Category: Web Application Analysis
Tags: web fuzzer, directory discovery, virtual host discovery, parameter fuzzing, pentesting

ffuf

ffuf is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery without DNS records, and GET and POST parameter fuzzing.

Description

ffuf is a fast web fuzzer written in Go. It is useful for pentesters, ethical hackers and forensic analysts, and can also be used for security testing.

It supports fuzzing file paths, host headers, POST JSON data, and multiple locations with different wordlists and keywords. Features include matching and filtering responses based on status codes, size, lines, words, regex, and timing.

Auto-calibration, colorized output, and various output formats like JSON, HTML, and CSV are available.

How It Works

ffuf fuzzes web applications by replacing keywords like FUZZ in URLs, headers, or POST data with wordlist entries. It sends HTTP requests (GET, POST, etc.) using specified methods, headers, and protocols (HTTP/1.1 or HTTP/2). Responses are matched or filtered using criteria such as status codes, response size, line/word counts, regex patterns, or timing to first byte. Multi-wordlist modes (clusterbomb, pitchfork, sniper) enable fuzzing multiple parameters simultaneously. Auto-calibration adjusts filters based on baseline responses.

Installation

```bash
sudo apt install ffuf
```

Flags

| Flag | Description |
|---|---|
| `-H` | Header "Name: Value", separated by colon. Multiple -H flags are accepted. |
| `-X` | HTTP method to use |
| `-b` | Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality. |
| `-cc` | Client cert for authentication. Client key needs to be defined as well for this to work |
| `-ck` | Client key for authentication. Client certificate needs to be defined as well for this to work |
| `-d` | POST data |
| `-http2` | Use HTTP2 protocol (default: false) |
| `-ignore-body` | Do not fetch the response content. (default: false) |
| `-V` | Show version information. (default: false) |
| `-ac` | Automatically calibrate filtering options (default: false) |
| `-acc` | Custom auto-calibration string. Can be used multiple times. Implies -ac |
| `-ach` | Per host auto-calibration (default: false) |
| `-ack` | Auto-calibration keyword (default: FUZZ) |
| `-acs` | Custom auto-calibration strategies. Can be used multiple times. Implies -ac |
| `-c` | Colorize output. (default: false) |
| `-config` | Load configuration from a file |
| `-mc` | Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500) |
| `-ml` | Match amount of lines in response |
| `-mmode` | Matcher set operator. Either of: and, or (default: or) |
| `-mr` | Match regexp |
| `-ms` | Match HTTP response size |
| `-mt` | Match how many milliseconds to the first response byte, either greater or less than. e.g. >100 or <100 |
| `-mw` | Match amount of words in response |
| `-fc` | Filter HTTP status codes from response. Comma separated list of codes and ranges |
| `-fl` | Filter by amount of lines in response. Comma separated list of line counts and ranges |
| `-fmode` | Filter set operator. Either of: and, or (default: or) |
| `-fr` | Filter regexp |
| `-fs` | Filter HTTP response size. Comma separated list of sizes and ranges |
| `-ft` | Filter by number of milliseconds to the first response byte, either greater or less than. e.g. >100 or <100 |
| `-fw` | Filter by amount of words in response. Comma separated list of word counts and ranges |
| `-D` | DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false) |
| `-e` | Comma separated list of extensions. Extends FUZZ keyword. |
| `-enc` | Encoders for keywords, e.g. 'FUZZ:urlencode b64encode' |
| `-ic` | Ignore wordlist comments (default: false) |
| `-input-cmd` | Command producing the input. --input-num is required when using this input method. Overrides -w. |
| `-input-num` | Number of inputs to test. Used in conjunction with --input-cmd. (default: 100) |
| `-input-shell` | Shell to be used for running command |
| `-mode` | Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb) |
| `-debug-log` | Write all of the internal logging to the specified file. |
| `-o` | Write output to file |
| `-od` | Directory path to store matched results to. |
| `-of` | Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json) |
| `-or` | Don't create the output file if we don't have results (default: false) |
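To make the matcher and filter semantics concrete, here is a small Python model (added here, not ffuf's own code) of how the -mc/-fc, -ms/-fs, -mw/-fw, -ml/-fl, -mr/-fr and -mt/-ft specs combine under -mmode/-fmode: a response is reported only when the matchers pass and no filter drops it. The Response class and the sample values are constructed for illustration; the real tool's edge cases (for example which defaults are replaced when you give your own matcher) are not reproduced.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Constructed stand-in for the parts of an HTTP response ffuf inspects."""
    status: int
    size: int      # bytes, compared by -ms/-fs
    words: int     # compared by -mw/-fw
    lines: int     # compared by -ml/-fl
    body: str      # searched by -mr/-fr
    ttfb_ms: int   # milliseconds to first byte, compared by -mt/-ft


def parse_ranges(spec):
    """Turn '200-299,301,302' into inclusive (lo, hi) pairs; 'all' covers everything."""
    if spec == "all":
        return [(0, float("inf"))]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def time_ok(ttfb_ms, spec):
    """-mt/-ft take '>100' or '<100' (milliseconds to first byte)."""
    op, threshold = spec[0], int(spec[1:])
    return ttfb_ms > threshold if op == ">" else ttfb_ms < threshold


def evaluate(resp, matchers, filters, mmode="or", fmode="or"):
    """Report the response if the matchers pass and the filters do not drop it.
    matchers/filters map a flag suffix (c, s, w, l, r, t) to its spec string,
    e.g. matchers={"c": "all"}, filters={"s": "42"} for '-mc all -fs 42'."""
    checks = {
        "c": lambda spec: in_ranges(resp.status, parse_ranges(spec)),
        "s": lambda spec: in_ranges(resp.size, parse_ranges(spec)),
        "w": lambda spec: in_ranges(resp.words, parse_ranges(spec)),
        "l": lambda spec: in_ranges(resp.lines, parse_ranges(spec)),
        "r": lambda spec: re.search(spec, resp.body) is not None,
        "t": lambda spec: time_ok(resp.ttfb_ms, spec),
    }
    m = [checks[k](v) for k, v in matchers.items()]
    f = [checks[k](v) for k, v in filters.items()]
    matched = (all(m) if mmode == "and" else any(m)) if m else True
    filtered = (all(f) if fmode == "and" else any(f)) if f else False
    return matched and not filtered
```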

Examples

Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output.

```bash
ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
```

Fuzz Host-header, match HTTP 200 responses.

```bash
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
```

Fuzz POST JSON data. Match all responses not containing text "error".

```bash
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
```

Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.

```bash
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
```

Show help and all available flags.

```bash
ffuf -h
```

Show version information.

```bash
ffuf -V
```
Updated 2026-04-16 (kali.org)