HowTo dirbust

# Tools

There are two good options:

ffuf -r -sf -ac -w ./wordlist.txt -u http://scanme.sh/FUZZ

pros:

  • has -ac (auto-calibration), which automatically filters likely false positives
  • -sf stops the scan when > 95% of responses return 403 Forbidden
  • -enc can encode the wordlist (URL or base64 encoder)
  • you can specify multiple wordlists
  • -mode lets you combine multiple wordlists and multiple FUZZ keywords (like the attack modes in Burp Suite)
  • you can specify a rate limit
  • more matching options
  • has recursive scanning
  • better UI (plus an interactive mode)

cons:

  • you need to hack your way around to use it as a Go library
  • you must specify FUZZ in the URL

gobuster dir -r -k -w ./wordlist.txt -u "http://scanme.sh/" --exclude-length 2
gobuster fuzz -r -k -w ./wordlist.txt -u "http://scanme.sh/FUZZ" --exclude-length 2

pros:

  • for some of my tests it produced fewer false positives
  • I’ve made a Go library - gobuster-lib
  • has options to find backup files (.bak, .1, …)
  • can randomize the User-Agent

cons:

  • annoying false positive: it doesn’t automatically set --exclude-length when the 404 page is served with HTTP status 200 (try scanning http://scanme.sh/)
  • you can’t specify a rate limit, only the number of threads (1 thread is roughly 6-8 pps)
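The two cons above describe what this traffic looks like from the server side: a burst of requests per thread against paths that mostly do not exist, and servers that answer missing pages with status 200. As an added example that is not part of the original post, here is a small Python detector for that pattern run over constructed access-log lines. The IP addresses, paths and thresholds are assumptions chosen for the sample; the second signal (many distinct paths in a short window) is what still fires when the soft-404 behaviour defeats a plain 404-ratio check.

```python
"""Flag directory brute-forcing in web-server access logs (Common Log Format).

Two per-client signals are checked inside a sliding time window:
  1. a high share of 404 responses, and
  2. a large number of distinct request paths.
Signal 2 covers servers that return HTTP 200 for their "not found" page,
where signal 1 sees no 404s at all.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_dirbusters(lines, window=timedelta(seconds=10), min_requests=20,
                    min_404_ratio=0.5, min_distinct_paths=20):
    """Return {ip: reason} for clients whose traffic in some window looks like a wordlist scan.

    Thresholds are assumptions for this example; tune them per site.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            ratio_404 = sum(r["status"] == 404 for r in win) / len(win)
            distinct = len({r["path"] for r in win})
            if ratio_404 >= min_404_ratio:
                flagged[ip] = (f"{ratio_404:.0%} of {len(win)} requests were 404 "
                               f"within {window.seconds}s")
                break
            if distinct >= min_distinct_paths:
                flagged[ip] = (f"{distinct} distinct paths in {len(win)} requests within "
                               f"{window.seconds}s (possible soft-404 server)")
                break
    return flagged


def sample_log():
    """Constructed sample: one browsing user, one scanner getting 404s, one scanner
    against a host that serves its 404 page with status 200. All values are made up."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path, status, size):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} {size}'

    lines = []
    # 10.0.0.5 visits five real pages over a minute
    for i, p in enumerate(["/", "/about", "/blog", "/blog/post-1", "/contact"]):
        lines.append(fmt("10.0.0.5", t0 + timedelta(seconds=12 * i), p, 200, 5120))
    # 10.0.0.9 requests 40 wordlist paths in 4 seconds; the server answers 404
    for i in range(40):
        lines.append(fmt("10.0.0.9", t0 + timedelta(milliseconds=100 * i), f"/word{i}", 404, 153))
    # 10.0.0.13 does the same against a host whose "not found" page has status 200
    for i in range(40):
        lines.append(fmt("10.0.0.13", t0 + timedelta(milliseconds=100 * i), f"/word{i}", 200, 1024))
    return lines


if __name__ == "__main__":
    for ip, reason in find_dirbusters(sample_log()).items():
        print(f"{ip}: {reason}")
```

The distinct-path signal will also catch legitimate crawlers and pages that load many assets, so in practice it is paired with an allow-list of known crawler IPs or User-Agents and static-asset prefixes, and the thresholds are set from the site's normal per-client request volume.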

# Wordlists

The rockyou of web directory wordlists: six2dez/OneListForAll

Wordlists post