About this tool
Discover hidden files and directories (which are not linked in the HTML pages): .conf, .bak, .bkp, .zip, .xls, etc. Get easy access to hidden content hosted on your target web server.
Fuzz the target with your custom wordlist in the specified location.
The URL Fuzzer can be used to find hidden files and directories on a web server by fuzzing.
This is a discovery activity that allows you to discover resources that were not meant to be publicly accessible (e.g. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc.).
Since 'security by obscurity' is not a good practice, you can often find sensitive information in the hidden locations identified by the URL Fuzzer.
This is the template URL on the target server that will be fuzzed. You can (optionally) insert your payload in a custom location specified by a 'FUZZ' marker.
You can place it in the path or in the query strings, but NOT in the domain or subdomain.
The default location is at the end of the URL.
Request options - Method:
Choose the HTTP method for the requests made (GET or POST) and specify POST data
Request options - Custom headers:
Specify custom headers to be sent with every request
Request options - Retry - Max retries for a request:
Maximum number of retries in case of connection error for a HTTP request, default 3
Request options - Retry - Retry delays factor:
The delay between retries increases exponentially. The factor can be a float between 0 and 120. If the factor is 1 (default), the first retry is sent immediately (after 0s), the second one after 1s, then 2s, 4s... If the factor is 0.1, the sleeps between the retries are: 0s, 0.1s, 0.2s, 0.4s...
Request options - Retry - Force retry on HTTP codes:
By default, the retry policy is only applied on connection errors. With this option, you can enforce retrying on responses with these status codes. They can be integers between 100 and 599
Request options - Timing - Number of parallel requests (threads):
Number of threads for this scan, default 7
Request options - Timing - Delay between requests:
Thread count must be 1 in order for this to work properly. It represents the delay between the requests (in seconds), default 0
Request options - Timing - Request Timeout:
Set the timeout for a HTTP request, measured in seconds, default 4
Payload type - Wordlist:
Specify a custom wordlist for the payloads that will replace the 'FUZZ' marker
Payload type - Sequence of numbers:
Generate a sequence of numbers with a given start, end and step to be used as payload that will replace the 'FUZZ' marker
Payload options - Add words from HTML:
This option extends the default wordlist with words from the HTML page located at the base URL (including existing links). Non-applicable with the Sequence of numbers payload type
Payload options - Extensions:
Append different extensions to every item in the input wordlist. You can also specify custom extensions that you want to search for (up to 10 custom extensions per scan), including double extensions (e.g. .php.old, .jsp.bak, .tgz, etc.)
Payload options - Recursion:
For each found directory in the URL path, with the status code 200 or 403, start a new search with the initial wordlist. It can go up to three recursion levels.
Payload options - Mutate words found:
Apply various mutations to the identified files in order to find other resources (e.g. config.php, config2.php, config_old.php, config-dev.php, etc.)
Filter results - Auto:
Discard responses with the 404 status code and (only for the GET method) auto-detect soft 404 pages: non-existing resources, error pages, redirects (false positives)
Filter results - Manual:
Results will be filtered according to the Match/Ignore conditions that you specify
Filter results - Match/Ignore HTTP Codes:
Match/Ignore responses with the specified status codes. They should be integers between 100 and 599
Filter results - Match/Ignore Response Size:
Match/Ignore responses with the size matching the specified condition. The size used for comparing should be an integer between 0 and 10240 and is measured in KB
Filter results - Match/Ignore HTML contains string:
Match/Ignore responses that contain the specified string in the HTML content
How it works
The URL Fuzzer uses a custom-built wordlist for discovering hidden files and directories. The wordlist contains more than 1000 common names of known files and directories. For each WORD in the wordlist, it will make an HTTP request to Base_URL/WORD/ or to Base_URL/WORD.EXT in case you chose to fuzz a certain EXTension.
The files and directories that are found, are returned together with their HTTP response code and the page size.