URL Fuzzer


You can use the URL Fuzzer to find hidden files and directories on a web server by fuzzing.

Quickly identify hidden attack surfaces on web applications by fuzz testing for unlinked or obscure directories, parameters, and hidden files.

The built-in ML Classifier cuts false positives by 50%, removing junk data and duplicates. You get faster, clearer results: real directories, hidden parameters, and high-value files. All from one smart, ML-powered web URL fuzzer.

Essential for a unified offensive security workflow

The URL Fuzzer does more than recon.

It’s fully integrated into our cybersecurity toolkit to help you find hidden web content quickly and follow up with focused validation.

Use it to map the attack surface in a vulnerability assessment or lay the groundwork for targeted exploitation in a penetration testing scenario.

You get the visibility and control you need, but with cleaner, more reliable results amped up by our proprietary ML Classifier.

  • Uncover what scanners can’t see

    • Vulnerability scanners follow visible links, but ethical hackers (and attackers) dig deeper. The URL Fuzzer expands your visibility before vulnerability scanning begins: it brute-forces hidden directories, paths, backup files, and parameters that a crawler following links never reaches. It is especially useful in the recon stage of a penetration test, where content discovery and web page enumeration matter.

  • Handle rigorous security workflows

    • Use URL Fuzzer at the recon stage to map entry points, pivot to the Website Scanner to validate vulnerabilities, or combine it with other tools to build a clear proof of concept. This workflow mirrors the real process of web app security testing - from discovery to validation - in one place.

  • Get 50% fewer false positives with every scan

    • Irrelevant findings slow you down and dilute your results. The embedded ML Classifier automatically categorizes fuzzing results, so you can cut down the time spent on misleading findings. This structured triage helps you get 50% fewer false positives with every scan, so you work not only smarter, but way faster.

  • Customize fuzzing to fit your target

    • Every target is different, whether it's a custom PHP app, Python-based microservice, or Linux-hosted CMS. Choose from curated wordlists or upload your own payloads to customize your scan. Adjust extensions, tweak directories, or inject parameters using GET, POST, or any supported HTTP method. Our URL fuzzing tool supports both generic and template-driven testing inspired by open source tools like ffuf.

  • Easily export results and integrate into reports

    • The URL Fuzzer results include detailed HTTP request/response data, status codes, headers, and endpoint types, exportable as PDF, editable DOCX, HTML, JSON, CSV or XLSX. Use these reports to back up vulnerability findings, build validated PoCs, or share clear technical context with devs, clients or source code reviewers.


Sample URL Fuzzer report

Once you have your results, you can spot hidden entry points, uncover overlooked endpoints, and assess what’s worth testing next. Use this specific intel to guide deeper scanning, exploitation, or reporting.

Lists unlinked or hidden paths with HTTP status codes and sizes to identify accessible resources


How the URL Fuzzer works

The URL Fuzzer uses dictionary-based fuzz testing to find hidden files, directories, and parameters that aren’t linked in the page source.

It sends crafted HTTP requests using predefined or custom wordlists, observes how the server responds, and captures full response data for follow-up analysis.

The embedded ML Classifier filters out noise and highlights real targets, even on dynamic or messy HTML pages.

  • Wordlist-based discovery

    Sends thousands of crafted requests using predefined or custom wordlists to brute-force hidden directories and files on the target web server. You can also set timeout values to fine-tune scan duration.

  • Path, file, and extension fuzzing

    Checks for common paths (/admin, /backup), file names (index.bak, config.old), and exposed file extensions (.zip, .tar.gz) by combining each wordlist entry with extension and suffix patterns.

  • Parameter fuzzing

    Finds undocumented parameters by injecting payloads using GET, POST, or any HTTP method and observing how the web server responds.

  • ML-powered filtering and parsing

    The built-in ML Classifier removes duplicate, low-signal, or noisy results. It parses poorly structured HTML fast and highlights only valuable discoveries, reducing irrelevant findings by up to 50%.

  • Recursive directory fuzzing

    Automatically continues fuzzing inside discovered directories to uncover deeper nested content.

  • Numeric and sequential fuzzing

    Generates and tests numeric payloads to discover ID-based endpoints (e.g., /user/1001, /order/2023).

  • Custom wordlist injection

    Uses built-in or user-uploaded wordlists to drive all tests, including support for compound wordlist mutations.

  • Payload mutation

    Modifies discovered words (e.g., login, login_old, login-dev) to find variations attackers might exploit.

  • Custom header injection

    Sends requests with custom headers (e.g., Authorization, User-Agent) to mimic authenticated or browser-like traffic.

  • Soft 404 and redirect detection

    Detects and discards misleading responses (e.g., 200 OK on a missing page) to reduce false positives.

  • Timeout and retry logic testing

    Validates how endpoints behave under time delays, retry conditions, and with slow responses.

Cut web fuzzing false positives by 50% with the integrated Machine Learning Classifier

The ML Classifier, a purpose-engineered machine learning model, is directly integrated into our URL Fuzzer to help you filter out noise and zero in on real issues – automatically.

Instead of relying on brittle RegEx logic, the ML Classifier analyzes every HTML response during a scan and assigns it to one of four categories:

  • HIT: High-value targets like login pages, backups, and exposed secrets
  • MISS: Confirmed dead ends, even with misleading status codes
  • PARTIAL HIT: Ambiguous but interesting responses, such as WAF or firewall block pages
  • INCONCLUSIVE: Pages needing browser rendering to confirm

This structured triage filters out dead ends, repeated templates, and language-specific error pages that traditional scanners often mistake for vulnerabilities.
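As an added example that is not the Pentest-Tools.com implementation, the following Python fuzzer puts together the mechanics listed under "How the URL Fuzzer works" (wordlist-driven requests, suffix and extension mutation, soft-404 baselining, recursion into discovered directories) and sorts each response into a four-way verdict in the spirit of the HIT / MISS / PARTIAL HIT / INCONCLUSIVE labels above. The verdict rules are a plain status-code heuristic standing in for the ML Classifier, not a description of it. The target (`target.example` and the `FAKE_SITE` table) is constructed so the code runs offline; `http_fetch` is the real fetcher you would plug in against a host you are authorised to test.

```python
"""Dictionary-based path fuzzer with payload mutation, soft-404 baselining,
recursion and a heuristic four-way verdict. Added example for this page; it is
not the Pentest-Tools.com URL Fuzzer or its ML Classifier. Hostname
`target.example` and the FAKE_SITE contents are constructed test data."""
from __future__ import annotations

import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable

Response = tuple[int, bytes]              # (HTTP status, body)
Fetcher = Callable[[str], Response]

SUFFIXES = ["", "_old", "-dev", "_backup"]   # login -> login_old, login-dev ...
EXTENSIONS = ["", ".bak", ".old", ".zip"]    # config -> config.bak, config.old ...


def mutate(word: str) -> list[str]:
    """Expand one wordlist entry into suffix/extension variants (payload mutation)."""
    out: list[str] = []
    for suffix in SUFFIXES:
        for ext in EXTENSIONS:
            cand = f"{word}{suffix}{ext}"
            if cand not in out:
                out.append(cand)
    return out


def fingerprint(body: bytes, path: str) -> str:
    """Hash a body after stripping what changes per request (echoed path, digits
    such as request ids, whitespace) so a templated 'not found' page always
    fingerprints the same regardless of which missing path was asked for."""
    norm = body.replace(path.encode(), b"")
    norm = re.sub(rb"\d+", b"0", norm)
    norm = re.sub(rb"\s+", b" ", norm)
    return hashlib.sha256(norm).hexdigest()


def soft404_baseline(fetch: Fetcher, base: str, probes: int = 2) -> set[str]:
    """Request paths that cannot exist; a 200 for them is a soft 404 whose
    fingerprint is recorded so matching bodies are discarded later."""
    fps: set[str] = set()
    for i in range(probes):
        path = "/" + hashlib.sha1(f"soft404-probe-{i}".encode()).hexdigest()[:16]
        status, body = fetch(base + path)
        if status == 200:
            fps.add(fingerprint(body, path))
    return fps


def classify(status: int, body: bytes, path: str, baseline: set[str]) -> str:
    """Heuristic stand-in for the four verdicts; assumption, not the product's model."""
    if status in (404, 410):
        return "MISS"
    if status == 200:
        return "MISS" if fingerprint(body, path) in baseline else "HIT"
    if status in (301, 302, 307, 308, 401, 403):
        return "PARTIAL HIT"      # exists but gated or redirected: worth a look
    return "INCONCLUSIVE"


def fuzz(fetch: Fetcher, base: str, words: list[str], max_depth: int = 1) -> dict[str, tuple[int, str, int]]:
    """Brute-force paths under `base`, recursing into directories that answered 200.
    Returns {path: (status, verdict, body_length)} for everything that is not a MISS."""
    baseline = soft404_baseline(fetch, base)
    found: dict[str, tuple[int, str, int]] = {}
    queue = [("", 0)]
    while queue:
        prefix, depth = queue.pop(0)
        for word in words:
            for cand in mutate(word):
                path = f"{prefix}/{cand}"
                status, body = fetch(base + path)
                verdict = classify(status, body, path, baseline)
                if verdict == "MISS":
                    continue
                found[path] = (status, verdict, len(body))
                if verdict == "HIT" and "." not in cand and depth < max_depth:
                    queue.append((path, depth + 1))   # likely a directory: recurse
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows 3xx by default, which would report '/admin -> /login' as
    the login page's 200; returning None surfaces the 3xx as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 5.0, headers: dict | None = None) -> Response:
    """Real fetcher (custom headers, e.g. Authorization, go in `headers`)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers or {"User-Agent": "url-fuzz-example"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx all land here
        return err.code, err.read()


# Constructed offline target: answers 200 with a templated page for every unknown path.
BASE = "http://target.example"
FAKE_SITE: dict[str, Response] = {
    "/admin": (200, b"<h1>Admin login</h1><form method=post>...</form>"),
    "/admin/config.old": (200, b"db_host=127.0.0.1\ndb_pass=hunter2\n"),
    "/backup.zip": (200, b"PK\x03\x04" + b"\x00" * 40),
    "/login": (302, b""),
}


def fake_fetch(url: str) -> Response:
    path = url[len(BASE):]
    if path in FAKE_SITE:
        return FAKE_SITE[path]
    rid = int(hashlib.sha1(path.encode()).hexdigest()[:6], 16)     # per-request noise
    return 200, f"<html><body>Sorry, {path} was not found.\nRequest id {rid}</body></html>".encode()


if __name__ == "__main__":
    results = fuzz(fake_fetch, BASE, ["admin", "backup", "config", "login"])
    for path, (status, verdict, size) in sorted(results.items()):
        print(f"{verdict:<12} {status} {size:>5}  {path}")
```

Two details matter in practice. Without the baseline step every request to this target would come back 200 and be reported, which is exactly the soft-404 noise the page describes; the fingerprint has to drop the echoed path and any request id, or each copy of the error page hashes differently and the baseline never matches. And redirects must not be followed silently, or an admin panel that bounces to a login form looks identical to the login form itself.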

Why this URL Fuzzer works better and faster

Reduces noise for clearer, more valuable results

Spend less time parsing dead ends. The baked-in ML Classifier filters out junk data and near-duplicates, and gives you cleaner, actionable results.

Finds the hidden entry points attackers look for

Quickly catch exposed directories, forgotten dev folders, admin panels, and more.

Extends your recon workflow

Use it early in your recon to find assets that you can further test with the Website Scanner or other recon and exploitation tools.

Features built-in customization

Use our curated wordlists or bring your own. Customize every scan to your target for broad asset discovery or focused recon in pentests.

Streamlined reporting and exports

Export results with full request/response context in JSON, HTML, customizable DOCX, PDF, CSV, or XLSX format, ready to include in your final reports or team workflows.

Customer reviews

It's very user-friendly, easy, and quick to launch and use to scan and monitor my attack surface. Pentest-Tools.com enabled me to quickly scan my attack surface for vulnerabilities and collect the required evidence so I could fix it. I like that it runs on the cloud, avoiding the need to waste computing resources on my endpoint.


Uri Fleyder-Kotler

CISO at iothreat


FAQs

Who should use the URL Fuzzer in the workflow, and when?

The tool is ideal for penetration testers, internal security teams, and MSPs. Use it early in the engagement to map hidden assets or mid-assessment to uncover missed targets. It’s also a smart choice when validating exposed endpoints before writing PoCs or building final reports.

What makes URL Fuzzer different from other URL scanners or fuzzing tools?

Unlike traditional URL scanners, the URL Fuzzer is fully integrated into our suite. It’s powered by a proprietary ML Classifier that reduces noise and enhances result quality. You can customize scans with your own wordlists, combine it with other tools like Website Scanner or Pentest Robots to automate recon-validation-reporting flows, and generate structured reports with full request/response context.

Can I use my own wordlists or payloads with the URL Fuzzer?

Yes. In addition to curated default wordlists, the URL Fuzzer supports fully custom wordlists. You can upload your own files to fuzz specific paths, file types, extensions, or parameters. This is especially useful when targeting custom-built applications or performing highly focused recon.

How does the URL Fuzzer handle parameter fuzzing?

The tool dynamically injects potential GET or POST parameter names and monitors how the server responds. This helps you discover undocumented inputs that could lead to input validation flaws, XSS, IDOR, or injection vulnerabilities — even when they're not visible in page source or forms.

Can I combine URL Fuzzer with other tools on the Pentest-Tools platform?

Absolutely. You can switch directly from URL Fuzzer results into tools like Website Scanner for vulnerability discovery, opt for custom probing, or use Pentest Robots for automation of chained recon-validation-reporting workflows. It’s designed to fit cleanly into end-to-end offensive security processes.

Does the ML Classifier require any manual setup or tuning?

No setup needed. The ML Classifier is fully embedded into the URL Fuzzer. It automatically analyzes each HTML response during the scan and applies intelligent filtering behind the scenes. There’s no training, configuration, or fine-tuning required on your part.

Do I need to install anything?

No installation needed. The URL Fuzzer runs entirely in the cloud and is accessible from any modern browser: just log in and start scanning.