FFuf (Fuzz Faster U Fool) is one of the fastest web fuzzing tools available. Written in Go, it outperforms older tools like DirBuster and Gobuster in speed and flexibility. This tutorial walks you through using FFuf to discover hidden directories, endpoints, subdomains, and parameters during a penetration test or bug bounty engagement.
Installing FFuf
FFuf ships as a single binary with no dependencies.
# From GitHub releases
wget https://github.com/ffuf/ffuf/releases/latest/download/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/
# Or via Go
go install github.com/ffuf/ffuf/v2@latest
# Kali/Parrot
sudo apt install ffuf
Verify with ffuf -V.
Wordlists
FFuf is only as good as your wordlists. The best sources:
- SecLists (
/usr/share/seclists/ on Kali): Discovery/Web-Content/directory-list-2.3-medium.txt
- dirbuster wordlists:
common.txt, small.txt
- assetnote: large curated lists available at wordlists.assetnote.io
Install SecLists on Debian/Ubuntu:
sudo apt install seclists
Basic Directory Fuzzing
The FUZZ keyword is a placeholder FFuf replaces with wordlist entries.
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Useful flags
| Flag | Purpose |
|---|
-u | Target URL with FUZZ keyword |
-w | Wordlist path |
-t | Threads (default 40, increase carefully) |
-fc | Filter by HTTP status code (e.g., -fc 404) |
-mc | Match specific status codes (e.g., -mc 200,301) |
-fs | Filter by response size |
-fw | Filter by word count |
-o | Output file |
-of | Output format: json, csv, html |
Filter noise
Most scans return thousands of 404s. Filter them:
ffuf -u https://target.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-fc 404,403 \
-t 50
If the 404 page is dynamic (different size each time), filter by size:
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
File Extension Fuzzing
Discover backup files, PHP sources, and config files:
ffuf -u https://target.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .php,.bak,.txt,.zip,.old,.conf
This appends each extension to every wordlist entry — great for finding config.php.bak, index.php~, and similar developer mistakes.
Subdomain Fuzzing
ffuf -u https://FUZZ.target.com \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-H "Host: FUZZ.target.com" \
-fs 0
Using the Host header technique works even when subdomains don’t have separate DNS entries (virtual hosting).
GET Parameter Fuzzing
Discover hidden query parameters:
ffuf -u "https://target.com/page?FUZZ=value" \
-w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-fw 39
Then fuzz parameter values once you find interesting parameters:
ffuf -u "https://target.com/page?id=FUZZ" \
-w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
POST Body Fuzzing
ffuf -u https://target.com/login \
-X POST \
-d "username=admin&password=FUZZ" \
-w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
-H "Content-Type: application/x-www-form-urlencoded" \
-mc 302
Multiple FUZZ Keywords
FFuf supports multiple keywords using -w wordlist1:W1 -w wordlist2:W2:
ffuf -u https://target.com/W1/W2 \
-w dirs.txt:W1 \
-w files.txt:W2 \
-fc 404
Saving and Reviewing Output
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-o results.json \
-of json \
-fc 404
Parse with jq:
cat results.json | jq '.results[] | {url, status, length}'
Rate Limiting and Stealth
Avoid triggering WAFs or getting banned:
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-t 10 \
-p 0.1 \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
-p 0.1: 100ms delay between requests
-t 10: reduce thread count
- Use
-replay-proxy to send interesting results through Burp Suite for further analysis
Practical Bug Bounty Workflow
- Passive recon: identify in-scope subdomains
- Subdomain fuzzing: find virtual hosts
- Directory fuzzing: common.txt first (fast), then medium wordlist
- File extension sweep: on discovered directories
- Parameter discovery: on dynamic pages
- Manual review: investigate all 200/301/302 results in Burp
FFuf’s speed makes it ideal for running multiple concurrent scans across different endpoints. Pair it with httpx for probing live hosts and nuclei for automated vulnerability checks on discovered paths.
Legal Reminder
Only fuzz systems you own or have explicit written permission to test. Unauthorized scanning is illegal and unethical.