A URL fuzzer helps you discover parts of a web application that are not obvious from the home page: hidden folders, old backup files, admin paths, API routes, and interesting parameters. This guide explains how web application fuzzing works, when an online URL fuzzer is enough, and when command-line tools such as FFUF, Feroxbuster, Gobuster, Dirsearch, Wfuzz, and Burp Intruder are the better fit. See the tool comparison table to jump to any section.
I ran the install and example commands below on Ubuntu 25.04 against a local test web server so you can compare real terminal output on your machine. Use only targets you own or are authorized to test—see the virtual penetration testing lab if you need a safe practice environment.
Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic.
What is a URL fuzzer?
A URL fuzzer automates sending many candidate paths, filenames, parameters, or payloads to a web application and records how the server responds. The goal is discovery, not exploitation: you are looking for resources the application exposes but does not advertise.
Common findings include:
- hidden directories (
/admin/,/internal/) - backup or archive files (
.zip,.tar.gz,.bak,.old) - old or forgotten pages
- admin or debug paths
- API endpoints (
/api/v1/,/graphql) - query parameters worth testing later (
?file=,?redirect=) - virtual hosts (
dev.example.com,staging.example.com)
URL fuzzer vs web fuzzer vs directory brute forcing
| Term | Meaning | Example use |
|---|---|---|
| URL fuzzer | Tests many URL paths, files, or parameters | Find /admin, /backup.zip, /api/debug |
| Directory brute forcing | Tests directory and file names from a wordlist | Discover hidden web content |
| Web fuzzer | Broader term for fuzzing URLs, headers, forms, parameters, and requests | Test inputs across HTTP requests |
| Application fuzzing | Broader software testing method | Web apps, APIs, protocols, file formats |
In practice, people search for url fuzzer, web fuzzer, application fuzzing, and web application fuzzing to mean roughly the same workflow for HTTP targets. This article stays focused on URL and web request fuzzing—not protocol fuzzing or binary file-format fuzzing.
Online URL fuzzer vs command-line tools
| Option | Best for | Limitations |
|---|---|---|
| Online URL fuzzer | Quick checks, small scans, beginners, no local setup | Limited wordlists, scan limits, privacy concerns, authorization restrictions |
| Command-line fuzzer | Serious testing, custom wordlists, authenticated testing, CI, repeatable results | Requires setup, tuning, and responsible rate control |
| Proxy-based fuzzer | Manual testing of forms, headers, and authenticated requests | Slower, more interactive, often needs a GUI/proxy workflow |
If you are looking for a url fuzzer online free option, online tools are fine for a fast sanity check on a small scope. For authorized security testing, CLI tools are usually better because you can bring custom wordlists, set cookies and headers, throttle threads, save output, and rerun the same scan later.
Best URL fuzzing tools for web application testing
Jump to each tool's usage section:
| Tool | Best for | Strength |
|---|---|---|
| FFUF | Fast URL, directory, parameter, and vhost fuzzing | Speed and flexible filtering |
| Feroxbuster | Recursive content discovery | Fast forced browsing and auto-recursion |
| Gobuster | Directory, DNS, vhost, S3/GCS-style discovery | Simple and fast Go-based tool |
| Dirsearch | Web path discovery and recursive scanning | Good built-in workflow and reporting |
| Wfuzz | Flexible request fuzzing | Payloads in URL, headers, forms, parameters |
| Burp Intruder | Manual/proxy-based fuzzing | Best when you need to fuzz captured authenticated requests |
| Dirb | Basic directory discovery | Simple legacy option, but less flexible than newer tools |
How web application fuzzing works
A typical URL fuzzing workflow looks like this:
- Identify the target entry point (base URL, host, or captured request).
- Choose what to fuzz: path, file, extension, parameter, header, host, or request body.
- Choose a wordlist sized for the job.
- Send controlled requests with sensible thread counts.
- Filter noise (404 storms, soft 404s, redirects).
- Review interesting responses.
- Validate findings manually in a browser or proxy.
This article does not cover protocol fuzzing or file-format fuzzing. For related discovery techniques outside brute forcing, see find hidden endpoints.
What can a URL fuzzer find?
| Finding | Example pattern |
|---|---|
| Hidden directories | /admin/, /backup/, /old/ |
| Backup files | .zip, .tar.gz, .bak, .old |
| Config or debug files | .env, config.php, debug/ |
| API endpoints | /api/v1/, /graphql, /internal/ |
| Parameters | ?id=, ?file=, ?redirect= |
| Virtual hosts | dev.example.com, admin.example.com |
| Misconfigured cloud paths | public buckets or exposed static files |
A fuzz hit is a lead, not proof of a vulnerability. Confirm each result manually before reporting it.
