Awesome Open Source
Awesome Open Source

dirsearch - Web path discovery

Build License Release Stars Tweet

Current Release: v0.4.2 (2021.9.12)

An advanced command-line tool designed to brute force directories and files in webservers, AKA web path scanner

dirsearch is being actively developed by @maurosoria and @shelld3v

Table of Contents

Installation & Usage

Requirement: python 3.7 or higher

Choose one of these installation options:

  • Install with git: git clone --depth 1 (RECOMMENDED)
  • Install with ZIP file: Download here
  • Install with Docker: docker build -t "dirsearch:v0.4.2" . (more information can be found here)
  • Install with PyPi: pip3 install dirsearch
  • Install with Kali Linux: sudo apt-get install dirsearch (deprecated)

Wordlists (IMPORTANT)


  • Wordlist is a text file, each line is a path.
  • About extensions, unlike other tools, dirsearch only replaces the %EXT% keyword with extensions from -e flag.
  • For wordlists without %EXT% (like SecLists), -f | --force-extensions switch is required to append extensions to every word in wordlist, as well as the /.
  • To apply your extensions to wordlist entries that have extensions already, use -O | --overwrite-extensions (Note: some extensions are excluded from being overwritted such as .log, .json, .xml, ... or media extensions like .jpg, .png)
  • To use multiple wordlists, you can separate your wordlists with commas. Example: wordlist1.txt,wordlist2.txt.


  • Normal extensions:

Passing asp and aspx as extensions will generate the following dictionary:

  • Force extensions:

Passing php and html as extensions with -f/--force-extensions flag will generate the following dictionary:

  • Overwrite extensions:

Passing jsp and jspa as extensions with -O/--overwrite-extensions flag will generate the following dictionary:



Usage: [-u|--url] target [-e|--extensions] extensions [options]

  --version             show program's version number and exit
  -h, --help            show this help message and exit

    -u URL, --url=URL   Target URL(s), support multiple flags
    -l PATH, --url-file=PATH
                        URL list file
    --stdin             Read URL(s) from STDIN
    --cidr=CIDR         Target CIDR
    --raw=PATH          Load raw HTTP request from file (use `--scheme` flag
                        to set the scheme)
                        Session file
    --config=PATH       Full path to config file, see 'default.conf' for
                        example (Default: default.conf)

  Dictionary Settings:
    -w WORDLIST, --wordlists=WORDLIST
                        Customize wordlists (separated by commas)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (e.g. php,asp)
    -f, --force-extensions
                        Add extensions to the end of every wordlist entry. By
                        default dirsearch only replaces the %EXT% keyword with
    -O, --overwrite-extensions
                        Overwrite other extensions with your extensions
                        (selected via `-e`)
                        Exclude extension list separated by commas (e.g.
                        Remove extensions in all paths (e.g. admin.php ->
                        Add custom prefixes to all wordlist entries (separated
                        by commas)
                        Add custom suffixes to all wordlist entries, ignore
                        directories (separated by commas)
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
    --deep-recursive    Perform recursive scan on every directory depth (e.g.
                        api/users -> api/)
    --force-recursive   Do recursive brute-force for every found path, not
                        only directories
    -R DEPTH, --max-recursion-depth=DEPTH
                        Maximum recursion depth
                        Valid status codes to perform recursive scan, support
                        ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                        Exclude the following subdirectories during recursive
                        scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support
                        ranges (e.g. 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support
                        ranges (e.g. 301,500-599)
                        Exclude responses by sizes, separated by commas (e.g.
                        Exclude responses by texts, separated by commas (e.g.
                        'Not found', 'Error')
                        Exclude responses by regex (e.g. '^Error$')
                        Exclude responses if this regex (or text) matches
                        redirect URL (e.g. '/index.html')
                        Exclude responses similar to response of this page,
                        path as input (e.g. 404.html)
                        Skip target whenever hit one of these status codes,
                        separated by commas, support ranges
                        Minimum response length
                        Maximum response length
    --max-time=SECONDS  Maximum runtime for the scan

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    --data-file=PATH    File contains HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, support multiple flags
    --header-file=PATH  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request
    --auth=CREDENTIAL   Authentication credential (e.g. user:password or
                        bearer token)
    --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm, jwt,
    --cert-file=PATH    File contains client-side certificate
    --key-file=PATH     File contains client-side certificate private key

