Before I discovered feroxbuster, I was in a constant dilemma over choosing between gobuster and ffuf as my favorite tool for directory fuzzing a website. My initial thought is that ffuf just looks really clunky while gobuster looks more user friendly. Even though ffuf doesn’t look as good as gobuster, it just seems faster in my opinion, which is why I would choose it over gobuster.
After trying feroxbuster, it will now be my go-to choice when it comes to directory enumeration. Feroxbuster’s interface is just so beautiful it makes gobuster look very basic. Another thing I like is that it enumerates directories recursively by default.
Crawling
Another thing that’s awesome is that feroxbuster can essentially act as a web crawler by examining a website’s response for any links or files mentioned in the source code, finding directories and files a wordlist might not pick up. This is a great feature because not only do I have to spend less time looking at a website’s source code, it almost removes the need to use another tool for crawling.
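To make the link-extraction idea concrete, here is an added example (not feroxbuster's own code, and not from the original post) that pulls same-host paths out of a response body and lists the ones a wordlist would not have contained. The HTML, the host `testsite.example`, the wordlist and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample response body (not from a real site).
SAMPLE_HTML = """
<html><head><script src="/static/js/app.js"></script></head><body>
  <a href="/admin/">Admin</a>
  <a href="docs/v2/changelog.txt">Changelog</a>
  <a href="https://cdn.example.net/lib.js">CDN</a>
  <form action="/api/internal/export"></form>
  <img src="/images/logo.png">
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect values of attributes that normally carry URLs."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.links.append(value)

def extract_paths(base_url, html):
    """Return same-host paths referenced in html, plus each parent directory."""
    collector = LinkCollector()
    collector.feed(html)
    host = urlsplit(base_url).netloc
    paths = set()
    for link in collector.links:
        target = urlsplit(urljoin(base_url, link))
        if target.netloc != host:
            continue  # off-site link, out of scope
        parts = [p for p in target.path.split("/") if p]
        # Every prefix is a candidate: /docs/, /docs/v2/, /docs/v2/changelog.txt
        for i in range(1, len(parts) + 1):
            is_dir = i < len(parts) or target.path.endswith("/")
            paths.add("/" + "/".join(parts[:i]) + ("/" if is_dir else ""))
    return paths

def missed_by_wordlist(paths, wordlist):
    """Paths whose final segment is not a wordlist entry."""
    return sorted(p for p in paths if p.rstrip("/").split("/")[-1] not in wordlist)
```

Anything a page links to is discoverable this way regardless of how unusual its name is, so an unguessable path is not an access control.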
Usage Example
In this example I don’t specify a wordlist, so it uses one of the SecLists lists by default. If you want to specify a wordlist to use, you can add the -w flag. The -C flag filters response codes, kind of like how you would with ffuf. In this example I’m filtering response codes 500 and 502.
$ feroxbuster -u [url] -C 502 500 -o [output_file]
Close Out
Although feroxbuster is my choice for directory enumeration, ffuf will remain my go-to choice for subdomain and parameter enumeration, as I don’t believe feroxbuster can do this. And while gobuster is not that far behind in terms of functionality, between the user interface and the web crawling feature, feroxbuster is just more appealing to me.