ffuf

Fast web fuzzer written in Go

12,220

1,261

12,220

204

View on GitHub

Top Related Projects

gobuster

9,540

Directory/File, DNS and VHost busting tool written in Go

httpx

7,441

httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library.

assetfinder

2,964

Find domains and subdomains related to a given domain

nuclei

19,837

Fast and customizable vulnerability scanner based on simple YAML based DSL.

Quick Overview

FFUF is a fast web fuzzer written in Go. It is designed to be a powerful tool for web application security testing, allowing users to discover hidden web content and potential vulnerabilities. FFUF supports a wide range of input types, including wordlists, payloads, and custom headers, and can be used to perform various types of web application testing, such as directory/file discovery, parameter fuzzing, and more.

Pros

Fast and Efficient: FFUF is written in Go, which makes it a fast and efficient tool for web application testing.
Highly Configurable: FFUF offers a wide range of configuration options, allowing users to customize their testing workflows to suit their specific needs.
Extensive Functionality: FFUF supports a wide range of input types and can be used to perform various types of web application testing, making it a versatile tool for security professionals.
Active Development: FFUF is actively maintained and developed, with regular updates and improvements.

Cons

Learning Curve: FFUF may have a steeper learning curve compared to some other web fuzzing tools, especially for users who are new to the command-line interface.
Limited GUI: FFUF is primarily a command-line tool, which may not be preferred by some users who prefer a graphical user interface (GUI).
Potential False Positives: Like any web fuzzing tool, FFUF may generate false positive results, which can require additional manual verification.
Potential Legal/Ethical Concerns: Web application testing can potentially be considered a form of hacking, so users should be aware of the legal and ethical implications of using FFUF.

Getting Started

To get started with FFUF, you can follow these steps:

Install Go on your system if you haven't already. You can download the latest version of Go from the official website: https://golang.org/dl/
Install FFUF using the Go package manager:

go install github.com/ffuf/ffuf@latest

Once FFUF is installed, you can run it with the following command to perform a basic directory/file discovery:

ffuf -w /path/to/wordlist.txt -u http://example.com/FUZZ

This command will use the wordlist specified by the -w flag to test for the existence of directories and files on the target website.

You can customize the FFUF command with various options to suit your specific testing needs. For example, you can use the -c flag to enable color output, the -t flag to set the number of concurrent requests, and the -o flag to save the results to a file.

ffuf -w /path/to/wordlist.txt -u http://example.com/FUZZ -c -t 50 -o results.txt

For more information on using FFUF, you can refer to the project's documentation: https://github.com/ffuf/ffuf

Competitor Comparisons

gobuster

9,540

Directory/File, DNS and VHost busting tool written in Go

Pros of Gobuster

Built-in DNS and VHOST enumeration modes
Supports multiple wordlist formats (line-based, JSON, CSV)
Extensive CLI options for fine-tuned control

Cons of Gobuster

Slower performance compared to ffuf
Less flexible output formatting options
Limited support for custom HTTP headers

Code Comparison

ffuf:

for scanner.Scan() {
    word := strings.TrimSpace(scanner.Text())
    if len(word) > 0 {
        ch <- word
    }
}

Gobuster:

for scanner.Scan() {
    line := scanner.Text()
    if line != "" {
        wordChan <- line
    }
}

Both projects use similar approaches for reading wordlists, but ffuf's implementation includes trimming whitespace.

Key Differences

ffuf focuses on high-performance fuzzing with extensive customization options
Gobuster offers a broader range of enumeration modes (directory, DNS, VHOST)
ffuf provides more advanced output formatting and reporting features
Gobuster has a simpler codebase and may be easier for beginners to understand

Use Cases

Choose ffuf for high-speed web fuzzing and complex payload generation
Opt for Gobuster when DNS or VHOST enumeration is required alongside directory brute-forcing
ffuf is better suited for advanced users who need fine-grained control over requests and responses
Gobuster is a good choice for users who prefer a straightforward tool with built-in enumeration modes

dirsearch

11,823

Web path scanner

Pros of dirsearch

Built-in wordlists and extensive configuration options
Supports multiple output formats (plain text, JSON, CSV, XML)
Includes a web-based reporting interface for easier result analysis

Cons of dirsearch

Generally slower performance compared to ffuf
Less flexible in terms of custom payload generation
More complex setup and usage for advanced scenarios

Code Comparison

dirsearch:

def setup_reports(self):
    report_types = self.arguments.output_format or ["plain"]
    for output in report_types:
        if output not in self.output:
            self.output[output] = getattr(self, f"{output.lower()}_output")()

ffuf:

func (j *Job) prepareRequest() (*fflib.Request, error) {
    req, err := fflib.NewRequest(j.Method, j.Url, j.Data)
    if err != nil {
        return nil, err
    }
    return req, nil
}

Both projects aim to perform directory and file brute-forcing, but they differ in implementation and features. dirsearch offers more built-in options and reporting capabilities, while ffuf focuses on speed and flexibility. The code snippets showcase dirsearch's Python-based approach with output formatting, contrasting with ffuf's Go implementation emphasizing efficient request preparation.

httpx

7,441

httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library.

