Content Discovery Reference
Complete reference for finding hidden content in web applications.
Directory Fuzzing
ffuf
BASH
# Basic directory scan
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
# With extensions
ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak
# Filter responses
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234 # Filter size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 50 # Filter words
# Match specific status codes
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302
# Recursive
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
# With authentication
ffuf -u https://target.com/FUZZ -w wordlist.txt -H "Cookie: session=abc"
ffuf -u https://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN"
gobuster
BASH
# Directory mode
gobuster dir -u https://target.com -w wordlist.txt
# With extensions
gobuster dir -u https://target.com -w wordlist.txt -x php,html,txt
# Status codes (gobuster v3 blacklists 404 by default; clear it with -b "" when using -s)
gobuster dir -u https://target.com -w wordlist.txt -s 200,204,301,302,307 -b ""
# Threads
gobuster dir -u https://target.com -w wordlist.txt -t 50
feroxbuster
BASH
# Recursive scan
feroxbuster -u https://target.com -w wordlist.txt
# With extensions
feroxbuster -u https://target.com -w wordlist.txt -x php,html
# Depth control
feroxbuster -u https://target.com -w wordlist.txt --depth 3
Wordlists
Essential Lists
TEXT
# General
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
# Technology specific
/usr/share/seclists/Discovery/Web-Content/PHP.fuzz.txt
/usr/share/seclists/Discovery/Web-Content/apache.txt
/usr/share/seclists/Discovery/Web-Content/nginx.txt
/usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt
# API endpoints
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
# Backup files
/usr/share/seclists/Discovery/Web-Content/Common-Backup-File-Names.txt
Hidden Files
Common Hidden Paths
TEXT
# Version control
/.git/HEAD
/.git/config
/.svn/entries
/.hg/
# Configuration
/.env
/.env.local
/.env.prod
/config.php.bak
/wp-config.php.bak
/.htaccess
/web.config
# Debug/Info
/phpinfo.php
/info.php
/server-status
/server-info
# Backups
/backup/
/backup.zip
/backup.tar.gz
/db.sql
/database.sql
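Requests for the paths above are also a detection signal on the serving side. The following is an added example, not part of the original reference: it reads access-log lines in common/combined format and flags clients that request these paths or produce the many distinct 404s typical of wordlist fuzzing. The sample log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Subset of the hidden paths listed above.
SENSITIVE = {"/.git/HEAD", "/.git/config", "/.svn/entries", "/.env",
             "/.env.local", "/.env.prod", "/config.php.bak",
             "/wp-config.php.bak", "/phpinfo.php", "/server-status",
             "/backup.zip", "/backup.tar.gz", "/db.sql", "/database.sql"}

# Common/combined log format: ip - - [ts] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def analyze(lines, min_404_paths=5):
    """Return {ip: {"sensitive": [(path, status)], "distinct_404": n}} for flagged clients."""
    miss = defaultdict(set)    # ip -> distinct paths answered with 404
    hits = defaultdict(list)   # ip -> (sensitive path, status) in log order
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue           # skip malformed lines rather than guess
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]   # ignore the query string
        if status == "404":
            miss[ip].add(path)
        if path in SENSITIVE:
            hits[ip].append((path, int(status)))
    report = {}
    for ip in set(miss) | set(hits):
        if hits[ip] or len(miss[ip]) >= min_404_paths:
            report[ip] = {"sensitive": hits[ip], "distinct_404": len(miss[ip])}
    return report

def exposed(report):
    """Sensitive paths that were actually served (2xx): fix these, do not just alert."""
    return sorted({p for r in report.values() for p, s in r["sensitive"] if 200 <= s < 300})

def _line(ip, path, status):   # builds one constructed log line
    return f'{ip} - - [10/Oct/2024:13:55:01 +0000] "GET {path} HTTP/1.1" {status} 153'

# Constructed sample: one fuzzing client, one ordinary visitor.
SAMPLE = [_line("203.0.113.7", p, 404) for p in ("/admin", "/old", "/test", "/dev", "/.env")]
SAMPLE += [_line("203.0.113.7", "/.git/HEAD", 200),
           _line("198.51.100.4", "/index.html", 200),
           _line("198.51.100.4", "/favicon.ico", 404)]

if __name__ == "__main__":
    print(analyze(SAMPLE), exposed(analyze(SAMPLE)))
```

A 2xx on any listed path means the file is reachable and should be removed or blocked at the web server, independent of who requested it.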
API Discovery
TEXT
# Common API paths
/api/
/api/v1/
/api/v2/
/v1/
/graphql
/swagger/
/swagger.json
/openapi.json
/api-docs
# GraphQL introspection
POST /graphql
{"query": "{__schema{types{name}}}"}
Virtual Host Discovery
BASH
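# gobuster vhost (gobuster 3.2+ needs --append-domain when the wordlist holds bare labels such as "dev")
gobuster vhost -u http://target.com -w subdomains.txt --append-domain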
# ffuf
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 1234
JavaScript Analysis
BASH
# Extract JS files
katana -u https://target.com -jc | grep "\.js$"
# Find endpoints in JS (hyphen placed last in the bracket expression so it is matched literally)
grep -oE "/[a-zA-Z0-9_/-]+" file.js | sort -u
# Tools
# LinkFinder
python linkfinder.py -i https://target.com/app.js -o cli
# SecretFinder
python SecretFinder.py -i https://target.com/app.js