Awesome Open Source
Awesome Open Source

dirsearch - Web path scanner

Build License Release Stars Tweet

Current Release: v0.4.1 (2020.12.8)

An advanced command-line tool designed to brute force directories and files in webservers, AKA web path scanner

dirsearch is being actively developed by @maurosoria and @shelld3v

Table of Contents

Kali Linux

dirsearch is now available in official Kali Linux packages

Kali Linux

Installation & Usage

Requirement: python 3.x

Choose one of these installation options:

  • Install with git: git clone
  • Install with ZIP file: download
  • Install with Docker: docker build -t "dirsearch:v0.4.1" (more information)
  • Install with Kali Linux: sudo apt-get install dirsearch

Some other notes:

  • In case you want to global dirsearch, install it with pip: pip3 install . (inside dirsearch directory)
  • To can use SOCKS proxy feature, please install packages with requirements.txt: pip3 install -r requirements.txt

All in one:

git clone
cd dirsearch
pip3 install -r requirements.txt
python3 -u <URL> -e <EXTENSIONS>

Wordlists (IMPORTANT)


  • Wordlist is a text file, each line is a path.
  • About extensions, unlike other tools, dirsearch will only replace the %EXT% keyword with extensions in -e | --extensions flag.
  • For wordlists without %EXT% (like SecLists), -f | --force-extensions switch is required to append extensions to every word in wordlist, as well as the /. And for entries in wordlist that you do not want to append extensions, you can add %NOFORCE% at the end of them.
  • To use multiple wordlists, you can seperate your wordlists with commas. Example: wordlist1.txt,wordlist2.txt.


  • Normal extensions

Passing asp and aspx extensions will generate the following dictionary:

  • Force extensions

Passing "php" and "html" extensions with -f/--force-extensions flag will generate the following dictionary:



Usage: [-u|--url] target [-e|--extensions] extensions [options]

  --version             show program's version number and exit
  -h, --help            show this help message and exit

    -u URL, --url=URL   Target URL
    -l FILE, --url-list=FILE
                        Target URL list file
    --stdin             Target URL list from STDIN
    --cidr=CIDR         Target CIDR
    --raw=FILE          File contains the raw request (use `--scheme` flag to
                        set the scheme)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (Example: php,asp)
    -X EXTENSIONS, --exclude-extensions=EXTENSIONS
                        Exclude extension list separated by commas (Example:
    -f, --force-extensions
                        Add extensions to every wordlist entry. By default
                        dirsearch only replaces the %EXT% keyword with

  Dictionary Settings:
    -w WORDLIST, --wordlists=WORDLIST
                        Customize wordlists (separated by commas)
                        Add custom prefixes to all wordlist entries (separated
                        by commas)
                        Add custom suffixes to all wordlist entries, ignore
                        directories (separated by commas)
    --only-selected     Remove paths have different extensions from selected
                        ones via `-e` (keep entries don't have extensions)
                        Remove extensions in all paths (Example: admin.php ->
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
                        Maximum recursion depth
                        Valid status codes to perform recursive scan, support
                        ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                        Exclude the following subdirectories during recursive
                        scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support
                        ranges (Example: 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support
                        ranges (Example: 301,500-599)
                        Exclude responses by sizes, separated by commas
                        (Example: 123B,4KB)
                        Exclude responses by texts, separated by commas
                        (Example: 'Not found', 'Error')
                        Exclude responses by regexps, separated by commas
                        (Example: 'Not foun[a-z]{1}', '^Error$')
                        Exclude responses by redirect regexps or texts,
                        separated by commas (Example: '*')
                        Exclude responses by response content of this path
                        Skip target whenever hit one of these status codes,
                        separated by commas
    --minimal=LENGTH    Minimal response length
    --maximal=LENGTH    Maximal response length
    --max-time=SECONDS  Maximal runtime for the scan
    -q, --quiet-mode    Quiet mode
    --full-url          Full URLs in the output (enabled automatically in
                        quiet mode)
    --no-color          No colored output

