Directory Fuzzer

The Directory Fuzzer guesses paths on a web server to surface pages, backups, and admin panels that nothing links to. It uses ffuf or gobuster when present, and falls back to a built-in concurrent Python fuzzer when they are not.

Category: Web & API
Powered by: ffuf / gobuster + pure-Python fallback
Edition: Pro
Where: Desktop → Directory Fuzzer tab

What it does

Plenty of risk hides in paths that are never linked: /admin, /.git, backup.zip, old API versions. The fuzzer requests many candidate paths from a wordlist and reports which ones exist (by status code and size), so you find them before an attacker does.

How to use it

1. Enter a base URL: provide the target, e.g. https://example.com.
2. Pick a wordlist: use a built-in list or one from the Wordlist Manager.
3. Tune & run: set concurrency and which status codes to keep, then click Fuzz. Hits stream in live.

Options

  • Wordlist — the candidate paths to try.
  • Concurrency — parallel requests (the Python fallback uses a thread pool).
  • Status filter — which response codes count as a hit (e.g. 200, 301, 403).
  • Extensions — append file types like .php, .bak, .zip.
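The following is an added example, not the product's own fallback code, showing how the options above map onto a small concurrent fuzzer: a wordlist expanded with extensions, a bounded thread pool for concurrency, and a status-code allowlist that keeps 403 and 301 as hits rather than only 200. It uses only the Python standard library. Redirects are deliberately not followed, because a 301 on /admin is itself the evidence that the path exists. The loopback demo site it probes is constructed here so the example runs offline against something you own; the route table, header names and output format are assumptions of this example.

```python
# Added example: a small concurrent directory fuzzer in the spirit of the
# pure-Python fallback described above. It is not the product's own code and
# uses only the standard library; the demo server below is constructed so the
# example runs offline against a site you own.
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a 301 on /admin is itself the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes the opener raise HTTPError(code) instead of following


_OPENER = urllib.request.build_opener(_NoRedirect)


def expand_wordlist(words, extensions=()):
    """Yield each candidate path, then the path with each extension appended."""
    for word in words:
        yield word
        for ext in extensions:
            yield word + ext


def probe(base_url, path, timeout=5.0):
    """Request one path; return (path, status, size) or None on network failure."""
    url = urljoin(base_url.rstrip("/") + "/", path.lstrip("/"))
    req = urllib.request.Request(url, headers={"User-Agent": "dirfuzz-example"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return (path, resp.status, len(resp.read()))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a status
        return (path, err.code, len(err.read()))
    except (urllib.error.URLError, OSError):
        return None


def fuzz(base_url, words, keep_status=(200, 301, 403), extensions=(), concurrency=8):
    """Probe every candidate with a bounded thread pool; keep only wanted statuses."""
    candidates = list(expand_wordlist(words, extensions))
    hits = []
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        for result in pool.map(lambda p: probe(base_url, p), candidates):
            if result is not None and result[1] in keep_status:
                hits.append(result)
    return sorted(hits)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed sample site with a few unlinked paths of the kind the page warns about."""

    ROUTES = {
        "/admin": (301, b""),                        # directory redirect
        "/admin/": (200, b"<h1>admin panel</h1>"),
        "/.git/": (403, b"Forbidden"),               # forbidden, but it exists
        "/backup.zip": (200, b"PK\x03\x04" + b"\x00" * 60),
    }

    def do_GET(self):
        status, body = self.ROUTES.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Start the sample site on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    srv, base = start_demo_server()
    try:
        for path, status, size in fuzz(base, ["admin", ".git/", "backup", "robots.txt"],
                                       extensions=(".zip", ".bak"), concurrency=4):
            print(f"{status} {size:>6}  /{path}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Run as a script it prints three hits: the 403 on /.git/, the 301 on /admin and the 200 on /backup.zip, while /robots.txt and the other extension variants are dropped as 404. The `concurrency` argument is the knob the Tips refer to; lowering it is how you stay under a target's rate limits with a pool-based design like this.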

What you get

A list of discovered paths with status code and response size. Exposed .git, source maps, or backups found here line up with the Fleet's web-audit detections.

Tips

  • Watch for 403 as well as 200 — a forbidden path still proves something exists.
  • Keep concurrency reasonable so you do not overwhelm the target or trip rate limits.
  • No ffuf/gobuster yet? The built-in fuzzer runs immediately so you are never blocked.

Authorized use only. Only fuzz sites you own or are permitted to assess. Inputs are sanitized and subprocesses run without shell=True.