Feroxbuster — Install, Use, Optimise (2026)

Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026

Rust-based recursive web content discovery tool — significantly faster than gobuster for deep directory busts.

Use case: Web Application
Difficulty: Beginner
Homepage: https://github.com/epi052/feroxbuster

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Cargo

cargo install feroxbuster

Linux (apt)

sudo apt install feroxbuster

Binary

curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Recursive bust (default depth 4)

feroxbuster -u https://target.com -w wordlist.txt

Limit depth

feroxbuster -u https://target.com -d 2 -w wordlist.txt

Multiple file extensions

feroxbuster -u https://target.com -x html,php,bak,old,zip -w wordlist.txt

Filter by status

feroxbuster -u https://target.com -C 404 -w wordlist.txt

Save state, resume later

feroxbuster -u target.com --state-file scan.state -w big.txt

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -t 200: thread count (default = 200). Already aggressive; rarely needs increase.
  • --rate-limit 100 caps to 100 req/s — predictable pressure on production targets.
  • --smart auto-tunes throughput based on errors — generally leave on.
  • --scan-limit 20: maximum number of directories scanned simultaneously (recursion). Keeps memory bounded on huge sites.
  • --collect-words harvests words from response bodies into wordlist — adaptive recon.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Default recursion goes 4 levels deep — easily 100k+ requests on a real site. Use -d to bound.
  • --smart can over-throttle. If results feel slow, try --no-smart.
  • Saved state files are large; clean up scan.state after engagements.
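
One way to size a run before launching it, tying the depth pitfall above to the --rate-limit knob (an added example, not from the original page or the feroxbuster project). The cost model, the function names and the sample figures are assumptions: each scanned directory costs words × (1 + extensions) requests and reveals a fixed number of new directories.

```shell
#!/bin/sh
# Added example: request budget for a recursive scan, computed before it starts.
# Assumed model: every scanned directory costs WORDS * (1 + EXTS) requests, and
# each scanned directory reveals BRANCH new directories until depth -d is reached.
# Depth 1 is the base URL only. BRANCH is a guess you supply, not a measured value.

# estimate_requests WORDS EXTS DEPTH BRANCH -> total requests for the run
estimate_requests() (
    words=$1; exts=$2; depth=$3; branch=$4
    if [ "$depth" -lt 1 ]; then
        # feroxbuster treats -d 0 as unlimited recursion: no finite estimate.
        echo "depth must be >= 1 for a bounded estimate" >&2
        exit 1
    fi
    per_dir=$(( words * (1 + exts) ))
    dirs_at_level=1; total_dirs=0; level=1
    while [ "$level" -le "$depth" ]; do
        total_dirs=$(( total_dirs + dirs_at_level ))
        dirs_at_level=$(( dirs_at_level * branch ))
        level=$(( level + 1 ))
    done
    echo $(( per_dir * total_dirs ))
)

# estimate_seconds REQUESTS RATE -> run time at a fixed --rate-limit, rounded up
estimate_seconds() (
    echo $(( ($1 + $2 - 1) / $2 ))
)

# max_depth_within BUDGET WORDS EXTS BRANCH -> deepest -d (1..10) that fits, 0 if none
max_depth_within() (
    budget=$1; depth=0
    while [ "$depth" -lt 10 ]; do
        next=$(estimate_requests "$2" "$3" $(( depth + 1 )) "$4")
        if [ "$next" -gt "$budget" ]; then break; fi
        depth=$(( depth + 1 ))
    done
    echo "$depth"
)

# Constructed inputs: 5000-word list, the five extensions from the -x example,
# three new directories per scanned directory, --rate-limit 100.
for d in 2 4; do
    total=$(estimate_requests 5000 5 "$d" 3)
    echo "-d $d: $total requests, $(estimate_seconds "$total" 100) s at 100 req/s"
done
echo "deepest -d within 150000 requests: $(max_depth_within 150000 5000 5 3)"
```

With these constructed inputs the default depth of 4 costs ten times the requests of -d 2, which is the gap the request ceiling agreed in the Rules of Engagement has to absorb.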

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • ffuf — more flexible fuzzing modes.
  • gobuster — simpler.
  • katana — JS-aware crawling.

India context and engagement notes

Feroxbuster’s recursive default + adaptive learning makes it the fastest path from “I have a target URL” to “here are all the hidden directories”. For SPAs, pair with katana to crawl JS-rendered routes.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
