FFUF — Everything You Need To Know
FFUF, short for “Fuzz Faster you Fool” is an open-source web fuzzing tool written in Go programming language, intended for discovering elements and content within web applications, or web servers and can be found at https://github.com/ffuf/ffuf.
The tool is versatile and can be used for a variety of purposes. Some of its use cases are:
- General Directory discovery with the option to fuzz at any place in the URL.
- VHOST discovery without DNS Records
- Fuzzing using various HTTP methods.
What is Fuzzing?
Fuzzing is the automatic process of giving random input to an application to look for any errors or any unexpected behavior. But finding hidden directories and files on a web server can also be categorized under fuzzing.
Let’s talk about its installation then we will dive into the key features along with the examples.
Installation
Installation from Source
If you wish to install the latest stable build from the main
branch of the ffuf project, you can do so with:
go get github.com/ffuf/ffuf
After installing, ffuf will be available in ~/go/bin/ffuf
.
Installation from APT Repositories
You’ll also find FFUF in the apt repositories, allowing you to install by running:
sudo apt-get install ffuf
Basic Usage
The usage examples below show just the simplest tasks you can accomplish using ffuf
.
Directory Bruteforcing
At its core, one of the main functions that people use FFUF for is directory brute-forcing. With that in mind, let’s fuzz! It will simply replace the value of FUZZ
with the values in your wordlist.
{kiran@parrot} ~$ ffuf -c -w /usr/share/wordlists/dirb/small.txt -u https://ffuf.io.fi/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0-dev
________________________________________________
:: Method : GET
:: URL : https://ffuf.io.fi/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
secure [Status: 301, Size: 185, Words: 6, Lines: 8]
:: Progress: [959/959] :: Job [1/1] :: 163 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
Note that a result ‘secure’ has come up with a 301(redirect) response code. As none of the other endpoints responded, we will investigate this directory further.
Note that the -c flag means to colorize the output. The default was false.
Recursive Scanning
We can add recursion levels to our directory scanning to mention how much deep the scan should be performed. This is usually associated with the recursion-depth flag that tells FFUF how many times to perform this action (for example, if we find another layer under admin, should we proceed to another layer or stop?).
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -recursion -recursion-depth 2
Extensions
Often we may also want to look at files with extensions rather than only scanning for the directories. This can be invaluable for finding bugs when there’s a zip file or backup file of the same name.
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -e .bak, .zip
Fuzzing Multiple Locations
FFUF easily allows us to fuzz at multiple locations of the URL. This is done by assigning W1 to the directories wordlist and W2 to the domains wordlist, then using these two parameters in the URL replacing the FUZZ parameter.
ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2
Subdomains hunting
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -H "Host: FUZZ.ffuf.io.fi"
We can then filter out the results to match only 200 response code.
Matchers and Filters
Using matchers, FFUF will only output those results that match the conditions specified i.e it will remove all responses that do not match the matcher. You should use this option if you know what you want to keep.
Matching certain HTTP status codes only. (200 and 301 in this case.)
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -mc 200,301
Matching according to the amount of lines in response
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -ml 50
Matching according to HTTP response size
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -ms 350
Matching according to the words count in response
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -mw 200
Matching the regular expressions is also a beast feature of FFUF.
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -mr "root:"
As useful as matches are, filters being the inverse of matches can be just as, if not more useful. It will remove all the responses which match the filter. This is useful when you know what you want to remove (eg: if you have a default error page).
The filter flags and their usage are similar to the matchers i.e, -fc in place for -mc, -fr in place for -mr and likewise.
Requests Rate-Limiting
With the production servers and real-life bug hunting, you could easily end up overwhelming the servers with the enormous requests rate of FFUF. Thus we need request throttling and delays.
The p
flag specifies the seconds of delay between requests.
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -p 0.1
We can also control the rate of requests i.e, maximum number of requests that can be sent per second.
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -rate 10
Filter Auto-Calibration
This is really a useful feature integrated in FFUF that helps a lot in eliminating false positives.
The automatic calibration (ac) flag tells FFUF to send a number of pre-flight checks before brute forcing begins and to quantify common elements of those requests for further filtering. For example, FFUF may send random strings, and if each of those responses were a 200
response code, with a common content length, then that content length would be automatically filtered from future results.
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -ac
Another method is custom auto-calibration filtering in which instead of sending random pre-flight checks, we send a custom keyword to test (eg: “www”) and capture its content length and response code. Thus the only responses which have a different content length than the above will be highlighted in the output.
ffuf -w vhostnames.txt -u https://target -H "Host: FUZZ.target" -acc "www"
HTTP Options
Cookie-based Authentication
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -b "sessionId=cookie_val"
GET parameter fuzzing
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi?FUZZ=test_value
POST data fuzzing
ffuf -c -w /path/to/wordlist -X POST -d "username=admin&password=FUZZ" -u https://ffuf.io.fi/login.php
JSON POST data fuzzing
ffuf -w wordlist.txt -X PUT -u http://test.site/api/users/6 -H "Content-Type: application/json" -d "{'FUZZ':'test_val'}"
Input and Output Options
Raw HTTP request as the input
One of the easiest ways to work with complex queries is to simply save the request you’re working with from your intercepting proxy (such as Burp Suite), set your fuzzing paths, and then import it into FFUF for usage. You can do this with the request
flag in FFUF, as explained below.
First of all, save the raw request from Burp suite to a file let’s say request.txt.

Now we will add fuzzing points inside this request file. I will be brute-forcing the directories in this scene.

We can then open our request in FFUF, and instead of passing cookie information as an argument, we can use request
flag to pass all the required infos to FFUF. In this case, this would look like the following:
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -u http://site.com
Write output to a file
We can save the output in a variety of formats with the help of -of flag. The available formats are json, ejson, html, md, csv, ecsv (or, ‘all’ for all formats) (default: json).
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -of csv
Replay-Proxy
FFUF has a command within it, replay-proxy
to dictate. This will reroute successful commands (ones that hit your matches, and not your filters) to Burp Suite proxy for further investigation. Notably, this does mean that you’re doubling your requests, and this should be used in situations where it makes sense to do so.
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -replay-proxy http://127.0.0.1:8080
If you need to send all the traffic regardless successful or not, then you can instead use –x
which will replay all requests via the Burp Suite project.
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -x http://127.0.0.1:8080
There are still various features that I haven’t mentioned in this post. Details on everything can be found on their GitHub repository https://github.com/ffuf/ffuf.

Founder of cybersecnerds.com. Cybersecurity professional with 3+ years experience in offensive web security, cloud security and building systems.
I am a Linux envagelist and highly interested in source-code auditing. You will find me reading InfoSec blogs most of the time.