ENNAENNA

ffuf

FeaturedMIT

🕸 Web Scanning · Go

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It's designed to be versatile, allowing you to fuzz any part of an HTTP request including URLs, headers, POST data, and more. ffuf supports multiple wordlists, custom matchers and filters, recursive scanning, and output in multiple formats. Its speed and flexibility have made it the go-to tool for directory discovery, parameter fuzzing, and virtual host enumeration in bug bounty and penetration testing.

16.0kstars
1.6kforks
226issues
Updated 18d ago
+I use this
▶ Video Tutorial
View on GitHubDocumentation

Installation

go install

$ go install github.com/ffuf/ffuf/v2@latest

brew (macOS)

$ brew install ffuf

apt (Kali)

$ sudo apt install ffuf

Use Cases

  • Directory and file discovery on web servers
  • GET/POST parameter fuzzing
  • Virtual host enumeration
  • API endpoint discovery
  • Custom header and cookie fuzzing

Tags

fuzzingdirectory-brutefastflexiblefuzzerinfosecpentestingweb

Details

Category
🕸 Web Scanning
Language
Go
Repository
ffuf/ffuf
License
MIT
Platforms
🐧linux🍎macos🪟windows

Links

GitHub Repository

github.com/ffuf/ffuf

Documentation

github.com/ffuf/ffuf/wiki

Releases

github.com/ffuf/ffuf/releases

Issues

github.com/ffuf/ffuf/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Used in 2 Workflows

🕸

Web Application Penetration Test

Intermediate · 6 steps · 1-5 days

🎯

Bug Bounty Recon Pipeline

Beginner · 7 steps · 2-4 hours

Community Reviews

Alternatives & Comparisons

Gobuster

Go

Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.

Compare ffuf vs Gobuster

Feroxbuster

Rust

Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.

Compare ffuf vs Feroxbuster

Burp Suite Community

Java

Web vulnerability scanner and proxy. Intercept, modify, and replay HTTP/S traffic for web app testing.

Compare ffuf vs Burp Suite Community

Wfuzz

Python

Web application fuzzer. Brute force parameters, directories, headers, and authentication credentials.

Compare ffuf vs Wfuzz

CRLFuzz

Go

CRLF injection scanner. Fast detection of HTTP response splitting vulnerabilities across multiple URLs.

Compare ffuf vs CRLFuzz

Smuggler

Python

HTTP request smuggling tester. Detects CL.TE, TE.CL, and TE.TE desync vulnerabilities in web servers and proxies.

Compare ffuf vs Smuggler

boofuzz

Python

Network protocol fuzzing framework and successor to the Sulley fuzzer.

Compare ffuf vs boofuzz

More in Web Scanning

httpx

Go

Fast multi-purpose HTTP toolkit. Probes for running HTTP servers with retries and fallbacks.

http-probetech-detectionprojectdiscovery

Nikto

Perl

Classic web server scanner. Tests for dangerous files, outdated server software, and version-specific problems.

web-serverclassiccgi-scan

Gobuster

Go

Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.

directory-brutedns-brutevhost

Feroxbuster

Rust

Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.

directory-bruterecursiverust

Burp Suite Community

Java

Web vulnerability scanner and proxy. Intercept, modify, and replay HTTP/S traffic for web app testing.

proxyweb-appinterceptor

Katana

Go

Next-gen crawling and spidering framework. Headless browser and standard mode with automatic form fill.

crawlerspiderheadless