ffuf
Fuzz web servers for resources
TLDR
Enumerate directories using [c]olored output and a [w]ordlist against a target [u]RL
Enumerate web servers of subdomains by changing the position of the FUZZ keyword
Fuzz with a specified number of [t]hreads (default: 40), pro[x]ying the traffic, and save the [o]utput to a file
Fuzz a specific [H]eader ("Name: Value") and [m]atch HTTP status [c]odes
Fuzz with a specified HTTP method and [d]ata, while [f]iltering out comma-separated status [c]odes
Fuzz multiple positions with multiple wordlists using different modes
Proxy requests through an HTTP MITM pro[x]y (such as Burp Suite or mitmproxy)
SYNOPSIS
ffuf -w WORDLIST -u URL [OPTIONS]
PARAMETERS
-w, --wordlist
Path to the wordlist
-u, --url
Target URL with FUZZ placeholder
e.g., https://example.com/FUZZ
-H, --header
Custom header
e.g., "Authorization: Bearer TOKEN"
-X, --method
HTTP method (default: GET)
-d, --data
POST data, supports FUZZ
-r, --follow-redirects
Follow redirects
-recursion
Recurse discovered directories
-e, --extensions
Append file extensions
e.g., php,html,txt
-mc, --match-codes
Match HTTP status codes
e.g., 200,301,302
-ml, --match-lines
Match response lines count
-mw, --match-words
Match response words count
-mr, --match-regex
Match response content regex
-fs, --filter-size
Filter by response size
-fw, --filter-words
Filter by response words
-fl, --filter-lines
Filter by response lines
-fc, --filter-codes
Filter HTTP status codes
-t, --threads
Number of concurrent threads (default: 40)
-timeout
HTTP request timeout in seconds
-p, --delay
Delay between requests
-rate
Max requests per second
-o, --output
Output file
-of, --output-format
Output format: json, csv, ejson, html (default: json)
-v, --verbosity
Verbosity level (0-9)
-s, --stop-on-spurious
Stop on first non-2XX/3XX/4XX/5XX
-D, --stop-duplicates
Do not stop on duplicate responses
-input-cmd
Input from stdin command
-input-pipe
Input from stdin pipe
DESCRIPTION
FFUF (Fuzz Faster U Fool) is a high-performance, open-source web fuzzer written in Go, designed for discovering hidden directories, files, parameters, and vulnerabilities in web applications.
It is fast because of its multi-threaded architecture, which can handle thousands of requests per second. Users specify a target URL containing a FUZZ placeholder and a wordlist; each wordlist entry is substituted for the placeholder, allowing rapid brute-forcing. Advanced features include HTTP method customization, custom headers, POST data fuzzing, recursion, extension appending, and powerful filters based on response size, words, lines, status codes, or regex matches.
Filters reduce noise by excluding known false positives (e.g., catch-all pages that answer every unknown path). Output can be written in several formats (JSON, CSV, EJSON, HTML) for easy parsing. It is lightweight, portable, and widely used in penetration testing, bug bounty work, and security assessments on distributions such as Kali Linux.
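The matcher/filter interplay described above is easy to get wrong (a filter can only remove what a matcher has already accepted). The following is an added example, not ffuf's own code: a simplified Python model of that decision over constructed responses. It assumes a response is reported when at least one matcher accepts it and no filter rejects it (ffuf's default OR mode for both groups); the default status-code list is ffuf's documented -mc default, and the byte/word/line counters are approximations of ffuf's.

```python
"""Simplified model of ffuf's matcher/filter decision (added example, not ffuf code).

Assumption: report a response when a matcher accepts it AND no filter
rejects it. Counters (size, words, lines) approximate ffuf's.
"""
import re
from dataclasses import dataclass, field


def parse_codes(spec: str) -> set[int]:
    """Parse a -mc/-fc value such as '200-299,301,403' or 'all'."""
    if spec.strip() == "all":
        return set(range(100, 600))
    codes: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def parse_ints(spec: str) -> set[int]:
    """Parse a -fs/-fw/-fl value such as '0,512'."""
    return {int(p) for p in spec.split(",") if p.strip()}


@dataclass
class Response:
    word: str      # FUZZ value that produced this response
    status: int
    body: str

    @property
    def size(self) -> int:
        return len(self.body.encode())

    @property
    def words(self) -> int:
        return len(self.body.split())

    @property
    def lines(self) -> int:
        return len(self.body.splitlines())


@dataclass
class Options:
    # ffuf's documented default for -mc
    match_codes: set[int] = field(
        default_factory=lambda: parse_codes("200-299,301,302,307,401,403,405,500"))
    match_regex: str = ""                                  # -mr
    filter_codes: set[int] = field(default_factory=set)   # -fc
    filter_sizes: set[int] = field(default_factory=set)   # -fs
    filter_words: set[int] = field(default_factory=set)   # -fw
    filter_lines: set[int] = field(default_factory=set)   # -fl


def should_report(resp: Response, opt: Options) -> bool:
    """True when a matcher accepts the response and no filter catches it."""
    matched = resp.status in opt.match_codes or (
        bool(opt.match_regex) and re.search(opt.match_regex, resp.body) is not None)
    if not matched:
        return False
    filtered = (resp.status in opt.filter_codes
                or resp.size in opt.filter_sizes
                or resp.words in opt.filter_words
                or resp.lines in opt.filter_lines)
    return not filtered


def run(responses: list[Response], opt: Options) -> list[str]:
    """Return the FUZZ values ffuf would print under these options."""
    return [r.word for r in responses if should_report(r, opt)]


# Constructed responses: a catch-all page answers every unknown path with 200.
CATCHALL = "<html><body><h1>Welcome</h1><p>Page not found, try the menu.</p></body></html>\n"
SAMPLE = [
    Response("index", 200, "<html><body><h1>Shop</h1><ul><li>Home</li><li>Cart</li></ul></body></html>\n"),
    Response("admin", 403, "Forbidden\n"),
    Response("backup", 200, "db.sql.gz\nold.tar\n"),
    Response("login", 302, ""),
    Response("zzznotreal", 200, CATCHALL),
    Response("logout", 404, "Not found\n"),
]


def catchall_size() -> int:
    """Byte size of the catch-all page, i.e. the value you would pass to -fs."""
    return len(CATCHALL.encode())


if __name__ == "__main__":
    print("defaults:     ", run(SAMPLE, Options()))
    tuned = Options(match_codes=parse_codes("200,204,301,302,307,401,403"),
                    filter_sizes={catchall_size()})
    print("-mc ... -fs N:", run(SAMPLE, tuned))
```

With the defaults the catch-all hit for "zzznotreal" is reported alongside the real paths; adding `-fs` with the catch-all page's size removes it while keeping "index", whose size differs. In practice you learn that size by requesting a random path first and reading the size column.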
CAVEATS
High request rates can trigger WAFs or rate limiting; tune -t, -p and -rate accordingly and use responsibly. Requires a wordlist such as SecLists. Do not run against production sites without permission.
BASIC USAGE EXAMPLE
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u https://target.com/FUZZ -mc 200,204,301,302,307,401,403
POST FUZZING
ffuf -w params.txt -u https://target.com/api -X POST -d 'param=FUZZ' -fs 0
RECURSION
Add -recursion -recursion-depth 2 to the command to fuzz discovered subdirectories two levels deep
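Once a run has been saved with -o and -of json (see the basic usage example above), the next step is usually triage: a catch-all page shows up as many hits with the same response shape, and the right filter for a re-run can be read off that cluster. The following is an added example, not part of ffuf: a Python triage script over a constructed JSON report. The field names it relies on (results[].input.FUZZ, status, length, words, lines, url, redirectlocation) follow ffuf's JSON writer; the sample document, the host target.example and the helper _r are constructed for this example.

```python
"""Triage an ffuf JSON report (-o out.json -of json). Added example, not ffuf code."""
import json
from collections import Counter


def _r(word, status, length, words, lines, redirect=""):
    """Build one constructed result entry in the shape ffuf's JSON writer emits."""
    return {"input": {"FUZZ": word}, "position": 0, "status": status,
            "length": length, "words": words, "lines": lines,
            "content-type": "text/html; charset=utf-8",
            "redirectlocation": redirect,
            "url": f"https://target.example/{word}",
            "duration": 0, "resultfile": "", "host": "target.example"}


# Constructed report: four real paths plus six hits from a catch-all page that
# echoes the requested path, so its size varies but word/line counts do not.
SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -w common.txt -u https://target.example/FUZZ -o out.json -of json",
    "results": [
        _r("admin", 403, 199, 10, 5),
        _r("login", 302, 0, 0, 0, redirect="https://target.example/login/"),
        _r("backup", 200, 18, 2, 2),
        _r("index", 200, 1432, 210, 40),
    ] + [_r(w, 200, 512 + len(w), 42, 9)
         for w in ("zzz1", "zzz2", "foo-bar", "asdf", "qwerty", "nope")],
})


def load_results(text: str) -> list[dict]:
    """Return the results array of an ffuf JSON report."""
    return json.loads(text)["results"]


def shape(hit: dict) -> tuple[int, int, int]:
    """Response shape used for clustering: status, words, lines.

    Size is left out on purpose: a catch-all page that echoes the path
    has a different size per word, but the same word and line counts."""
    return (hit["status"], hit["words"], hit["lines"])


def dominant_shape(results: list[dict], min_share: float = 0.5, min_hits: int = 3):
    """A shape shared by most hits is a sign of a catch-all page; None otherwise."""
    counts = Counter(shape(h) for h in results)
    if not counts:
        return None
    top, n = counts.most_common(1)[0]
    if n >= min_hits and n / len(results) >= min_share:
        return top
    return None


def suggest_filter(results: list[dict]) -> list[str]:
    """ffuf flags that would hide the dominant cluster on a re-run."""
    top = dominant_shape(results)
    if top is None:
        return []
    _status, words, _lines = top
    # -fw survives an echoed path where -fs would not.
    return ["-fw", str(words)]


def triage(results: list[dict]) -> list[dict]:
    """Drop the catch-all cluster and sort the rest by status, then by word."""
    top = dominant_shape(results)
    keep = [h for h in results if top is None or shape(h) != top]
    return sorted(keep, key=lambda h: (h["status"], h["input"]["FUZZ"]))


def summarize(results: list[dict]) -> list[tuple[str, int, str]]:
    """(word, status, destination) rows; redirects show where they point."""
    return [(h["input"]["FUZZ"], h["status"], h["redirectlocation"] or h["url"])
            for h in triage(results)]


if __name__ == "__main__":
    hits = load_results(SAMPLE_JSON)
    print("re-run with:", " ".join(suggest_filter(hits)))
    for word, status, dest in summarize(hits):
        print(f"{status} {word:<10} {dest}")
```

Run against a real report with `load_results(open("out.json").read())`. The thresholds (at least three hits making up half the results) are a starting point; on a large wordlist the catch-all cluster is usually far more dominant than that.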
HISTORY
Developed by the ffuf project lead in 2018 as a faster alternative to tools such as gobuster. Open source on GitHub (projectdiscovery/ffuf) and actively maintained; v2+ introduced input modes, better performance, and JSON output. Popular in the Kali Linux repositories since 2020.
SEE ALSO
gobuster(1), dirb(1), wfuzz(1), feroxbuster(1)