# Web fuzzers review

## Intro

This is a web fuzzing tools review. Originally written in December 2020, this page has been updated with current tool status and new additions as of 2025.

Why? Because I have been a ffuf user since version 0.9 (13 Apr 2019) and recently I thought that maybe it was time to review the rest of the tools.

{% hint style="info" %}
This is not intended to be a serious investigation, a technical paper, or anything like that, just a series of tests that I have done for fun. The results shown are my opinion and if at any time you do not like them or you don't agree, you can stop reading or explain to me how I could have done it better :)
{% endhint %}

Original 2020 test results: [Google Sheets](https://docs.google.com/spreadsheets/d/14eFVYoYxMOTZ1tI2jADnvNw_0S6HHJMQXcp5NelhtY0/edit?usp=sharing)

{% embed url="https://docs.google.com/spreadsheets/d/14eFVYoYxMOTZ1tI2jADnvNw_0S6HHJMQXcp5NelhtY0/edit?usp=sharing" %}

## 2025 Tool Recommendations

### Quick Summary

| Tool            | Best For                        | Language | Status         |
| --------------- | ------------------------------- | -------- | -------------- |
| **ffuf**        | General fuzzing, API testing    | Go       | ✅ Active       |
| **feroxbuster** | Recursive directory discovery   | Rust     | ✅ Active       |
| **gobuster**    | Quick directory/DNS/vhost scans | Go       | ✅ Active       |
| **dirsearch**   | Beginners, pretty output        | Python   | ✅ Active       |
| **wfuzz**       | Complex fuzzing scenarios       | Python   | ⚠️ Maintenance |
| **katana**      | Crawling + fuzzing workflow     | Go       | ✅ Active (New) |
| **caido**       | GUI-based testing               | Rust     | ✅ Active (New) |

### New Tools Since 2020

| Tool           | Description                              | Link                                                 |
| -------------- | ---------------------------------------- | ---------------------------------------------------- |
| **katana**     | Modern web crawler by projectdiscovery   | [GitHub](https://github.com/projectdiscovery/katana) |
| **caido**      | Lightweight Burp alternative with fuzzer | [Website](https://caido.io)                          |
| **x8**         | Hidden parameter discovery               | [GitHub](https://github.com/Sh1Yo/x8)                |
| **kiterunner** | API endpoint discovery                   | [GitHub](https://github.com/assetnote/kiterunner)    |

### Tool Updates Since 2020

**feroxbuster** - Massive improvements:

* Much more stable (no crashes)
* Added rate limiting
* Better recursion handling
* Scan management/resume
* Now one of the top recommendations

**ffuf** - Still the king:

* Added request rate limiting
* Better output formats
* Improved recursion
* Plugin system

**gobuster** - Steady improvements:

* Added TFTP mode
* Better vhost detection
* Improved pattern matching

## Tools

A short summary of each tool with the features and results that I got. This section does not follow any particular order.

### [wfuzz](https://github.com/xmendez/wfuzz)

* Author: [@x4vi\_mendez](https://twitter.com/x4vi_mendez)
* Language: Python

GitHub's first release 2014. It's like a tank for web fuzzing: it has a lot (really a lot) of customization options and does almost everything very well. Everybody knows it; it was the best until the Go tools arrived.

#### Pros

* Lots of customization.
* Maybe the most versatile.

#### Cons

* RAM eater.
* High CPU usage even with short lists.
* Slow.

### [ffuf](https://github.com/ffuf/ffuf)

* Author: [@joohoi](https://twitter.com/joohoi)
* Language: Go

GitHub's first release Nov 2018. For me, it has become the best: it is fast and versatile, has many options, and does not give problems.

#### Pros

* Fast.
* Multiple options.
* Low resource usage.

#### Cons

* Fancy/non-relevant features like:
  * Pause/resume.
  * ETA.
* Ugly recursion output.
* Only the error count is shown; to inspect the errors you must run again with the debug log file flag (`-debug-log`).

### [feroxbuster](https://github.com/epi052/feroxbuster)

* Author: [@epi052](https://twitter.com/epi052)
* Language: Rust

GitHub's first release Oct 2020. It's the youngest on the list, and I really wanted to try it because it looks great and comes with some features that I didn't see in other tools.

#### Pros

* Response link extractor.
* Pause and resume.
* Low CPU usage.

#### Cons

* Tool has crashed in some tests.
* Feels buggy.
* RAM eater.
* No FUZZ keyword.
* No rate/time limits.

### [gobuster](https://github.com/OJ/gobuster)

* Author: [@OJ](https://twitter.com/TheColonial)
* Language: Go

GitHub's first release 2015. For me, it was the predecessor of ffuf; I used it in the OSCP exam, and it took me a while to get rid of it.

#### Pros

* Really fast.
* Low CPU and RAM.
* S3 enum.
* Patterns usage.

#### Cons

* No recursion.
* No colors.
* No filters.
* Lack of features.

### [rustbuster](https://github.com/phra/rustbuster)

* Author: [@phra](https://twitter.com/phraaaaaaa)
* Language: Rust

GitHub's first release May 2019. I got to this one because I read about it on the feroxbuster page and I found it very interesting.

#### Pros

* The fastest.
* Best in CPU and RAM.
* IIS shortname scanner.

#### Cons

* No recursion.
* No colors.
* The one with the least features.
* Last commit Sept 2019; maybe abandoned.
* Sometimes crashes with many threads.

### [dirsearch](https://github.com/maurosoria/dirsearch)

* Author: [@maurosoria](https://twitter.com/_maurosoria)
* Language: Python

GitHub's first release Jul 2014. It was the first fuzzing tool I used; it comes with a custom wordlist, pretty output and a lot of options.

#### Pros

* Prettiest output imo.
* Quality options by default.
* Easy to use; recommended for noobs.
* Wordlist mutation.

#### Cons

* The slowest.
* No FUZZ keyword.

## Results

### Time

1. rustbuster
2. ffuf
3. gobuster
4. feroxbuster
5. wfuzz
6. dirsearch

### CPU

1. feroxbuster
2. dirsearch
3. gobuster
4. ffuf
5. rustbuster
6. wfuzz

### RAM

1. gobuster
2. rustbuster
3. ffuf
4. dirsearch
5. feroxbuster
6. wfuzz

### Features

1. ffuf
2. wfuzz
3. dirsearch
4. feroxbuster
5. gobuster
6. rustbuster

### General

1. ffuf
2. gobuster
3. feroxbuster
4. rustbuster
5. dirsearch
6. wfuzz
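
The Time, CPU and RAM lists above come from my own runs. As an added example (not code from the original post or from any of the tools), here is a small harness that reproduces this kind of ranking: each fuzzer is wrapped in GNU `/usr/bin/time -v`, the elapsed time, CPU percentage and peak RSS are parsed from its summary, and the tools are sorted best-first per metric. The tool command lines, the local target, the wordlist name and the sample `time -v` output are assumptions made up for illustration.

```python
import re
import subprocess

# Tool invocations are assumptions for illustration: a local target and a small wordlist.
TOOLS = {
    "ffuf": ["ffuf", "-u", "http://127.0.0.1:8080/FUZZ", "-w", "words.txt", "-s"],
    "gobuster": ["gobuster", "dir", "-u", "http://127.0.0.1:8080", "-w", "words.txt", "-q"],
    "feroxbuster": ["feroxbuster", "-u", "http://127.0.0.1:8080", "-w", "words.txt", "-q"],
}
# The three `time -v` summary lines we rank on (lower is better for each of them).
_FIELDS = {
    "elapsed": re.compile(r"Elapsed \(wall clock\) time \([^)]*\):\s*(\S+)"),
    "cpu_percent": re.compile(r"Percent of CPU this job got:\s*(\d+)%"),
    "max_rss_kb": re.compile(r"Maximum resident set size \(kbytes\):\s*(\d+)"),
}
def parse_elapsed(value: str) -> float:
    """Convert GNU time's h:mm:ss or m:ss.ss wall-clock string to seconds."""
    seconds = 0.0
    for part in value.split(":"):
        seconds = seconds * 60 + float(part)
    return seconds

def parse_time_output(text: str) -> dict:
    """Extract the three metrics from the stderr written by `/usr/bin/time -v`."""
    metrics = {}
    for key, rx in _FIELDS.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"'{key}' not found in time output")
        metrics[key] = parse_elapsed(m.group(1)) if key == "elapsed" else float(m.group(1))
    return metrics

def run_tool(name: str) -> dict:
    """Run one fuzzer under GNU time and parse its resource summary (tool must be installed)."""
    proc = subprocess.run(["/usr/bin/time", "-v", *TOOLS[name]], capture_output=True, text=True)
    return parse_time_output(proc.stderr)

def rank(results: dict, metric: str) -> list:
    """Tool names ordered best-first for one metric, like the Time/CPU/RAM lists above."""
    return sorted(results, key=lambda name: results[name][metric])
# Constructed sample `time -v` output (not real measurements) so the ranking runs offline.
_SAMPLE = ("Percent of CPU this job got: {cpu}%\nElapsed (wall clock) time (h:mm:ss or m:ss): {wall}\n"
           "Maximum resident set size (kbytes): {rss}\n")
SAMPLES = {"ffuf": _SAMPLE.format(cpu=85, wall="0:03.41", rss=24560),
           "gobuster": _SAMPLE.format(cpu=60, wall="0:04.10", rss=12300),
           "feroxbuster": _SAMPLE.format(cpu=40, wall="0:05.27", rss=51200)}
if __name__ == "__main__":
    parsed = {name: parse_time_output(text) for name, text in SAMPLES.items()}
    for metric in _FIELDS:
        print(f"{metric:>12}: {' > '.join(rank(parsed, metric))}")
```

Swap `SAMPLES` for `{name: run_tool(name) for name in TOOLS}` to rank real runs; repeat each run a few times against the same target and wordlist, since a single run is noisy.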

## Final thoughts

I will continue using ffuf because it seems that it's the tool with the best balance between functionalities and performance.

### 2025 Update

**What's Changed:**

* **feroxbuster** has matured significantly and is now a top-tier choice, especially for recursive scanning
* **ffuf** remains the most versatile and feature-rich option
* **wfuzz** is showing its age but still useful for complex scenarios
* **Rust-based tools** (feroxbuster, caido) have proven themselves
* **rustbuster** appears abandoned (no updates since 2019)

**Current Recommendations by Use Case:**

| Use Case                      | Recommended Tool |
| ----------------------------- | ---------------- |
| General web fuzzing           | ffuf             |
| Recursive directory discovery | feroxbuster      |
| Quick scans, OSCP             | gobuster         |
| API endpoint discovery        | kiterunner, ffuf |
| Hidden parameter discovery    | x8, arjun        |
| Beginners                     | dirsearch        |
| Complex multi-payload         | wfuzz            |
| GUI-based testing             | caido            |

**Modern Workflow Example:**

```bash
# Quick directory scan
feroxbuster -u https://target.com -w /path/to/wordlist.txt

# API fuzzing with ffuf
ffuf -u https://api.target.com/FUZZ -w api-wordlist.txt -mc 200,301,302,401,403

# Parameter discovery
x8 -u https://target.com/endpoint -w params.txt

# Crawl then fuzz
katana -u https://target.com -jc | sort -u > endpoints.txt
```

**Pro Tips:**

* Use `-rate` in ffuf to avoid WAF blocks
* feroxbuster's `--collect-extensions` is great for finding hidden file types
* Combine with `httpx` for live filtering before fuzzing
* Use Caido for interactive testing when Burp is overkill
