz parameter names
POST Parameter Fuzzing
ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -w passwords.txt #Basic POST fuzzing ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -w passwords.txt #POST fuzzing with headers ffuf -u https://target.com/login -X POST -d "username=FUZZ&password=test" -w users.txt #Multiple parameter fuzzing
JSON API Fuzzing
ffuf -u https://target.com/api/login -X POST -d '{"username":"admin","password":"FUZZ"}' -H "Content-Type: application/json" -w passwords.txt #JSON key value fuzzing
ffuf -u https://target.com/api/auth -X POST -d '{"token":"FUZZ"}' -H "Content-Type: application/json" -w tokens.txt #JSON token fuzzing
HTTP Header Fuzzing
ffuf -u https://target.com -H "User-Agent: FUZZ" -w useragents.txt #User agent Header fuzzing ffuf -u https://target.com -H "Authorization: Bearer FUZZ" -w tokens.txt #Authorization header fuzzing ffuf -u https://target.com -H "Cookie: session=FUZZ" -w sessions.txt #Cookie fuzzing
Filtering Results
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200 #Match status codes ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302 #Match multiple status codes ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 4242 #Filter by response size ffuf -u https://target.com/FUZZ -w wordlist.txt -ms 1024 #Match by response size ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 50 #Filter by word count ffuf -u https://target.com/FUZZ -w wordlist.txt -fl 20 #Filter by line count
Rate Limiting & Performance
ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 100 #Limit request rate per second ffuf -u https://target.com/FUZZ -w wordlist.txt -t 50 #Set thread count ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.1 #Delay between requests in seconds ffuf -u https://target.com/FUZZ -w wordlist.txt -timeout 10 #Timeout setting in seconds
Output Options
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json #Save results to json file ffuf -u https://target.com/FUZZ -w wordlist.txt -od /home -o results.json #Save results to json file in custom directory ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.csv -of csv #Save results in CSV ffuf -u https://target.com/FUZZ -w wordlist.txt -o report.html -of html #Save results in HTML ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -or #Creates a file only if there are results
Proxy Usage (Burp/ZAP)
ffuf -u https://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080 #Send traffic through Burp ffuf -u https://target.com/FUZZ -w wordlist.txt -x socks5://127.0.0.1:9050 #Use SOCKS proxy
Recursive Web Content Discovery
ffuf -u https://target.com/FUZZ -w directories.txt -recursion #Recursive directory brute force ffuf -u https://target.com/FUZZ -w directories.txt -recursion -recursion-depth 2 #Recursive with depth limit
Multiple Wordlists
ffuf -u https://target.com/FUZZ1/FUZZ2 -w directory.txt:FUZZ1 -w file.txt:FUZZ2 -mode clusterbomb #Clusterbomb attack ffuf -u https://target.com/FUZZ1/FUZZ2 -w directory.txt:FUZZ1 -w file.txt:FUZZ2 -mode pitchfork #Pitchfork attack