pathbuster

A path-normalization pentesting tool (inspired by FFUF)

Whats New • Bug Fixes • Installation • Usage • Example Scan • Examples • Contributing • License •

What's New?

• Unified response filtering under --filter-* flags with stage prefixes (V/F).
• Implemented --drop-after-fail which will ignore requests with the same response code multiple times in a row.
• Added in a --proxy argument, so you can now perform proxy-related tasks such as sending everything to burp.
• Pathbuster will now give you an eta on when the tool will finish processing all jobs.
• Added in a --skip-brute argument, so you have the choice to perform a directory brute force or not.
• Split scan matching into --validate-status and --fingerprint-status for scan-stage control.
• Added in a --skip-validation argument which is used to bypass known protected endpoints using traversals.
• Added in a --header argument which is used to add in additonal headers into each request.
• Added --methods for scanning with one or more HTTP methods (comma-separated).
• Added --path for scanning a single path without a wordlist.
• Added wordlist transforms via --wordlist-manipulation (alias: --wm).
• Added traversal strategy selection via --traversal-strategy (greedy / quick).
• Added bruteforce gating via --wordlist-status and output filtering via --disable-show-all.
• Added bruteforce batching via --brute-queue-concurrency and optional noise filtering via --ac.

Installation

Install rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Install pathbuster

cargo install pathbuster

Usage

pathbuster -h

This command will show the tool's help information and present a list of all the switches that are available.

Default config

On first run, Pathbuster will create a default config file at:

• Linux/macOS: ~/.pathbuster/config.yml
• Windows: %USERPROFILE%\\.pathbuster\\config.yml

The generated config contains the default settings, with optional keys commented out.

You can also explicitly point to a config file:

pathbuster --config ./config.yml

Common options (high level)

• Targets: --url <URL> (repeatable) or --input-file <FILE>
• Payloads: --payloads <FILE>
• Raw request: --raw-request <FILE> (optional, uses * as injection points)
• Bruteforce target: --wordlist <FILE> (recommended) or --path <PATH> and optional --wordlist-dir <DIR>
• Wordlist manipulation (optional): --wordlist-manipulation <LIST> (alias: --wm)
• Output: --output <FILE> and optional --output-format <text|json|xml|html>
• Output filtering: --disable-show-all (only show matches allowed by --wordlist-status)
• Networking: --proxy <URL>, --follow-redirects, --timeout <SECONDS>, --methods <METHODS>
• Validation tuning: --response-diff-threshold <MIN-MAX>
• Bruteforce tuning: --wordlist-status <CODES>, --brute-queue-concurrency <N>, --ac
• Filters:
  • --filter-status <SET> (e.g. V:404,F:500 or 404,500 for both stages)
  • --filter-size <SET> (e.g. V:1234,F:5678)
  • --filter-words <SET> (e.g. V:10,F:25)
  • --filter-lines <SET> (e.g. V:5,F:20)
  • --filter-regex <STAGE:REGEX> (repeatable, e.g. --filter-regex V:<re> --filter-regex F:<re>)
  • Stage-scoped filters and status matchers work with both traversal strategies (greedy and quick)

Traversal strategies (quick vs greedy)

Pathbuster has two traversal strategies you can select via --traversal-strategy:

Greedy (default)

• Probes depths from --start-depth up to --max-depth to find a depth where --fingerprint-status matches.
• Once a “fingerprint depth” is found, it validates every depth back down toward --start-depth.
• Higher request count, but more consistent when you don’t know how the target normalizes paths.

Quick

• Computes the “fingerprint depth” directly from the target URL path segment count plus --start-depth (clamped to --max-depth).
• Validates a minimal set of depths (favoring speed over coverage) and moves on.
• Lower request count, best when your base URL has meaningful path segments (e.g. https://example.com/app/).

Arguments

Wordlist manipulation

--wordlist-manipulation <LIST> (alias: --wm) applies one or more transforms to the bruteforce wordlist before scanning.

LIST is a comma-separated list of transforms:

• sort: Sort words (also enables unique via dedup when both are set)
• unique / uniq: Deduplicate words (preserves first-seen order unless sort is also set)
• reverse / rev: Reverse each word
• lower: Lowercase each word
• upper: Uppercase each word
• title: Title-case each word (ASCII)
• prefix=<STR>: Prefix each word with <STR>
• suffix=<STR>: Suffix each word with <STR>
• replace=<FROM:TO>: Replace substring <FROM> with <TO> (repeatable by adding multiple replace=... entries)
• smart: Split naming conventions into separate words (AdminPanel -> Admin, Panel; admin_panel -> admin, panel; admin-panel -> admin, panel)
• smartjoin=<CASE:SEP>: Split then join with SEP (CASE is one of c,l,u,t or empty). Example: smartjoin=l:_ turns AdminPanel into admin_panel.

