# Install ffuf with Homebrew, apk, apt, dnf, MacPorts, Nix, scoop, winget

Fast web fuzzer written in Go. Version 2.1.0 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:ffuf
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install ffuf
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install ffuf
```

  Evidence: MacPorts ports tree: security/ffuf/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add ffuf
```

  Evidence: Alpine Linux edge package indexes: ffuf from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install ffuf
```

  Evidence: Debian stable package indexes: ffuf from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install ffuf
```

  Evidence: Fedora Rawhide package metadata: ffuf from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#ffuf
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ff/ffuf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- Scoop (92%):

```sh
scoop install main/ffuf
```

  Evidence: Scoop official bucket manifest trees: bucket/ffuf.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id ffuf.ffuf -e
```

  Evidence: Windows Package Manager source index: ffuf.ffuf from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:ffuf
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/ffuf>
- **Version:** 2.1.0
- **Source summary:** Fast web fuzzer written in Go
- **Homepage:** <https://github.com/ffuf/ffuf>
- **Repository:** <https://github.com/ffuf/ffuf>
- **Upstream docs:** <https://github.com/ffuf/ffuf#readme>
- **License:** MIT
- **Source archive:** <https://github.com/ffuf/ffuf/archive/refs/tags/v2.1.0.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- ffuf (cli)
- ffuf (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, monterey, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.1.0
- Local data: ok
- Upstream repository: https://github.com/ffuf/ffuf
- Upstream latest detected: v2.1.0 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

ffuf is a Go-based web fuzzer whose name expands to Fuzz Faster U Fool. It became a standard CLI in web-security workflows because it makes content discovery, virtual-host discovery, parameter fuzzing, request mutation, filtering, replay, and automation fit into one fast binary.

### Project history

The GitHub project was created in November 2018, and the first release listed by the GitHub API is v0.1 on the same date. The README has consistently described the tool as a fast web fuzzer written in Go, with examples centered on the `FUZZ` keyword embedded in URLs, headers, and request bodies.

By the v2 release line, the README documented a broad set of operational features: recursive discovery, multiple matchers and filters, auto-calibration, rate limiting, request replay through a proxy, JSON output, external input commands, and an interactive mode.

### Adoption history

ffuf is packaged widely for security practitioners, including Homebrew, Debian/Ubuntu, Fedora, MacPorts, Nix, Scoop, winget, and Alpine according to the package facts in this batch. The repository metadata also shows a large public GitHub audience for a focused security CLI.

Its adoption follows a familiar package-manager path for Go security tools: a single static-friendly executable, a clear upstream release page, documented `go install` support, and examples that map directly to common bug-bounty and penetration-testing tasks.

### How it is used

The core usage pattern is `ffuf -w wordlist -u https://target/FUZZ`, then refine results with status-code, size, word, line, regex, or timing matchers and filters. The README also documents virtual-host fuzzing with a Host header, GET and POST parameter fuzzing, external mutators such as Radamsa, recursion, per-job time limits, and JSON output.

ffuf reads a default config file from `$XDG_CONFIG_HOME/ffuf/ffufrc` when present. Command-line options override values from that default file, while repeatable flags such as headers are appended.

### Why package nerds care

ffuf matters in package collections because it is a small, high-demand security tool with frequent real-world use and simple installation expectations. Users expect it to be present in developer laptops, security workstations, and reproducible lab environments without compiling Go code by hand.

### Timeline

- 2018: GitHub project created and v0.1 released.
- 2023: v2.1.0 released in the GitHub release stream cited for this record.
- 2026: Repository metadata showed continued activity and broad public adoption.

### Related projects

- The README documents external mutator use with Radamsa and practice targets such as ffufme. In package culture it sits near other web-content discovery and fuzzing tools used by penetration testers.

### Sources

- <https://github.com/ffuf/ffuf>
- <https://api.github.com/repos/ffuf/ffuf>
- <https://api.github.com/repos/ffuf/ffuf/releases>
- <https://github.com/ffuf/ffuf/wiki>
- <https://formulae.brew.sh/formula/ffuf>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: $XDG_CONFIG_HOME/ffuf/ffufrc
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** ffuf
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - ffuf - 2.1.0-1+b9: normalized package name match | Debian stable package indexes: ffuf from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Fast web fuzzer written in Go (program) | https://github.com/ffuf/ffuf
- Nix - ffuf: normalized package name match | nixpkgs package indexes: pkgs/by-name/ff/ffuf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - ffuf - 2.1.0-1: normalized package name match | Ubuntu 24.04 LTS package indexes: ffuf from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Fast web fuzzer written in Go (program) | https://github.com/ffuf/ffuf
- apk - ffuf - 2.1.0-r22: normalized package name match | Alpine Linux edge package indexes: ffuf from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | fast web fuzzer written in Go | https://github.com/ffuf/ffuf
- apk - ffuf-doc - 2.1.0-r22: normalized package name match | Alpine Linux edge package indexes: ffuf-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | fast web fuzzer written in Go (documentation) | https://github.com/ffuf/ffuf
- dnf - ffuf - 2.1.0-7.fc44: normalized package name match | Fedora Rawhide package metadata: ffuf from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Fast web fuzzer written in Go | https://github.com/ffuf/ffuf
- MacPorts - ffuf: normalized package name match | MacPorts ports tree: security/ffuf/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/ffuf: normalized package name match | Scoop official bucket manifest trees: bucket/ffuf.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - ffuf.ffuf: normalized package name match | Windows Package Manager source index: ffuf.ffuf from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [gobuster](https://www.automicvault.com/pkg/brew/gobuster/) - Shares av.db curated category or tags: cli, go, security, web-security.
- [dalfox](https://www.automicvault.com/pkg/brew/dalfox/) - Shares av.db curated category or tags: cli, security, web-security.
- [feroxbuster](https://www.automicvault.com/pkg/brew/feroxbuster/) - Shares av.db curated category or tags: cli, security, web-security.
- [forbidden](https://www.automicvault.com/pkg/brew/forbidden/) - Shares av.db curated category or tags: cli, pentesting, security, web-security.
- [h26forge](https://www.automicvault.com/pkg/brew/h26forge/) - Shares av.db curated category or tags: cli, fuzzing, security.
- [katana](https://www.automicvault.com/pkg/brew/katana/) - Shares av.db curated category or tags: cli, go, security, web-security.
- [wuppiefuzz](https://www.automicvault.com/pkg/brew/wuppiefuzz/) - Shares av.db curated category or tags: cli, fuzzing, security.
- [goshs](https://www.automicvault.com/pkg/brew/goshs/) - Shares av.db curated category or tags: cli, go, pentesting, security.

## Combined YAML source

View the package source record on GitHub. [combined/ffuf.yml](https://github.com/automic-vault/db/blob/main/combined/ffuf.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