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, support multiple flags (Example:
                        -H 'Referer:')
    --header-list=FILE  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    -s DELAY, --delay=DELAY
                        Delay between requests
    --proxy=PROXY       Proxy URL, support HTTP and SOCKS proxies (Example:
                        localhost:8080, socks5://localhost:8088)
    --proxy-list=FILE   File contains proxy servers
                        Proxy to replay with found paths
    --scheme=SCHEME     Default scheme (for raw request or if there is no
                        scheme in the URL)
                        Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    -b, --request-by-hostname
                        By default dirsearch requests by IP for speed. This
                        will force dirsearch to request by hostname
    --ip=IP             Server IP address
    --exit-on-error     Exit whenever an error occurs

    -o FILE             Output file
    --format=FORMAT     Report format (Available: simple, plain, json, xml,
                        md, csv, html)


Default values for dirsearch flags can be edited in the configuration file: default.conf

# If you want to edit dirsearch default configurations, you can
# edit values in this file. Everything after `#` is a comment
# and won't be applied

default-extensions = php,aspx,jsp,html,js
force-extensions = False
# exclude-extensions = old,log

threads = 30
recursive = False
deep-recursive = False
force-recursive = False
recursion-depth = 0
exclude-subdirs = %%ff/
random-user-agents = False
max-time = 0
save-logs-home = False
full-url = False
quiet-mode = False
color = True
recursion-status = 200-399,401,403
# include-status = 200-299,401
# exclude-status = 400,500-999
# exclude-sizes = 0b,123gb
# exclude-texts = "Not found"
# exclude-regexps = "403 [a-z]{1,25}"
# exclude-content = 404.html
# skip-on-status = 429,999

# report-output = output.txt
report-format = plain
## Support: plain, simple, json, xml, md, csv

lowercase = False
uppercase = False
capitalization = False
# prefixes = .,admin
# suffixes = ~,.bak
# wordlist = db/dicc.txt

httpmethod = get
## Lowercase only
follow-redirects = False
# headers-file = headers.txt
# user-agent = MyUserAgent
# cookie = SESSIONID=123

timeout = 5
delay = 0
scheme = http
maxrate = 0
retries = 2
request-by-hostname = False
exit-on-error = False
# proxy = localhost:8080
# proxy-list = proxies.txt
# replay-proxy = localhost:8000

How to use

Dirsearch demo

Some examples for how to use dirsearch - those are the most common arguments. If you need all, just use the -h argument.

Simple usage

python3 -u https://target
python3 -e php,html,js -u https://target
python3 -e php,html,js -u https://target -w /path/to/wordlist

Recursive scan

  • By using the -r | --recursive argument, dirsearch will brute-force recursively all directories.
python3 -e php,html,js -u https://target -r
  • You can set the max recursion depth with --recursion-depth, and status-codes to recurse with --recursion-status
python3 -e php,html,js -u https://target -r --recursion-depth 3 --recursion-status 200-399
  • There are 2 more options: --force-recursive and --deep-recursive
    • Force recursive: Brute force recursively all found paths, not just paths end with /
    • Deep recursive: Recursive brute-force all depths of a path (a/b/c => add a/, a/b/)


The thread number (-t | --threads) reflects the number of separated brute force processes. And so the bigger the thread number is, the faster dirsearch runs. By default, the number of threads is 30, but you can increase it if you want to speed up the progress.

In spite of that, the speed still depends a lot on the response time of the server. And as a warning, we advise you to keep the threads number not too big because it can cause DoS.

python3 -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20

Prefixes / Suffixes

  • --prefixes: Add custom prefixes to all entries
python3 -e php -u https://target --prefixes .,admin,_

Base wordlist:


Generated with prefixes:

  • --suffixes: Add custom suffixes to all entries
python3 -e php -u https://target --suffixes ~

Base wordlist:


Generated with suffixes:



Inside the db/ folder, there are several "blacklist files". Paths in those files will be filtered from the scan result if they have the same status as mentioned in the filename.

Example: If you add admin.php into db/403_blacklist.txt, whenever you do a scan that admin.php returns 403, it will be filtered from the result.


