ffuf
Featured · MIT · 🕸 Web Scanning · Go
ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It's designed to be versatile, allowing you to fuzz any part of an HTTP request including URLs, headers, POST data, and more. ffuf supports multiple wordlists, custom matchers and filters, recursive scanning, and output in multiple formats. Its speed and flexibility have made it the go-to tool for directory discovery, parameter fuzzing, and virtual host enumeration in bug bounty and penetration testing.
Installation
go install
$ go install github.com/ffuf/ffuf/v2@latest
brew (macOS)
$ brew install ffuf
apt (Kali)
$ sudo apt install ffuf
Use Cases
- Directory and file discovery on web servers
- GET/POST parameter fuzzing
- Virtual host enumeration
- API endpoint discovery
- Custom header and cookie fuzzing
Details
- Category: 🕸 Web Scanning
- Language: Go
- Repository: ffuf/ffuf
- License: MIT
Alternatives & Comparisons
Gobuster
Go · Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.
Feroxbuster
Rust · Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.
Wfuzz
Python · Web application fuzzer. Brute force parameters, directories, headers, and authentication credentials.
More in Web Scanning
httpx
Go · Fast multi-purpose HTTP toolkit. Probes for running HTTP servers with retries and fallbacks.
Nikto
Perl · Classic web server scanner. Tests for dangerous files, outdated server software, and version-specific problems.
Gobuster
Go · Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.
Feroxbuster
Rust · Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.
Burp Suite Community
Java · Web vulnerability scanner and proxy. Intercept, modify, and replay HTTP/S traffic for web app testing.
Katana
Go · Next-gen crawling and spidering framework. Headless browser and standard mode with automatic form fill.