Web enumeration tools send a high volume of requests to web servers. Only use these tools against systems you own or have explicit written authorization to test. Unauthorized scanning may violate the Computer Fraud and Abuse Act (CFAA) and equivalent legislation.
Photo by panumas nikhomkhai on Pexels
ffuf is more flexible — the FUZZ keyword can go anywhere in a request, filtering is richer (-ac, -fs, -fr), and it handles custom 404 pages cleanly. gobuster is simpler and has dedicated DNS and cloud storage (S3/GCS) modes. For directory and vhost fuzzing: ffuf. For DNS subdomain enumeration: gobuster dns. For most CTF work: pick one and learn it well — both get the job done.
gobuster and ffuf solve the same core problem: you have a web server, you don’t know what paths or subdomains are on it, and you need to find out by trying a wordlist. Both are written in Go, both are fast, both are standard in CTF and penetration testing toolkits. The question is: which one for which task?
Architecture Differences
gobuster (by OJ Reeves) uses a mode-based design — you pick a mode (dir, dns, vhost, fuzz, s3, gcs) and it performs that specific type of enumeration. Each mode has dedicated flags and logic. Simpler to use; less flexible.
ffuf (Fuzz Faster U Fool, by joohoi) uses a single paradigm: the FUZZ keyword. Place it anywhere in a request — URL path, Host header, request body, query string — and ffuf replaces it with wordlist entries. More complex at first; more flexible in practice.
gobuster’s fuzz mode (added in v3.2) brings a FUZZ-style keyword to gobuster, but it’s less mature than ffuf’s implementation and lacks the rich filtering options.
Side-by-Side Comparison
| Feature | gobuster | ffuf |
|---|---|---|
| Language | Go | Go |
| Design pattern | Mode-based (dir, dns, vhost, fuzz, s3, gcs) | FUZZ keyword anywhere in request |
| Directory fuzzing | dir mode TIE | -u with FUZZ in path TIE |
| Virtual host fuzzing | vhost mode | -H “Host: FUZZ…” FFUF WINS |
| DNS subdomain enum | dns mode (actual DNS resolution) GOBUSTER WINS | No dedicated DNS mode |
| POST body fuzzing | Limited (fuzz mode) | -X POST -d “FUZZ” FFUF WINS |
| Parameter fuzzing | Limited | -u “url?FUZZ=val” FFUF WINS |
| Auto-calibration (custom 404s) | Not available | -ac flag FFUF WINS |
| Filter by size | Not directly | -fs / -ms FFUF WINS |
| Filter by regex | Not available | -fr / -mr FFUF WINS |
| Multi-wordlist | Not available | -w file1:FUZZ -w file2:W2 FFUF WINS |
| Cloud storage (S3/GCS) | s3 and gcs modes GOBUSTER WINS | Not available |
| Output formats | stdout, -o file | json, csv, html, md, ejson |
| Default threads | 10 (dir mode) | 40 |
| Ease of use | Simpler, mode-guided GOBUSTER WINS | More flags, more flexibility |
| Install (Kali) | apt install gobuster |
apt install ffuf |
Directory Fuzzing — Side-by-Side Commands
Both tools handle directory brute forcing well. Equivalent commands:
gobuster dir \
-u http://target.com \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-x php,html,txt \
-t 40 \
-s 200,301,302,403 \
-o gobuster-dir.txt
ffuf \
-u http://target.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-e .php,.html,.txt \
-t 40 \
-mc 200,301,302,403 \
-o ffuf-dir.json -of json
-x appends extensions. ffuf’s -e does the same. One practical difference: ffuf’s -ac auto-calibration handles custom 404 pages cleanly — gobuster doesn’t have an equivalent, requiring manual size-based filtering with gobuster’s --exclude-length flag.When the target has a custom 404 page
gobuster dir \
-u http://target.com \
-w wordlist.txt \
--exclude-length 1587
ffuf \
-u http://target.com/FUZZ \
-w wordlist.txt \
-ac
For custom 404 pages, ffuf’s -ac is significantly more convenient — no need to pre-check the error response size.
