FFUF (Fuzz Faster U Fool) has become one of the defining tools of modern web application penetration testing. Written in Go by joohoi, it is blindingly fast, highly configurable, and flexible enough to replace several specialized tools with a single binary. Whether you are hunting for hidden directories, brute-forcing GET/POST parameters, enumerating subdomains, or testing for injection points, FFUF handles it all through a simple FUZZ keyword substitution model.
This guide walks through installation, core usage patterns, filtering techniques, and real-world workflows used in bug bounty and professional pentesting engagements.
Installing FFUF
FFUF is preinstalled on Kali Linux. To install or update it manually:
go install github.com/ffuf/ffuf/v2@latest
Or grab a prebuilt binary from the GitHub releases page:
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/
Verify:
ffuf -V
The FUZZ Keyword
FFUF’s core concept is simple: place the FUZZ keyword anywhere in a URL, header, body, or parameter name, and FFUF replaces it with entries from your wordlist. This single mechanism covers dozens of use cases.
Directory and File Fuzzing
The most common use case is discovering hidden directories and files:
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
Adding File Extensions
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -e .php,.html,.txt,.bak,.old
Recursive Fuzzing
FFUF can recurse into discovered directories automatically:
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
Filtering Responses
Without filtering, FFUF returns everything. Filtering is where FFUF truly shines over simpler tools.
Filter by HTTP Status Code
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404,403
Filter by Response Size
Useful when a 200 response always returns the same “not found” page with a consistent size:
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234
Filter by Word Count or Line Count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 10
ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 52
Match Instead of Filter
Use -mc to only show specific status codes:
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,204,301,302
Subdomain Enumeration
Point the FUZZ keyword at the subdomain position and use the Host header:
ffuf -u http://target.com -H "Host: FUZZ.target.com" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-fs 4242
The -fs filter removes the default “no such host” page size so only real subdomains appear.
GET Parameter Fuzzing
Discover hidden GET parameters on a known endpoint:
ffuf -u "http://target.com/page?FUZZ=value" \
-w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-fs 1024
POST Data Fuzzing
Fuzz the body of POST requests:
ffuf -u http://target.com/login \
-X POST \
-d "username=admin&password=FUZZ" \
-H "Content-Type: application/x-www-form-urlencoded" \
-w /usr/share/wordlists/rockyou.txt \
-fc 401
For JSON bodies:
ffuf -u http://target.com/api/login \
-X POST \
-d '{"username":"admin","password":"FUZZ"}' \
-H "Content-Type: application/json" \
-w passwords.txt \
-fc 401
Multiple Wordlists (Cluster Bomb Mode)
FFUF supports multiple FUZZ positions using named keywords. Use FUZZ, W2, W3, or any name you choose, assigned by appending :NAME to the wordlist (the same suffix works with -input-cmd, which feeds a position from an external command instead of a file):
ffuf -u http://target.com/FUZZ/W2 \
-w /wordlist1.txt:FUZZ \
-w /wordlist2.txt:W2 \
-mode clusterbomb
Modes available:
clusterbomb — every combination of all wordlists (default)
pitchfork — parallel iteration, entry 1 from each list together
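To make the two modes concrete, here is an added Python sketch (not FFUF's own code) that expands a keyword template into the requests each mode would send and sizes the run against a -rate value. The wordlists, the template and the rate are constructed assumptions.

```python
from itertools import product

# Constructed wordlists standing in for "-w wordlist1.txt:FUZZ -w wordlist2.txt:W2".
WORDLISTS = {
    "FUZZ": ["admin", "api", "static"],
    "W2": ["index.php", "config.bak"],
}

def inputs_for_mode(wordlists, mode):
    """Return one {keyword: value} dict per request, pairing the wordlists the
    way each ffuf mode does. clusterbomb tries every combination; pitchfork
    takes the i-th entry of every list together and stops at the shortest."""
    keys = list(wordlists)
    columns = [wordlists[k] for k in keys]
    if mode == "clusterbomb":
        combos = product(*columns)
    elif mode == "pitchfork":
        combos = zip(*columns)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return [dict(zip(keys, combo)) for combo in combos]

def render(template, values):
    """Substitute every keyword into a URL, header or body template."""
    for keyword, value in values.items():
        template = template.replace(keyword, value)
    return template

def request_plan(template, wordlists, mode, rate):
    """Concrete requests for the run and the seconds it needs at -rate req/s."""
    urls = [render(template, v) for v in inputs_for_mode(wordlists, mode)]
    return urls, len(urls) / rate

if __name__ == "__main__":
    for mode in ("clusterbomb", "pitchfork"):
        urls, seconds = request_plan("http://target.com/FUZZ/W2", WORDLISTS, mode, rate=100)
        print(f"{mode}: {len(urls)} requests, about {seconds:.2f}s at -rate 100")
        for url in urls:
            print("  ", url)
```

The request count is what decides whether a cluster bomb run is feasible under a throttled -rate; pitchfork grows linearly with the shortest list instead.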
Rate Limiting and Throttling
FFUF is aggressively fast by default. Control the rate to avoid crashing servers or triggering WAF blocks:
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100 -t 10
| Flag | Description |
|---|---|
| -rate | Maximum requests per second |
| -t | Number of concurrent goroutines (threads) |
| -p | Delay between requests (e.g., 0.1 for 100ms) |
Saving and Resuming Output
Save results in multiple formats:
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.csv -of csv
Using FFUF with a Proxy
Route traffic through Burp Suite for inspection:
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080
This lets you replay and inspect interesting requests manually.
Real-World Workflow Example
Here is a typical FFUF workflow for a web application assessment:
# Step 1: Quick directory discovery
ffuf -u http://target.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-mc 200,204,301,302,403 \
-o dirs.json -of json
# Step 2: File discovery with extensions
ffuf -u http://target.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .php,.bak,.txt,.conf \
-mc 200,204 \
-o files.json -of json
# Step 3: Parameter discovery on a specific endpoint
ffuf -u "http://target.com/api/search?FUZZ=test" \
-w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-fs 512
Tips for Bug Bounty Programs
- Start with small, fast wordlists (raft-small) and escalate to larger ones only when needed
- Always filter by response size — most applications return a consistent “not found” page
- Check the -ac auto-calibration flag — FFUF can auto-detect and filter the baseline response:
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac
- Use -v for verbose output to see full URLs and redirect chains
- Combine with Burp Suite to manually validate every interesting finding
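The size-filtering advice above and the -of json output from the workflow come together in this added Python triage script (not part of FFUF or this guide): it reads a saved results file, picks out the recurring length of the catch-all page the way -ac does, and reports the hits that survive the equivalent -fs filter, grouped by status code. The JSON sample is constructed to follow the shape of FFUF's JSON output.

```python
import json
from collections import Counter

# Constructed sample shaped like ffuf's "-o results.json -of json" output:
# a top-level "results" list with one entry per hit. Three of the five hits
# share length 1234, which is the catch-all "not found" page leaking through.
SAMPLE_JSON = """{
  "commandline": "ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json",
  "results": [
    {"input": {"FUZZ": "admin"},      "status": 301, "length": 178,  "url": "http://target.com/admin"},
    {"input": {"FUZZ": "foo"},        "status": 200, "length": 1234, "url": "http://target.com/foo"},
    {"input": {"FUZZ": "bar"},        "status": 200, "length": 1234, "url": "http://target.com/bar"},
    {"input": {"FUZZ": "baz"},        "status": 200, "length": 1234, "url": "http://target.com/baz"},
    {"input": {"FUZZ": "backup.bak"}, "status": 200, "length": 5120, "url": "http://target.com/backup.bak"}
  ]
}"""

def load_results(text):
    """Return the list of hits from ffuf's JSON output."""
    return json.loads(text)["results"]

def baseline_length(results, min_share=0.3):
    """Guess the catch-all page as the most frequent response length, if it
    accounts for at least min_share of all hits; None when nothing dominates.
    This is the idea behind -ac, applied after the fact to saved results."""
    if not results:
        return None
    length, n = Counter(r["length"] for r in results).most_common(1)[0]
    return length if n / len(results) >= min_share else None

def triage(results, drop_length=None):
    """Drop hits whose length equals drop_length (what -fs does at scan time),
    then group the survivors' FUZZ words by status code."""
    grouped = {}
    for r in results:
        if r["length"] != drop_length:
            grouped.setdefault(r["status"], []).append(r["input"]["FUZZ"])
    return grouped

if __name__ == "__main__":
    results = load_results(SAMPLE_JSON)
    base = baseline_length(results)
    print(f"baseline length {base}: rerun with -fs {base} to suppress it")
    for status, words in sorted(triage(results, base).items()):
        print(status, ", ".join(words))
```

Replace SAMPLE_JSON with the contents of dirs.json or files.json from the workflow above to triage a real run; the reported length is the value to pass to -fs on the next pass.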
Summary
FFUF is the Swiss Army knife of web fuzzing. Its FUZZ keyword model, powerful filtering options, and raw speed make it the preferred choice over older tools like Nikto or DirBuster for content discovery. Invest time learning its filter flags — the difference between a useful scan and an unusable wall of noise is almost entirely in how well you filter your results.