Examples:

pathbuster \
  --url https://example.com/app/ \
  --payloads ./payloads/traversals.txt \
  --wordlist ./wordlists/wordlist.txt \
  --wordlist-manipulation sort,unique,lower,replace=..%2f:../

pathbuster \
  --url https://example.com/app/ \
  --payloads ./payloads/traversals.txt \
  --wordlist ./wordlists/wordlist.txt \
  --wm smartjoin=l:_

Examples

Basic usage (single target):

pathbuster --url https://example.com/app/ \
  --payloads ./payloads/traversals.txt \
  --wordlist ./wordlists/wordlist.txt \
  --output ./output.html --output-format html

Scan with multiple HTTP methods

pathbuster --url https://example.com/app/ \
  --methods GET,POST \
  --payloads ./payloads/traversals.txt \
  --wordlist ./wordlists/wordlist.txt \
  --skip-brute

Scan a single path (no wordlist)

pathbuster --url https://example.com/app/ \
  --payloads ./payloads/traversals.txt \
  --path admin \
  --skip-brute

Run a scan with explicit scan settings

pathbuster \
  --url https://example.com/app/ \
  --payloads ./payloads/traversals.txt \
  --wordlist ./wordlists/wordlist.txt \
  --wordlist-dir ./wordlists/targeted \
  --rate 500 \
  --concurrency 200 \
  --timeout 10 \
  --response-diff-threshold 5-1000 \
  --validate-status 404 \
  --fingerprint-status 400,500 \
  --filter-status V:301,302,F:404 \
  --bypass-level 2 \
  --follow-redirects

Use a raw HTTP request template with injection points

Create a request file containing one or more * markers:

GET /app/* HTTP/1.1
Host: example.com
User-Agent: pathbuster
Accept: */*

Then run:

pathbuster \
  --url https://example.com/app/ \
  --raw-request ./request.txt \
  --payloads ./payloads/traversals.txt \
  --wordlist ./wordlists/wordlist.txt

Specify scan settings via config file

Create or edit ~/.pathbuster/config.yml:

rate: 500
concurrency: 200
timeout: 10

payloads: ./payloads/traversals.txt
wordlist: ./wordlists/wordlist.txt
# Or scan a single path without a wordlist:
# path: admin
wordlist_dir: ./wordlists/targeted
wordlist_manipulation: "sort,unique,lower"
wordlist_status: "200"
disable_show_all: false

validate_status: "404"
fingerprint_status: "400,500"
response_diff_threshold: "5-1000"
filter_status: ""
filter_size: ""
filter_words: ""
filter_lines: ""
filter_regex: []

follow_redirects: true
disable_fingerprinting: false
disable_waf_bypass: false
bypass_level: 3
bypass_transform: []

Run using that config:

pathbuster --url https://example.com/app/ --config ~/.pathbuster/config.yml

Example scan:

pathbuster --url https://example.com/app/ \
  --path internal/admin \
  --validate-status 404 \
  --fingerprint-status 404 \
  --traversal-strategy quick \
  --max-depth 5 \
  --rate 50 \
  --concurrency 20 \
  --timeout 5 \
  --wordlist-status 200 \
  --brute-queue-concurrency 3 \
  --disable-show-all

Using as a Rust library

Library usage examples are in the examples folder.

• Basic runner example: library_scan.rs
• Inline payloads + raw request example: library_scan_inline.rs
• Filters example: library_scan_filters.rs
• Skip-validation + wordlist manipulation example: library_scan_skip_validation.rs

Run the example binary:

cargo run --example library_scan

You can also run scans by constructing a Runner with Options and calling run().

Basic example (same as library_scan.rs):

use std::error::Error;

use pathbuster::runner::{Options, PayloadSource, Runner};

#[tokio::main]
async fn main() -> Result<(), Box<dyn Error>> {
    let runner = Runner::new(Options {
        urls: vec!["https://example.com/app/".to_string()],
        payloads: PayloadSource::FilePath("./payloads/traversals.txt".to_string()),
        skip_brute: true,
        rate: 10,
        concurrency: 10,
        timeout_seconds: 5,
        max_depth: 2,
        ..Options::default()
    })?;

    let result = runner.run().await?;

    println!("Targets: {}", result.fingerprints.len());
    println!("Matches: {}", result.matches.len());
    for m in result.matches.iter() {
        println!("{} {} {}", m.base_url, m.status, m.result_url);
    }

    Ok(())
}

Warning

Do not run automated scans, brute forcing, or high-rate tooling (including Pathbuster) against PentesterLab infrastructure or any training platform you do not own or explicitly have permission to test.

Support Development

If this project helps you uncover any interesting or impactful bugs, I'd really appreciate a bit of support or recognition. A shout-out on Twitter/X (@z0idsec) or buying me a coffee goes a long way in supporting continued development and research.

Thanks for checking it out - hope you enjoy using it.

Contributing

Contributions are welcome and appreciated. If you're planning a significant change, please open an issue first to discuss the proposed approach and ensure alignment before submitting a pull request.

When submitting changes, please ensure that any relevant tests are updated or added as appropriate.

Contributors

Thanks to everyone who has contributed to this project.

License

Pathbuster is distributed under MIT License