loading
loading
Discovery
A URL fuzzing tool that finds critical backup files by building a dynamic wordlist from the domain.
overview
fuzzuli hunts for exposed backup files, the ones developers leave behind when they zip up a site or dump a database before a change. Instead of running a static wordlist, it reads the target domain and generates candidate filenames from it on the fly, applying transforms like reversing the name, dropping vowels, dropping dots, and shuffling characters. A site at example.com gets probed for example.zip, elpmaxe.tar.gz, exmpl.sql, and dozens of other domain-derived variants that a generic list would never contain.
The matching side is built for signal. fuzzuli sends HEAD requests by default to stay light, then keeps only responses that match the status code, content type, and minimum content length you set, so a real archive stands out from a 200-everything wildcard. Methods, prefixes, suffixes, file extensions, and the worker count are all tunable, and a just-wordlist mode lets you generate the candidate names without firing a single request.
On Trickest, fuzzuli is a Discovery node that takes a file of hosts and writes a file and a folder of results. Run it after subdomain enumeration and HTTP probing so it targets live hosts, then chain its findings into a downloader or a reporting stage. Because the wordlist is derived per domain, it scales across a large host list without you hand-curating names for each one.
source github.com/musana/fuzzuli
use cases
Point fuzzuli at a host list and let it derive domain-specific filenames, then probe for .zip, .tar.gz, .sql, and .backup files that hold source code or database dumps a generic wordlist would miss.
Run fuzzuli after subdomain enumeration and httpx so it tests only live hosts, generating a fresh candidate list for each domain instead of reusing one static list across the whole estate.
Filter responses by status code, content type, and a minimum content length so a genuine multi-megabyte archive surfaces while wildcard 200s and tiny error pages drop out of the results.
Use just-wordlist mode to produce the domain-derived candidate names alone, then feed them into another fuzzer or review them before any request reaches the target.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-file | FILE | -f | Input file containing the list of hosts or domains to fuzz. |
| method | STRING | -mt | Wordlist generation method: regular, withoutdots, withoutvowels, reverse, mixed, withoutdv, shuffle, or all. |
| file-extensions | STRING | -ex | Extensions to test (default rar, zip, tar.gz, tar, gz, jar, 7z, bz2, sql, backup, war). |
| status-code | STRING | -sc | Match responses with the specified status code (default 200). |
| content-length | STRING | -cl | Match responses with at least this content length, e.g. >100 (default 100). |
| http-method | STRING | -hm | HTTP method used to probe each candidate (default HEAD). |
| worker-count | STRING | -w | Number of concurrent workers (default 16). |
| just-wordlist | BOOLEAN | -jw | Generate the wordlist only, without sending any HTTP requests. |
Showing key inputs. fuzzuli exposes 21 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| paths | STRING | -pt | Paths to fuzz, comma-separated for multiple, e.g. /,/db/,/old/ (default "/"). |
| method | STRING | -mt | Wordlist generation method: regular, withoutdots, withoutvowels, reverse, mixed, withoutdv, shuffle, or all. |
| prefix | STRING | -pf | Prefix to add to generated URLs. |
| remove | STRING | -rm | Remove the specified character from candidate names. |
| silent | BOOLEAN | -sl | Silent mode; print results only. |
| suffix | STRING | -sf | Suffix to add to generated URLs. |
| exclude | STRING | -es | Exclude domains containing the given string or char; supports the OR operand, e.g. google|bing|yahoo (default "#"). |
| replace | STRING | -rp | Replace the specified character in candidate names. |
| timeout | STRING | -to | Request timeout in seconds (default 10). |
| http-proxy | STRING | -px | HTTP proxy to route requests through. |
| input-file | FILE | -f | Input file containing a list of hosts or domains to fuzz. |
| print-urls | BOOLEAN | -p | Print every URL a request is sent to. |
| user-agent | STRING | -ua | User-Agent header to send (default a Firefox 100 string). |
| http-method | STRING | -hm | HTTP method used to probe each candidate (default HEAD). |
| status-code | STRING | -sc | Match responses with the specified status code (default 200). |
| content-type | STRING | -ct | Match responses with the specified content type. |
| worker-count | STRING | -w | Number of concurrent workers (default 16). |
| domain-length | STRING | -dl | Match domains up to the specified length (default 40). |
| just-wordlist | BOOLEAN | -jw | Generate the wordlist only, without sending any HTTP requests. |
| content-length | STRING | -cl | Match responses with at least this content length, e.g. >100 (default 100). |
| file-extensions | STRING | -ex | Extensions to test (default rar, zip, tar.gz, tar, gz, jar, 7z, bz2, sql, backup, war). |
example
# derive per-host backup names and probe with strict matchingfuzzuli -f hosts.txt -mt all -ex zip,tar.gz,sql -sc 200 -cl >1000 -w 24https://example.com/example.zip 200 5242880https://example.com/elpmaxe.tar.gz 200 1048576https://shop.example.com/pohs.sql 200 262144https://api.example.com/ipa.backup 200 786432https://dev.example.com/ved.rar 200 3145728https://staging.example.com/gnigats.war 200 4194304guidance
Reach for fuzzuli when you specifically want exposed backup and archive files, and want the wordlist derived from each domain rather than reused. For general directory and file brute forcing with a fixed wordlist, use ffuf or feroxbuster. For known sensitive paths, use a content-discovery scan instead.
General-purpose web fuzzer with a fixed wordlist and rich matchers. fuzzuli instead derives backup-file names per domain.
Recursive content discovery in Rust. Broader path brute forcing, not backup-name generation.
Directory and file brute forcer. Useful for general content discovery, no domain-derived wordlist.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A domain list is probed by httpx for live hosts, then fuzzuli derives backup-file names per host and writes the matching archives as a queryable output.
Facts on this page come from the live Trickest tool library.