Use -i | --include-status and -x | --exclude-status to select allowed and not allowed response status-codes

For more advanced filters: --exclude-sizes, --exclude-texts, --exclude-regexps, --exclude-redirects and --exclude-content

python3 -e php,html,js -u https://target --exclude-sizes 1B,243KB
python3 -e php,html,js -u https://target --exclude-texts "403 Forbidden"
python3 -e php,html,js -u https://target --exclude-regexps "^Error$"
python3 -e php,html,js -u https://target --exclude-redirects "https://(.*)*"
python3 -e php,html,js -u https://target --exclude-content /error.html

Raw request

dirsearch allows you to import the raw request from a file. The content would be something looked like this:

GET /admin HTTP/1.1
Cache-Control: max-age=0
Accept: */*

Since there is no way for dirsearch to know what the URI scheme is, you need to set it using the --scheme flag. By default, the scheme is http, which can cause a lot of false negatives.

Wordlist formats

Supported wordlist formats: uppercase, lowercase, capitalization







Exclude extensions

  • Use -X | --exclude-extensions with an extension list will remove all paths in the wordlist that contains the given extensions

python3 -u https://target -X jsp

Base wordlist:



  • If you want to exclude ALL extensions, except for the ones you selected in the -e flag, use --only-selected

python3 -e html -u https://target --only-selected

Base wordlist:




Scan sub-directories

  • From an URL, you can scan a list of sub-directories with --subdirs.
python3 -e php,html,js -u https://target --subdirs admin/,folder/,/
  • The reverse version of this is --exclude-subdirs, which prevents dirsearch from scan recursively the given sub-directories.
python3 -e php,html,js -u https://target --recursive --exclude-subdirs image/,css/


dirsearch supports SOCKS and HTTP proxy, with two options: a proxy server or a list of proxy servers.

python3 -e php,html,js -u https://target --proxy
python3 -e php,html,js -u https://target --proxy socks5://
python3 -e php,html,js -u https://target --proxylist proxyservers.txt


Supported report formats: simple, plain, json, xml, md, csv, html

python3 -e php -l URLs.txt --format plain -o report.txt
python3 -e php -u https://target --format html -o target.json

Some others commands

python3 -u https://target -t 100 -m POST --data "username=admin"
python3 -u https://target --random-agent --cookie "isAdmin=1" -F
python3 -u https://target --format json -o target.json
python3 -u https://target --auth admin:pass --auth-type basic
python3 -u https://target --header-list rate-limit-bypasses.txt
python3 -u https://target -q --stop-on-error --max-time 360
python3 -u https://target --full-url --max-rate 100
python3 -u https://target --remove-extensions

There are more features and you will need to discover them by your self


  • The server has a request limit? That's bad, but feel free to bypass it, by randomizing proxy with --proxy-list
  • Want to find out config files or backups? Try --suffixes ~ and --prefixes .
  • For some endpoints that you do not want to force extensions, add %NOFORCE% at the end of them
  • Want to find only folders/directories? Combine --remove-extensions and --suffixes /!
  • The combination of --cidr, -F, -q and a low --timeout will reduce most of the noise + false negatives when brute-forcing with a CIDR
  • Scan a list of URLs, but don't want to see a 429 flood? Use --skip-on-status + 429 will help you to skip a target whenever it returns 429

Support Docker

Install Docker Linux

Install Docker

curl -fsSL | bash

To use docker you need superuser power

Build Image dirsearch

To create image

docker build -t "dirsearch:v0.4.1" .

dirsearch is the name of the image and v0.4.1 is the version

Using dirsearch

For using

docker run -it --rm "dirsearch:v0.4.1" -u target -e php,html,js,zip


Copyright (C) Mauro Soria ([email protected])

License: GNU General Public License, version 2


This tool is currently under development by maurosoria and shelld3v. We received a lot of help from many people around the world to improve this tool. Thanks so much to everyone who helped us!!

See for more information about who they are!

Want to join the team? Feel free to submit any pull request that you can. If you don't know how to code, you can support us by updating the wordlist or the documentation. Giving feedback or a new feature suggestion is also a good way to help us improve this tool

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
python (53,634
security (1,880
hacking (553
pentesting (376
penetration-testing (244
scanner (226
infosec (199
hacking-tool (155
fuzzing (145
bruteforce (72
brute-force (67
fuzzer (50
bug-bounty (47
appsec (42
wordlist (31
scanner-web (18