feroxbuster
Discover hidden web directories and files
TLDR
Discover specific directories and files that match in the wordlist with extensions and 100 threads and a random user-agent
Enumerate directories without recursion through a specific proxy
Find links in webpages
Filter by a specific status code and a number of chars
SYNOPSIS
feroxbuster [OPTIONS] -u <URL> [-w <WORDLIST> ...]
feroxbuster -u <URL> --stdin
PARAMETERS
-u, --url
The target URL to scan. Multiple URLs can be specified or read from a file by prepending the argument with `@` (e.g., `@urls.txt`).
-w, --wordlist
Path to a wordlist file to use for brute-forcing. Multiple wordlists can be provided.
-x, --extensions
Comma-separated list of extensions to append to each word (e.g., html,php,bak). Wildcard `*` can be used to load extensions from a built-in list.
-s, --status-codes
Comma-separated list of HTTP status codes to include in results (e.g., 200,301,403). Default: 200,204,301,302,307,308.
-C, --dont-filter
Comma-separated list of HTTP status codes to not filter. Overrides default filtering and other filtering options.
--filter-size
Comma-separated list of response sizes (in bytes) to filter out from results.
--filter-wordcount
Comma-separated list of response word counts to filter out.
--filter-linecount
Comma-separated list of response line counts to filter out.
-k, --no-recursion
Disables recursive scanning; only scans the top-level directory provided by the URL.
-d, --depth
Maximum recursion depth for directories. Default is 4.
-t, --threads
Number of concurrent threads to use for scanning. Default is 50.
-H, --headers
Add a custom HTTP header to requests (e.g., "Authorization: Bearer token"). Can be used multiple times.
-A, --user-agent
Set a custom User-Agent string for requests. Default is `feroxbuster/version`.
--insecure
Disables SSL certificate verification, allowing connections to servers with invalid or self-signed certificates.
--extract-links
Extracts links from HTML responses and adds them to the scan queue for further discovery.
--data
HTTP method and POST data (e.g., "POST /path/to/data.json"). This will send a POST request with the specified data.
--config
Path to a TOML configuration file for predefined settings, overriding command-line arguments if conflicts exist.
DESCRIPTION
Feroxbuster is an open-source, fast, and powerful web content discovery tool written in Rust. It is designed for penetration testers and bug bounty hunters to efficiently find hidden directories, files, and other assets on web servers by brute-forcing.
Key features include:
- Recursive directory discovery: Automatically follows redirects and explores deeper into the web application structure.
- Intelligent filtering: Filters out unwanted responses (e.g., 404s, specific content lengths) to reduce noise and focus on relevant findings.
- Dynamic runtime configuration: Allows modifications to scan parameters while a scan is in progress.
- Concurrency: Highly multi-threaded for speed and efficiency.
- Payloads: Supports multiple wordlists, extensions, and custom HTTP headers.
- WAF Bypass: Includes options to evade Web Application Firewalls.
- Data extraction: Can extract links from HTML responses for further analysis and queueing.
CAVEATS
Ethical Considerations: Always ensure you have explicit permission before scanning any target. Unauthorized scanning can be illegal and may lead to legal repercussions.
Resource Usage: High thread counts can consume significant network bandwidth and target server resources, potentially leading to denial of service or network congestion. Use responsibly.
False Positives/Negatives: While `feroxbuster` employs intelligent filtering, it might occasionally miss valid paths or report non-existent ones. Fine-tuning filters and using dynamic filtering can improve accuracy.
WAFs/IPS: Aggressive scanning patterns can trigger Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS), potentially leading to IP blocking, CAPTCHAs, or other defensive measures.
CONFIGURATION FILES
Feroxbuster supports configuration files (default: ferox-buster.toml in the current directory or ~/.config/feroxbuster/ferox-buster.toml). These TOML-formatted files allow users to define default settings, wordlists, status codes, and other options, significantly simplifying complex or repetitive scans by centralizing configurations.
OUTPUT FORMATTING
Feroxbuster provides various output options to suit different needs. The --json flag outputs results in a structured JSON format, enabling easy integration with other tools or scripts for automated analysis. Additionally, a quiet mode (-q) is available for minimal output, focusing only on the discovered resources without verbose logging, ideal for scripting.
DYNAMIC FILTERING
Beyond static size, word, or line count filtering, `feroxbuster` can perform dynamic filtering. This advanced feature automatically calculates a statistical baseline of typical error or non-existent page responses and then filters out entries that match this baseline, effectively reducing noise and highlighting truly unique findings.
HISTORY
Feroxbuster was created by Mark Baggett (@epi052) and first released in 2019. It emerged from a desire for a faster and more flexible web content discovery tool that could leverage modern programming paradigms. Developed in Rust, it aimed to improve upon the performance and concurrency capabilities of existing tools. Since its inception, `feroxbuster` has rapidly gained popularity within the cybersecurity community due to its speed, robust recursive scanning abilities, and continuous development, establishing itself as a go-to tool for reconnaissance during penetration tests and bug bounty hunting.