FFUZZ is a web application security testing tool that combines MITM proxy traffic recording with intelligent mutation-based fuzzing. It captures HTTP/HTTPS traffic, replays it with various mutations, and detects anomalies that may indicate security vulnerabilities.
- Go 1.25+
- Node.js 20+ (for UI development)
- PostgreSQL 16+ (or use Docker Compose)
```bash
git clone git@github.com:v0lka/ffuuzz.git
cd ffuuzz
# Configure your environment (copy and edit .env.example)
cp .env.example .env
# Start PostgreSQL
docker-compose up -d postgres
# Build the application
make build
# Run the server
./ffuuzz serve
```

- Proxy: http://localhost:8080
- Web UI: http://localhost:8081
FFUZZ loads configuration from .env, environment variables, and CLI flags (in that priority). Copy .env.example to .env to get started with all available options and detailed comments. Variable expansion syntax (${VAR}) is supported for referencing other environment variables within the file.
Configuration can also be edited through the Web UI via the Configuration page in the left sidebar. The form displays all FFUUZZ_* settings grouped by category (Server, Database, Storage, Performance, TLS, Certificate Cache, LLM) with inline validation. Changes are written directly to the .env file and take effect on the next server restart.
```bash
make dev-frontend # Frontend dev server with HMR
make dev-backend  # Backend via go run
make test         # Run tests with race detector
make lint         # Run linters
```

- User Guide -- Installation, configuration, usage workflow, mutation operators, anomaly detection, LLM-assisted triage (with UI controls for single-finding and batch analysis), campaign editing, and full REST API reference.
- Contributing -- Development setup, project structure, architecture overview, key packages, and guidelines for adding new features.