loading
loading
Discovery
Fetch known URLs from AlienVault OTX, the Wayback Machine, and Common Crawl for any domain.
overview
gau, short for getallurls, builds a URL list for a domain without ever touching the target. Instead of crawling, it queries public archives that already recorded the site over the years: AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and urlscan. The result is a wide set of historical and current paths, parameters, and endpoints that an active crawler would never reach in a single pass.
Because the collection is passive, gau is safe to run early and at scale. It generates no traffic to the target, so you can seed recon against a sensitive scope, recover endpoints that were removed from the live site but still sit in archives, and surface parameterized URLs that make good fuzzing and injection candidates. Date windows, provider selection, and MIME or status-code filters keep the output focused.
On Trickest, gau is a Discovery node that takes a domain or a file of domains and writes a file and a folder of URLs. Chain it before httpx to find which archived URLs are still live, or feed its parameterized endpoints straight into a fuzzer or a scanner. It pairs naturally with an active crawler such as Katana, covering the archive history that live crawling misses.
source github.com/lc/gau
use cases
Pull every archived URL for a domain from Wayback, Common Crawl, OTX, and urlscan without sending a single request to the host, so reconnaissance starts wide and silent.
Surface old paths, deprecated APIs, and forgotten parameters that no longer appear on the running application but still live in public archives.
Collect parameterized URLs across subdomains, then collapse duplicates with parameter filtering so a fuzzer or injection scanner works from a clean, deduplicated set.
Run gau alongside an active crawler such as Katana, then probe the merged URLs with httpx so the workflow covers both archive history and the current attack surface.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | · | Target domain to fetch known URLs for. |
| targets | FILE | · | File listing multiple target domains to process. |
| subs | BOOLEAN | --subs | Include subdomains of the target domain in results. |
| urls-providers | STRING | --providers | Providers to query (wayback, commoncrawl, otx, urlscan). |
| json | BOOLEAN | --json | Output results as JSON records instead of plain URLs. |
| from | STRING | --from | Fetch URLs from this date onward (format YYYYMM). |
| blacklist | STRING | --blacklist | File extensions to skip, for example png, jpg, css. |
| filter-parameters | BOOLEAN | --fp | Remove different parameters of the same endpoint. |
Showing key inputs. gau exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | · | target domain |
| targets | FILE | · | list of targets |
| subs | BOOLEAN | --subs | include subdomains of target domain |
| urls-providers | STRING | --providers | list of providers to use (wayback,commoncrawl,otx,urlscan) |
| from | STRING | --from | fetch urls from date (format: YYYYMM) |
| to | STRING | --to | fetch urls to date (format: YYYYMM) |
| json | BOOLEAN | --json | output as json |
| blacklist | STRING | --blacklist | list of extensions to skip |
| mime-types | STRING | --mt | list of mime-types to match |
| filter-mime-types | STRING | --ft | list of mime-types to filter |
| status-codes | STRING | --mc | list of status codes to match |
| filter-status-codes | STRING | --fc | list of status codes to filter |
| filter-parameters | BOOLEAN | --fp | remove different parameters of the same endpoint |
| proxy | STRING | --p | http proxy to use |
| threads | STRING | --threads | number of workers to spawn (default 1) |
| retries | STRING | --retries | retries for the HTTP client |
| timeout | STRING | --timeout | timeout (in seconds) for HTTP client (default 45) |
| verbose | BOOLEAN | --verbose | show verbose output |
example
# archived URLs for a domain and its subdomains, static assets droppedgau example.com --subs --providers wayback,commoncrawl --blacklist png,jpg,gif,css --fphttps://example.com/https://example.com/index.php?id=42https://example.com/loginhttps://api.example.com/v1/users?page=2https://example.com/wp-content/uploads/2019/report.pdfhttps://example.com/old/checkout.aspx?cart=3https://dev.example.com/debug?verbose=truehttps://example.com/search?q=test&lang=enhttps://example.com/.git/configguidance
Reach for gau when you want a wide URL list without sending traffic to the target, or when archive history matters. It is passive only, so it never confirms a URL is still live. For an active crawl that follows links and parses JavaScript, use Katana. For probing which archived URLs respond, pass gau's output to httpx.
A maintained gau fork with the same archive providers and a few extra options. Drop-in for the same passive URL discovery.
Active crawler that follows links and parses JavaScript. Covers the current site, not archive history; complements gau.
HTTP prober, not a discovery tool. Run it after gau to find which archived URLs are still live.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A domain feeds gau, which pulls known URLs from public archives and passes them to httpx for live probing before they land as a queryable output.
Facts on this page come from the live Trickest tool library.