Fast Go-based web fuzzer — directory busting, parameter discovery, virtual host enumeration. Fastest in class.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Go install
go install github.com/ffuf/ffuf/v2@latest
Linux (apt)
sudo apt install ffuf
Docker
docker run --rm -it secsi/ffuf -u https://target.com/FUZZ -w wordlist.txt
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Directory enumeration
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Subdomain (vhost) enum
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 0
Parameter discovery (GET)
ffuf -u "https://target.com/api?FUZZ=test" -w params.txt -fc 404
POST data fuzz
ffuf -u https://target.com/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fc 401
Multi-wordlist (cluster bomb)
ffuf -u "https://target.com/FUZZ/USER" -w paths:FUZZ -w users:USER -mode clusterbomb
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
-t 100default. Bump to-t 200on robust targets, drop to-t 20on production.-rate 100caps requests/sec absolutely — predictable for SLA-constrained scans.-fc 404,400filters by status.-fs SIZEfilters by response size — essential for vhost enum where 404s come back as 200.-mc all -acauto-calibrates filters from baseline 404s — powerful for soft-404 sites.- Output JSON (
-of json -o results.json) for jq processing; ffuf log lines are huge. -recursion -recursion-depth 2for cascading directory busts — but watch wall-clock time explode.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default wordlists in seclists are massive (700k+ entries). Pick raft-medium for sane runtime.
-fs 0filters empty responses — important for vhost enum but accidentally hides legitimate empty 200s.- Some WAFs serve identical-size 200s to hide directories — combine size + word-count filters:
-fw 50,55. - Rate-limit responses (429) get treated as findings unless explicitly filtered — clutter.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- gobuster — slightly slower, more options for DNS modes.
- dirsearch — Python, larger wordlists bundled.
- feroxbuster — Rust, recursive by default.
India context and engagement notes
ffuf is the bug-bounty hunter’s grunt-work tool. For Indian DPDP scoping: ffuf against subdomains finds open admin panels, exposed /backup/, /old/, /test/ directories that shouldn’t be there. Half of all DPDP breaches start at one of these.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.