loading
Loading content
loading
Also known as dirbusting
Directory brute-forcing sends a stream of requests to a web server, each one guessing a path such as /admin, /backup.zip, or /.git/config, and watches the response codes to learn which exist. The guesses come from a wordlist of common directory and file names, often layered with extensions the target's stack would use. Anything that returns 200, 403, or a redirect instead of 404 becomes a lead.
The technique finds what crawling misses. A web crawler follows links the application exposes, so it only sees what the site advertises. Brute-forcing reaches the unadvertised surface: forgotten admin panels, exposed backups, configuration files, and staging directories that nobody linked but never removed. Those are frequently where the interesting findings live.
Tuning separates signal from noise. You account for soft 404s, rate limits, and wildcard responses, and you size the wordlist to the target rather than blasting a million entries at a fragile app.
Directory brute-forcing is one technique inside the wider goal of content discovery, and it shares mechanics with parameter and value fuzzing. In a Trickest workflow, discovered paths feed straight into screenshotting, vulnerability checks, and the next round of analysis without manual handoff.
Related terms