Pros of httpx

Faster and more efficient for large-scale HTTP probing and analysis
Built-in support for various HTTP-based technologies and protocols
More comprehensive output options and data extraction capabilities

Cons of httpx

Less focused on fuzzing and directory/file discovery
May require additional tools for more specialized web application testing
Steeper learning curve for users familiar with simpler tools

Code Comparison

httpx:

package main

import "github.com/projectdiscovery/httpx/runner"

func main() {
    options := runner.Options{}
    runner.New(&options).Run()
}

ffuf:

package main

import "github.com/ffuf/ffuf/pkg/ffuf"

func main() {
    opts := ffuf.NewOptions()
    f := ffuf.New(opts)
    f.Run()
}

Both tools are written in Go and have similar high-level structures. However, httpx is designed for broader HTTP analysis, while ffuf focuses on fuzzing and discovery tasks. httpx offers more built-in features for HTTP interactions, while ffuf provides a simpler interface for fuzzing-specific operations.

assetfinder

2,964

Find domains and subdomains related to a given domain

Pros of assetfinder

Specifically designed for discovering subdomains and related assets
Lightweight and fast, focusing on a single task
Integrates multiple data sources for comprehensive results

Cons of assetfinder

Limited to asset discovery, lacks the versatility of ffuf
May require additional tools for further enumeration or testing
Less actively maintained compared to ffuf

Code Comparison

assetfinder:

func main() {
    domain := flag.String("domain", "", "The domain to find assets for")
    flag.Parse()
    for result := range assetfinder.Run(*domain) {
        fmt.Println(result)
    }
}

ffuf:

func main() {
    flag.Parse()
    if err := ffuf.New().Run(); err != nil {
        log.Fatalf("Encountered error: %v", err)
    }
}

Key Differences

assetfinder is focused on asset discovery, while ffuf is a versatile fuzzing tool
ffuf offers more customization options and supports various fuzzing techniques
assetfinder is simpler to use for quick subdomain enumeration
ffuf has a larger community and more frequent updates
assetfinder is better suited for specific asset discovery tasks, while ffuf excels in broader web application testing scenarios

nuclei

19,837

Fast and customizable vulnerability scanner based on simple YAML based DSL.

Pros of Nuclei

More versatile with support for various protocols (HTTP, DNS, TCP, etc.)
Extensive template library for detecting vulnerabilities and misconfigurations
Community-driven with a large number of contributors and regular updates

Cons of Nuclei

Steeper learning curve due to its more complex template system
Can be slower for simple fuzzing tasks compared to ffuf's focused approach
Requires more setup and configuration for basic use cases

Code Comparison

ffuf example:

ffuf -w wordlist.txt -u https://example.com/FUZZ

Nuclei example:

id: example-template
info:
  name: Example Template
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}/{{.Word}}"
    payloads:
      word: wordlist.txt

While ffuf excels in straightforward fuzzing tasks with a simple command-line interface, Nuclei offers a more comprehensive security testing framework with its template-based approach. ffuf is generally faster and easier to use for basic fuzzing, while Nuclei provides greater flexibility and depth for complex security assessments across multiple protocols.

aquatone

5,601

A Tool for Domain Flyovers

Pros of Aquatone

Specialized in web screenshot and visual reconnaissance
Integrates with other tools for comprehensive web application scanning
Provides visual output for easier analysis of results

Cons of Aquatone

More focused on visual aspects, less versatile for general fuzzing
May require additional tools for comprehensive security testing
Less actively maintained compared to ffuf

Code Comparison

Aquatone (Go):

func takeScreenshot(url string, timeout int) (*[]byte, error) {
    ctx, cancel := chromedp.NewContext(context.Background())
    defer cancel()
    ctx, cancel = context.WithTimeout(ctx, time.Duration(timeout)*time.Second)
    defer cancel()
    // ... (screenshot capture logic)
}

ffuf (Go):

func (j *Job) runTask(ctx context.Context, task Task) Result {
    var res Result
    res.Input = task.Input
    res.Position = task.Position
    // ... (fuzzing logic)
    return res
}

Summary

Aquatone specializes in visual reconnaissance of web applications, offering screenshot capabilities and integration with other tools. It's particularly useful for visual analysis but may be less versatile for general fuzzing tasks. ffuf, on the other hand, is a more versatile and actively maintained fuzzing tool, focusing on various types of web fuzzing without the visual component. The choice between the two depends on the specific requirements of the security testing or reconnaissance task at hand.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

ffuf mascot

ffuf - Fuzz Faster U Fool

A fast web fuzzer written in Go.

