ffuf v0.9 releases: Fast web fuzzer written in Go

ffuf – Fuzz Faster U Fool

A fast web fuzzer written in Go.

Heavily inspired by the great projects gobuster and wfuzz.


  • Fast!
  • Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
  • Silent mode (-s) for clean output that’s easy to use in pipes to other processes.
  • Modularized architecture that allows integration with existing toolchains with reasonable effort
  • Easy-to-add filters and matchers (they are interoperable)

Changelog v0.9

4ba3433 Release 0.9 (#27)
5cae980 Add wildcard option to status code matcher (#26)
87c4e11 Correctly add entries without extension identifier
4b0be68 Add -e flag to append extensions to wordlist entries and -D for DirSearch wordlist format compatiiblity
d1e87c3 Add -e flag for Extensions. Replaces %EXT% in the given wordlist
950a9e8 Fix verifytls (#22)
404e413 skip ssl check by default (#17)
ddf2a4d Fixed typo. (#16)
b9c9c92 Connection error handling, and options to stop execution (#15)
d5fe00e Update README.md (#14)
5336135 Add option to follow redirects (#13)
9934cfd Add output to CSV file (#12)
ab09685 Add go.mod (#11)
a8b7b56 Bump version (#10)
504a87e Merge pull request #9 from ffuf/update_readme
9aa7e3c Update README


  • Download a prebuilt binary from releases page, unpack and run! or
  • If you have Go compiler installed: go get github.com/ffuf/ffuf


To define the test case for ffuf, use the keyword FUZZ anywhere in the URL (-u), headers (-H), or POST data (-d).

 -H "Name: Value"
    	Header "Name: Value", separated by colon. Multiple -H flags are accepted.
  -V	Show version information.
  -X string
    	HTTP method to use. (default "GET")
  -c	Colorize output.
  -d string
    	POST data.
  -fc string
    	Filter HTTP status codes from response
  -fr string
    	Filter regexp
  -fs string
    	Filter HTTP response size
  -fw string
    	Filter by amount of words in response
  -k	Skip TLS identity verification (insecure)
  -mc string
    	Match HTTP status codes from respose (default "200,204,301,302,307,401,403")
  -mr string
    	Match regexp
  -ms string
    	Match HTTP response size
  -mw string
    	Match amount of words in response
  -p delay
    	Seconds of delay between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -s	Do not print additional information (silent mode)
  -t int
    	Number of concurrent threads. (default 40)
  -u string
    	Target URL
  -w string
    	Wordlist path






Typical directory discovery


By using the FUZZ keyword at the end of URL (-u):

ffuf -w /path/to/wordlist -u https://target/FUZZ

Virtual host discovery (without DNS records)


Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242) while fuzzing the Host – header:

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

GET parameter fuzzing

GET parameter name fuzzing is very similar to directory discovery and works by defining the FUZZ keyword as a part of the URL. This also assumes a response size of 4242 bytes for invalid GET parameter name.

ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242

If the parameter name is known, the values can be fuzzed in the same way. This example assumes a wrong parameter value returning HTTP response code 401.

ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401

POST data fuzzing

This is a very straightforward operation, again by using the FUZZ keyword. This example is fuzzing only part of the POST request. We’re again filtering out the 401 responses.

ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401




Copyright (c) 2018 Joona Hoikkala

Source: https://github.com/ffuf/