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    --delay=DELAY       Delay between requests
    --proxy=PROXY       Proxy URL, support HTTP and SOCKS proxies (e.g.
                        localhost:8080, socks5://localhost:8088)
    --proxy-file=PATH   File contains proxy servers
                        Proxy authentication credential
                        Proxy to replay with found paths
    --tor               Use Tor network as proxy
    --scheme=SCHEME     Scheme for raw request or if there is no scheme in the
                        URL (Default: auto-detect)
    --max-rate=RATE     Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    --ip=IP             Server IP address
    --exit-on-error     Exit whenever an error occurs

    --full-url          Full URLs in the output (enabled automatically in
                        quiet mode)
                        Show redirects history
    --no-color          No colored output
    -q, --quiet-mode    Quiet mode

    -o PATH, --output=PATH
                        Output file
    --format=FORMAT     Report format (Available: simple, plain, json, xml,
                        md, csv, html, sqlite)
    --log=PATH          Log file


Default values for dirsearch flags can be edited in the configuration file, by default is default.conf but you can select another file with the --config flag

# If you want to edit dirsearch default configurations, you can
# edit values in this file. Everything after `#` is a comment
# and won't be applied

threads = 25
recursive = False
deep-recursive = False
force-recursive = False
recursion-status = 200-399,401,403
max-recursion-depth = 0
exclude-subdirs = %%ff/,.;/,..;/,;/,./,../,%%2e/,%%2e%%2e/
random-user-agents = False
max-time = 0
# subdirs = /,api/
# include-status = 200-299,401
# exclude-status = 400,500-999
# exclude-sizes = 0b,123gb
# exclude-texts = "Not found"
# exclude-regex = "^403$"
# exclude-redirect = "*/error.html"
# exclude-response = 404.html
# skip-on-status = 429,999

default-extensions = php,aspx,jsp,html,js
force-extensions = False
overwrite-extensions = False
lowercase = False
uppercase = False
capitalization = False
# exclude-extensions = old,log
# prefixes = .,admin
# suffixes = ~,.bak
# wordlists = /path/to/wordlist1.txt,/path/to/wordlist2.txt

httpmethod = get
follow-redirects = False
# headers-file = /path/to/headers.txt
# user-agent = MyUserAgent
# cookie = SESSIONID=123

timeout = 7.5
delay = 0
max-rate = 0
max-retries = 1
exit-on-error = False
## By disabling `scheme` variable, dirsearch will automatically identify the URI scheme
# scheme = http
# proxy = localhost:8080
# proxy-file = /path/to/proxies.txt
# replay-proxy = localhost:8000

full-url = False
quiet-mode = False
color = True
show-redirects-history = False

## Support: plain, simple, json, xml, md, csv, html, sqlite
report-format = plain
autosave-report = True
# log-file = /path/to/dirsearch.log
# report-output-folder = /path/to/reports

How to use

Dirsearch demo

Some examples for how to use dirsearch - those are the most common arguments. If you need all, just use the -h argument.

Simple usage

python3 -u https://target
python3 -e php,html,js -u https://target
python3 -e php,html,js -u https://target -w /path/to/wordlist

Pausing progress

dirsearch allows you to pause the scanning progress with CTRL+C, from here, you can save the progress (and continue later), skip the current target, or skip the current sub-directory.

Pausing dirsearch


  • Recursive brute-force is brute-forcing continuously the after of found directories. For example, if dirsearch finds admin/, it will brute-force admin/* (* is where it brute forces). To enable this feature, use -r (or --recursive) flag
python3 -e php,html,js -u https://target -r
  • You can set the max recursion depth with --recursion-depth, and status codes to recurse with --recursion-status
python3 -e php,html,js -u https://target -r --recursion-depth 3 --recursion-status 200-399
  • There are 2 more options: --force-recursive and --deep-recursive

    • Force recursive: Brute force recursively all found paths, not just paths end with /
    • Deep recursive: Recursive brute-force all depths of a path (a/b/c => add a/, a/b/)
  • If there are sub-directories that you do not want to brute-force recursively, use --exclude-subdirs

python3 -e php,html,js -u https://target -r --exclude-subdirs image/,media/,css/


The thread number (-t | --threads) reflects the number of separated brute force processes. And so the bigger the thread number is, the faster dirsearch runs. By default, the number of threads is 25, but you can increase it if you want to speed up the progress.

