Tooling

Web Fuzzing & Content Discovery

ffuf, feroxbuster, Gobuster, dirsearch — finding hidden paths, params, vhosts.

A huge slice of web pentest / bug-bounty work is "what's not linked from the homepage?" Content-discovery and web-fuzzing tools brute-force paths, parameters, vhosts, subdomains, and headers against wordlists. For binary fuzzing see Binary Fuzzing. For DAST template scanning see Vulnerability Scanners (Nuclei). For discovery up the stack see Subdomain & Asset Discovery.

The current generation

  • ★ ★ ffuf (Joohoi) — Go; fast; the default modern web fuzzer. Custom matchers, recursion, request templates, cluster-bomb mode. Free.
  • feroxbuster (epi052) — Rust; recursive content discovery; fast; ergonomics inspired by ffuf + dirbuster. Free.
  • Gobuster — Go; the long-standing default; modes for dir, dns, vhost, fuzz, s3. Free.
  • dirsearch — Python; dictionary-driven; very actively maintained 2024–26.
  • wfuzz — Python classic; less recommended now (slow, archived).
  • dirb / dirbuster — legacy; superseded.

Param / endpoint / JS discovery

  • arjun — HTTP parameter discovery.
  • paramspider — historical-source param mining (gau, wayback).
  • x8 — Rust parameter brute-forcer; fast.
  • kiterunner (AssetNote) — API-aware content discovery; uses kbrute lists; better than ffuf for REST APIs.
  • JSluice (BishopFox) — pull URLs / params / secrets from JS.
  • subjs / linkfinder / getJS — JS endpoint extraction.
  • xnLinkFinder — modern link / param miner.

URL / param historical sources

  • gau / gauplus / gau+ (lc / pry0cc) — pull URLs from Wayback / CommonCrawl / OTX.
  • waybackurls — original.
  • katana (ProjectDiscovery) — modern crawler; headless Chrome mode; great with ffuf chain.
  • hakrawler (hakluke) — fast crawler.

Wordlists

  • SecLists/Discovery/Web-Content/ — the canonical web content lists (raft, common.txt, big.txt, directory-list-2.3-medium.txt). Free.
  • AssetNote wordlists — best-of-breed; updated regularly; per-tech (jsp, asp, k8s, swagger).
  • OneListForAll (six2dez) — combined wordlist for one-shot fuzzing.
  • kiterunner kbrute lists — API-shape wordlists.
  • Trickest's wordlists repo.

Vhost / subdomain fuzzing

  • ffuf -H "Host: FUZZ.target.tld" with -fs <size> filter — vhost discovery.
  • gobuster vhost — same niche.
  • VirtualHostScanner — older.
  • For passive subdomain enum see Subdomain & Asset Discovery.

Recursive workflows / CI

  • feroxbuster built-in recursion + filter sizes / words / regex.
  • ffuf -recursion -recursion-depth 2 — same.
  • ffufpostprocessing — clean ffuf JSON for reporting.

API-shaped fuzzing

Filter strategies (the difference between noise and signal)

  • Filter by size (-fs), status (-fc), lines (-fl), words (-fw), regex (-fr).
  • Auto-calibration (-ac in ffuf) — learns the 404-shape and excludes it automatically.
  • Use multiple wordlists in cluster bomb (-w list1:FUZZ -w list2:FUZ2Z) for path × extension fuzzing.

Pick this if…

  • Default modern web fuzzer: ffuf.
  • Recursive content discovery, ergonomic: feroxbuster.
  • Old habit / muscle memory: Gobuster.
  • Python ecosystem / scripting integration: dirsearch.
  • REST API discovery: kiterunner + AssetNote lists.
  • Best wordlists: SecLists + AssetNote.
  • JS deep mining: JSluice + xnLinkFinder.

On this page