To provide a comprehensive overview of using Gobuster, a tool used for brute-force testing of directories and files on web servers, let's consider its various commands and options. Gobuster is particularly useful for web developers and penetration testers to discover hidden resources such as directories and files that might not be immediately visible through a website's navigation or sitemap.
Install or update Gobuster from the package manager:
sudo apt update && sudo apt upgrade gobuster
The basic directory scan, and the command you will use most often, is gobuster dir -u <url> -w <wordlist>.
Check the installed version:
gobuster --version
| Flag | Description | Example |
|------|-------------|---------|
| -a | Custom User-Agent | -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" |
| -H | Add custom header (can use multiple) | -H "Authorization: Bearer token" -H "X-Custom: Value" |
| --cookies | Send cookies | --cookies "session=abc123; user=admin" |
| -k | Skip SSL certificate verification | -k (for self-signed certs) |
| --no-tls-validation | Alias for -k | --no-tls-validation |
Example: scanning an authenticated API with extensions, a bearer-token header and a status-code whitelist:
gobuster dir -u https://api.target.com/v2 -w api_words.txt -x json,js,php -H "Authorization: Bearer eyJhbGciOiJ..." -s 200,201,401
Note that in Gobuster 3.1 and later -s (whitelist) and -b (blacklist, set to 404 by default) are mutually exclusive; when you pass -s, also pass -b "" to clear the default blacklist or the command refuses to run.
Fuzz mode is the most powerful of the newer additions. It brute-forces parameters in the URL, in headers or in POST data: replace the part you want to fuzz with the keyword FUZZ.
Example: Brute Forcing a Parameter Value
gobuster fuzz -u http://target.com/page?id=FUZZ -w numbers.txt
Example: Brute Forcing a Header
gobuster fuzz -u http://target.com/ \
-H "Host: FUZZ.target.com" \
-w subdomains.txt
The landscape of web security testing changes fast; an updated Gobuster command reference keeps your testing current.
Final updated command cheat sheet:
# Directory busting (modern)
gobuster dir -u https://target.com -w wordlist.txt -t 50 --status-codes 200,403 --no-tls-validation
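From the defender's side, a scan like the ones above leaves two signals in the web server's access log: the tool's default User-Agent (which the -a flag from the table hides) and a burst of 403/404 responses from one client as the wordlist runs. The detector below is an added example, not part of the original cheat sheet or of the Gobuster project; the log lines are constructed, and the default User-Agent is assumed to contain the string "gobuster".

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(  # Apache/nginx combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed sample log: a wordlist run using the tool's (assumed) default
# User-Agent, followed by one ordinary browser request from a different client.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.git HTTP/1.1" 403 199 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_scanners(lines, window_s=60, miss_threshold=4):
    """Return {ip: [reasons]} for clients whose traffic looks like a wordlist run.
    Signal 1: default User-Agent (assumed to contain 'gobuster'; hidden by -a).
    Signal 2: >= miss_threshold 403/404 responses from one client within
    window_s seconds, which still fires when the User-Agent is spoofed."""
    misses = defaultdict(deque)   # ip -> timestamps of recent 403/404 responses
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if "gobuster" in rec["ua"].lower():
            reasons[ip].add("default gobuster user-agent")
        if rec["status"] in (403, 404):
            q = misses[ip]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()   # drop responses that fell out of the sliding window
            if len(q) >= miss_threshold:
                reasons[ip].add(f"{len(q)} 403/404 responses within {window_s}s")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

Tune window_s and miss_threshold to the site's normal 404 rate; the burst rule is the one that matters once the User-Agent has been changed.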