What is FFuf?
FFuf (Fuzz Faster U Fool) is a high-performance web fuzzer written in Go. It uses the keyword FUZZ as a placeholder anywhere in a request — URL path, headers, POST body, or parameters — and replaces it with entries from a wordlist. Security professionals use it for directory and file discovery, subdomain enumeration, parameter fuzzing, and virtual host scanning during authorized web application assessments.
Only use on systems you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
# Update packages
sudo apt update

# Install (pre-installed on Kali, otherwise:)
sudo apt install ffuf -y

# Verify installation
ffuf -V
Basic Usage
# Directory and file discovery (most common)
ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Specify file extensions
ffuf -u http://example.com/FUZZ -w common.txt -e .php,.html,.txt

# Filter out 404 responses (or any unwanted status code)
ffuf -u http://example.com/FUZZ -w common.txt -fc 404

# Filter by response size (hide responses of 1234 bytes)
ffuf -u http://example.com/FUZZ -w common.txt -fs 1234

# Subdomain enumeration
ffuf -u http://FUZZ.example.com -w subdomains.txt -H "Host: FUZZ.example.com"

# GET parameter fuzzing
ffuf -u http://example.com/page?id=FUZZ -w /usr/share/wordlists/dirb/common.txt

# POST body fuzzing
ffuf -u http://example.com/login -w passwords.txt \
  -X POST -d "username=admin&password=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded"

# Increase threads and add a delay (be polite)
ffuf -u http://example.com/FUZZ -w common.txt -t 50 -p 0.1

# Save output to a file
ffuf -u http://example.com/FUZZ -w common.txt -o results.json -of json
Key Flags
- -u — Target URL (place FUZZ anywhere in the URL)
- -w — Wordlist path
- -e — File extensions to append to each word
- -fc — Filter by HTTP status code (e.g. -fc 404,403)
- -fs — Filter by response size in bytes
- -fw — Filter by number of words in the response
- -t — Number of concurrent threads (default: 40)
- -p — Delay between requests in seconds
- -H — Add a custom HTTP header
- -X — HTTP method (GET, POST, PUT, etc.)
- -o — Output file; -of sets the format (json, csv, html)
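The -fs and -fc filters above only help once you know which response is the catch-all noise. The following added example (not part of the original page or of the ffuf project) reads a JSON report produced with -o results.json -of json, finds the dominant (status, length) signature, and proposes the filter flag for a re-run; the report embedded here is constructed, and the field names (results[].input.FUZZ, status, length, words, lines, url) follow ffuf's JSON output.

```python
import json
from collections import Counter

# Constructed sample of ffuf's "-of json" output, trimmed to the fields used below.
# Field names (results[].input.FUZZ, status, length, words, lines, url) follow ffuf's JSON report.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u http://example.com/FUZZ -w common.txt -o results.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"},      "status": 301, "length": 0,    "words": 1,   "lines": 1,  "url": "http://example.com/admin"},
        {"input": {"FUZZ": "backup"},     "status": 200, "length": 1234, "words": 80,  "lines": 20, "url": "http://example.com/backup"},
        {"input": {"FUZZ": "cgi-bin"},    "status": 200, "length": 1234, "words": 80,  "lines": 20, "url": "http://example.com/cgi-bin"},
        {"input": {"FUZZ": "config"},     "status": 200, "length": 1234, "words": 80,  "lines": 20, "url": "http://example.com/config"},
        {"input": {"FUZZ": "login"},      "status": 200, "length": 5120, "words": 300, "lines": 90, "url": "http://example.com/login"},
        {"input": {"FUZZ": "robots.txt"}, "status": 200, "length": 42,   "words": 4,   "lines": 3,  "url": "http://example.com/robots.txt"},
    ],
})


def baseline(results):
    """Most common (status, length) pair and how often it occurs.

    A site that answers every unknown path with the same 200 page produces one
    dominant signature; that is the response -fs (or -fc) should hide.
    """
    counts = Counter((r["status"], r["length"]) for r in results)
    (status, length), hits = counts.most_common(1)[0]
    return status, length, hits


def triage(ffuf_json_text, min_hits=2):
    """Split an ffuf JSON report into the noisy baseline and the hits worth a look."""
    results = json.loads(ffuf_json_text)["results"]
    status, length, hits = baseline(results)
    # A signature seen only once is never a baseline; only filter one that repeats.
    flags = f"-fs {length}" if hits >= min_hits else ""
    interesting = [
        {"word": r["input"]["FUZZ"], "status": r["status"], "length": r["length"], "url": r["url"]}
        for r in results
        if not (flags and r["status"] == status and r["length"] == length)
    ]
    return {"baseline": (status, length, hits), "suggested_flags": flags, "interesting": interesting}


if __name__ == "__main__":
    report = triage(SAMPLE_FFUF_JSON)
    print("baseline:", report["baseline"], "-> re-run with", report["suggested_flags"])
    for r in report["interesting"]:
        print(f'{r["status"]} {r["length"]:>6}  {r["url"]}')
```

ffuf's own -ac (auto-calibration) flag does a similar baseline check at runtime; this script is useful when you want to inspect a saved report after the fact.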
Common Use Cases
- Authorized penetration testing engagements
- CTF (Capture The Flag) challenges
- Internal security audits
- Bug bounty reconnaissance and testing
Further Reading
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using it in a live engagement.