Choosing the right wordlist
Wordlist choice affects scan time, noise, and results more than many beginners expect.
- Small wordlists — good for quick checks and smoke tests (
common.txt, top paths). - Medium wordlists — normal web scans when you have time and authorization.
- Technology-specific wordlists — PHP, Java, ASP.NET, WordPress, or API route lists from SecLists and similar projects.
- Extension lists — pair path fuzzing with
-e php,html,bak,zipor tool-specific extension flags. - Parameter wordlists — for
?FUZZ=or POST body parameter name discovery. - Custom wordlists — built from JavaScript files, sitemap entries, or routes you already know from find hidden endpoints.
- Bigger is not always better — huge wordlists increase time, WAF noise, and false positives.
Start small, review results, then widen the wordlist or add extensions.
How to reduce false positives
Many tutorials show commands but skip interpretation. These patterns cause the most wasted time:
| Problem | What it looks like | Fix |
|---|---|---|
| Soft 404 | Every path returns 200 | Filter by response size or words |
| Wildcard vhost | Every host resolves | Use baseline request and filter duplicates |
| Redirect noise | Many 301/302 results | Review Location header and filter common redirects |
| WAF/rate limit | 403/429 spikes | Slow down, reduce threads, confirm authorization |
| Dynamic pages | Different size every time | Compare content, not only status code |
Useful HTTP status codes to understand:
| Code | Often means |
|---|---|
| 200 | Content returned—verify it is real, not a soft 404 |
| 204 | Success with empty body |
| 301/302 | Redirect—follow manually and note the target |
| 401 | Authentication required—path may exist |
| 403 | Forbidden—path may exist but blocked |
| 404 | Not found—usually noise unless your target uses custom 404 sizes |
| 500 | Server error—may indicate a reachable but broken handler |
Install fuzzing tools on Ubuntu
You do not need Kali Linux for the tools in this guide. On Ubuntu 25.04 I installed the main CLI fuzzers from the universe repository:
sudo apt update
sudo apt install -y ffuf gobuster wfuzz dirbNear the end of install, version checks looked like this:
$ ffuf -V
ffuf version: 2.1.0-dev
$ gobuster version
3.6
$ wfuzz --version
3.1.0Dirsearch is not in the default Ubuntu repos I used. Clone it and install Python dependencies:
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
pip3 install -r requirements.txt
python3 dirsearch.py --versionFeroxbuster ships as a release binary. Download the build for your architecture from the Feroxbuster releases page, extract it, and place feroxbuster on your PATH. On my host, feroxbuster 2.13.1 ran after extracting the x86_64-linux zip.
For deeper Gobuster setup on Ubuntu, see How to Install GoBuster with Basic Usage on Ubuntu.
Local practice target (authorized only)
To test commands safely, I used a tiny local site on port 8765:
mkdir -p /tmp/fuzzlab/{admin,api,backup}
printf 'admin\napi\nbackup\nconfig\n' > /tmp/fuzz-wordlist.txt
cd /tmp/fuzzlab && python3 -m http.server 8765Replace http://127.0.0.1:8765/ in the examples with your authorized target URL. Walkthroughs below cover FFUF, Feroxbuster, Gobuster, Dirsearch, Wfuzz, Burp Intruder, and Dirb.
FFUF: fast URL and parameter fuzzing
Use FFUF when you want speed, flexible matchers, and one tool for directories, extensions, parameters, and virtual hosts. It is the first tool many testers reach for on modern web assessments. Install it with the other CLI tools in Install fuzzing tools on Ubuntu before running the examples below.
Directory/path fuzzing against the local lab:
ffuf -w /tmp/fuzz-wordlist.txt -u http://127.0.0.1:8765/FUZZ -mc 200,301,302,403Trimmed output:
admin [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 22ms]
api [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
backup [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 20ms]Extension fuzzing appends candidates to each wordlist entry:
ffuf -w /tmp/fuzz-wordlist.txt -u http://127.0.0.1:8765/FUZZ -e .txt,.html,.bak -mc 200,301Parameter name fuzzing uses multiple FUZZ markers in one URL:
ffuf -w /path/to/parameter-names.txt \
-u 'http://127.0.0.1:8765/?FUZZ=test' -mc 200,301,302,403Use a parameter wordlist from SecLists (for example Discovery/Web-Content/burp-parameter-names.txt after you clone the repository).
