> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/hidden-directory/trick-0218.md).

# Directory Fuzzing for Web Path Discovery

***

Discover hidden web paths by fuzzing with a wordlist using tools like `feroxbuster`.

```bash
feroxbuster -u http://10.10.246.67/ -w ~/Downloads/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
```

This sends requests for each entry in the specified wordlist (containing common directory and file names) to the target URL to identify existing directories or files that aren't directly linked.

Feroxbuster can automatically detect directory listings. This behavior can be enabled using the `-d` flag.

```bash
feroxbuster -u http://target.com/ -w wordlist.txt -d 1
```

Using the `-d 1` flag instructs feroxbuster to scan for and report directory listings encountered during the fuzzing process.

To perform recursive scans, which means following directories it finds and continuing the fuzzing process within them, the `-r` flag is used. This is a powerful feature for deeper discovery.

```bash
feroxbuster -u http://10.10.10.10/ -w /path/to/wordlist.txt -r
```

This command will not only check entries from the wordlist against the initial URL but will also descend into any directories found and repeat the process.

Often, you'll want to filter the results to only show interesting responses, such as those indicating a successful find (like 200 OK) or a redirect (like 302). The `-s` flag allows specifying which status codes to include.

```bash
feroxbuster -u http://10.10.10.10 -w /path/to/wordlist.txt -s 200 301 302 403
```

This command will only display results with the status codes 200, 301, 302, or 403. By default, feroxbuster excludes 404 and certain other status codes, but this flag provides explicit control.

To specifically look for files with certain extensions, the `-x` flag is useful. This appends the specified extensions to each wordlist entry.

```bash
feroxbuster -u http://10.10.10.10 -w /path/to/wordlist.txt -x html php asp
```

This will test names like `/index.html`, `/index.php`, `/index.asp`, etc., for each entry like `index` in the wordlist.

For testing targets that use HTTPS but have certificate issues (like self-signed certificates), the `-k` or `--insecure` flag can be used to disable TLS certificate verification.

```bash
feroxbuster -u https://target.com/ -w /path/to/wordlist.txt -k
```

This allows feroxbuster to connect to the target without validating the certificate chain, which is common in lab environments or when testing internal applications.
