Scripts · May 4, 2026 · 3 min read

ffuf — Fast Web Fuzzer Written in Go

A fast and flexible web fuzzer for directory discovery, parameter brute-forcing, and virtual host enumeration used in penetration testing.

Introduction

ffuf (Fuzz Faster U Fool) is a web fuzzer written in Go that has become a standard tool for content discovery in penetration testing. Its speed, the freedom to place a keyword anywhere in the request, and its filtering and output options make it the usual replacement for older tools such as DirBuster and wfuzz.

What ffuf Does

  • Discovers hidden directories and files on web servers via wordlist-based fuzzing
  • Brute-forces GET and POST parameter names and values to find hidden or undocumented parameters
  • Enumerates virtual hosts and subdomains by fuzzing the Host header
  • Matches or filters results by status code, response size, word count, line count, regex, or response time
  • Supports multiple, user-named keywords (-w list:NAME) for multi-position fuzzing in a single request

Architecture Overview

ffuf is a single Go binary that sends HTTP requests in parallel from a configurable number of worker threads (-t). Each request replaces the keyword (FUZZ by default) with entries from one or more wordlists. A matcher/filter pipeline processes responses to suppress noise and surface interesting results; matchers decide what counts as a hit, filters then remove hits that look like the baseline. Results are printed to stdout or saved in JSON, CSV, HTML, or Markdown format.

Self-Hosting & Configuration

  • Install via go install, download a release binary, or use package managers
  • Provide wordlists via -w (supports multiple wordlists with different FUZZ keywords)
  • Configure request rate with -rate to avoid overwhelming targets
  • Set up ffufrc config file at ~/.ffufrc for persistent default options
  • Use -replay-proxy to send interesting matches through Burp Suite for further analysis
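A persistent-defaults file for the options listed above, as an added example rather than a file shipped with ffuf. The section and key names follow the ffufrc.example in the project repository; the values (rate cap, User-Agent, Burp address) are assumptions for an engagement and should be checked against the example file shipped with your installed version, since keys have been added between releases.

```toml
# ~/.ffufrc (example, not from the ffuf project): defaults applied to every run.
# Command-line flags still override anything set here.

[http]
    headers = [
        # identify your traffic to the blue team (assumed contact address)
        "User-Agent: acme-pentest/2026-05 (contact: security@acme.example)"
    ]
    replayproxyurl = "http://127.0.0.1:8080"   # send matched requests to Burp (assumed address)
    timeout = 10

[general]
    rate = 50              # requests per second; 0 means unlimited
    threads = 40
    autocalibration = true # same as passing -ac every time

[matcher]
    status = "200,204,301,302,307,401,403,405"
```

With this in place, a plain `ffuf -u https://target.example/FUZZ -w wordlist.txt` already runs rate-limited, auto-calibrated, and with hits replayed into Burp.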

Key Features

  • Multi-position fuzzing: each wordlist is bound to its own keyword (-w list:NAME, FUZZ being the default), and -mode clusterbomb, pitchfork, or sniper controls how the lists are combined
  • Matcher and filter chains for status codes, sizes, words, lines, regex, and response time, with -ac auto-calibration to derive the baseline filters automatically
  • Recursive scanning (-recursion, -recursion-depth) that queues directories found during a scan for further fuzzing, so a whole tree is explored from one invocation
  • HTTP/2 support (-http2) and configurable timeouts for modern web targets
  • Silent mode (-s) and machine-readable output for pipeline integration
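The three workflows listed under "What ffuf Does", combined with the rate cap, replay proxy, and multi-keyword options described above, as one wrapper script. This is an added example, not code from the ffuf project: the target URLs, wordlist paths, and the Burp address are placeholders you supply, and FFUF_DRY_RUN is a convenience of this script (it prints the command instead of running it), not a ffuf option.

```shell
#!/bin/sh
# Added example (not ffuf project code): thin wrapper giving every ffuf run the
# defaults a careful tester wants: a request-rate cap, auto-calibration, a timeout,
# JSON output, and optional replay of matches into Burp.

FFUF_RATE="${FFUF_RATE:-50}"                 # requests per second (-rate); assumed safe default
FFUF_REPLAY_PROXY="${FFUF_REPLAY_PROXY:-}"   # e.g. http://127.0.0.1:8080 for Burp; empty = off

# Run ffuf with the shared defaults plus the caller's arguments.
# First argument is the JSON output file. With FFUF_DRY_RUN=1 the command is printed, not run.
run_ffuf() {
    out="$1"; shift
    set -- ffuf -ac -rate "$FFUF_RATE" -timeout 10 -of json -o "$out" "$@"
    if [ -n "$FFUF_REPLAY_PROXY" ]; then
        set -- "$@" -replay-proxy "$FFUF_REPLAY_PROXY"
    fi
    if [ "${FFUF_DRY_RUN:-0}" = "1" ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Directory/file discovery: FUZZ goes at the end of the path, -e appends extensions,
# -mc lists the status codes worth seeing (403 and 401 still reveal that a path exists).
ffuf_dir() {   # ffuf_dir https://target.example /path/to/wordlist.txt
    run_ffuf dir.json -u "$1/FUZZ" -w "$2" -e .php,.bak \
        -mc 200,204,301,302,307,401,403,405
}

# Virtual host discovery: the URL stays fixed and the Host header is fuzzed.
# -fs drops responses the size of the default vhost's page; read that size off a
# first run without the filter (or rely on -ac).
ffuf_vhost() { # ffuf_vhost https://10.0.0.5 subdomains.txt example.com <baseline-size>
    run_ffuf vhost.json -u "$1" -w "$2" -H "Host: FUZZ.$3" -fs "$4"
}

# POST parameter discovery with two keywords: names from one list, values from another.
# -mode clusterbomb tries every name/value combination; pitchfork would pair them line by line.
ffuf_params() { # ffuf_params https://target.example/api/login params.txt values.txt
    run_ffuf params.json -u "$1" -X POST \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -w "$2:PARAM" -w "$3:VAL" -d "PARAM=VAL" -mode clusterbomb -fc 400,404
}
```

Source the file and call the function you need, e.g. `FFUF_REPLAY_PROXY=http://127.0.0.1:8080 ffuf_dir https://target.example words.txt`; each run leaves a JSON file you can feed into a results pipeline.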

Comparison with Similar Tools

  • gobuster — Go-based scanner with a simpler CLI; one keyword per run and a smaller set of matchers and filters
  • wfuzz — Python-based fuzzer with a similar feature set, but slower because of the Python runtime
  • DirBuster — legacy Java GUI tool, largely superseded by ffuf and gobuster
  • feroxbuster — Rust-based content discovery tool with recursion on by default; the closest alternative to ffuf for directory fuzzing

FAQ

Q: How fast is ffuf compared to other fuzzers? A: Considerably faster than Python-based fuzzers such as wfuzz; the exact ratio depends on the target and the network more than on the tool. It runs 40 concurrent threads by default, adjustable with -t, and -rate caps requests per second, which on a real engagement is usually the setting that matters.

Q: Can ffuf be used for API endpoint discovery? A: Yes. Use POST method with -X POST, add headers with -H, and fuzz request bodies with -d to test API endpoints.

Q: How do I reduce false positives? A: Start with -ac, which sends a few calibration requests with random names and automatically filters responses that share their signature. For what -ac misses, request a path you know does not exist, note its status, size, and word/line counts, and filter on them: -fc for status codes, -fs for response size, -fw/-fl for word and line counts, or -fr for a regex over the body.
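The calibration idea from the answer above, applied after the fact to a saved result set. This is an added example, not part of ffuf: it reads a CSV produced with `-of csv -o results.csv`, finds the most common (status, length, words, lines) signature, treats that as the baseline "not found" page, and prints only the rows that differ from it. Columns are located by header name, so the order ffuf writes them in does not matter; the sample data is constructed here using the header names ffuf uses.

```shell
#!/bin/sh
# Added example (not ffuf project code): surface the rows in a ffuf CSV that do not
# match the dominant response signature, which is what -ac would have filtered live.
# Assumes fields contain no commas (ffuf quotes them when they do; this simple
# splitter does not handle quoted fields).

# Constructed sample in ffuf's CSV layout: a catch-all page (200, 1234 bytes) is the noise.
write_sample_csv() {
    cat > "$1" <<'EOF'
FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://target.example/admin,,1,403,1234,120,30,text/html,12ms,
images,http://target.example/images,,2,200,1234,120,30,text/html,9ms,
backup,http://target.example/backup,,3,200,4520,310,88,text/html,15ms,
login,http://target.example/login,,4,200,1234,120,30,text/html,11ms,
.git,http://target.example/.git,,5,301,0,0,0,,8ms,
api,http://target.example/api,,6,200,1234,120,30,text/html,10ms,
EOF
}

# Print the most frequent "status,length,words,lines" signature in the CSV.
ffuf_baseline_signature() {
    awk -F',' '
    NR == 1 {
        for (i = 1; i <= NF; i++) col[$i] = i
        if (!("status_code" in col) || !("content_length" in col)) {
            print "unexpected header; is this a ffuf CSV?" > "/dev/stderr"; exit 2
        }
        next
    }
    {
        sig = $(col["status_code"]) "," $(col["content_length"]) "," \
              $(col["content_words"]) "," $(col["content_lines"])
        count[sig]++
    }
    END {
        best = ""; n = 0
        for (s in count) if (count[s] > n) { n = count[s]; best = s }
        print best
    }' "$1"
}

# Print every data row whose signature differs from the baseline (header-less CSV).
ffuf_drop_baseline() {
    base=$(ffuf_baseline_signature "$1") || return $?
    awk -F',' -v base="$base" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    {
        sig = $(col["status_code"]) "," $(col["content_length"]) "," \
              $(col["content_words"]) "," $(col["content_lines"])
        if (sig != base) print $0
    }' "$1"
}

# Run on a real ffuf CSV if one is given, otherwise on the constructed sample.
if [ "$#" -ge 1 ]; then
    ffuf_drop_baseline "$1"
else
    sample=$(mktemp); write_sample_csv "$sample"; ffuf_drop_baseline "$sample"; rm -f "$sample"
fi
```

On the sample the baseline is `200,1234,120,30`, so the script keeps `admin` (403 on the same page size, an access-controlled path), `backup` (a different page), and `.git` (a redirect) while dropping the three catch-all hits; the same signature, read off the baseline row, is what you would pass as `-fs 1234 -fw 120 -fl 30` on the next live run.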

Q: Does ffuf support authentication? A: Yes. Pass cookies with -b, or a token with -H "Authorization: Bearer ..." (repeat -H for each header). To route every request through an intercepting proxy such as Burp, use -x. -replay-proxy is different: it replays only the requests that matched through the proxy, so Burp's history shows the hits rather than the whole wordlist.
