feroxbuster Cheatsheet
Type: Fast Rust-based web fuzzer — recursive directory brute forcing, wildcard detection, rich filtering
Installation
sudo apt install feroxbuster
# or
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash
# or
cargo install feroxbuster
Basic Usage
feroxbuster -u http://<ip>
feroxbuster -u http://<ip> -w wordlist.txt
Common Flags
| Flag | Description |
|---|---|
| -u <url> | Target URL |
| -w <wordlist> | Wordlist (default: built-in if not specified) |
| -t <n> | Threads (default: 50) |
| -x <ext> | File extensions to append |
| -d <n> | Recursion depth (default: 4, 0 = unlimited) |
| -r | Follow redirects |
| -k | Disable TLS certificate verification |
| -n | Disable recursion |
| -C <codes> | Filter out status codes |
| -s <codes> | Only show these status codes |
| -S <size> | Filter by response size (bytes) |
| -W <words> | Filter by word count in response |
| -N <lines> | Filter by line count in response (`-L` is --scan-limit, not a filter) |
| -X <regex> | Filter by response body regex |
| -H <header> | Add custom header (repeatable) |
| -b <cookie> | Add cookie |
| -m <methods> | HTTP methods (default: GET) |
| -o <file> | Output to file |
| -q | Quiet — no banner or progress |
| --json | Output as JSON |
| -v | Verbose |
| -T <seconds> | Request timeout |
| --rate-limit <n> | Max requests per second |
| -p <proxy> | Use proxy (http/socks5) |
| -U <user> -P <pass> | HTTP Basic auth |
| -a <agent> | User-Agent string |
| --dont-filter | Disable wildcard filtering |
| --auto-tune | Automatically slow down on errors |
| --collect-extensions | Collect and scan discovered extensions |
| --collect-words | Build wordlist from responses |
| --resume-from <file> | Resume from a saved state file |
Common Commands
# Basic scan with extensions
feroxbuster -u http://<ip> -w wordlist.txt -x php,html,txt
# No recursion (flat scan)
feroxbuster -u http://<ip> -w wordlist.txt -n
# Limit recursion depth
feroxbuster -u http://<ip> -w wordlist.txt -d 2
# Filter out 404s and 403s
feroxbuster -u http://<ip> -w wordlist.txt -C 404,403
# Only show 200 and 301
feroxbuster -u http://<ip> -w wordlist.txt -s 200,301
# Filter responses by size (remove default page noise)
feroxbuster -u http://<ip> -w wordlist.txt -S 1234
# Filter by word count
feroxbuster -u http://<ip> -w wordlist.txt -W 25
# HTTPS with TLS skip
feroxbuster -u https://<ip> -w wordlist.txt -k
# Custom headers (e.g. API auth)
feroxbuster -u http://<ip> -w wordlist.txt \
-H "Authorization: Bearer <token>" \
-H "X-Custom: value"
# Use proxy (Burp Suite)
feroxbuster -u http://<ip> -w wordlist.txt \
-p http://127.0.0.1:8080 -k
# POST requests
feroxbuster -u http://<ip> -w wordlist.txt -m POST
# Multiple HTTP methods
feroxbuster -u http://<ip> -w wordlist.txt -m GET,POST,PUT
# Output to file (also saves state for resume)
feroxbuster -u http://<ip> -w wordlist.txt -o results.txt
# JSON output
feroxbuster -u http://<ip> -w wordlist.txt --json -o results.json
# Resume interrupted scan
feroxbuster --resume-from ferox-<ip>.state
# Rate limit (be polite / evade detection)
feroxbuster -u http://<ip> -w wordlist.txt --rate-limit 100
# Collect extensions seen in responses and scan them too
feroxbuster -u http://<ip> -w wordlist.txt --collect-extensions
# Build a wordlist from page content, then use it
feroxbuster -u http://<ip> -w wordlist.txt --collect-words
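The --json output above is one JSON object per line, which makes triage scriptable. The following is an added example (not part of the cheatsheet or the feroxbuster project) that reads such output, groups hits that share the same status, size and word count (the usual signature of a catch-all or soft-404 page), proposes the matching -S filter values, and lists what remains. The sample lines and the record field names (type, path, status, content_length, word_count) are constructed to match the "response" records I have seen feroxbuster emit; treat them as an assumption.

```python
import json
from collections import defaultdict

# Constructed sample of `feroxbuster --json -o results.json` output (assumed field layout).
SAMPLE_JSON_LINES = """\
{"type":"response","url":"http://example.com/index.php","path":"/index.php","status":200,"content_length":5120,"line_count":120,"word_count":640,"wildcard":false}
{"type":"response","url":"http://example.com/foo","path":"/foo","status":200,"content_length":1234,"line_count":30,"word_count":25,"wildcard":false}
{"type":"response","url":"http://example.com/bar","path":"/bar","status":200,"content_length":1234,"line_count":30,"word_count":25,"wildcard":false}
{"type":"response","url":"http://example.com/baz","path":"/baz","status":200,"content_length":1234,"line_count":30,"word_count":25,"wildcard":false}
{"type":"response","url":"http://example.com/admin/","path":"/admin/","status":301,"content_length":0,"line_count":0,"word_count":0,"wildcard":false}
{"type":"response","url":"http://example.com/backup.bak","path":"/backup.bak","status":200,"content_length":20480,"line_count":5,"word_count":900,"wildcard":false}
{"type":"statistics","requests":1200}
"""


def parse_responses(text):
    """Return only the 'response' records; skip stats lines and a half-written
    last line left behind by an interrupted scan."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") == "response":
            records.append(rec)
    return records


def noise_signatures(responses, min_hits=3):
    """Group by (status, size, words); a signature hit >= min_hits times is
    almost certainly the same catch-all page answering for any path."""
    groups = defaultdict(list)
    for r in responses:
        groups[(r["status"], r["content_length"], r["word_count"])].append(r["path"])
    return {sig: paths for sig, paths in groups.items() if len(paths) >= min_hits}


def suggest_filters(responses, min_hits=3):
    """Build the -S flags that would have removed the noisy signatures (one per distinct size)."""
    sizes = sorted({size for (_, size, _) in noise_signatures(responses, min_hits)})
    return [f"-S {size}" for size in sizes]


def interesting(responses, min_hits=3):
    """Everything that does not match a noise signature, ordered by status then path."""
    noisy = noise_signatures(responses, min_hits)
    keep = [r for r in responses if (r["status"], r["content_length"], r["word_count"]) not in noisy]
    return sorted(keep, key=lambda r: (r["status"], r["path"]))


if __name__ == "__main__":
    hits = parse_responses(SAMPLE_JSON_LINES)
    print("re-run with:", " ".join(suggest_filters(hits)))
    for r in interesting(hits):
        print(r["status"], r["content_length"], r["path"])
```

On a real run, read results.json with open() instead of the embedded sample, and feed the suggested -S values (or the matching -W word counts) back into the next scan.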
Virtual Host Discovery
# feroxbuster doesn't natively fuzz Host headers
# Use with -H to manually set a specific host header,
# or use ffuf/gobuster for vhost fuzzing
feroxbuster -u http://<ip> -w wordlist.txt \
-H "Host: staging.example.com"
Interactive Pause Menu
While feroxbuster is running, press ENTER to open the interactive menu:
[p]ause / [r]esume scanning
[q]uit (saves state for --resume-from)
[s]how stats
[a]dd url to scan
[f]ilter response by size
Configuration File
Default config: ~/.config/feroxbuster/ferox-config.toml
wordlist = "/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"
threads = 50
depth = 3
timeout = 7
status_codes = [200, 204, 301, 302, 307, 308, 401, 403]
filter_status = [404]
extensions = ["php", "html", "txt"]
Recommended Wordlists
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
Example Full Run
feroxbuster \
-u http://example.com \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-x php,html,txt,bak \
-t 50 \
-d 3 \
-C 404,403 \
-k \
--auto-tune \
-o ferox_results.txt