Installation

Download a prebuilt binary from releases page, unpack and run!

or
If you are on macOS with homebrew, ffuf can be installed with: brew install ffuf

or
If you have recent go compiler installed: go install github.com/ffuf/ffuf/v2@latest (the same command works for updating)

or
git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build

Ffuf depends on Go 1.16 or greater.

Example usage

The usage examples below show just the simplest tasks you can accomplish using ffuf.

More elaborate documentation that goes through many features with a lot of examples is available in the ffuf wiki at https://github.com/ffuf/ffuf/wiki

For more extensive documentation, with real life usage examples and tips, be sure to check out the awesome guide: "Everything you need to know about FFUF" by Michael Skelton (@codingo).

You can also practise your ffuf scans against a live host with different lessons and use cases either locally by using the docker container https://github.com/adamtlangley/ffufme or against the live hosted version at http://ffuf.me created by Adam Langley @adamtlangley.

Typical directory discovery

By using the FUZZ keyword at the end of URL (-u):

ffuf -w /path/to/wordlist -u https://target/FUZZ

Virtual host discovery (without DNS records)

Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242)while fuzzing the Host - header:

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

GET parameter fuzzing

GET parameter name fuzzing is very similar to directory discovery, and works by defining the FUZZ keyword as a part of the URL. This also assumes a response size of 4242 bytes for invalid GET parameter name.

ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242

If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.

ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401

POST data fuzzing

This is a very straightforward operation, again by using the FUZZ keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.

ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401

Maximum execution time

If you don't want ffuf to run indefinitely, you can use the -maxtime. This stops the entire process after a given time (in seconds).

ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime 60

When working with recursion, you can control the maxtime per job using -maxtime-job. This will stop the current job after a given time (in seconds) and continue with the next one. New jobs are created when the recursion functionality detects a subdirectory.

ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2

It is also possible to combine both flags limiting the per job maximum execution time as well as the overall execution time. If you do not use recursion then both flags behave equally.

Using external mutator to produce test cases

For this example, we'll fuzz JSON data that's sent over POST. Radamsa is used as the mutator.

When --input-cmd is used, ffuf will display matches as their position. This same position value will be available for the callee as an environment variable $FFUF_NUM. We'll use this position value as the seed for the mutator. Files example1.txt and example2.txt contain valid JSON payloads. We are matching all the responses, but filtering out response code 400 - Bad request:

ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400

It of course isn't very efficient to call the mutator for each payload, so we can also pre-generate the payloads, still using Radamsa as an example:

# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt

# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf

ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400

Configuration files

When running ffuf, it first checks if a default configuration file exists. Default path for a ffufrc file is $XDG_CONFIG_HOME/ffuf/ffufrc. You can configure one or multiple options in this file, and they will be applied on every subsequent ffuf job. An example of ffufrc file can be found here.

A more detailed description about configuration file locations can be found in the wiki: https://github.com/ffuf/ffuf/wiki/Configuration

The configuration options provided on the command line override the ones loaded from the default ffufrc file. Note: this does not apply for CLI flags that can be provided more than once. One of such examples is -H (header) flag. In this case, the -H values provided on the command line will be appended to the ones from the config file instead.

Additionally, in case you wish to use bunch of configuration files for different use cases, you can do this by defining the configuration file path using -config command line flag that takes the file path to the configuration file as its parameter.

Usage

To define the test case for ffuf, use the keyword FUZZ anywhere in the URL (-u), headers (-H), or POST data (-d).

Fuzz Faster U Fool - v2.1.0

HTTP OPTIONS:
  -H                  Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X                  HTTP method to use
  -b                  Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -cc                 Client cert for authentication. Client key needs to be defined as well for this to work
  -ck                 Client key for authentication. Client certificate needs to be defined as well for this to work
  -d                  POST data
  -http2              Use HTTP2 protocol (default: false)
  -ignore-body        Do not fetch the response content. (default: false)
  -r                  Follow redirects (default: false)
  -raw                Do not encode URI (default: false)
  -recursion          Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth    Maximum recursion depth. (default: 0)
  -recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
  -replay-proxy       Replay matched requests using this proxy.
  -sni                Target TLS SNI, does not support FUZZ keyword
  -timeout            HTTP request timeout in seconds. (default: 10)
  -u                  Target URL
  -x                  Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080

