Fuzz Faster U Fool: A fast web fuzzer written in Go.

To update or switch versions, run webi ffuf@stable (or @v2, @beta, etc).


These are the files / directories that are created and/or modified with this install:


Cheat Sheet

ffuf is a powerful web fuzzer written in Go. With a range of functionalities and fast performance, it's a must-have tool for penetration testers and security researchers.

ffuf mascot

Rotate through wordlists to discover and report exposed URLs, domains, etc.

# fuff -w <list>[:VAR] -u 'https://<target>/<VAR>'
fuff -w ./fuzz-Bo0oM.txt -u 'https://ffuf.io.fi/FUZZ
fuff \
    -w ./fuzz-Bo0oM.txt:'FUZZ_PATH' \
    -w ./subdomains-top1million-5000.txt:'FUZZ_SUB' \
    -u  'https://FUZZ_SUB.ffuf.io.fi/FUZZ_PATH'

How to get ffuf wordlists

Download   Source   Desc
onelistforallmicro.txt OneListForAll   Words, Paths, Files
fuzz-Bo0oM.txt SecLists/Fuzzing   Words, Paths, Files
subdomains-top1million-5000.txt SecLists/.../DNS   Common Subdomains
burp-parameter-names.txt SecLists/.../Web-Content   HTTP Query Params
urls-wordpress-3.3.1.txt SecLists/.../URLs   WordPress v3 Paths

These were pulled from the resources mentioned in ffuf wiki: Wordlistt Resources:

How to Discover Exposed Content

For typical directory discovery:

ffuf -w ./onelistforallmicro.txt:'FUZZ' -u https://example.com/FUZZ

How to check for Domain Fronting (VHost Discovery)

Assuming a default virtualhost response size:

ffuf \
    -w ./subdomains-top1million-5000.txt:'SUB' \
    -u https://example.com \
    -H "Host: SUB.example.com" \
    -fs 4242

How to Fuzz GET Parameters

For fuzzing GET parameter names:

ffuf \
    -w ./burp-parameter-names.txt:'KEY' \
    -u https://example.com/script.php?KEY=test_value \
    -fs 4242

More Resources

See ffuf wiki: https://github.com/ffuf/ffuf/wiki.


Report an Issue Submit Installer Star on GitHub