ffuf

Fast web fuzzer — discover directories, files, and parameters

Web FuzzerGo

Installation

1go install github.com/ffuf/ffuf/v2@latestInstall via Go

2git clone https://github.com/ffuf/ffuf.git && cd ffuf && go build .Clone and build from source

3ffuf -hVerify installation

Basic Usage

Discover files and directories

ffuf -u https://site.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

Parameter fuzzing in URL

ffuf -u "https://site.com/api?FUZZ=test" -w params.txt

Password fuzzing via POST

ffuf -u "https://site.com" -X POST -d "user=admin&pass=FUZZ" -w passwords.txt

Subdomain fuzzing

ffuf -w subdomains.txt -u "https://FUZZ.site.com"

Fuzzing with specific extensions

ffuf -u https://site.com/FUZZ -w files.txt -e .php,.html,.js

Key Options

-u

Target URL with FUZZ placeholder

-w

Wordlist file

-X

Request method (GET, POST, PUT...)

-d

POST data

-e

File extensions to append

-mc

Filter by response status codes

-fc

Exclude specific status codes

-fs

Filter by response size

-t

Number of concurrent threads

-rate

Request rate per second

-recursion

Recursive scanning

-recursion-depth

Recursion depth

When to Use ffuf?

Discover hidden web files and directories

Parameter fuzzing

Virtual host discovery

Password brute forcing

Discover hidden API endpoints

Fast scanning compared to other tools

Notes & Tips

One of the fastest web fuzzing tools — written in Go

Supports recursive scanning for multi-level discovery

Supports clusterbomb and pitchfork modes for multi-parameter

Requires a good wordlist like SecLists

Supports multiple output formats: HTML, JSON, CSV

Can be used with Burp Suite via proxy

Uses FUZZ placeholder to specify injection point

Supports custom headers and cookies

Suitable for both API fuzzing and web fuzzing

Common Errors & Solutions

403 Forbidden or request blocking

Add a custom User-Agent with -H or reduce request rate

Too many open files

Reduce threads with -t or increase system limit: ulimit -n 65535

WAF detection / IP blocking

Use a proxy or reduce rate with the -rate flag

wordlist parsing error

Ensure the file encoding is UTF-8 and there are no empty lines

ffuf

Fast web fuzzer — discover directories, files, and parameters

Web FuzzerGo

Installation

1go install github.com/ffuf/ffuf/v2@latestInstall via Go

2git clone https://github.com/ffuf/ffuf.git && cd ffuf && go build .Clone and build from source

3ffuf -hVerify installation

Basic Usage

Discover files and directories

ffuf -u https://site.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

Parameter fuzzing in URL

ffuf -u "https://site.com/api?FUZZ=test" -w params.txt

Password fuzzing via POST

ffuf -u "https://site.com" -X POST -d "user=admin&pass=FUZZ" -w passwords.txt

Subdomain fuzzing

ffuf -w subdomains.txt -u "https://FUZZ.site.com"

Fuzzing with specific extensions

ffuf -u https://site.com/FUZZ -w files.txt -e .php,.html,.js

Key Options

-u

Target URL with FUZZ placeholder

-w

Wordlist file

-X

Request method (GET, POST, PUT...)

-d

POST data

-e

File extensions to append

-mc

Filter by response status codes

-fc

Exclude specific status codes

-fs

Filter by response size

-t

Number of concurrent threads

-rate

Request rate per second

-recursion

Recursive scanning

-recursion-depth

Recursion depth

When to Use ffuf?

Discover hidden web files and directories

Parameter fuzzing

Virtual host discovery

Password brute forcing

Discover hidden API endpoints

Fast scanning compared to other tools

Notes & Tips

One of the fastest web fuzzing tools — written in Go

Supports recursive scanning for multi-level discovery

Supports clusterbomb and pitchfork modes for multi-parameter

Requires a good wordlist like SecLists

Supports multiple output formats: HTML, JSON, CSV

Can be used with Burp Suite via proxy

Uses FUZZ placeholder to specify injection point

Supports custom headers and cookies

Suitable for both API fuzzing and web fuzzing

Common Errors & Solutions

403 Forbidden or request blocking

Add a custom User-Agent with -H or reduce request rate

Too many open files

Reduce threads with -t or increase system limit: ulimit -n 65535

WAF detection / IP blocking

Use a proxy or reduce rate with the -rate flag

wordlist parsing error

Ensure the file encoding is UTF-8 and there are no empty lines