Overview
The URL Fuzzer discovers hidden content on web servers by testing file and directory names from wordlists. It finds backup files, admin panels, configuration files, and other resources not linked from the main application. The URL Fuzzer is a discovery tool: it identifies hidden resources but does not test them for vulnerabilities. It does not add data to your Attack Surface or generate findings.
Scan types
| Scan type | Wordlist size | Features |
|---|---|---|
| Light | 146 words | Quick scan with mutation enabled, no dynamic wordlist |
| Deep | 43,005 words | Comprehensive scan with dynamic wordlist and mutation enabled |
| Custom | Variable | Full control over all parameters |
Parameters
Target
The URL to fuzz. You can optionally specify where to insert payloads using the FUZZ marker.
The FUZZ marker can be placed in the URL path or query string, but not in the hostname. Only one FUZZ marker is allowed per scan.
Request options (Custom scan only)
| Option | Description | Default |
|---|---|---|
| Method | HTTP method (GET or POST) | GET |
| POST data | POST body data, can contain FUZZ marker | - |
| Custom headers | Additional headers sent with each request | - |
| Thread count | Number of parallel requests (1-10) | 7 |
| Request timeout | Timeout per request in seconds (0-43,200) | 4 |
| Delay between requests | Delay in seconds (only when thread count is 1) | 0 |
| Max retries | Maximum retries on connection error (0-10) | 3 |
| Retry delay factor | Exponential backoff factor (0-120) | 1 |
| Force retry on HTTP codes | Status codes that trigger a retry (e.g., 429, 500-505) | - |
Payload options (Custom scan only)
Payload type
| Type | Description |
|---|---|
| Wordlist | Use a wordlist file. Select from default wordlists or your own custom wordlists. |
| Sequence | Generate a numeric sequence with configurable start, end, and step values (max 50,000 numbers). |
Extension categories
Each wordlist entry is tested with the selected extension categories appended:
| Category | Extensions |
|---|---|
| No extension | Tests entries as-is (directories, extensionless files) |
| Configuration files | .conf, .cfg, .txt, .xml, .json, .ini |
| Source code files | .bat, .c, .java, .cpp, .cs, .h |
| Archives | .zip, .tar, .tar.gz, .tgz, .gz, .7z, .bzip, .rar, .jar, .apk |
| Database files | .sql, .mdb, .db, .nsf, .csv, .dbf |
| Logs | .log, .err, .journal |
| Backup files | .old, .back, .bkp, .bak, .tmp, .test, .dev, .prod |
| Documents | .doc, .docx, .odt, .xls, .xlsx, .rtf, .pdf, .ppt, .pptx |
| Web files | .asp, .aspx, .php, .jsp, .shtml, .htm, .html, .dll, .pl, .py, .cgi, .cfm, .sh, .js |
| Custom extensions | Your own extensions (up to 10, max 10 characters each) |
Additional options
| Option | Description |
|---|---|
| Add words from HTML | Extends the wordlist with words extracted from the target page (links, text). Enabled by default for Deep scans. |
| Mutate words found | Generates variations of discovered files (e.g., config.php → config2.php, config_old.php, config-dev.php, config.php.bak). Enabled by default. |
| Recursion | For each discovered directory (status 200 or 403), starts a new search with the original wordlist. Up to 3 levels deep. |
Response filtering (Custom scan only)
| Mode | Description |
|---|---|
| Auto | Discards 404 responses and auto-detects soft 404 pages (error pages that return 200, redirects to login, etc.) |
| Manual | Apply custom match/ignore conditions |
Manual filter conditions
| Condition | Match | Ignore |
|---|---|---|
| HTTP codes | Only show responses with these codes (e.g., 200-205,301) | Discard responses with these codes |
| Response size | Only show responses matching size condition (e.g., < 2 KB) | Discard responses matching size condition |
| Content contains | Only show responses containing this string | Discard responses containing this string |
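As an added example (not the URL Fuzzer's own code), the following Python evaluates the manual conditions above against a set of constructed responses: the HTTP code spec `200-205,301` expands to a set of codes, a size condition such as `< 2 KB` becomes a predicate, and match conditions are ANDed while any ignore condition discards the response. The combination semantics, the 1024-byte kilobyte, and the response fields are assumptions made for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (not real traffic): status, body size in bytes, body text.
SAMPLE_RESPONSES = [
    {"url": "/admin/", "status": 200, "size": 1800, "body": "<title>Admin panel</title>"},
    {"url": "/backup.zip", "status": 200, "size": 5_242_880, "body": ""},
    {"url": "/old/", "status": 301, "size": 0, "body": ""},
    {"url": "/nothing", "status": 404, "size": 1200, "body": "<h1>Not Found</h1>"},
    {"url": "/search", "status": 200, "size": 1500, "body": "No results found for your query"},
]

# Assumption: binary units, as most fuzzers use.
UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2}


def parse_code_spec(spec: str) -> set:
    """Expand a spec such as '200-205,301' into a set of status codes."""
    codes = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


def parse_size_condition(spec: str):
    """Turn '< 2 KB' into a predicate on a byte count. Accepts <, <=, >, >=, =."""
    m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\d+(?:\.\d+)?)\s*([kKmM]?[bB])?\s*", spec)
    if not m:
        raise ValueError(f"bad size condition: {spec!r}")
    op, number, unit = m.groups()
    limit = float(number) * UNITS[(unit or "b").lower()]
    ops = {"<": lambda n: n < limit, "<=": lambda n: n <= limit,
           ">": lambda n: n > limit, ">=": lambda n: n >= limit, "=": lambda n: n == limit}
    return ops[op]


@dataclass
class FilterRules:
    """Empty string means the condition is not set."""
    match_codes: str = ""
    ignore_codes: str = ""
    match_size: str = ""
    ignore_size: str = ""
    match_content: str = ""
    ignore_content: str = ""


def keep(resp: dict, rules: FilterRules) -> bool:
    """Match conditions must all hold; any ignore condition that holds discards the response."""
    if rules.match_codes and resp["status"] not in parse_code_spec(rules.match_codes):
        return False
    if rules.ignore_codes and resp["status"] in parse_code_spec(rules.ignore_codes):
        return False
    if rules.match_size and not parse_size_condition(rules.match_size)(resp["size"]):
        return False
    if rules.ignore_size and parse_size_condition(rules.ignore_size)(resp["size"]):
        return False
    if rules.match_content and rules.match_content not in resp["body"]:
        return False
    if rules.ignore_content and rules.ignore_content in resp["body"]:
        return False
    return True


def apply_filters(responses: list, rules: FilterRules) -> list:
    """Return the URLs that survive the manual filter."""
    return [r["url"] for r in responses if keep(r, rules)]


if __name__ == "__main__":
    rules = FilterRules(match_codes="200-205,301", ignore_size="> 4 MB",
                        ignore_content="No results found")
    print(apply_filters(SAMPLE_RESPONSES, rules))
```

The "Content contains" ignore condition is the quickest way to suppress an application's own "nothing here" page when Auto mode does not recognise it: copy a phrase that only appears on that page into the ignore field rather than filtering on size, which drifts as the page content changes.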
How it works
Parse target URL
The fuzzer identifies where to insert payloads. If no FUZZ marker is specified, it is added at the end of the URL path.
Prepare wordlist
Loads the selected wordlist. If “Add words from HTML” is enabled, extracts additional words from the target page (links, text content) and prepends them to the wordlist.
Fuzz each extension category
For each selected extension category, sends requests for every word in the wordlist with the extension appended.
Filter responses
In Auto mode, discards 404 pages and detects soft 404s using an in-house heuristic detector. An AI classifier then runs a second pass on any response the heuristic marks as valid, to reduce false positives. In Manual mode, applies custom match/ignore conditions.
Recursion (if enabled)
For each discovered directory with status 200 or 403, starts a new scan using the original wordlist. Repeats up to the configured depth.
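The marker placement, extension expansion and Auto-mode filtering described in the steps above, as an added Python example; this is not the tool's implementation. The soft-404 check is the common baseline heuristic (fetch a random path that cannot exist, then compare normalised bodies) standing in for the in-house detector and the AI classifier; the rule that treats a redirect to a `login` URL as a soft 404, the placement of the default marker as a new path segment, the `example.com` target and the constructed responses are all assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

MARKER = "FUZZ"

# Three of the page's extension categories, enough for the demonstration.
EXTENSIONS = {
    "none": [""],
    "config": [".conf", ".cfg", ".txt", ".xml", ".json", ".ini"],
    "backup": [".old", ".back", ".bkp", ".bak", ".tmp", ".test", ".dev", ".prod"],
}


def place_marker(target: str) -> str:
    """Apply the page's marker rules: FUZZ may not appear in the hostname and at most
    once anywhere; when absent it is appended to the path (assumed: as a new segment)."""
    parts = urlsplit(target)
    if MARKER in parts.netloc:
        raise ValueError("FUZZ marker is not allowed in the hostname")
    if target.count(MARKER) > 1:
        raise ValueError("only one FUZZ marker is allowed")
    if target.count(MARKER) == 1:
        return target
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return urlunsplit((parts.scheme, parts.netloc, path + MARKER, parts.query, parts.fragment))


def marker_error(target: str):
    """Return the validation message for a bad target, or None when it is accepted."""
    try:
        place_marker(target)
    except ValueError as exc:
        return str(exc)
    return None


def candidates(target: str, words: list, categories: list) -> list:
    """One request URL per (category, extension, word), in the order the page describes."""
    template = place_marker(target)
    return [
        template.replace(MARKER, word + ext, 1)
        for cat in categories
        for ext in EXTENSIONS[cat]
        for word in words
    ]


def fingerprint(resp: dict) -> tuple:
    """Status plus a hash of the body with the echoed path and any digits normalised,
    so catch-all error pages that only differ in the requested path compare equal."""
    body = resp["body"].replace(resp["url"], "")
    body = re.sub(r"\d+", "0", body)
    return (resp["status"], hashlib.sha256(body.encode()).hexdigest())


def is_soft_404(resp: dict, baseline: dict) -> bool:
    """Heuristic stand-in for the tool's detector (assumption, not its algorithm):
    a redirect to a login page, or a body indistinguishable from the baseline
    fetched for a random path that cannot exist."""
    if 300 <= resp["status"] < 400 and "login" in resp.get("location", "").lower():
        return True
    return fingerprint(resp) == fingerprint(baseline)


def auto_filter(responses: list, baseline: dict) -> list:
    """Auto mode: drop hard 404s, then drop soft 404s."""
    return [r["url"] for r in responses
            if r["status"] != 404 and not is_soft_404(r, baseline)]


# Constructed responses standing in for live traffic; "url" is the request path.
BASELINE = {"url": "/zq8v1x3k", "status": 200,
            "body": "<h1>Page not found</h1><p>/zq8v1x3k does not exist (ref 4471)</p>"}
RESPONSES = [
    {"url": "/admin/", "status": 200, "body": "<title>Admin panel</title>"},
    {"url": "/config.bak", "status": 200,
     "body": "<h1>Page not found</h1><p>/config.bak does not exist (ref 9023)</p>"},
    {"url": "/secret/", "status": 302, "location": "/login?next=/secret/", "body": ""},
    {"url": "/x.old", "status": 404, "body": "gone"},
]

if __name__ == "__main__":
    for url in candidates("https://example.com/app", ["admin", "config"], ["none", "backup"])[:4]:
        print(url)
    print(auto_filter(RESPONSES, BASELINE))
```

A redirect to the login page is discarded in Auto mode, which is what the page describes; in practice that redirect can also be the only sign that a protected resource exists (the `/secret/` entry above), so rerun in Manual mode with match codes `301-302`, or with authentication headers added, when you need to see those paths.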
Mutation patterns
When mutation is enabled, the fuzzer generates variations like:
| Original | Mutations generated |
|---|---|
| config.php | config.php.old, config.php.bak, config.php.bkp |
| data.sql | data1.sql, data2.sql, …, data10.sql |
| admin/ | admin-old/, admin_dev/, admin-test/, admins/ |
Suffixes used: 1-10, old, back, bkp, bak, tmp, test, dev, prod
Separators used: none, -, _
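The mutation rules in the table above, as an added Python example rather than the tool's code. Where each suffix is placed (before or after the extension, with or without a separator) is inferred from the examples on this page; the `request_budget` helper is mine, added because every discovered name turns into a few dozen extra requests.

```python
import os

# Suffixes and separators as listed on this page.
SUFFIXES = [str(n) for n in range(1, 11)] + ["old", "back", "bkp", "bak", "tmp", "test", "dev", "prod"]
SEPARATORS = ["", "-", "_"]


def mutate(name: str) -> list:
    """Return ordered, de-duplicated variants of a discovered file or directory name.

    Placement rules are my reading of the page's examples, not the tool's code:
    - numeric suffixes go before the extension with no separator (data1.sql);
    - word suffixes go before the extension with each separator (config_old.php, config-dev.php);
    - for files that have an extension, word suffixes are also appended after it (config.php.bak);
    - directory names (trailing slash) keep the slash on every variant.
    """
    is_dir = name.endswith("/")
    base = name.rstrip("/")
    stem, ext = os.path.splitext(base)
    variants = []

    def add(candidate: str) -> None:
        candidate = candidate + "/" if is_dir else candidate
        if candidate != name and candidate not in variants:
            variants.append(candidate)

    for suffix in SUFFIXES:
        if suffix.isdigit():
            add(stem + suffix + ext)
            continue
        for sep in SEPARATORS:
            add(stem + sep + suffix + ext)
        if ext and not is_dir:
            add(base + "." + suffix)
    return variants


def request_budget(discovered: list) -> int:
    """Extra requests that mutation adds for a list of discovered names."""
    return sum(len(mutate(n)) for n in discovered)


if __name__ == "__main__":
    for original in ("config.php", "data.sql", "admin/"):
        print(original, "->", ", ".join(mutate(original)[:6]), "...")
    print("extra requests:", request_budget(["config.php", "data.sql", "admin/"]))
```

Under these rules a file with an extension yields 42 variants and a directory 34, so the budget matters most for the Light scan, where mutation is on but the base wordlist is only 146 words: four discovered files already add more requests than the wordlist itself.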
Authentication
For scanning authenticated endpoints, add custom headers in Custom scan mode:
- Select Custom scan type
- Navigate to Request options > Headers
- Add your authentication headers
Follow-up actions
Based on discovered content:
| Discovery | Recommended action |
|---|---|
| Any discovered page (admin panels, login pages, etc.) | Test with Website Scanner |
| API endpoints, Swagger docs | Run API Scanner |
| Configuration files | Review for exposed credentials and sensitive data |
| .git directory | Extract and analyze the repository for secrets |
| Any web content | Run Website Recon for technology fingerprinting |
| Indexed content suspected | Use Google Hacking to find publicly indexed sensitive content |