Directory and file fuzzing discovers hidden paths, backups, admin panels, upload directories, debug routes, static files, and server-specific endpoints. We use it early because most web vulnerabilities require a real route before we can test the vulnerability class.
Start with a nonsense baseline:
curl -i http://127.0.0.1:5000/ootw-this-should-not-exist
Record the fake response. If missing paths return 200 OK, filter by size, words, lines, or body pattern instead of status alone.
Basic ffuf path fuzzing:
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt
Filter a fake response by size:
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-fs 1234
Match common useful status codes:
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-mc 200,204,301,302,307,401,403
Extension fuzzing:
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .php,.txt,.bak,.old,.zip,.json,.conf
Recursive fuzzing:
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt \
-recursion -recursion-depth 2 \
-e .php,.txt,.bak,.json
gobuster directory mode:
gobuster dir -u http://127.0.0.1:5000/ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-s 200,204,301,302,307,401,403
gobuster with extensions:
gobuster dir -u http://127.0.0.1:5000/ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-x php,txt,bak,old,zip,json,conf \
-s 200,204,301,302,307,401,403
feroxbuster recursive discovery:
feroxbuster -u http://127.0.0.1:5000/ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-x php,txt,bak,old,zip,json \
-k
Virtual host fuzzing with ffuf:
ffuf -u http://10.10.10.10/ \
-H "Host: FUZZ.example.local" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-fs 116
Virtual host fuzzing with gobuster:
gobuster vhost -u http://example.local \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
--append-domain
Interesting directory findings:
/admin
/debug
/api
/uploads
/backup
/backups
/old
/dev
/staging
/.git
/.env
/server-status
/actuator
/swagger
/openapi.json
Verification:
curl -i http://127.0.0.1:5000/admin
curl -i http://127.0.0.1:5000/api
curl -i http://127.0.0.1:5000/openapi.json
Notes
Do not trust status code alone. A 403 can be more interesting than a 200 because it proves the path exists.
Run small lists first, then expand. Recursive fuzzing with large lists can bury the signal.