URL Fuzzer

Find Hidden Files and Directories on a Website

Contents of the Report

Here is what you can expect in Scantrics’ URL Fuzzer report:
URL Fuzzer Scanner

Use Cases for URL Fuzzer

The URL Fuzzer can reveal hidden files and directories that you did not know existed, some of which may be hidden functionality of your web applications. It can also surface additional information and even some vulnerabilities.
Sensitive information such as environment variables, configuration files, credentials, database files, SSH key pairs, or even your Git repositories may be unintentionally exposed to the public. Use the URL Fuzzer to uncover them and take appropriate action on the server side so that access to these files can be secured and blocked.

Your web server might not be properly configured to protect against web attacks. By using the URL Fuzzer, you can verify whether proper security measures have been put in place to prevent external parties from accessing something that they should not have access to.

Technical Details

Sometimes the web server administrator does not even know what is on the server and actually accessible from the outside world. Many organizations do not have adequate security measures to restrict what is or is not publicly accessible on their websites.

This unintentionally leaves sensitive information unprotected and free to be leaked to the public. Fuzz testing, also known as fuzzing, is a discovery activity that lets you find resources that were not meant to be publicly accessible (e.g. /backups, /index.php.old, /archive.tgz, /source_code.zip).

Running the fuzz tests with the URL Fuzzer can help you discover hidden files or find hidden directories that contain sensitive information.

How it works

To discover hidden files and directories, the URL Fuzzer uses a custom-built wordlist containing more than 1,000 common names of known files and directories. It makes an HTTP request to the target for every word in the wordlist.

The report lists each file and directory found together with its HTTP response code and page size.

This tool is configurable, with options to scan for configuration files, source code files, compressed or archived files, database files, log files, and more. Custom file extensions can also be specified if you have special requirements. For a more powerful search, mutation can also be enabled to find other related resources.
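The response code and page size reported for each path are what let a site owner separate real exposures from noise. The sketch below is an added example, not Scantrics' code: it triages constructed result rows, and the row layout, the function names and the "same size repeated means catch-all error page" heuristic are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rows in the shape the report describes:
# (path, HTTP response code, page size in bytes).
SAMPLE_RESULTS = [
    ("/backups", 403, 312),
    ("/index.php.old", 200, 4821),
    ("/archive.tgz", 200, 1532),
    ("/source_code.zip", 200, 1532),
    ("/admin", 301, 0),
    ("/old", 200, 1532),
    ("/.env", 200, 187),
    ("/test", 404, 1530),
    ("/db.sql", 404, 1530),
]

def soft_404_size(results, min_repeats=3):
    """Guess the size of a catch-all 'not found' page served with status 200.

    Assumption: a 200 body size shared by several unrelated paths is an
    error template, not real content.
    """
    sizes = Counter(size for _, status, size in results if status == 200)
    if not sizes:
        return None
    size, count = sizes.most_common(1)[0]
    return size if count >= min_repeats else None

def triage(results):
    """Map each path to a review label for the server owner."""
    template = soft_404_size(results)
    labels = {}
    for path, status, size in results:
        if status == 200 and size == template:
            labels[path] = "soft-404"   # same body as other misses: nothing is served
        elif status == 200:
            labels[path] = "exposed"    # content is served: remove it or deny access
        elif status in (401, 403):
            labels[path] = "blocked"    # path exists but access is denied: confirm intent
        elif status in (301, 302, 307, 308):
            labels[path] = "redirect"   # review where the redirect leads
        else:
            labels[path] = "absent"
    return labels

if __name__ == "__main__":
    for path, label in triage(SAMPLE_RESULTS).items():
        print(f"{label:9} {path}")
```

If the server's error page echoes the requested path, sizes will differ by a few bytes, so compare with a small tolerance instead of exact equality.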