DirBuster – Bruteforcing the Web

DirBuster is a multi-threaded Java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

This tool is written by James Fisher and now an OWASP’s Project, licensed under LGPL.

DirBuster provides the following features:

  • Multi-threaded has been recorded at over 6000 requests/sec
  • Works over both http and https
  • Scan for both directory and files
  • Will recursively scan deeper into directories it finds
  • Able to perform a list based or pure brute force scan
  • DirBuster can be started on any directory
  • Custom HTTP headers can be added
  • Proxy support
  • Auto switching between HEAD and GET requests
  • Content analysis mode when failed attempts come back as 200
  • Custom file extensions can be used
  • Performance can be adjusted while the program in running
  • Supports Basic, Digest and NTLM auth
  • Command line
  • GUI interface


Leave a Reply