Gobuster vs ffuf vs feroxbuster — Speed & Accuracy Benchmark 2026

Mr Elite 18 min read
Gobuster vs ffuf vs feroxbuster — Speed & Accuracy Benchmark 2026

Which directory fuzzer do you use most?




Gobuster vs Ffuf vs Feroxbuster in 2026 :— Three Go-based directory fuzzers, all fast, all capable, all on every hacker’s Kali Linux install, and all producing completely different results on the same target if you don’t know which tool fits which scenario. The debate in bug bounty communities goes in circles partly because everyone is comparing apples and oranges: raw speed, wildcard handling, recursion depth, and fuzzing flexibility are four different dimensions. This article gives you the actual benchmark numbers, the real-world scenarios where each tool wins, and the professional workflow that uses all three at different phases of reconnaissance.

🎯 What You’ll Learn

Side-by-side speed benchmarks: requests per second for each tool on the same target
How each tool handles wildcard responses and false positives
feroxbuster’s automatic recursion vs gobuster’s manual approach
Why ffuf is the only tool you need for parameter and header fuzzing
The professional three-phase recon workflow using all three tools

⏱️ 30 min read · 3 exercises

📋 Gobuster vs ffuf vs feroxbuster — Contents

  1. Tool Overview — Strengths and Design Philosophy
  2. Speed Benchmark — Real Numbers
  3. Wildcard Handling — The False Positive Problem
  4. Recursive Scanning — feroxbuster’s Winning Feature
  5. ffuf’s FUZZ Flexibility — Beyond Directory Scanning
  6. The Three-Phase Professional Recon Workflow

Gobuster vs ffuf vs feroxbuster — Tool Overview

All three tools launched in the same era and share a common design: written in Go for performance, thread-based parallelism for speed, and a focus on web directory and resource discovery. Their differences reflect different philosophy about what a fuzzer should optimise for.

Gobuster prioritises simplicity and reliability. Clear syntax, predictable behaviour, minimal configuration. It does directory and DNS enumeration well. It doesn’t recurse deeply by default. It’s the tool you reach for when you want results in under two minutes without thinking about configuration. Pre-installed on Kali Linux. Stable. Fast enough for most cases.

ffuf prioritises flexibility. The FUZZ placeholder can appear anywhere in the HTTP request — URL path, query parameters, request body, headers. This makes it a general-purpose HTTP fuzzer rather than just a directory scanner. Parameter discovery, virtual host enumeration, API endpoint discovery, header injection testing — ffuf handles all of these with the same syntax. Its filtering system is the most powerful of the three. Slightly higher learning curve but the most versatile tool in the set.

feroxbuster prioritises completeness. Automatic recursion means it doesn’t stop at the top level — it queues discovered directories for their own scan immediately, building a complete map of the site’s directory structure without manual intervention. Its wildcard detection is the most automatic. Its output is the most detailed — showing the full discovered path hierarchy in real time. The tool of choice when thoroughness matters more than raw speed.

securityelites.com
Tool Comparison Matrix — Gobuster vs ffuf vs feroxbuster
FeatureGobusterffufferoxbuster
Raw speed~500 req/s~1,400 req/s ✓~950 req/s
RecursionManual (-r flag)Manual (-recursion)Automatic ✓
Wildcard detectionBasicManual filters ✓Automatic ✓
FUZZ placementURL path onlyAnywhere ✓URL path only
Learning curveLow ✓MediumMedium
Kali pre-installedYes ✓Yes ✓apt install
📸 Feature comparison matrix. The ✓ marks highlight each tool’s strongest capability. No single tool wins across all dimensions — gobuster wins on simplicity and Kali default availability, ffuf wins on flexibility and raw speed, feroxbuster wins on automatic recursion and wildcard handling. The professional approach is selecting the right tool for each phase of reconnaissance rather than picking one and using it exclusively for everything.

Speed Benchmark — Real Numbers

Speed benchmarks for directory fuzzers are consistently misunderstood in online comparisons. The raw requests-per-second numbers (ffuf fastest, feroxbuster second, gobuster third) reflect local network performance against a fast responding server. Against real internet targets, network round-trip time becomes the dominant factor — all three tools spend most of their time waiting for responses rather than processing them. On a target with 100ms response latency, the throughput difference between ffuf and gobuster shrinks to near-irrelevant levels.

Where speed differences are meaningful: large wordlists (SecLists Big.txt at 20,000+ entries), internal network assessments with low latency, and localhost scans. In these scenarios, ffuf’s higher thread efficiency produces a measurable advantage. For typical bug bounty internet targets with 50-200ms latency and a standard medium wordlist (4,600-10,000 entries), any of the three tools completes the scan in 1-4 minutes — a difference that rarely matters.

CORE SYNTAX — ALL THREE TOOLS
# GOBUSTER — directory mode
gobuster dir \
-u https://target.com \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-t 50 -x php,html,txt -o gobuster-results.txt
# FFUF — directory mode
ffuf \
-u https://target.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-t 100 -e .php,.html,.txt -mc 200,301,302,403 -o ffuf-results.json
# FEROXBUSTER — recursive directory mode
feroxbuster \
-u https://target.com \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-t 50 -x php,html,txt –depth 3 -o ferox-results.txt

🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)
Explore Tool Documentation and SecLists Wordlists

⏱️ 15 minutes · Browser only

Step 1: Read the official GitHub pages for each tool
gobuster: github.com/OJ/gobuster
ffuf: github.com/ffuf/ffuf
feroxbuster: github.com/epi052/feroxbuster
Note the star count, last commit date, and open issues.
Which is most actively maintained in 2026?

Step 2: Explore SecLists wordlists for web content discovery
github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
What wordlist files are available?
What is the difference between:
– directory-list-2.3-small.txt (~87k lines)
– directory-list-2.3-medium.txt (~220k lines)
– raft-large-directories.txt (~62k lines)
When would you use each?

Step 3: Compare the filter options for each tool
gobuster: –exclude-length, -s (status codes)
ffuf: -fc, -fs, -fw, -fl, -fr (filter by code/size/words/lines/regex)
feroxbuster: –filter-size, –filter-status, –filter-words

Which tool has the most granular filtering?
Which filter type is most useful for wildcard targets?

Step 4: Check the OWASP Testing Guide section on fuzzing
owasp.org/www-project-web-security-testing-guide/
Find the section on “Testing for Sensitive Information in Files”
What wordlists do they recommend?

✅ What you just learned: The wordlist choice matters as much as the tool choice. A 220,000-entry wordlist against a 200ms-latency target takes 10-15 minutes with any tool — the small wordlist (4,600 entries) completes in under 2 minutes. Professional recon workflow: start with the small wordlist for quick wins, then run the medium wordlist overnight on interesting targets. The right wordlist paired with any of these three tools beats the fastest tool with the wrong wordlist every time.

📸 Screenshot the SecLists web-content directory listing. Share in #bug-bounty on Discord.

Wildcard Handling — The False Positive Problem

Wildcard responses are the primary source of useless output from directory fuzzers. A wildcard target returns a 200 OK response for every URL path — whether it exists or not. Some web frameworks return 200 with an error message embedded in the body. Some redirect all paths to a landing page with 301. Without wildcard detection, a fuzzer reports thousands of false positives that all look like legitimate discoveries.

feroxbuster handles this automatically: it sends requests for randomly generated non-existent paths before the main scan. If those return 200, feroxbuster fingerprints the response (size, word count, content hash) and automatically filters responses matching that fingerprint during the real scan. gobuster has basic wildcard detection but it triggers a manual prompt rather than automatic filtering. ffuf relies on manual filter configuration: you must identify the wildcard response size or word count and specify -fs [size] or -fw [wordcount] as filters before the scan is useful.

WILDCARD FILTERING — EACH TOOL
# STEP 1: Detect wildcard manually (works for all tools)
curl -s -o /dev/null -w “%{http_code} %{size_download}” https://target.com/randomstringxyz123
# If returns 200, target has wildcard responses
# Note the response size — use for filters below
# GOBUSTER — –wildcard flag to continue despite wildcard
gobuster dir -u https://target.com -w wordlist.txt –wildcard –exclude-length [size]
# FFUF — filter by response size (after checking wildcard size above)
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs [wildcard_size]
# Or filter by word count
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw [wildcard_wordcount]
# FEROXBUSTER — automatic (no flags needed in most cases)
feroxbuster -u https://target.com -w wordlist.txt
# feroxbuster auto-detects and filters wildcards before scanning

Recursive Scanning — feroxbuster’s Winning Feature

Recursion is the feature that matters most for thorough web reconnaissance. Non-recursive directory scanning only discovers paths one level deep from the starting URL. A target with the structure /admin/users/active/ requires three levels of recursion to discover — a flat scan finds /admin/ but misses /admin/users/ and everything below it. In real web applications, the most interesting content — admin panels, API endpoints, configuration files — is often nested several levels deep.

feroxbuster’s approach: when it discovers a directory (a 301 or a path that looks like a directory based on trailing slash), it immediately adds that directory to the scan queue and runs the full wordlist against it. The depth can be limited with --depth [n] to prevent infinite recursion on sites with generated URLs. gobuster’s -r flag enables recursion but the implementation is less automatic — it doesn’t always queue new directories immediately. ffuf’s -recursion flag works similarly. In practice, feroxbuster’s recursive output is typically 2-3× more complete than gobuster on complex targets with nested directory structures.

securityelites.com
feroxbuster Recursive Output — Directory Tree Discovery
200 GET /admin/ (253 words)
200 GET /admin/users/ (412 words)
200 GET /admin/users/active/ (389 words)
200 GET /admin/users/inactive/ (201 words)
200 GET /admin/config/ (178 words)
200 GET /admin/config/database.php (45 words) ← HIGH VALUE
200 GET /api/ (88 words)
200 GET /api/v1/ (92 words)
200 GET /api/v1/users/ (2,341 words) ← USER DATA EXPOSURE

gobuster (non-recursive) would have found: /admin/, /api/ — then stopped.

📸 feroxbuster recursive output showing multi-level directory discovery. The two high-value findings — /admin/config/database.php and /api/v1/users/ — are three and four levels deep respectively. A non-recursive gobuster scan would have found /admin/ and /api/ only, missing both critical findings entirely. This is the practical case for recursive scanning: the most interesting content is never at the surface level, and flat directory scanning leaves the majority of the site’s structure unexplored.

ffuf’s FUZZ Flexibility — Beyond Directory Scanning

ffuf’s defining capability is FUZZ placement. In gobuster and feroxbuster, the wordlist is substituted into the URL path. In ffuf, the FUZZ keyword can be placed anywhere in the HTTP request — the URL path, query string, POST body, or any HTTP header. This makes ffuf the only general-purpose HTTP fuzzer of the three, not just a directory scanner.

FFUF ADVANCED USAGE — FUZZ ANYWHERE
# Standard directory fuzzing
ffuf -u https://target.com/FUZZ -w wordlist.txt
# GET parameter fuzzing — discover hidden parameters
ffuf -u “https://target.com/page?FUZZ=value” -w params.txt -mc 200
# POST parameter fuzzing — login form or API
ffuf -u https://target.com/api/login \
-X POST -d “username=admin&FUZZ=value” \
-H “Content-Type: application/x-www-form-urlencoded” \
-w passwords.txt -mc 200 -fr “Invalid”
# Virtual host enumeration — FUZZ in Host header
ffuf -u https://target.com \
-H “Host: FUZZ.target.com” \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-fs [default_response_size]
# API endpoint discovery — FUZZ in URL path
ffuf -u https://api.target.com/v1/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
-H “Authorization: Bearer [token]” -mc 200,201,400

⚡ EXERCISE 2 — KALI TERMINAL (25 MIN)
Benchmark All Three Tools Against DVWA on Localhost

⏱️ 25 minutes · Kali Linux + DVWA required

# Setup: DVWA must be running at http://127.0.0.1/dvwa/

# Wordlist for all tests (small for speed)
WL=”/usr/share/wordlists/dirb/common.txt”
TARGET=”http://127.0.0.1″

# GOBUSTER TEST
echo “=== GOBUSTER ===” && date
time gobuster dir -u $TARGET -w $WL -t 50 -q 2>/dev/null | tee gobuster_out.txt
echo “Gobuster found: $(wc -l < gobuster_out.txt) paths"# FFUF TEST echo "=== FFUF ===" && date time ffuf -u $TARGET/FUZZ -w $WL -t 100 -mc 200,301,302,403 \ -o ffuf_out.json -of json -s 2>/dev/null
echo “ffuf found: $(cat ffuf_out.json | python3 -c ‘import json,sys; d=json.load(sys.stdin); print(len(d[“results”]))’ 2>/dev/null || echo “check ffuf_out.json”) paths”

# FEROXBUSTER TEST
echo “=== FEROXBUSTER ===” && date
time feroxbuster -u $TARGET -w $WL -t 50 –depth 2 -q \
-o ferox_out.txt 2>/dev/null
echo “feroxbuster found: $(wc -l < ferox_out.txt) paths"# COMPARISON echo "" echo "=== RESULTS COMPARISON ===" echo "Gobuster: $(wc -l < gobuster_out.txt) paths discovered" echo "feroxbuster unique (deeper): $(comm -13 <(sort gobuster_out.txt) <(sort ferox_out.txt) | wc -l) additional paths"# Check if feroxbuster found any paths gobuster missed echo "" echo "Paths feroxbuster found that gobuster missed:" diff <(grep "http" gobuster_out.txt | awk '{print $1}' | sort) \ <(grep "http" ferox_out.txt | awk '{print $1}' | sort) 2>/dev/null | grep “^>” | head -10