Virtual Host Enumeration
Both tools can discover virtual hosts by sending Host header variations. There’s a practical difference though:
gobuster vhost \
-u http://target.htb \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
--append-domain \
-t 40
ffuf \
-u http://10.10.10.X/ \
-H "Host: FUZZ.target.htb" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-ac \
-t 40
--append-domain flag (added in recent versions) appends the base domain to each wordlist entry, producing subdomain.target.htb. In older gobuster versions, you needed a pre-formatted wordlist. ffuf’s explicit Host header construction is more transparent — you can see exactly what’s being sent.DNS Subdomain Enumeration
This is gobuster’s clearest advantage — dedicated DNS resolution mode:
$ gobuster dns modegobuster dns \
-d target.com \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
-t 40 \
--timeout 5s
gobuster dns performs actual DNS A/CNAME lookups for each subdomain. Results include the resolved IP address. No equivalent in ffuf — ffuf’s vhost mode sends HTTP Host headers, not DNS queries.
The distinction matters:
- gobuster dns: finds subdomains that exist in public DNS. Good for external attack surface mapping.
- ffuf vhost / gobuster vhost: finds virtual hosts configured on a specific web server. Good for CTF machines where subdomains are in
/etc/hostsbut not public DNS.
Filtering Capabilities
This is where ffuf has a clear advantage:
| Filter Type | gobuster | ffuf |
|---|---|---|
| Status code match | -s 200,301,302 | -mc 200,301,302 |
| Status code exclude | --exclude-status 404 | -fc 404 |
| Response size exclude | --exclude-length SIZE | -fs SIZE |
| Response size match | Not available | -ms SIZE |
| Auto-calibration | Not available | -ac |
| Regex filter | Not available | -fr "pattern" |
| Regex match | Not available | -mr "pattern" |
| Word count filter | Not available | -fw / -mw |
| Line count filter | Not available | -fl / -ml |
Output and Integration
gobuster outputs to stdout by default, with -o file for file output. The format is human-readable text — easy to grep, difficult to parse programmatically.
ffuf outputs structured formats — JSON is the most useful for piping into other tools:
$ ffuf JSON output → extract found pathsffuf -u http://target.com/FUZZ -w wordlist.txt -ac -o results.json -of json
# Extract just the found URLs
cat results.json | python3 -c "
import json, sys
data = json.load(sys.stdin)
for r in data.get('results', []):
print(r['url'])
"
Scenario Guide — Which Tool to Use
Both work fine. Use whichever you’re more practiced with. If the target has a custom 404 page, ffuf’s -ac saves time over gobuster’s manual --exclude-length.
Use ffuf with the Host header approach: ffuf -u http://IP/ -H "Host: FUZZ.target.htb" -w subdomains.txt -ac. The target subdomains are in /etc/hosts, not public DNS — gobuster dns mode won’t find them.
gobuster dns mode resolves subdomains via actual DNS queries and shows the resolved IPs. This tells you what’s in public DNS and what IP each subdomain points to — more valuable than vhost fuzzing for external scope.
ffuf’s -X POST -d "user=FUZZ" handles this natively. gobuster doesn’t have a clean equivalent in its current modes.
gobuster has a dedicated s3 mode that checks for accessible S3 buckets. ffuf doesn’t.
ffuf’s -ac flag handles this automatically. gobuster requires you to check the error response size first and pass it as --exclude-length.
gobuster’s mode-based design is simpler to understand — gobuster dir -u URL -w wordlist is immediately readable. ffuf’s flexibility is a learning curve.
Defensive Context
Detection signatures: Both tools generate recognizable traffic patterns. gobuster’s user agent defaults to gobuster/VERSION — trivially detectable and blockable by WAF or CDN rules. ffuf defaults to ffuf/VERSION. Custom user agents (-H "User-Agent: Mozilla/5.0..." in both tools) are trivially bypassed at the UA level, but the underlying request pattern — high volume of 404s from one IP in rapid succession — remains detectable regardless of UA.
WAF and rate limiting: Both tools are caught by rate-limiting rules that track requests per IP per time window. Cloudflare, AWS WAF, and similar products have directory brute-force detection built in. The -rate flag in ffuf and --delay in gobuster can reduce request rates, but a sufficiently aggressive security tool will still detect the pattern over a longer window.