GENERAL OPTIONS:
  -V                  Show version information. (default: false)
  -ac                 Automatically calibrate filtering options (default: false)
  -acc                Custom auto-calibration string. Can be used multiple times. Implies -ac
  -ach                Per host autocalibration (default: false)
  -ack                Autocalibration keyword (default: FUZZ)
  -acs                Custom auto-calibration strategies. Can be used multiple times. Implies -ac
  -c                  Colorize output. (default: false)
  -config             Load configuration from a file
  -json               JSON output, printing newline-delimited JSON records (default: false)
  -maxtime            Maximum running time in seconds for entire process. (default: 0)
  -maxtime-job        Maximum running time in seconds per job. (default: 0)
  -noninteractive     Disable the interactive console functionality (default: false)
  -p                  Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -rate               Rate of requests per second (default: 0)
  -s                  Do not print additional information (silent mode) (default: false)
  -sa                 Stop on all error cases. Implies -sf and -se. (default: false)
  -scraperfile        Custom scraper file path
  -scrapers           Active scraper groups (default: all)
  -se                 Stop on spurious errors (default: false)
  -search             Search for a FFUFHASH payload from ffuf history
  -sf                 Stop when > 95% of responses return 403 Forbidden (default: false)
  -t                  Number of concurrent threads. (default: 40)
  -v                  Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:
  -mc                 Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500)
  -ml                 Match amount of lines in response
  -mmode              Matcher set operator. Either of: and, or (default: or)
  -mr                 Match regexp
  -ms                 Match HTTP response size
  -mt                 Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -mw                 Match amount of words in response

FILTER OPTIONS:
  -fc                 Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fl                 Filter by amount of lines in response. Comma separated list of line counts and ranges
  -fmode              Filter set operator. Either of: and, or (default: or)
  -fr                 Filter regexp
  -fs                 Filter HTTP response size. Comma separated list of sizes and ranges
  -ft                 Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -fw                 Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS:
  -D                  DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
  -e                  Comma separated list of extensions. Extends FUZZ keyword.
  -enc                Encoders for keywords, eg. 'FUZZ:urlencode b64encode'
  -ic                 Ignore wordlist comments (default: false)
  -input-cmd          Command producing the input. --input-num is required when using this input method. Overrides -w.
  -input-num          Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
  -input-shell        Shell to be used for running command
  -mode               Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
  -request            File containing the raw http request
  -request-proto      Protocol to use along with raw request (default: https)
  -w                  Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -debug-log          Write all of the internal logging to the specified file.
  -o                  Write output to file
  -od                 Directory path to store matched results to.
  -of                 Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
  -or                 Don't create the output file if we don't have results (default: false)

EXAMPLE USAGE:
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Colored, verbose output.
    ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

  Fuzz Host-header, match HTTP 200 responses.
    ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

  Fuzz POST JSON data. Match all responses not containing text "error".
    ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
      -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

  Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
    ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

  More information and examples: https://github.com/ffuf/ffuf

Interactive mode

By pressing ENTER during ffuf execution, the process is paused and user is dropped to a shell-like interactive mode:

entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help

available commands:
 afc  [value]             - append to status code filter 
 fc   [value]             - (re)configure status code filter 
 afl  [value]             - append to line count filter 
 fl   [value]             - (re)configure line count filter 
 afw  [value]             - append to word count filter 
 fw   [value]             - (re)configure word count filter 
 afs  [value]             - append to size filter 
 fs   [value]             - (re)configure size filter 
 aft  [value]             - append to time filter 
 ft   [value]             - (re)configure time filter 
 rate [value]             - adjust rate of requests per second (active: 0)
 queueshow                - show job queue
 queuedel [number]        - delete a job in the queue
 queueskip                - advance to the next queued job
 restart                  - restart and resume the current ffuf job
 resume                   - resume current ffuf job (or: ENTER) 
 show                     - show results for the current job
 savejson [filename]      - save current matches to a file
 help                     - you are looking at it
>

in this mode, filters can be reconfigured, queue managed and the current state saved to disk.

When (re)configuring the filters, they get applied posthumously and all the false positive matches from memory that would have been filtered out by the newly added filters get deleted.

The new state of matches can be printed out with a command show that will print out all the matches as like they would have been found by ffuf.

As "negative" matches are not stored to memory, relaxing the filters cannot unfortunately bring back the lost matches. For this kind of scenario, the user is able to use the command restart, which resets the state and starts the current job from the beginning.

License

ffuf is released under MIT license. See LICENSE.

Top Related Projects

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot