Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Web fuzzers review

Intro

This is a December 2020 web fuzzing tools review made by myself. I have measured times, CPU usage and RAM consumption in three different lists, 10K, 100K and 400K lines and putting each tool with three different sets of threads: 40, 100 and 400 threads.
Why? Because I have been a ffuf user since version 0.9 (13 Apr 2019) and recently I thought that maybe it was time to review the rest of the tools.
This is not intended to be a serious investigation, a technical paper, or anything like that, just a series of tests that I have done for fun. The results shown are my opinion and if at any time you do not like them or you don't agree, you can stop reading or explain to me how I could have done it better :)
All the results of my runs and tests are posted here, it has three sheets (info, performance and features).

Tools

Small summary of each tool with the features and results that I got. This section not follows any special order.

​wfuzz​

GitHub's first release 2014, it's like a tank for web fuzzing, it has a lot of (really a lot) customizations and does almost everything very well. Everybody knows it, he was the best until Golang came.

Pros

  • Lot of customization.
  • Maybe most versatile.

Cons

  • RAM eater.
  • High CPU usage even with sort lists.
  • Slow.

​ffuf​

  • Author: @joohoi​
  • Language: Go
GitHub's first release Nov 2018. For me, it has become the best, it is fast, versatile, many options and does not give problems.

Pros

  • Fast.
  • Multiple options.
  • Low resource usage.

Cons

  • Fancy/non-relevant features like:
    • Pause/resume.
    • ETA.
  • Ugly recursion output.
  • Only errors count, to check them you must run again with -debug file flag.

​feroxbuster​

  • Author: @epi052​
  • Language: Rust
GitHub's first release Oct 2020. It's the youngest in the list and I really wanted to try it because it looks great and comes with some features that I didn't see in other tools.

Pros

  • Response link extractor.
  • Pause and resume.
  • Low CPU usage.

Cons

  • Tool has crashed in some tests.
  • Feels buggy.
  • RAM eater.
  • No FUZZ keyword.
  • No rate/time limits.

​gobuster​

  • Author: @OJ​
  • Language: Go
GitHub's first release 2015. For me, it was the predecessor of fuff, I used it on OSCP exam, and it took me a while to get rid of it.

Pros

  • Really fast.
  • Low CPU and RAM.
  • S3 enum.
  • Patterns usage.

Cons

  • No recursion.
  • No colors.
  • No filters.
  • Lack of features.

​rustbuster​

  • Author: @phra​
  • Language: Rust
GitHub's first release May 2019. I got to this one because I read about it on the feroxbuster page and I found it very interesting.

Pros

  • The fastest.
  • Best in CPU and RAM.
  • IIS Shortname scanner

Cons

  • No recursion.
  • No colors.
  • The one with the least features.
  • Last commit sept 2019, maybe abandoned.
  • Sometimes crashes with many threads.

​dirsearch​

GitHub's first release Jul 2014. It was the first fuzzing tool I used, it comes with custom wordlist, pretty output and a lot of options.

Pros

  • Prettiest output imo.
  • Quality options by default.
  • Easy of use, recommended for noobs.
  • Wordlists mutation.

Cons

  • The slowest.
  • No FUZZ keyword.

Results

Time

  1. 1.
    rustbuster
  2. 2.
    ffuf
  3. 3.
    gobuster
  4. 4.
    feroxbuster
  5. 5.
    wfuzz
  6. 6.
    dirsearch

CPU

  1. 1.
    feroxbuster
  2. 2.
    dirsearch
  3. 3.
    gobuster
  4. 4.
    ffuf
  5. 5.
    rustbuster
  6. 6.
    wfuzz

RAM

  1. 1.
    gobuster
  2. 2.
    rustbuster
  3. 3.
    ffuf
  4. 4.
    dirsearch
  5. 5.
    feroxbuster
  6. 6.
    wfuzz

Features

  1. 1.
    ffuf
  2. 2.
    wfuzz
  3. 3.
    dirsearch
  4. 4.
    feroxbuster
  5. 5.
    gobuster
  6. 6.
    rustbuster

General

  1. 1.
    ffuf
  2. 2.
    gobuster
  3. 3.
    feroxbuster
  4. 4.
    rustbuster
  5. 5.
    dirsearch
  6. 6.
    wfuzz

Final thoughts

I will continue using ffuf because it seems that it's the tool with the best balance between functionalities and performance. I was very surprised by Rust and I really want Feroxbuster to continue growing and become a worthy rival for ffuf and finally it seems that the fathers of fuzzing tools are left behind, the world advances!
Others - Previous
Internal Pentest
Next - Others
Recon suites review
Last modified 1yr ago
Export as PDF
Copy link
Edit on GitHub
Outline
Intro
Tools
wfuzz
ffuf
feroxbuster
gobuster
rustbuster
dirsearch
Results
Time
CPU
RAM
Features
General
Final thoughts