An advanced web path brute-forcer.


Requirement: python 3.7 or higher

Choose one of these installation options:

  • Install with git: git clone https://github.com/maurosoria/dirsearch.git --depth 1 (RECOMMENDED)
  • Install with ZIP file: Download here
  • Install with Docker: docker build -t "dirsearch:v0.4.3" . (more information can be found here)
  • Install with PyPi: pip3 install dirsearch or pip install dirsearch
  • Install with Kali Linux: sudo apt-get install dirsearch (deprecated)


Please check README.md for further configurations.

dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]


  --version             show program's version number and exit
  -h, --help            show this help message and exit

    -u URL, --url=URL   Target URL(s), can use multiple flags
    -l PATH, --url-file=PATH
                        URL list file
    --stdin             Read URL(s) from STDIN
    --cidr=CIDR         Target CIDR
    --raw=PATH          Load raw HTTP request from file (use '--scheme' flag
                        to set the scheme)
                        Session file
    --config=PATH       Path to configuration file (Default:
                        'DIRSEARCH_CONFIG' environment variable, otherwise

  Dictionary Settings:
    -w WORDLISTS, --wordlists=WORDLISTS
                        Customize wordlists (separated by commas)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (e.g. php,asp)
    -f, --force-extensions
                        Add extensions to the end of every wordlist entry. By
                        default dirsearch only replaces the %EXT% keyword with
    -O, --overwrite-extensions
                        Overwrite other extensions in the wordlist with your
                        extensions (selected via `-e`)
                        Exclude extension list separated by commas (e.g.
                        Remove extensions in all paths (e.g. admin.php ->
                        Add custom prefixes to all wordlist entries (separated
                        by commas)
                        Add custom suffixes to all wordlist entries, ignore
                        directories (separated by commas)
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
    --deep-recursive    Perform recursive scan on every directory depth (e.g.
                        api/users -> api/)
    --force-recursive   Do recursive brute-force for every found path, not
                        only directories
    -R DEPTH, --max-recursion-depth=DEPTH
                        Maximum recursion depth
                        Valid status codes to perform recursive scan, support
                        ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                        Exclude the following subdirectories during recursive
                        scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support
                        ranges (e.g. 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support
                        ranges (e.g. 301,500-599)
                        Exclude responses by sizes, separated by commas (e.g.
                        Exclude responses by text, can use multiple flags
                        Exclude responses by regular expression
                        Exclude responses if this regex (or text) matches
                        redirect URL (e.g. '/index.html')
                        Exclude responses similar to response of this page,
                        path as input (e.g. 404.html)
                        Skip target whenever hit one of these status codes,
                        separated by commas, support ranges
                        Minimum response length
                        Maximum response length
    --max-time=SECONDS  Maximum runtime for the scan
    --exit-on-error     Exit whenever an error occurs

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    --data-file=PATH    File contains HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, can use multiple flags
    --header-file=PATH  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request
    --auth=CREDENTIAL   Authentication credential (e.g. user:password or
                        bearer token)
    --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm, jwt,
    --cert-file=PATH    File contains client-side certificate
    --key-file=PATH     File contains client-side certificate private key

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    --delay=DELAY       Delay between requests
    --proxy=PROXY       Proxy URL (HTTP/SOCKS), can use multiple flags
    --proxy-file=PATH   File contains proxy servers
                        Proxy authentication credential
                        Proxy to replay with found paths
    --tor               Use Tor network as proxy
    --scheme=SCHEME     Scheme for raw request or if there is no scheme in the
                        URL (Default: auto-detect)
    --max-rate=RATE     Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    --ip=IP             Server IP address

  Advanced Settings:
    --crawl             Crawl for new paths in responses

  View Settings:
    --full-url          Full URLs in the output (enabled automatically in
                        quiet mode)
                        Show redirects history
    --no-color          No colored output
    -q, --quiet-mode    Quiet mode

  Output Settings:
    -o PATH, --output=PATH
                        Output file
    --format=FORMAT     Report format (Available: simple, plain, json, xml,
                        md, csv, html, sqlite)
    --log=PATH          Log file

Configuration File (config.ini)

By default the config.ini file is used to configure the settings. The default configuration is as follows.

# If you want to edit dirsearch default configurations, you can
# edit values in this file. Everything after `#` is a comment
# and won't be applied

threads = 25
recursive = False
deep-recursive = False
force-recursive = False
recursion-status = 200-399,401,403
max-recursion-depth = 0
exclude-subdirs = %%ff/,.;/,..;/,;/,./,../,%%2e/,%%2e%%2e/
random-user-agents = False
max-time = 0
exit-on-error = False
# subdirs = /,api/
# include-status = 200-299,401
# exclude-status = 400,500-999
# exclude-sizes = 0b,123gb
# exclude-texts = [
#   "Not found",
#   "404"
# ]
# exclude-regex = "^403$"
# exclude-redirect = "*/error.html"
# exclude-response = 404.html
# skip-on-status = 429,999

default-extensions = php,aspx,jsp,html,js
force-extensions = False
overwrite-extensions = False
lowercase = False
uppercase = False
capitalization = False
# exclude-extensions = old,log
# prefixes = .,admin
# suffixes = ~,.bak
# wordlists = /path/to/wordlist1.txt,/path/to/wordlist2.txt

http-method = get
follow-redirects = False
# headers = [
#   "Header1: Value",
#   "Header2: Value"
# ]
# headers-file = /path/to/headers.txt
# user-agent = MyUserAgent
# cookie = SESSIONID=123

timeout = 7.5
delay = 0
max-rate = 0
max-retries = 1
## By disabling `scheme` variable, dirsearch will automatically identify the URI scheme
# scheme = http
# proxies = ["localhost:8080"]
# proxies-file = /path/to/proxies.txt
# replay-proxy = localhost:8000

crawl = False

full-url = False
quiet-mode = False
color = True
show-redirects-history = False

## Support: plain, simple, json, xml, md, csv, html, sqlite, mysql, postgresql
report-format = plain
autosave-report = True
autosave-report-folder = reports/
# log-file = /path/to/dirsearch.log
# log-file-size = 50000000


In the example below the parameter --exclude-status 401,403,404 can be helpful filtering out specific status codes.

$ python3 dirsearch.py -u https://kb.offsec.nl

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11713

Output: /Users/crypt0rr/tools/dirsearch/reports/https_kb.offsec.nl/_23-08-17_10-59-02.txt

Target: https://kb.offsec.nl/

[10:59:02] Starting: 
[10:59:14] 404 -    2KB - /php.txt
[10:59:15] 404 -    2KB - /html.txt
[10:59:15] 404 -    2KB - /jsp.txt
[10:59:15] 404 -    2KB - /aspx.txt
[10:59:15] 404 -    2KB - /js.txt
[11:13:59] 404 -    2KB - /zeroclipboard.swf

Task Completed
$ python3 dirsearch.py -u https://kb.offsec.nl --exclude-status 401,403,404 -r

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11713

Output: /Users/crypt0rr/tools/dirsearch/reports/https_kb.offsec.nl/_23-08-17_11-41-31.txt

Target: https://kb.offsec.nl/

[11:41:31] Starting: 

Task Completed

URL list