ffuf

Fast web fuzzer written in Go. Excellent for directories, files, parameters, vhosts.

Install:

go install github.com/ffuf/ffuf/v2@latest

Basic Usage

ffuf -w WORDLIST -u http://TARGET/FUZZ

The FUZZ keyword is replaced with each word from the wordlist.


Directory Fuzzing

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -u http://TARGET/FUZZ

# With status code filtering
ffuf -w wordlist.txt -u http://TARGET/FUZZ -mc 200,301,302

File Fuzzing


Recursive Fuzzing

Automatically fuzz discovered directories:

-ic = Ignore comments (lines starting with #)


Parameter Fuzzing

GET Parameters

POST Parameters

JSON Body


VHost / Subdomain Fuzzing


Filtering Output

Match Filters (include results)

| Flag | Description |
| --- | --- |
| -mc | Match status codes (default: 200,204,301,302,307,401,403,405,500) |
| -ms | Match response size |
| -mw | Match word count |
| -ml | Match line count |
| -mt | Match response time (e.g., >500 for > 500ms) |

Filter Filters (exclude results)

| Flag | Description |
| --- | --- |
| -fc | Filter (exclude) status codes |
| -fs | Filter response size |
| -fw | Filter word count |
| -fl | Filter line count |
| -fr | Filter by regex |
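
How the match and filter flags in the two tables combine, as an added example (not from the original page and not ffuf's own code). It models ffuf's default behaviour for the status, size, word and line flags only: a response is reported when at least one matcher accepts it and no filter applies. `Resp`, `is_reported`, `hits` and the sample responses are hypothetical names and constructed data.

```python
from dataclasses import dataclass

DEFAULT_MC = "200,204,301,302,307,401,403,405,500"  # default -mc from the table
FIELDS = {"c": "status", "s": "size", "w": "words", "l": "lines"}  # flag suffixes

@dataclass
class Resp:  # hypothetical record of one response
    word: str    # wordlist entry substituted for FUZZ
    status: int
    size: int    # response size in bytes
    words: int
    lines: int

def parse_spec(spec):
    """Turn '200,301-303' into a predicate; 'all' accepts every value."""
    if spec == "all":
        return lambda value: True
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda value: any(lo <= value <= hi for lo, hi in ranges)

def any_applies(specs, resp):
    return any(parse_spec(s)(getattr(resp, FIELDS[k])) for k, s in specs.items())

def is_reported(resp, match=None, filt=None):
    """match/filt map a flag suffix to a value spec, e.g. filt={'s': '1531'}.
    Reported = at least one matcher accepts it and no filter applies."""
    # Assumption: with no -m* flag given, only the default -mc list is used.
    if not any_applies(match or {"c": DEFAULT_MC}, resp):
        return False
    return not any_applies(filt or {}, resp)

# Constructed sample: unknown paths get a 200 "not found" page of fixed size
# (a soft 404), so status codes alone do not separate real hits from noise.
SAMPLE = [
    Resp("admin", 301, 178, 6, 8),
    Resp("backup", 200, 4242, 310, 95),
    Resp("nope1", 200, 1531, 88, 40),
    Resp("nope2", 200, 1531, 88, 40),
    Resp("missing", 404, 153, 9, 7),
]

def hits(match=None, filt=None):
    return [r.word for r in SAMPLE if is_reported(r, match, filt)]

if __name__ == "__main__":
    print(hits())                      # default -mc only
    print(hits(filt={"s": "1531"}))    # -fs 1531
```

The soft-404 entries pass the default status matcher and only drop out once the repeated response size is filtered, which is the usual reason to pair -mc with -fs, -fw or -fl.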

Examples


Multiple Wordlists

Use different keywords for multiple positions:


Authentication


Performance Options


Output


Proxy


Common Wordlists


Quick Reference Commands
