ffuf — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Fast Go-based web fuzzer — directory busting, parameter discovery, virtual host enumeration. Fastest in class.

Use case: Web ApplicationDifficulty: Beginner → IntermediateHomepage: https://github.com/ffuf/ffuf

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Go install

go install github.com/ffuf/ffuf/v2@latest

Linux (apt)

sudo apt install ffuf

Docker

docker run --rm -it secsi/ffuf -u https://target.com/FUZZ -w wordlist.txt

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Directory enumeration

ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

Subdomain (vhost) enum

ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 0

Parameter discovery (GET)

ffuf -u "https://target.com/api?FUZZ=test" -w params.txt -fc 404

POST data fuzz

ffuf -u https://target.com/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fc 401

Multi-wordlist (cluster bomb)

ffuf -u "https://target.com/FUZZ/USER" -w paths:FUZZ -w users:USER -mode clusterbomb

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -t 100 default. Bump to -t 200 on robust targets, drop to -t 20 on production.
  • -rate 100 caps requests/sec absolutely — predictable for SLA-constrained scans.
  • -fc 404,400 filters by status. -fs SIZE filters by response size — essential for vhost enum where 404s come back as 200.
  • -mc all -ac auto-calibrates filters from baseline 404s — powerful for soft-404 sites.
  • Output JSON (-of json -o results.json) for jq processing; ffuf log lines are huge.
  • -recursion -recursion-depth 2 for cascading directory busts — but watch wall-clock time explode.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Default wordlists in seclists are massive (700k+ entries). Pick raft-medium for sane runtime.
  • -fs 0 filters empty responses — important for vhost enum but accidentally hides legitimate empty 200s.
  • Some WAFs serve identical-size 200s to hide directories — combine size + word-count filters: -fw 50,55.
  • Rate-limit responses (429) get treated as findings unless explicitly filtered — clutter.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • gobuster — slightly slower, more options for DNS modes.
  • dirsearch — Python, larger wordlists bundled.
  • feroxbuster — Rust, recursive by default.

India context and engagement notes

ffuf is the bug-bounty hunter’s grunt-work tool. For Indian DPDP scoping: ffuf against subdomains finds open admin panels, exposed /backup/, /old/, /test/ directories that shouldn’t be there. Half of all DPDP breaches start at one of these.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants