Directory bruteforcing (also called forced browsing or content discovery) is a reconnaissance technique that discovers unlinked files, directories, and endpoints on a web server by systematically requesting candidate paths from a wordlist and comparing each response against the server's "not found" behaviour.
The attacker requests many paths built from common naming patterns, wordlists, and file extensions, then looks for responses that differ from the not-found baseline. Status codes are only a first signal: some servers answer every path with 200 and a "page not found" body (a soft 404), and a WAF may answer everything with 403, so calibrate first by requesting a random path that cannot exist and filter out responses with the same status and size/word count before treating anything as a hit.
```bash
# gobuster: -x appends extensions to every word; -t sets worker threads
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt -x php,txt -t 30

# ffuf: FUZZ marks the injection point; -mc matches status codes,
# -ac auto-calibrates against random paths to drop soft-404 responses
ffuf -u https://example.com/FUZZ -w wordlist.txt -mc 200,301,302,401,403,500 -ac

# dirsearch: -e extensions to try per word (uses its built-in wordlist by default)
dirsearch -u https://example.com -e php,html,js

# feroxbuster: recurses into discovered directories by default; -x extensions
feroxbuster -u https://example.com -w wordlist.txt -x php,txt
```
200 OK → Resource exists and is accessible (verify size/content: a catch-all 200 is a soft 404, not a hit)
301/302 → Redirect (often directory without trailing slash, login page, or HTTPS upgrade; check the Location header)
403 Forbidden → Exists but access denied (interesting: try alternate methods, case variants, or paths below it)
401 Unauthorized → Authentication required (note the WWW-Authenticate scheme)
500 Internal Server Error → Server error (the error page may leak stack traces, paths, or framework versions)
404 Not Found → Not found (baseline; confirm the server actually uses it, since many frameworks do not)
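The following is an added example, not code from any of the tools above: a minimal bruteforcer in Python that does what the calibration advice describes. It requests random paths first to learn the server's not-found signature (status code plus body length), so a catch-all 200 page is absorbed as "not found", then walks a wordlist with optional extensions and labels anything that differs. The fetcher is injectable: `http_fetch` uses urllib against a real target, while `make_fake_fetch`, `SAMPLE_SITE` and `SOFT_404` are a constructed in-memory site used only so the example runs offline. The hostname `example.test` and all of its paths and response sizes are made up for the demonstration.

```python
"""Minimal directory bruteforcer with soft-404 calibration (added example)."""
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Set, Tuple

# A response is reduced to (status code, body length, Location header or "").
Response = Tuple[int, int, str]
Fetch = Callable[[str], Response]

INTERESTING = {
    200: "exists, accessible",
    301: "redirect",
    302: "redirect",
    401: "auth required",
    403: "exists, forbidden",
    500: "server error",
}


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Real fetcher: GET without following redirects, so 3xx is reported as-is."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dirbrute-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read()), resp.headers.get("Location", "")
    except urllib.error.HTTPError as e:
        return e.code, len(e.read()), e.headers.get("Location", "")


def baseline(base_url: str, fetch: Fetch, samples: int = 2) -> Set[Tuple[int, int]]:
    """Request random paths that cannot exist and record their (status, length).
    Any later response with the same signature is treated as 'not found', which
    is what neutralises a server that answers every unknown path with 200."""
    sigs = set()
    for _ in range(samples):
        status, length, _ = fetch(f"{base_url}/{secrets.token_hex(8)}")
        sigs.add((status, length))
    return sigs


def classify(resp: Response, sigs: Set[Tuple[int, int]]) -> Optional[str]:
    """Return a label for a hit, or None if the response matches not-found."""
    status, length, location = resp
    if status == 404 or (status, length) in sigs:
        return None
    label = INTERESTING.get(status, f"status {status}")
    return f"{label} -> {location}" if location else label


def bruteforce(base_url: str, words: List[str], extensions: List[str],
               fetch: Fetch) -> Dict[str, str]:
    """Try each word bare and with each extension; return {path: label} for hits."""
    base_url = base_url.rstrip("/")
    sigs = baseline(base_url, fetch)
    hits: Dict[str, str] = {}
    for word in words:
        for candidate in [word] + [f"{word}.{ext}" for ext in extensions]:
            label = classify(fetch(f"{base_url}/{candidate}"), sigs)
            if label:
                hits[candidate] = label
    return hits


# ---- constructed offline target (not a real site) -------------------------
SAMPLE_SITE: Dict[str, Response] = {
    "admin": (301, 0, "/admin/"),        # directory without trailing slash
    "admin/": (401, 213, ""),
    ".git/HEAD": (200, 23, ""),          # exposed repository marker
    ".env": (403, 146, ""),
    "config": (403, 146, ""),
    "phpinfo.php": (200, 58214, ""),
    "robots.txt": (200, 77, ""),
}
SOFT_404: Response = (200, 1532, "")     # catch-all "not found" page served as 200


def make_fake_fetch(site: Dict[str, Response], soft404: Response) -> Fetch:
    """Fetcher over the constructed site: unknown paths get the soft-404 page."""
    def fetch(url: str) -> Response:
        parts = url.split("/", 3)          # scheme, "", host, path
        path = parts[3] if len(parts) == 4 else ""
        return site.get(path, soft404)
    return fetch


def demo() -> Dict[str, str]:
    """Run the bruteforcer against the constructed site."""
    words = ["admin", ".git/HEAD", ".env", "config", "phpinfo", "robots", "backup"]
    return bruteforce("http://example.test", words, ["php", "txt"],
                      make_fake_fetch(SAMPLE_SITE, SOFT_404))


if __name__ == "__main__":
    for path, label in sorted(demo().items()):
        print(f"/{path:<14} {label}")
```

Against the constructed site, `phpinfo` and `robots` produce nothing on their own but `phpinfo.php` and `robots.txt` do, `admin` shows up as a redirect to `/admin/`, and `backup` never appears even though the server answers it with 200, because that response carries the soft-404 signature. The known blind spot of length-based calibration is a real page that happens to be the same size as the not-found page; the tools above add word and line counts for that reason, and you can extend the signature tuple the same way.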
/admin/ # Admin panels and management consoles
/.git/ # Exposed git repository (request /.git/HEAD to confirm; source can often be reconstructed from the objects)
/backup/ # Backup files and archives (also try .bak, .old, .zip, .tar.gz variants of known filenames)
/config/ # Configuration files, possibly with credentials
/api/ # API endpoints (follow with /api/v1/, /swagger.json, /openapi.json)
/phpinfo.php # PHP info disclosure (paths, versions, loaded modules, environment variables)
/.env # Environment files (frequently contain secrets and database credentials)
/robots.txt # Crawl directives (Disallow entries list paths the owner wants hidden!)
/sitemap.xml # Site structure and URLs the owner chose to publish