ffuf
Fast web fuzzer for directories, virtual hosts, parameters, and raw HTTP—common in bug bounty playbooks.
Why it is included
Minimal, fast, and widely adopted; a successor in spirit to classic dirbusters.
Best for
Content discovery and filter tuning in scoped web tests.
Strengths
- Speed
- Recursion
- Multiple fuzz modes
Limitations
- Can overwhelm fragile apps without throttling
Good alternatives
Gobuster · feroxbuster
Related tools
- Gobuster (Security & Privacy): Go-based directory/DNS/vhost brute-forcer with threading tuned for pentest wordlists.
- feroxbuster (Security & Privacy): Recursive content discovery written in Rust with intelligent filtering and replay-friendly output.
- OWASP ZAP (Security & Privacy): OWASP flagship web app scanner and proxy: automated checks, manual request tampering, scripting, and CI integrations.
- sqlmap (Security & Privacy): Automatic SQL injection and database takeover helper with fingerprinting, data exfiltration, and OS-shell paths.
- Nikto (Security & Privacy): Web server scanner that probes for dangerous files, outdated software, and misconfigurations via many checks.
- WPScan (Security & Privacy): WordPress security scanner: version fingerprinting, plugin/theme vuln DB, weak creds, and user enumeration.