In spite of that, the speed still depends a lot on the response time of the server. And as a warning, we advise you to keep the threads number not too big because it can cause DoS (Denial of Service).

python3 -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20

Prefixes / Suffixes

  • --prefixes: Add custom prefixes to all entries
python3 -e php -u https://target --prefixes .,admin,_



Generated with prefixes:

  • --suffixes: Add custom suffixes to all entries
python3 -e php -u https://target --suffixes ~



Generated with suffixes:



Inside the db/ folder, there are several "blacklist files". Paths in those files will be filtered from the scan result if they have the same status as mentioned in the filename.

Example: If you add admin.php into db/403_blacklist.txt, whenever you do a scan that admin.php returns 403, it will be filtered from the result.


Use -i | --include-status and -x | --exclude-status to select allowed and not allowed response status-codes

For more advanced filters: --exclude-sizes, --exclude-texts, --exclude-regexps, --exclude-redirects and --exclude-response

python3 -e php,html,js -u https://target --exclude-sizes 1B,243KB
python3 -e php,html,js -u https://target --exclude-texts "403 Forbidden"
python3 -e php,html,js -u https://target --exclude-regexps "^Error$"
python3 -e php,html,js -u https://target --exclude-redirects "https://(.*)*"
python3 -e php,html,js -u https://target --exclude-response /error.html

Raw request

dirsearch allows you to import the raw request from a file. The content would be something looked like this:

GET /admin HTTP/1.1
Cache-Control: max-age=0
Accept: */*

Since there is no way for dirsearch to know what the URI scheme is, you need to set it using the --scheme flag. By default, dirsearch automatically detects the scheme.

Wordlist formats

Supported wordlist formats: uppercase, lowercase, capitalization







Exclude extensions

Use -X | --exclude-extensions with an extension list will remove all paths in the wordlist that contains the given extensions

python3 -u https://target -X jsp





Scan sub-directories

  • From an URL, you can scan a list of sub-directories with --subdirs.
python3 -e php,html,js -u https://target --subdirs /,admin/,folder/


dirsearch supports SOCKS and HTTP proxy, with two options: a proxy server or a list of proxy servers.

python3 -e php,html,js -u https://target --proxy
python3 -e php,html,js -u https://target --proxy socks5://
python3 -e php,html,js -u https://target --proxylist proxyservers.txt


Supported report formats: simple, plain, json, xml, md, csv, html, sqlite

python3 -e php -l URLs.txt --format plain -o report.txt
python3 -e php -u https://target --format html -o target.json

More example commands

cat urls.txt | python3 --stdin
python3 -u https://target --max-time 360
python3 -u https://target --auth admin:pass --auth-type basic
python3 -u https://target --header-list rate-limit-bypasses.txt

There are more to discover, try yourself!

Support Docker

Install Docker Linux

Install Docker

curl -fsSL | bash

To use docker you need superuser power

Build Image dirsearch

To create image

docker build -t "dirsearch:v0.4.2" .

dirsearch is the name of the image and v0.4.2 is the version

Using dirsearch

For using

docker run -it --rm "dirsearch:v0.4.2" -u target -e php,html,js,zip



  • The server has requests limit? That's bad, but feel free to bypass it, by randomizing proxy with --proxy-list
  • Want to find out config files or backups? Try --suffixes ~ and --prefixes .
  • Want to find only folders/directories? Why not combine --remove-extensions and --suffixes /!
  • The mix of --cidr, -F, -q and will reduce most of noises + false negatives when brute-forcing with a CIDR
  • Scan a list of URLs, but don't want to see a 429 flood? --skip-on-status 429 will help you to skip a target whenever it returns 429
  • The server contains large files that slow down the scan? You might want to use HEAD HTTP method instead of GET
  • Brute-forcing CIDR is slow? Probably you forgot to reduce request timeout and request retries. Suggest: --timeout 3 --retries 1


We have been receiving a lot of helps from many people around the world to improve this tool. Thanks so much to everyone who have helped us so far! See to know who they are.

Pull requests and feature requests are welcomed


Copyright (C) Mauro Soria ([email protected])

License: GNU General Public License, version 2

Related Awesome Lists
Top Programming Languages
Top Projects

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Python (808,558
Security (31,687
Scanner (13,982
Thread (12,451
Hacking (7,732
Penetration Testing (3,141
Pentesting (3,140
Brute (1,558
Fuzzing (1,393
Wordlist (1,031
Hacking Tool (1,005
Fuzzer (898
Appsec (455
Pentest Tool (441
Dirsearch (16