loading
loading
Discovery
A fast, simple, recursive content discovery tool written in Rust.
overview
feroxbuster brute-forces a web server's directories and files from a wordlist and recurses into everything it finds, so one run maps a content tree rather than a single level. Written in Rust, it is fast by default, and its recursion means a discovered directory automatically becomes the next thing it scans, down to a depth you control.
Its smart modes are what set it apart. A single --smart flag turns on link extraction, auto-tuning, word collection, and backup detection, and --thorough goes further into directory listings and extension collection. Auto-tune lowers the rate when errors spike, auto-bail stops a run that is clearly failing, and rich response filtering by status, size, lines, words, or regex keeps the output clean.
Run it after probing confirms a host is live, and emit JSON so the discovered paths become a structured set the next stage can probe or test.
use cases
Brute-force from a wordlist and let recursion walk into every directory it finds, so one run surfaces the whole reachable structure, not only the top level.
Turn on --smart to extract links, auto-tune the rate, collect words, and find backups in one flag, widening coverage without hand-tuning options.
Use auto-tune and auto-bail so the scan lowers its rate or stops when a target starts erroring, instead of hammering a struggling server.
Filter out responses by status, size, line, word count, or regex so the output holds real hits rather than uniform soft-404 pages.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url-list | FILE | · | List of target URLs to scan. |
| wordlist | FILE | --wordlist | Wordlist of paths and files to brute-force. |
| extensions | STRING | --extensions | File extension(s) to search for (ex: php pdf js). |
| depth | STRING | --depth | Maximum recursion depth; 0 is infinite (default 4). |
| smart | BOOLEAN | --smart | Enable extract-links, auto-tune, collect-words, and collect-backups. |
| threads | STRING | --threads | Number of concurrent threads (default 50). |
| status-codes | STRING | --status-codes | Status codes to include (default 200 204 301 302 307 308 401 403 405). |
| json | BOOLEAN | --json | Emit JSON logs instead of normal text. |
Showing key inputs. feroxbuster exposes 56 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| data | FILE | --data | Request's Body - The file name starts with an `@` (ex: @post.bin) |
| json | BOOLEAN | --json | Emit JSON logs to output instead of normal text |
| depth | STRING | --depth | Maximum recursion depth, a depth of 0 is infinite recursion (default: 4) |
| proxy | STRING | --proxy | Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port) |
| query | STRING | --query | Request's URL query parameters (ex: token=stuff) |
| quiet | BOOLEAN | --quiet | Hide progress bars and banner |
| smart | BOOLEAN | --smart | Set --extract-links, --auto-tune, --collect-words, and --collect-backups to true |
| silent | BOOLEAN | --silent | Only print URLs |
| cookies | STRING | --cookies | Specify HTTP cookies to be used in each request (ex: stuff=things) |
| headers | STRING | --headers | Specify HTTP headers to be used in each request (ex: Header:val) |
| methods | STRING | --methods | Which HTTP request method(s) should be sent (default: GET) |
| threads | STRING | --threads | Number of concurrent threads (default: 50) |
| timeout | STRING | --timeout | Number of seconds before a client's request times out (default: 7) |
| insecure | BOOLEAN | --insecure | Disables TLS certificate validation in the client |
| no-state | BOOLEAN | --no-state | Disable state output file (*.state) |
| parallel | STRING | --parallel | Run parallel feroxbuster instances |
| protocol | STRING | --protocol | Specify the protocol to use when targeting via --request-file or --url with domain only (default: https) |
| thorough | BOOLEAN | --thorough | Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true |
| url-list | FILE | · | List of target URLs |
| wordlist | FILE | --wordlist | Wordlist |
| add-slash | BOOLEAN | --add-slash | Append / to each request's URL |
| auto-bail | BOOLEAN | --auto-bail | Automatically stop scanning when an excessive amount of errors are encountered |
| auto-tune | BOOLEAN | --auto-tune | Automatically lower scan rate when an excessive amount of errors are encountered |
| dont-scan | STRING | --dont-scan | URL(s) or Regex Pattern(s) to exclude from recursion/scans |
| redirects | BOOLEAN | --redirects | Allow client to follow redirects |
| verbosity | STRING | · | Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 v's is probably too much) |
