The ffuf fuzzing tool (short for Fuzz Faster U Fool) is a Go-based web fuzzer that security professionals use to find hidden directories, parameters, and vulnerabilities in web applications. It is fast, flexible, and one of my go-to tools during any penetration test. This guide covers 10 practical examples that show what the ffuf fuzzing tool can do on a real engagement.
1. Basic Directory Discovery with the ffuf fuzzing tool
Directory discovery is the most common task for the ffuf fuzzing tool, and it handles it well. You give it a target URL and a wordlist, and the FUZZ keyword marks where each word from the list gets inserted.
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
This scans https://example.com/ using every entry in common.txt. Each hit gets a status code, size, and URL. I usually start here before moving to more targeted scans. Results come back in seconds, not minutes, because ffuf is built for speed.
2. Virtual Host Discovery
Web servers often host multiple sites on the same IP. You can use ffuf to find internal or staging hosts that are not publicly linked. The trick is fuzzing the Host header instead of the URL path.
ffuf -u https://target.com -w /usr/share/wordlists/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"
Any vhost that returns a different status code or page size is worth investigating. Internal admin panels and dev environments often show up this way.
3. GET and POST Parameter Fuzzing
Hidden parameters can unlock functionality the developer did not intend to expose. Ffuf lets you fuzz both GET query strings and POST body fields.
ffuf -u https://target.com/admin?FUZZ=test -w params.txt
The ffuf fuzzing tool handles POST requests with the -d flag and explicit method:
ffuf -u https://target.com/login -w params.txt -X POST -d "FUZZ=admin&password=test" -H "Content-Type: application/x-www-form-urlencoded"
Common hidden parameters include debug, test, source, and admin. I have found live debug endpoints this way more times than I can count.
4. File Extension Discovery with the ffuf fuzzing tool
After finding a directory, you often want to know what file types it serves. The ffuf fuzzing tool handles this with the -e flag, which appends extensions to each wordlist entry.
ffuf -u https://example.com/backup/FUZZ -w common.txt -e .php,.bak,.txt,.sql,.zip
This tries every word with each extension in turn. Backup files, database dumps, and configuration files are common finds. A single run can reveal sensitive data that was never meant to be public.
5. POST Login Brute Forcing
You can use ffuf to test weak credentials against login forms. Combine parameter fuzzing with a username and password wordlist.
ffuf -u https://target.com/login -w users.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS&submit=Login" -H "Content-Type: application/x-www-form-urlencoded" -fc 401
The -fc 401 flag filters out responses that return a 401 status code, leaving only successful logins. Ffuf supports multiple wordlists at once using colon-separated custom keywords like USER and PASS instead of the default FUZZ.
6. Recursive Directory Scanning
Some tools require separate commands for each directory level. The ffuf fuzzing tool can follow discovered directories automatically using recursion. This saves a lot of time on deeper assessments.
ffuf -u https://example.com/FUZZ -w common.txt -recursion -recursion-depth 2
The -recursion flag tells ffuf to scan each found directory using the same wordlist. The -recursion-depth parameter sets how many levels deep to go. A depth of 2 catches most interesting paths without running forever.
7. Filtering Results by Status Code, Size, and Words
Raw ffuf output can be noisy. Default responses like 404 pages and redirects clutter the results. Filter flags clean this up fast.
ffuf -u https://example.com/FUZZ -w common.txt -fc 404,403 -fs 1234
The -fc flag filters by HTTP status code. -fs filters by response size in bytes. You can also use -fw for word count and -fl for line count. I run a quick baseline scan first, note the size of the 404 page, then filter it out in subsequent runs. This cuts noise by 90 percent.
8. Rate Limiting and Concurrency Control
Ffuf is fast. Sometimes too fast. Sending thousands of requests per second can crash fragile applications or trigger rate limits and WAF blocks. Use the -rate and -t flags to stay under the radar.
ffuf -u https://example.com/FUZZ -w common.txt -t 10 -rate 50
The -t flag sets the number of concurrent threads. Start at 10 and adjust up or down. The -rate flag limits requests per second. For production targets I keep it under 100 to avoid detection.
9. Saving Output to Files
When running a full assessment you need to save results for the report. Ffuf supports multiple output formats.
ffuf -u https://example.com/FUZZ -w common.txt -o results.json -of json
The -o flag specifies the output file. The -of flag selects the format. Options include json, csv, md (markdown), html, and ejson (for easier parsing). I use JSON for scripting and markdown for client reports. The CSV format works well for importing into spreadsheets.
10. Why the ffuf fuzzing tool Beats Gobuster and Dirb
Gobuster and dirb are fine tools. They get the job done. But the ffuf fuzzing tool has a few clear advantages.
First, speed. Ffuf’s Go concurrency model handles hundreds of threads without breaking a sweat. Second, flexibility. You can fuzz any part of the request including headers, cookies, POST bodies, and URL paths using custom keyword placeholders. Third, filtering. The combination of -fc, -fs, -fw, and -fl gives you precise control over what results to show. Gobuster has some of these features but none match ffuf’s filter flexibility.
Installing Ffuf
Installation is straightforward on any Linux system. If you have Go installed, you can build from source. The easier route is grabbing a pre-built binary from the ffuf GitHub repository.
# Download the latest release
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_1.5.0_linux_amd64.tar.gz
tar -xzf ffuf_1.5.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/
# Or use go install
go install github.com/ffuf/ffuf/v2@latest
On Kali Linux and Parrot OS, ffuf comes pre-installed. Run ffuf -h to confirm it is available and see all options.
Getting Good Wordlists
Ffuf is only as good as the wordlist you feed it. The default SecLists collection by Daniel Miessler is the industry standard. You can clone it directly.
git clone https://github.com/danielmiessler/SecLists.git /usr/share/wordlists/SecLists
The most useful lists for ffuf are Discovery/Web-Content/common.txt, Discovery/Web-Content/directory-list-2.3-medium.txt, and Discovery/DNS/subdomains-top1million-5000.txt. For API testing, try Discovery/Web-Content/api/. For parameter fuzzing, use the burp-parameter-names.txt list in the same directory.
The ffuf fuzzing tool belongs in every penetration tester’s toolkit. It is fast, flexible, and handles everything from basic directory discovery to complex multi-wordlist parameter fuzzing. If you are doing web security assessments and have not tried it yet, now is the time. Pair it with tools like Nmap for network reconnaissance and SQLMap for database testing, and you have a solid foundation for any web application test. Check the official ffuf repository for the full documentation and more advanced usage patterns.