Automic VaultAutomic Vault

brew

Install ffuf with Homebrew, apk, apt, dnf, MacPorts, Nix, scoop, winget

Fast web fuzzer written in Go. Version 2.1.0 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install ffuf

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install ffuf

MacPorts ports tree · security/ffuf/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add ffuf

Alpine Linux edge package indexes · ffuf · source: dl-cdn.alpinelinux.org

Debian aptverified · 92%
sudo apt install ffuf

Debian stable package indexes · ffuf · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install ffuf

Fedora Rawhide package metadata · ffuf · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#ffuf

nixpkgs package indexes · pkgs/by-name/ff/ffuf/package.nix · source: api.github.com

Windows

Scoopverified · 92%
scoop install main/ffuf

Scoop official bucket manifest trees · bucket/ffuf.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id ffuf.ffuf -e

Windows Package Manager source index · ffuf.ffuf · source: cdn.winget.microsoft.com

overview

Package summary

Fast web fuzzer written in Go

Commands and aliases

  • ffuf

history

Project history and usage

ffuf is a Go-based web fuzzer whose name expands to Fuzz Faster U Fool. It became a standard CLI in web-security workflows because it makes content discovery, virtual-host discovery, parameter fuzzing, request mutation, filtering, replay, and automation fit into one fast binary.

Project history

The GitHub project was created in November 2018, and the first release listed by the GitHub API is v0.1 on the same date. The README has consistently described the tool as a fast web fuzzer written in Go, with examples centered on the `FUZZ` keyword embedded in URLs, headers, and request bodies.

By the v2 release line, the README documented a broad set of operational features: recursive discovery, multiple matchers and filters, auto-calibration, rate limiting, request replay through a proxy, JSON output, external input commands, and an interactive mode.

Adoption history

ffuf is packaged widely for security practitioners, including Homebrew, Debian/Ubuntu, Fedora, MacPorts, Nix, Scoop, winget, and Alpine according to the package facts in this batch. The repository metadata also shows a large public GitHub audience for a focused security CLI.

Its adoption follows a familiar package-manager path for Go security tools: a single static-friendly executable, a clear upstream release page, documented `go install` support, and examples that map directly to common bug-bounty and penetration-testing tasks.

How it is used

The core usage pattern is `ffuf -w wordlist -u https://target/FUZZ`, then refine results with status-code, size, word, line, regex, or timing matchers and filters. The README also documents virtual-host fuzzing with a Host header, GET and POST parameter fuzzing, external mutators such as Radamsa, recursion, per-job time limits, and JSON output.

ffuf reads a default config file from `$XDG_CONFIG_HOME/ffuf/ffufrc` when present. Command-line options override values from that default file, while repeatable flags such as headers are appended.

Why package nerds care

ffuf matters in package collections because it is a small, high-demand security tool with frequent real-world use and simple installation expectations. Users expect it to be present in developer laptops, security workstations, and reproducible lab environments without compiling Go code by hand.

Timeline

  • 2018: GitHub project created and v0.1 released.
  • 2023: v2.1.0 released in the GitHub release stream cited for this record.
  • 2026: Repository metadata showed continued activity and broad public adoption.

Related projects

  • The README documents external mutator use with Radamsa and practice targets such as ffufme. In package culture it sits near other web-content discovery and fuzzing tools used by penetration testers.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 12 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
$XDG_CONFIG_HOME/ffuf/ffufrc

executables

Installed executables

CommandKindExposureNote
ffufcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.1.0
manager updated
local dataok
upstreamcurrent
latest detectedv2.1.0

https://github.com/ffuf/ffuf

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:ffuf
Version2.1.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/ffuf
Homepagehttps://github.com/ffuf/ffuf
Repositoryhttps://github.com/ffuf/ffuf
Upstream docshttps://github.com/ffuf/ffuf#readme
LicenseMIT
Source archivehttps://github.com/ffuf/ffuf/archive/refs/tags/v2.1.0.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, monterey, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameffuf
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

ffuf 2.1.0-1+b9

Fast web fuzzer written in Go (program)

https://github.com/ffuf/ffuf

sudo apt install ffuf
  • Section: devel
  • Architecture: amd64
  • Source Package: ffuf
  • 1 dependencies
  • normalized package name match
  • Matched by: Ffuf
Debian stable package indexes · deb.debian.org · Debian stable package indexes: ffuf from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

ffuf

nix profile install nixpkgs#ffuf
  • normalized package name match
  • Matched by: Ffuf
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ff/ffuf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

ffuf 2.1.0-1

Fast web fuzzer written in Go (program)

https://github.com/ffuf/ffuf

sudo apt install ffuf
  • Section: universe/devel
  • Architecture: amd64
  • 1 dependencies
  • normalized package name match
  • Matched by: Ffuf
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: ffuf from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
apk95%

ffuf 2.1.0-r22

fast web fuzzer written in Go

https://github.com/ffuf/ffuf

sudo apk add ffuf
  • License: MIT
  • Architecture: x86_64
  • Source Package: ffuf
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Ffuf
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: ffuf from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

ffuf-doc 2.1.0-r22

fast web fuzzer written in Go (documentation)

https://github.com/ffuf/ffuf

sudo apk add ffuf-doc
  • License: MIT
  • Architecture: x86_64
  • Source Package: ffuf
  • normalized package name match
  • Matched by: Ffuf
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: ffuf-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
dnf95%

ffuf 2.1.0-7.fc44

Fast web fuzzer written in Go

https://github.com/ffuf/ffuf

sudo dnf install ffuf
  • License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND MIT
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: ffuf
  • 3 dependencies
  • 2 provides
  • normalized package name match
  • Matched by: Ffuf
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: ffuf from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
MacPorts95%

ffuf

sudo port install ffuf
  • normalized package name match
  • Matched by: Ffuf
MacPorts ports tree · api.github.com · MacPorts ports tree: security/ffuf/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

main/ffuf

scoop install main/ffuf
  • normalized package name match
  • Matched by: Ffuf
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/ffuf.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

ffuf.ffuf

winget install --id ffuf.ffuf -e
  • normalized package name match
  • Matched by: Ffuf
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: ffuf.ffuf from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment