macOS
brew install ffuflocal Homebrew formula metadata
sudo port install ffufMacPorts ports tree · security/ffuf/Portfile · source: api.github.com
brew
Fast web fuzzer written in Go. Version 2.1.0 via Homebrew; verified from local package data.
install
brew install ffuflocal Homebrew formula metadata
sudo port install ffufMacPorts ports tree · security/ffuf/Portfile · source: api.github.com
sudo apk add ffufAlpine Linux edge package indexes · ffuf · source: dl-cdn.alpinelinux.org
sudo apt install ffufDebian stable package indexes · ffuf · source: deb.debian.org
sudo dnf install ffufFedora Rawhide package metadata · ffuf · source: dl.fedoraproject.org
nix profile install nixpkgs#ffufnixpkgs package indexes · pkgs/by-name/ff/ffuf/package.nix · source: api.github.com
scoop install main/ffufScoop official bucket manifest trees · bucket/ffuf.json · source: api.github.com
winget install --id ffuf.ffuf -eWindows Package Manager source index · ffuf.ffuf · source: cdn.winget.microsoft.com
overview
Fast web fuzzer written in Go
history
ffuf is a Go-based web fuzzer whose name expands to Fuzz Faster U Fool. It became a standard CLI in web-security workflows because it makes content discovery, virtual-host discovery, parameter fuzzing, request mutation, filtering, replay, and automation fit into one fast binary.
The GitHub project was created in November 2018, and the first release listed by the GitHub API is v0.1 on the same date. The README has consistently described the tool as a fast web fuzzer written in Go, with examples centered on the `FUZZ` keyword embedded in URLs, headers, and request bodies.
By the v2 release line, the README documented a broad set of operational features: recursive discovery, multiple matchers and filters, auto-calibration, rate limiting, request replay through a proxy, JSON output, external input commands, and an interactive mode.
ffuf is packaged widely for security practitioners, including Homebrew, Debian/Ubuntu, Fedora, MacPorts, Nix, Scoop, winget, and Alpine according to the package facts in this batch. The repository metadata also shows a large public GitHub audience for a focused security CLI.
Its adoption follows a familiar package-manager path for Go security tools: a single static-friendly executable, a clear upstream release page, documented `go install` support, and examples that map directly to common bug-bounty and penetration-testing tasks.
The core usage pattern is `ffuf -w wordlist -u https://target/FUZZ`, then refine results with status-code, size, word, line, regex, or timing matchers and filters. The README also documents virtual-host fuzzing with a Host header, GET and POST parameter fuzzing, external mutators such as Radamsa, recursion, per-job time limits, and JSON output.
ffuf reads a default config file from `$XDG_CONFIG_HOME/ffuf/ffufrc` when present. Command-line options override values from that default file, while repeatable flags such as headers are appended.
ffuf matters in package collections because it is a small, high-demand security tool with frequent real-world use and simple installation expectations. Users expect it to be present in developer laptops, security workstations, and reproducible lab environments without compiling Go code by hand.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
$XDG_CONFIG_HOME/ffuf/ffufrcexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
ffuf | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
install metadata
| Package key | brew:ffuf |
|---|---|
| Version | 2.1.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/ffuf |
| Homepage | https://github.com/ffuf/ffuf |
| Repository | https://github.com/ffuf/ffuf |
| Upstream docs | https://github.com/ffuf/ffuf#readme |
| License | MIT |
| Source archive | https://github.com/ffuf/ffuf/archive/refs/tags/v2.1.0.tar.gz |
| Build dependencies | go |
| Bottle | available (on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, monterey, sonoma, ventura, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | ffuf |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
ffuf 2.1.0-1+b9
Fast web fuzzer written in Go (program)
sudo apt install ffufffuf
nix profile install nixpkgs#ffufffuf 2.1.0-1
Fast web fuzzer written in Go (program)
sudo apt install ffufffuf 2.1.0-r22
fast web fuzzer written in Go
sudo apk add ffufffuf-doc 2.1.0-r22
fast web fuzzer written in Go (documentation)
sudo apk add ffuf-docffuf 2.1.0-7.fc44
Fast web fuzzer written in Go
sudo dnf install ffufffuf
sudo port install ffufmain/ffuf
scoop install main/ffufffuf.ffuf
winget install --id ffuf.ffuf -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.