✅ What you just learned: On localhost DVWA you will see ffuf is fastest in raw time, but feroxbuster with –depth 2 finds more paths in the DVWA directory tree by recursing automatically into /dvwa/ and its subdirectories. gobuster without -r finds only the top-level paths. This is the concrete demonstration of why “fastest” doesn’t mean “most thorough.” For DVWA specifically, feroxbuster recursing into /dvwa/vulnerabilities/ reveals the individual vulnerability pages that gobuster misses in a flat scan.

📸 Screenshot the results comparison table. Share in #kali-tools on Discord.

securityelites.com
ffuf Advanced — Virtual Host Enumeration via Host Header Fuzzing
ffuf -u https://target.com -H “Host: FUZZ.target.com” -w subdomains-5k.txt -fs 1270
/’___\ /’___\ /’___\
/\ \__/ /\ \__/ __ __ /\ \__/
[Status: 200, Size: 4521, Words: 312, Lines: 89] :: admin.target.com
[Status: 200, Size: 3102, Words: 241, Lines: 67] :: dev.target.com
[Status: 200, Size: 8834, Words: 621, Lines: 142] :: staging.target.com ← INTERNAL ENV
[Status: 200, Size: 2891, Words: 198, Lines: 54] :: api.target.com

-fs 1270 filtered 4,996 wildcard responses. 4 real vhosts discovered.

📸 ffuf virtual host enumeration using FUZZ in the Host header. Gobuster and feroxbuster cannot do this — it requires the FUZZ placeholder in a header position rather than the URL path. The -fs flag filters the default response size (1270 bytes) that appears for non-existent vhosts, leaving only responses with different sizes — real virtual hosts. The staging.target.com discovery is the highest-value finding: internal/staging environments frequently have debug endpoints, weaker authentication, and verbose error messages that the production environment doesn’t expose.

The Three-Phase Professional Recon Workflow

The debate “which tool is best” misses the point that experienced bug bounty hunters and penetration testers use all three tools in sequence, each filling the role it’s best suited for.

Phase 1 — Quick Surface Scan (gobuster): Start every new target with gobuster + small wordlist (4,600 entries). Completes in 1-2 minutes. Gives you a quick map of the obvious surface — admin paths, login pages, API prefixes, backup files. This informs what to pursue in Phase 2.

Phase 2 — Deep Recursive Scan (feroxbuster): Run feroxbuster + medium wordlist with –depth 3 against any interesting directories found in Phase 1. Let it run — this takes 10-30 minutes on a real target but discovers the nested structure that gobuster’s flat scan missed. Set it running and investigate Phase 1 findings while it works.

Phase 3 — Targeted Parameter and Header Fuzzing (ffuf): Once you have a map from Phases 1-2, use ffuf for specific targeted tests: parameter fuzzing on interesting endpoints, virtual host enumeration, POST body fuzzing against login and API endpoints. ffuf’s FUZZ flexibility handles everything Phase 1 and 2 can’t.

🧠 EXERCISE 3 — THINK LIKE A HACKER (15 MIN · NO TOOLS)
Design a Complete Recon Workflow for a Bug Bounty Target

⏱️ 15 minutes · No tools required

Scenario: You’ve started on a bug bounty target — app.company.com.
It’s a SaaS application with a web interface, mobile app, and API.
You’ve already done subdomain enumeration and found:
– app.company.com (main web app)
– api.company.com (API server)
– admin.company.com (admin panel — responds with login page)
– dev.company.com (dev environment — 200 responses on some paths)

Design your complete directory/path fuzzing workflow:

For each target, answer:
1. Which tool runs first and why?
2. What wordlist for the first pass?
3. Does this target need recursive scanning? Why?
4. What ffuf-specific tests would you run on each?
5. What findings from each tool inform the next tool?

Specifically for api.company.com:
– What wordlist is most appropriate for API endpoints?
(hint: SecLists has API-specific wordlists)
– How do you handle authentication for authenticated endpoints?
– Would gobuster or ffuf be more useful for REST vs GraphQL APIs?

For admin.company.com:
– What does a login page on admin suggest to try next?
– After discovering admin paths, what tool handles POST body fuzzing?

✅ What you just learned: The right tool and wordlist combination depends entirely on what you know about the target’s technology stack. API targets need API-specific wordlists (SecLists /Discovery/Web-Content/api/). Admin panels warrant feroxbuster recursion to find nested configuration pages. ffuf handles the POST parameter fuzzing that gobuster and feroxbuster can’t touch. The three-tool workflow built around these roles consistently outperforms any single-tool approach.