What these tools find that matters for defenders: The directories and files that gobuster and ffuf surface — /.git, /backup, /.env, /admin, /config.php.bak — represent content that shouldn’t be accessible. Running periodic web content audits against your own applications (using these same tools in authorized contexts) is a useful defensive practice. If the tool finds it, an attacker will too.
🔍 Things to Consider
The choice between gobuster and ffuf in practice is often habitual — practitioners learn one and stick with it unless the specific task demands the other. The areas where the choice actually matters: custom 404 handling (ffuf wins clearly), DNS enumeration (gobuster wins clearly), and POST fuzzing (ffuf wins). For standard directory brute forcing, the tools are equivalent enough that the wordlist matters more than the tool. Worth knowing: if you’re going to learn one deeply, learn ffuf — the FUZZ keyword paradigm applies to a wider range of tasks and the filtering options handle more of the environments you’ll encounter. If you’re new and want something simpler to start, gobuster’s mode-based design is easier to internalize on day one.
~Cipherceval
Frequently Asked Questions
Should I use gobuster or ffuf for directory brute forcing?
Both work well. ffuf has richer filtering (auto-calibration with -ac, size filtering with -fs, regex filtering with -fr), making it more adaptable when targets return custom 404 pages. gobuster’s dir mode is simpler for straightforward cases. For CTF where custom 404 pages are common, ffuf’s -ac flag is a practical time-saver. In standard HTTP 404 environments, either tool works equally well.
What modes does gobuster have?
gobuster has six modes: dir (HTTP directory/file brute forcing), dns (subdomain enumeration via DNS resolution), vhost (virtual host enumeration via Host header), fuzz (general fuzzing with FUZZ keyword, added v3.2), s3 (AWS S3 bucket enumeration), and gcs (Google Cloud Storage enumeration). The dns and cloud storage modes are the clearest differentiators from ffuf.
How does gobuster dns mode differ from ffuf vhost mode?
gobuster dns performs actual DNS resolution — it queries DNS servers to check if subdomains exist in DNS. ffuf vhost (and gobuster vhost) sends HTTP requests with different Host headers to check if a web server responds differently. These answer different questions: gobuster dns finds subdomains in public DNS; ffuf vhost finds virtual hosts on a specific server that may not be in public DNS. For CTF machines with entries only in /etc/hosts: use ffuf/gobuster vhost. For external mapping: use gobuster dns.
Is gobuster faster than ffuf?
At equivalent thread counts, both tools perform similarly — both are Go-based and well-optimized. gobuster defaults to 10 threads (dir mode); ffuf defaults to 40. Set equivalent thread counts (-t 40 on both) and throughput differences are negligible in practice. The meaningful difference is filtering efficiency: ffuf’s auto-calibration reduces false positive processing, which has practical impact when running large wordlists against noisy targets.
Can ffuf replace gobuster completely?
For most HTTP web enumeration tasks: yes. The two areas where gobuster has dedicated functionality that ffuf lacks: DNS subdomain enumeration (gobuster dns mode does actual DNS resolution) and cloud storage bucket enumeration (s3, gcs modes). For pure HTTP content discovery, parameter fuzzing, and vhost enumeration, ffuf is more flexible. Many practitioners keep both installed.
Full ffuf tutorial with all flags and filtering options: ffuf Tutorial. For the recon step that comes before web enumeration: theHarvester OSINT Tutorial.
Stay vigilant, stay curious, and update your stuff.
— Cipherceval / Forgebound Research
Exploit Brokers by Forgebound Research
Disclaimer: The content presented by Exploit Brokers by Forgebound Research is for educational and informational purposes only. Cipherceval is a cybersecurity educator and commentator — not your personal security consultant, legal counsel, or professional advisor. Always consult qualified professionals for security decisions affecting your systems.
Technical Disclaimer: Web enumeration tools require explicit written authorization before use on systems you don’t own. Unauthorized scanning may violate the Computer Fraud and Abuse Act (CFAA) and equivalent legislation worldwide.
Leave a Reply