Ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It has become a favorite tool among bug bounty hunters and penetration testers for its speed and flexibility. This guide covers ffuf installation, usage, and practical examples.
Installing Ffuf
# Using Go
go install github.com/ffuf/ffuf/v2@latest
# Kali Linux
sudo apt install ffuf
# From releases
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_linux_amd64.tar.gz
tar -xzf ffuf_linux_amd64.tar.gz
Basic Syntax
ffuf -u http://target.com/FUZZ -w wordlist.txt
# FUZZ keyword is replaced with each word from the wordlist
Directory Fuzzing
# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# With extensions
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak
# Recursive fuzzing
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
# Follow redirects
ffuf -u http://target.com/FUZZ -w wordlist.txt -r
Filtering Results
# Filter by status code
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404,403,500
# Match status codes
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302
# Filter by response size
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234
# Filter by word count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 50
# Filter by line count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 10
# Filter by regex
ffuf -u http://target.com/FUZZ -w wordlist.txt -fr "error|not found"
Subdomain Fuzzing
# Subdomain enumeration
ffuf -u http://FUZZ.target.com -w subdomains.txt
# Filter common false positive size
ffuf -u http://FUZZ.target.com -w subdomains.txt -fs 0
# With Host header
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 4242
Virtual Host Discovery
# Discover virtual hosts
ffuf -u http://192.168.1.100 -H "Host: FUZZ.target.com" -w vhosts.txt
# Filter by response size (find the default and filter it)
ffuf -u http://192.168.1.100 -H "Host: FUZZ" -w vhosts.txt -fs 10918
Parameter Fuzzing
# GET parameter names
ffuf -u "http://target.com/page?FUZZ=test" -w params.txt -fs 4242
# GET parameter values
ffuf -u "http://target.com/page?id=FUZZ" -w values.txt
# POST parameters
ffuf -u http://target.com/login -X POST -d "username=admin&password=FUZZ" -w passwords.txt
# POST with JSON
ffuf -u http://target.com/api -X POST -H "Content-Type: application/json" -d '{"user":"FUZZ"}' -w users.txt
Multiple Wordlists
# Two fuzzing points
ffuf -u http://target.com/FUZZ1/FUZZ2 -w wordlist1.txt:FUZZ1 -w wordlist2.txt:FUZZ2
# Username:password combinations
ffuf -u http://target.com/login -X POST -d "user=USER&pass=PASS" -w users.txt:USER -w passwords.txt:PASS
# Clusterbomb mode (all combinations)
ffuf -u http://target.com/FUZZ1/FUZZ2 -w list1.txt:FUZZ1 -w list2.txt:FUZZ2 -mode clusterbomb
Authentication
# With cookies
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123"
# With headers
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN"
# Basic auth
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic BASE64"
Output Options
# Save to file
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json
# Different formats
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.csv -of csv
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html
# Quiet mode (only results)
ffuf -u http://target.com/FUZZ -w wordlist.txt -s
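The size, word and line filters only help once you know what the baseline "miss" response looks like (the "find the default and filter it" step above). This Python script, added here as an example and not part of ffuf or this guide, reads a run saved with -o results.json, works out which metric has a dominant value, and prints the matching -fs/-fw/-fl flag plus the inputs that would survive it; the two sample runs and the row() helper are constructed for the example, while the JSON field names (results, input, status, length, words, lines) are the ones ffuf writes.

```python
"""Derive a ffuf filter flag from a saved run (-o results.json -of json)
so the rerun drops the dominant "soft 404" response pattern."""
import json
from collections import Counter

# ffuf JSON output: {"results": [{"input": {...}, "status": .., "length": .., "words": .., "lines": ..}]}
METRICS = {"length": "-fs", "words": "-fw", "lines": "-fl"}

def load_results(text):
    """Parse the JSON ffuf writes with -o FILE -of json."""
    return json.loads(text)["results"]

def noise_filter(results, min_share=0.5):
    """Return (flag, value) for the metric whose most common value covers the
    most results, or None if no value covers min_share of them (filtering on a
    non-dominant value hides real hits). Reflected input shifts length per
    request, so words or lines usually win on such pages."""
    if not results:
        return None
    best = None  # (flag, value, count)
    for metric, flag in METRICS.items():
        value, count = Counter(r[metric] for r in results).most_common(1)[0]
        if best is None or count > best[2]:
            best = (flag, value, count)
    if best[2] / len(results) < min_share:
        return None
    return best[0], str(best[1])

def outliers(results, flt):
    """Inputs that would survive the filter: the ones worth a human look."""
    metric = next(m for m, f in METRICS.items() if f == flt[0])
    return [r["input"] for r in results if str(r[metric]) != flt[1]]

def row(word, status, length, words, lines):  # constructed ffuf result entry
    return {"input": {"FUZZ": word}, "status": status, "length": length, "words": words, "lines": lines}

# Constructed sample 1: a static soft-404 page, identical for every miss.
STATIC = json.dumps({"results": [
    row("admin", 200, 4242, 310, 88), row("backup", 200, 4242, 310, 88),
    row("login", 200, 1530, 120, 40), row("old", 200, 4242, 310, 88),
    row("api", 301, 0, 1, 1)]})
# Constructed sample 2: the soft-404 page echoes the requested path, so
# length varies per word while word and line counts stay fixed.
REFLECTED = json.dumps({"results": [
    row("admin", 200, 4247, 310, 88), row("backup", 200, 4248, 310, 88),
    row("login", 200, 1530, 120, 40), row("old", 200, 4245, 310, 88)]})

if __name__ == "__main__":
    for name, text in (("static", STATIC), ("reflected", REFLECTED)):
        res = load_results(text)
        flt = noise_filter(res)
        print(name, "->", " ".join(flt), "| review:", [o["FUZZ"] for o in outliers(res, flt)])
```

ffuf's own -ac flag does a similar calibration at run time; this script applies the same idea after the fact, which is useful when you want to see why a filter value was chosen before rerunning with it.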
Performance Tuning
# Threads (default 40)
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 100
# Rate limiting
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100
# Timeout
ffuf -u http://target.com/FUZZ -w wordlist.txt -timeout 5
# Delay between requests
ffuf -u http://target.com/FUZZ -w wordlist.txt -p 0.1
Practical Examples
Find Backup Files
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .bak,.old,.backup,.zip,.tar.gz -fc 404
API Endpoint Discovery
ffuf -u http://target.com/api/v1/FUZZ -w api-endpoints.txt -mc 200,201,204,301,302,307,401,403
Credential Stuffing
ffuf -u http://target.com/login -X POST -d "username=USER&password=PASS" -w users.txt:USER -w passwords.txt:PASS -fc 401 -mode clusterbomb
LFI Testing
ffuf -u "http://target.com/page?file=FUZZ" -w lfi-payloads.txt -fr "error|warning|failed"
Summary
Ffuf is an incredibly fast and flexible fuzzing tool that should be in every pentester’s toolkit. Its filtering capabilities make it easy to find what you need, and the multiple wordlist feature enables complex fuzzing scenarios. Master the filtering options to efficiently handle different response patterns.