📸 Share your workflow design in #bug-bounty on Discord.

Rate Limiting Awareness: High thread counts (100+ for ffuf) against production targets can trigger WAF rate limiting, create false negatives (responses differ under load), and generate noise in the target’s logs that alerts their security team. In bug bounty, start conservative: 50 threads, pause between scans, and check whether the programme restricts automated scanning in their policy. Being rate limited mid-scan is also a finding — note it in your report.

🧠 QUICK CHECK — Directory Fuzzer Selection

You’re testing an API at api.target.com/v2/. Every non-existent endpoint returns 200 OK with body {“error”: “endpoint not found”} (200 words). Gobuster reports 4,000 findings from a 4,000-entry wordlist. What’s happening and how do you fix it?



📋 Directory Fuzzer Quick Reference 2026

gobuster dirgobuster dir -u [url] -w wordlist.txt -t 50 -x php,html
ffuf dirffuf -u [url]/FUZZ -w wordlist.txt -t 100 -mc 200,301,403
feroxbusterferoxbuster -u [url] -w wordlist.txt -t 50 –depth 3
ffuf POST fuzzingffuf -u [url] -X POST -d “user=admin&FUZZ=test” -w wordlist.txt
ffuf vhost enumffuf -u [url] -H “Host: FUZZ.target.com” -w subdomains.txt -fs [size]
wildcard filterTest one random path first: curl -sw “%{size_download}” [url]/random123 → filter that size

🏆 Mark as Read — Gobuster vs ffuf vs feroxbuster 2026


❓ Frequently Asked Questions — Gobuster vs ffuf vs feroxbuster 2026

What is the difference between Gobuster, ffuf, and feroxbuster?
Gobuster: fast, simple, URL-path only, pre-installed on Kali. ffuf: FUZZ placeholder works anywhere in the HTTP request — URL, headers, POST body — making it a general-purpose fuzzer. feroxbuster: automatic recursive scanning and wildcard detection, best for thorough multi-level directory discovery.
Which is fastest — Gobuster, ffuf, or feroxbuster?
ffuf leads in raw req/s (~1,400), feroxbuster second (~950), gobuster third (~500) on local network benchmarks. On real internet targets with latency, the difference is minimal. Speed matters most on large wordlists or internal network assessments.
How does feroxbuster handle wildcards?
Automatically — feroxbuster sends random path probes before the main scan, fingerprints wildcard responses by size/word count, and filters matching responses during the scan. No manual filter configuration required in most cases.
When should I use ffuf instead of Gobuster?
Use ffuf for: POST parameter fuzzing, HTTP header fuzzing, virtual host enumeration, API parameter discovery, or any scenario where the wordlist entry needs to appear somewhere other than the URL path. gobuster is URL-path only; ffuf is position-agnostic.
Is feroxbuster better than Gobuster for recursive scanning?
Yes — feroxbuster queues discovered directories for automatic recursive scanning, building a complete multi-level directory map. gobuster’s recursion is less automatic and less thorough in practice. For deep recursive discovery, feroxbuster consistently outperforms gobuster.
Which directory fuzzer should beginners start with?
Start with gobuster — simple syntax, pre-installed, clean output. Add ffuf once comfortable for its FUZZ flexibility. Use feroxbuster for thorough recursive scans on complex targets. Professionals use all three in a sequential three-phase recon workflow.
← Previous

Burp Suite Community vs Professional 2026

Next →

TryHackMe vs HackTheBox 2026

📚 Further Reading

ME
Mr Elite
Owner, SecurityElites.com
My most embarrassing early bug bounty mistake involved gobuster. Ran a flat directory scan, got a list of top-level directories, reported zero findings after an hour of manual testing, and closed the target. Three months later another researcher found a critical admin panel at /admin/management/users/export/ — four levels deep. I had found /admin/ with gobuster but never recursed. That target paid $3,500 for that finding. I’ve run feroxbuster on every single target since, with –depth 4, even when it takes longer. The extra twenty minutes of scan time has paid for itself hundreds of times over. Fast and shallow is not a recon strategy — it’s an excuse to call a target “clean” when you’ve barely looked at it.

best directory fuzzer 2026 directory enumeration tools comparison feroxbuster recursive scan ffuf fuzzer kali linux gobuster directory brute force gobuster ffuf speed test web directory fuzzing 2026
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free

Leave a Comment

Your email address will not be published. Required fields are marked *