Web path scanner.


Scan a web server for common paths with common extensions
$ dirsearch --url [url] --extensions-list

Scan a list of web servers for common paths with the .php extension
$ dirsearch --url-list [path/to/url-list.txt] --extensions [php]

Scan a web server for user-defined paths with common extensions
$ dirsearch --url [url] --extensions-list --wordlist [path/to/url-paths.txt]

Scan a web server using a cookie
$ dirsearch --url [url] --extensions [php] --cookie [cookie]

Scan a web server using the HEAD HTTP method
$ dirsearch --url [url] --extensions [php] --http-method [HEAD]

Scan a web server, saving the results to a .json file
$ dirsearch --url [url] --extensions [php] --json-report [path/to/report.json]

SYNOPSIS [-u|--url] target [-e|--extensions] extensions [options]



show program's version number and exit

-h, --help

show this help message and exit


-u URL, --url=URL

Target URL

-l FILE, --url-list=FILE

Target URL list file


Target URL list from STDIN


Target CIDR


Load raw HTTP request from file (use `--scheme` flag to set the scheme)


Extension list separated by commas (Example: php,asp)

-X EXTENSIONS, --exclude-extensions=EXTENSIONS

Exclude extension list separated by commas (Example: asp,jsp)

-f, --force-extensions

Add extensions to every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions

Dictionary Settings:

-w WORDLIST, --wordlists=WORDLIST

Customize wordlists (separated by commas)


Add custom prefixes to all wordlist entries (separated by commas)


Add custom suffixes to all wordlist entries, ignore directories (separated by commas)


Remove paths that have different extensions from those selected via `-e` (keep entries that don't have extensions)


Remove extensions in all paths (Example: admin.php -> admin)

-U, --uppercase

Uppercase wordlist

-L, --lowercase

Lowercase wordlist

-C, --capital

Capital wordlist

General Settings:

-t THREADS, --threads=THREADS

Number of threads

-r, --recursive

Brute-force recursively


Perform recursive scan on every directory depth (Example: api/users -> api/)


Do recursive brute-force for every found path, not only paths that end with a slash

-R DEPTH, --recursion-depth=DEPTH

Maximum recursion depth


Valid status codes to perform recursive scan, support ranges (separated by commas)


Scan sub-directories of the given URL[s] (separated by commas)


Exclude the following subdirectories during recursive scan (separated by commas)

-i CODES, --include-status=CODES

Include status codes, separated by commas, support ranges (Example: 200,300-399)

-x CODES, --exclude-status=CODES

Exclude status codes, separated by commas, support ranges (Example: 301,500-599)


Exclude responses by sizes, separated by commas (Example: 123B,4KB)


Exclude responses by texts, separated by commas (Example: 'Not found', 'Error')


Exclude responses by regexps, separated by commas (Example: 'Not foun[a-z]{1}', '^Error$')


Exclude responses by redirect regexps or texts, separated by commas (Example: '*')


Exclude responses by response of this page (path as input)


Skip the target whenever one of these status codes is hit, separated by commas, supports ranges


Minimal response length


Maximal response length


Maximal runtime for the scan

-q, --quiet-mode

Quiet mode


Full URLs in the output (enabled automatically in quiet mode)


No colored output

Request Settings:

-m METHOD, --http-method=METHOD

HTTP method (default: GET)

-d DATA, --data=DATA

HTTP request data


HTTP request header, support multiple flags (Example: -H 'Referer:')


File containing HTTP request headers

-F, --follow-redirects

Follow HTTP redirects


Choose a random User-Agent for each request


Authentication type (basic, digest, bearer, ntlm)


Authentication credential (user:password or bearer token)



Connection Settings:


Connection timeout

-s DELAY, --delay=DELAY

Delay between requests


Proxy URL, support HTTP and SOCKS proxies (Example: localhost:8080, socks5://localhost:8088)


File containing proxy servers


Proxy to replay with found paths


Default scheme (for raw request or if there is no scheme in the URL)


Max requests per second


Number of retries for failed requests

-b, --request-by-hostname

By default dirsearch requests by IP for speed. This will force dirsearch to request by hostname


Server IP address


Exit whenever an error occurs


-o FILE, --output=FILE

Output file


Report format (Available: simple, plain, json, xml, md, csv, html)

You can change the dirsearch default configurations (default extensions, timeout, wordlist location, ...) by editing the "/etc/dirsearch/default.conf" file. More information at


The full documentation for dirsearch is maintained as a Texinfo manual. If the info and dirsearch programs are properly installed at your site, the command info dirsearch should give you access to the complete manual.
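
Seen from the server side, the scans described on this page appear as one client requesting many different nonexistent paths in a short time. The following Python sketch is an added example (not part of dirsearch or its documentation) that flags that pattern in an access log; the combined log format, the constructed sample lines, the window and the threshold are all assumptions, and it keys on client IP only, because the HTTP method and User-Agent can be changed with the request options listed above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format, documentation IP ranges); not real traffic.
_PATHS = ["admin.php", "backup.php", "config.php", "login.php", "test.php", "old.php"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{i:02d} +0000] "HEAD /{p} HTTP/1.1" 404 0 "-" "agent-{i}"'
    for i, p in enumerate(_PATHS)  # one client, six different misses, a new User-Agent each time
] + [
    '198.51.100.20 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.44 - - [10/Mar/2024:10:00:{i} +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"'
    for i in range(10, 18)  # a broken link: many 404s, but always the same path
]

# The pattern accepts any method and never reads the User-Agent, so neither affects the count.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def find_path_scanners(lines, window=timedelta(seconds=60), min_misses=5):
    """Return {ip: peak distinct 404 paths in one window} for clients reaching min_misses."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({path for _, path in events[start:end + 1]}))
        if best >= min_misses:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_path_scanners(SAMPLE_LOG))
```

Counting distinct paths keeps the repeated broken-link client out of the result. A scan slowed with the delay option spreads its misses over time, so the window has to be sized for the slowest rate you want to catch.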
