OWASP DirBuster – Bruteforcing the Web

July 16, 2012, by | Start Discussion

DirBuster is a multi-threaded Java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

This tool is written by James Fisher and now an OWASP's Project, licensed under LGPL.

DirBuster provides the following features:

  • Multi-threaded has been recorded at over 6000 requests/sec
  • Works over both http and https
  • Scan for both directory and files
  • Will recursively scan deeper into directories it finds
  • Able to perform a list based or pure brute force scan
  • DirBuster can be started on any directory
  • Custom HTTP headers can be added
  • Proxy support
  • Auto switching between HEAD and GET requests
  • Content analysis mode when failed attempts come back as 200
  • Custom file extensions can be used
  • Performance can be adjusted while the program in running
  • Supports Basic, Digest and NTLM auth
  • Command line
  • GUI interface

How works DirBuster?

It works with the "Fail Cases", for example, DirBuster will attempt to determine if something is available and if the test executed returns a result different from the "Fail Case".

It is very interesting to say that the lists were generated crawling the Internet and collecting the directory and files that are actually used by developers.

DirBuster has a total of 9 different lists:

  1. Apache User Enumeration 1.0
  2. Apache User Enumeration 2.0
  3. Directory List 1.0
  4. Directory List 2.3 Small
  5. Directory List 2.3 Medium
  6. Directory List 2.3 Big
  7. Directory List Lowercase 2.3 Small
  8. Directory List Lowercase 2.3 Medium
  9. Directory List Lowercase 2.3 Big

The directory lists are distributed under Creative Commons Attribution-Share Alike 3.0 License.

You can select the scanning type "Pure Brute Force" if you have time, and try with different Char set, setting the Max and Min Length.

Other interesting options are:

  • Brute Force Dirs.
  • Brute Force Files.
  • Be Recursive.
  • Use Blank Extension.
  • Dir to start with (for example "/").
  • File Extension.

Also you can put a URL and try it with fuzzing, for example:

What DirBuster can do for me?

Attempt to find hidden pages/directories unlinked, giving you another attack vector.

How does DirBuster help in the building of secure applications?

DirBuster is able to find content on the web server or within the application that is not required and from the developers point of view understand that by simply not linking to a page does not mean it cannot be accessed, the basic concept of “Security through obscurity”.

What DirBuster will NOT do for you?

Exploit anything it finds. This is not the purpose of this tool.

Installation & Usage

  1. Unzip or untar the download.
  2. cd into the program directory.
  3. To run the program java -jar DirBuster-0.10.jar (Windows uses should be able to just double click on the jar).
  4. Recommended list to use is directory-list-2.3-medium.txt.


DirBuster requires Java 1.6 or above.

Command Line

Run DirBuster in headless mode.

java -jar DirBuster-0.12.jar -H -u https://www.target.com

Start GUI with target file prepopulated.

java -jar DirBuster-0.12.jar -u https://www.target.com

Official Website


Security Analyst working in an International Bank and participating in some Projects like Vulnerability Database, Zero Science Lab, OWASP. Fanatic of open standards.

Leave a Reply