Virtual host fuzzing sends a Host header while keeping the IP or canonical hostname in the URL:
ffuf -w /tmp/vhosts.txt -u http://127.0.0.1/ -H 'Host: FUZZ.example.com' -mc 200,301,302,403Filtering keeps output readable: -mc matches status codes, -fs filters size, -fw filters word count, -fc filters status codes out. Enable -recursion only when you need nested discovery—it multiplies request volume quickly. Save runs with -o results.json -of json for later review.
Feroxbuster: recursive forced browsing
Feroxbuster is built for fast recursive content discovery. Many testers add it to the same toolbox as FFUF when they want automatic recursion and link extraction without chaining shell scripts.
Example against the local lab:
feroxbuster -u http://127.0.0.1:8765/ -w /tmp/fuzz-wordlist.txt -t 10 -q --no-stateIt reported redirects for /admin, /api, and /backup, then followed into nested files such as /api/v1.txt and /backup/readme.txt with 200 responses. That recursive behavior is why Feroxbuster shows up in modern URL fuzzing comparisons.
Practical notes:
- Auto-recursion finds nested paths other tools miss in one pass.
- Link extraction can widen discovery from pages already returned.
- Filtering — Feroxbuster can auto-filter wildcard 404-like responses; review flags if real paths disappear.
- Rate control — lower
-tthreads on production targets; use--rate-limitwhen needed.
Gobuster: simple directory, DNS, and vhost discovery
Gobuster is a strong choice when you want straightforward modes without memorizing many flags. It is often easier for beginners than FFUF, though FFUF is more flexible for fine-grained filtering.
Directory mode on the local lab:
gobuster dir -u http://127.0.0.1:8765/ -w /tmp/fuzz-wordlist.txt -t 10Output:
/admin (Status: 301) [Size: 0] [--> /admin/]
/backup (Status: 301) [Size: 0] [--> /backup/]
/api (Status: 301) [Size: 0] [--> /api/]DNS mode discovers subdomains:
gobuster dns -d example.com -w /path/to/subdomains.txt -t 50Vhost mode fuzzes virtual hosts against one IP:
gobuster vhost -u http://127.0.0.1:8765/ -w /tmp/vhosts.txt --append-domainAdd extensions with -x php,html,bak. Tune threads with -t—start low on fragile servers. Use --wildcard or status filtering when the server returns the same page for every missing path.
Dirsearch: web path discovery with recursion and reports
Dirsearch fits teams that want a Python workflow with built-in recursion, extension handling, and export options. It is beginner-friendly because one command covers many common cases.
From a cloned Dirsearch directory:
python3 dirsearch.py -u http://127.0.0.1:8765/ -w /tmp/fuzz-wordlist.txtOn my run:
[22:17:57] 301 - 0B - http://127.0.0.1:8765/admin -> /admin/
[22:17:57] 301 - 0B - http://127.0.0.1:8765/api -> /api/
[22:17:57] 301 - 0B - http://127.0.0.1:8765/backup -> /backup/Useful options:
- Recursive scans —
-ror--recursivefor nested paths (watch request volume). - Extensions —
-e php,html,bak,zip. - Status filtering — exclude noisy codes with
-x 404or include only interesting ones. - Reports —
-o report.txtor JSON output for handoff to notes or tickets.
Dirsearch is slower than FFUF or Feroxbuster on large wordlists, but the defaults and reporting make it a good teaching and lab tool.
Wfuzz: flexible HTTP request fuzzing
Wfuzz is a flexible HTTP request fuzzer, not just a directory brute-forcer. Its FUZZ placeholder marks where each payload from your wordlist is inserted.
Path fuzzing, hiding 404 responses:
wfuzz -w /tmp/fuzz-wordlist.txt --hc 404 http://127.0.0.1:8765/FUZZTrimmed output:
000000001: 301 0 L 0 W 0 Ch "admin"
000000002: 301 0 L 0 W 0 Ch "api"
000000003: 301 0 L 0 W 0 Ch "backup"Parameter fuzzing:
wfuzz -w /tmp/fuzz-wordlist.txt --hc 404 'http://127.0.0.1:8765/?FUZZ=test'Header fuzzing:
wfuzz -w /tmp/headers.txt -H 'X-Custom-Header: FUZZ' --hc 404 http://127.0.0.1:8765/Form fields use multiple placeholders (FUZZ, FUZ2Z, and so on) in POST data. Filter with --hc, --sc, --hl, and --hw to drop noise.
On Ubuntu, the packaged Wfuzz build warned that PycURL was not compiled against OpenSSL, which can affect SSL fuzzing. For HTTPS targets, test carefully or reinstall python3-pycurl against OpenSSL if scans fail on TLS sites.
This article does not cover login brute-force examples. Credential attacks are out of scope here and are unsafe without explicit written authorization.
Burp Intruder: fuzzing captured web requests
Burp Intruder fits when you already captured a real request in a proxy and need to fuzz positions inside it—especially with session cookies, CSRF tokens, or JSON bodies. CLI directory tools cannot replay that context as easily.
Typical workflow:
- Browse the target through Burp Suite Proxy.
- Send an interesting request to Intruder.
- Mark payload positions in the URL, headers, cookies, or body.
- Load a wordlist (or numbers for IDs).
- Start the attack and sort by length or status.
Use Burp Intruder when:
- the path is behind authentication
- you need to fuzz POST JSON or multipart forms
- you are testing one sensitive parameter, not enumerating thousands of paths
Keep Intruder slow on production systems. It is interactive by design, not a replacement for FFUF on huge wordlists.
Dirb: basic directory discovery (legacy)
Dirb ships with sudo apt install dirb and still appears on older lab images. It is fine for a basic directory wordlist scan, but most new work moves to FFUF or Gobuster for speed and filtering.
dirb http://127.0.0.1:8765/ /tmp/fuzz-wordlist.txt -STrimmed output on the local lab:
+ http://127.0.0.1:8765/admin (CODE:301|SIZE:0)
+ http://127.0.0.1:8765/api (CODE:301|SIZE:0)
+ http://127.0.0.1:8765/backup (CODE:301|SIZE:0)Use -S for silent mode and -X .html for extensions. Dirb lacks modern recursion and structured export, so treat it as a fallback when newer tools are not available.
Which fuzzing tool should you use?
| Use case | Recommended tool |
|---|---|
| Fast directory and file discovery | FFUF or Feroxbuster |
| Simple beginner directory scan | Gobuster or Dirsearch |
| Recursive content discovery | Feroxbuster or Dirsearch |
| Parameter fuzzing | FFUF or Wfuzz |
| Vhost fuzzing | FFUF or Gobuster |
| Authenticated request fuzzing | Burp Intruder or Wfuzz |
| Online quick check | Online URL fuzzer |
| Repeatable pentest workflow | FFUF, Gobuster, Dirsearch, Feroxbuster |
Many testers combine tools: FFUF or Feroxbuster for breadth, Burp Intruder for authenticated follow-up, and manual review for anything that looks interesting.
Safe and responsible fuzzing checklist
- Test only authorized targets (lab VMs, bug bounty scope, signed pentest).
- Start with low thread counts (
-t 10or lower) and increase only when safe. - Avoid heavy scans against production without approval.
- Read bug bounty rules—some programs restrict automated scanning.
- Do not run login or password brute-force attacks from a URL fuzzing guide.
- Avoid destructive payloads; discovery first, validation second.
- Save tool output (
-o, reports, Burp logs) for triage. - Manually verify every finding before reporting.
Common mistakes in URL fuzzing
- Starting with a huge wordlist before a small smoke test.
- Trusting only HTTP 200 responses.
- Ignoring 401 and 403—they often mean the path exists.
- Not filtering soft 404 pages that return 200 for everything.
- Forgetting file extensions (
.bak,.old,.zip). - Skipping virtual host fuzzing on shared hosting or CDN setups.
- Fuzzing without written permission.
- Running high-thread scans against fragile or rate-limited servers.
References
- FFUF documentation
- Gobuster documentation
- Dirsearch documentation
- Feroxbuster documentation
- Wfuzz documentation
- Burp Suite — Intruder
- SecLists wordlists
- On-site: Setup Virtual Penetration Testing Lab, Burp Suite Proxy Tutorial, Find Hidden Endpoints, Install GoBuster on Ubuntu
Summary
URL fuzzers help you discover hidden paths, files, parameters, and endpoints by sending many HTTP requests and studying the responses. Online URL fuzzers are useful for quick checks, but command-line tools give you custom wordlists, headers, cookies, rate limits, and repeatable output for real assessments. FFUF, Gobuster, Dirsearch, Feroxbuster, Wfuzz, and Burp Intruder cover different parts of the same workflow—pick by speed, recursion, flexibility, or authenticated proxy testing. Good results depend as much on wordlists, filters, and manual validation as on the tool name on the command line.
