Favicon of ffuf

ffuf

Fast web fuzzer for discovering directories, virtual hosts, and API endpoints through systematic HTTP request generation with wordlist payloads and intelligent filtering.

ffuf is a high-performance web fuzzer written in Go that helps security professionals identify hidden web application resources through rapid HTTP request generation. It uses the FUZZ keyword to inject payloads from wordlists into URLs, headers, and POST data, enabling comprehensive testing of web applications.

Key capabilities include:

  • Flexible fuzzing with custom keywords and multiple concurrent wordlists
  • Smart filtering by HTTP status codes, response sizes, and timing patterns
  • Recursive discovery to automatically explore nested directories and endpoints
  • High-speed execution with configurable threading and rate limiting
  • Multiple output formats including JSON and HTML for integration with security tools like Burp Suite
  • Auto-calibration to reduce false positives and improve accuracy

Common use cases include directory discovery, virtual host enumeration, parameter fuzzing, and API endpoint testing. The tool supports external mutators for advanced payload generation and configuration files for consistent testing profiles. Whether conducting authorized penetration tests or bug bounty assessments, ffuf delivers the speed and flexibility needed for thorough web application reconnaissance.

Features

Config fileJSON outputScriptable

Media

asciinema
asciinema

Pros

4
  • Fast web fuzzer written in Go
  • Supports directory, vhost, and API endpoint discovery
  • Intelligent filtering of responses
  • Can fuzz GET parameters, POST data, and virtual hosts

Related tools

Categories:

Share:

Auto-fetched .

Recent releases

Similar to ffuf

Favicon

 

  
 
Favicon

 

  
 
Favicon