| client-key | FILE | --client-key | Add a PEM encoded private key for mutual authentication (mTLS) |
| extensions | STRING | --extensions | File extension(s) to search for (ex: php pdf js) |
| limit-bars | STRING | --limit-bars | Number of directory scan bars to show at any given time (default: no limit) |
| rate-limit | BOOLEAN | --rate-limit | Limit number of requests per second (per directory) (default: 0, i.e. no limit) |
| scan-limit | STRING | --scan-limit | Limit total number of concurrent scans (default: 0, i.e. no limit) |
| time-limit | STRING | --time-limit | Limit total run time of all scans (ex: --time-limit 10m) |
| user-agent | STRING | --user-agent | Sets the User-Agent (default: feroxbuster/2.7.1) |
| client-cert | FILE | --client-cert | Add a PEM encoded certificate for mutual authentication (mTLS) |
| dont-filter | BOOLEAN | --dont-filter | Don't auto-filter wildcard responses |
| filter-size | STRING | --filter-size | Filter out messages of a particular size (ex: 4927,1970) |
| resume-from | FILE | --resume-from | State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state) |
| dont-collect | STRING | --dont-collect | File extension(s) to Ignore while collecting extensions (only used with `collect-extensions`) |
| filter-lines | STRING | --filter-lines | Filter out messages of a particular line count (ex: 31,30) |
| filter-regex | STRING | --filter-regex | Filter out messages via regular expression matching on the response's body/headers (ex: -X '^ignore me$') |
| filter-words | STRING | --filter-words | Filter out messages of a particular word count (ex: 91,82) |
| no-recursion | BOOLEAN | --no-recursion | Do not scan recursively |
| random-agent | BOOLEAN | --random-agent | Use a random User-Agent |
| replay-codes | STRING | --replay-codes | Status Codes to send through a Replay Proxy when found (default: --status-codes value) |
| replay-proxy | STRING | --replay-proxy | Send only unfiltered requests through a Replay Proxy, instead of all requests |
| request-file | FILE | --request-file | Raw HTTP request file to use as a template for all requests |
| server-certs | FILE | --server-certs | Add custom root certificate(s) for servers with unknown certificates |
| status-codes | STRING | --status-codes | Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405) |
| collect-words | BOOLEAN | --collect-words | Automatically discover important words from within responses and add them to the wordlist |
| filter-status | STRING | --filter-status | Filter out status codes (deny list) (ex: 401) |
| collect-backups | STRING | --collect-backups | Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1) |
| force-recursion | BOOLEAN | --force-recursion | Force recursion attempts on all 'found' endpoints (still respects recursion depth) |
| filter-similar-to | STRING | --filter-similar-to | Filter out pages that are similar to the given page (ex: http://site.xyz/soft404) |
| scan-dir-listings | BOOLEAN | --scan-dir-listings | Force scans to recurse into directory listings (default: false) |
| collect-extensions | BOOLEAN | --collect-extensions | Automatically discover extensions and add them to --extensions (unless they're in `dont-collect`) |
| dont-extract-links | BOOLEAN | --dont-extract-links | Don't extract links from response body (html, javascript, etc... |
example
# feroxbuster against example.com (url-list input on Trickest)feroxbuster --wordlist raft-small-directories.txt --smart --depth 3 --threads 50 --json200 GET 48l 210w 4820c https://example.com/admin/301 GET 7l 32w 178c https://example.com/login -> /login/200 GET 120l 890w 22140c https://example.com/api/403 GET 10l 40w 564c https://example.com/backup/200 GET 33l 150w 3102c https://example.com/static/200 GET 15l 60w 1240c https://staging.example.com/config/# feroxbuster found 6 paths under example.comguidance
Use feroxbuster for fast, recursive directory and file discovery on a host you know is live. It excels at walking a content tree with smart defaults. For parameter or vhost fuzzing reach for ffuf, and for crawling links use katana.
General FUZZ engine for paths, parameters, and vhosts. feroxbuster is more opinionated and recurses by default.
Simple, fast directory brute-forcing. feroxbuster adds recursion, auto-tuning, and richer filtering.
Python content scanner with built-in wordlists. feroxbuster is the faster Rust alternative for the same step.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A target and a wordlist feed feroxbuster, which recursively brute-forces paths and writes the discovered content as a queryable output.
Facts on this page come from the live Trickest tool library.