Web Fuzzing & Content Discovery
ffuf, feroxbuster, Gobuster, dirsearch — finding hidden paths, params, vhosts.
A huge slice of web pentest / bug-bounty work is "what's not linked from the homepage?" Content-discovery and web-fuzzing tools brute-force paths, parameters, vhosts, subdomains, and headers against wordlists. For binary fuzzing see Binary Fuzzing. For DAST template scanning see Vulnerability Scanners (Nuclei). For discovery up the stack see Subdomain & Asset Discovery.
The current generation
- ★ ★ ffuf (Joohoi) — Go; fast; the default modern web fuzzer. Custom matchers, recursion, request templates, cluster-bomb mode. Free.
- ★ feroxbuster (epi052) — Rust; recursive content discovery; fast; ergonomics inspired by ffuf + dirbuster. Free.
- ★ Gobuster — Go; the long-standing default; modes for
dir,dns,vhost,fuzz,s3. Free. - dirsearch — Python; dictionary-driven; very actively maintained 2024–26.
- wfuzz — Python classic; less recommended now (slow, archived).
- dirb / dirbuster — legacy; superseded.
Param / endpoint / JS discovery
- arjun — HTTP parameter discovery.
- paramspider — historical-source param mining (gau, wayback).
- x8 — Rust parameter brute-forcer; fast.
- kiterunner (AssetNote) — API-aware content discovery; uses kbrute lists; better than ffuf for REST APIs.
- JSluice (BishopFox) — pull URLs / params / secrets from JS.
- subjs / linkfinder / getJS — JS endpoint extraction.
- xnLinkFinder — modern link / param miner.
URL / param historical sources
- gau / gauplus / gau+ (lc / pry0cc) — pull URLs from Wayback / CommonCrawl / OTX.
- waybackurls — original.
- katana (ProjectDiscovery) — modern crawler; headless Chrome mode; great with ffuf chain.
- hakrawler (hakluke) — fast crawler.
Wordlists
- ★ SecLists/Discovery/Web-Content/ — the canonical web content lists (raft, common.txt, big.txt, directory-list-2.3-medium.txt). Free.
- ★ AssetNote wordlists — best-of-breed; updated regularly; per-tech (jsp, asp, k8s, swagger).
- OneListForAll (six2dez) — combined wordlist for one-shot fuzzing.
- kiterunner kbrute lists — API-shape wordlists.
- Trickest's wordlists repo.
Vhost / subdomain fuzzing
- ffuf -H "Host: FUZZ.target.tld" with
-fs <size>filter — vhost discovery. - gobuster vhost — same niche.
- VirtualHostScanner — older.
- For passive subdomain enum see Subdomain & Asset Discovery.
Recursive workflows / CI
- ★ feroxbuster built-in recursion + filter sizes / words / regex.
- ffuf -recursion -recursion-depth 2 — same.
- ffufpostprocessing — clean ffuf JSON for reporting.
API-shaped fuzzing
- kiterunner — see above.
- APIsec / Akto — see API security in Security Scanning.
- Schemathesis — property-based OpenAPI test; see OpenAPI Tooling.
- postman + Newman — replay collection mutations.
Filter strategies (the difference between noise and signal)
- ★ Filter by size (
-fs), status (-fc), lines (-fl), words (-fw), regex (-fr). - Auto-calibration (
-acin ffuf) — learns the 404-shape and excludes it automatically. - Use multiple wordlists in cluster bomb (
-w list1:FUZZ -w list2:FUZ2Z) for path × extension fuzzing.
Pick this if…
- Default modern web fuzzer: ffuf.
- Recursive content discovery, ergonomic: feroxbuster.
- Old habit / muscle memory: Gobuster.
- Python ecosystem / scripting integration: dirsearch.
- REST API discovery: kiterunner + AssetNote lists.
- Best wordlists: SecLists + AssetNote.
- JS deep mining: JSluice + xnLinkFinder.