Content Discovery Cheat Sheet

Practical content discovery reference: ffuf and feroxbuster patterns, wordlist selection, recursion, extension fuzzing, backup/temp file hunting, and virtual host enumeration for finding hidden directories, files, and endpoints. (50 payloads)

Try it interactively with the Subdomain Wordlist Builder

Wordlist Selection

(8)

/usr/share/seclists/Discovery/Web-Content/common.txt

First-pass list (~4.7k entries). Fast sweep for the obvious low-hanging directories and filesSecLists is the de-facto wordlist collection; clone from danielmiessler/SecLists if not in /usr/share

/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

RAFT lists are built from real-world crawl data, ordered by frequency. Use raft-large-files.txt for files, raft-large-words.txt for everythingraft-medium-* is the sweet spot for time-boxed engagements

/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

DirBuster medium (~220k). Comprehensive but slow — run after a quick common.txt pass confirms the target handles the loaddirectory-list-2.3-big.txt (~1.2M) only when you have time and rate budget

/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

Dedicated API route wordlist. Pair with objects.txt and the api/ folder for REST/GraphQL endpoint huntingWhen you find /api/v1/, fuzz the next segment with these lists

/usr/share/seclists/Discovery/Web-Content/<tech>.txt (tomcat.txt, jboss.txt, IIS.txt, nginx.txt)

Tech-specific lists — pick based on Server/X-Powered-By headers, favicon hash, or 404 fingerprintWappalyzer or whatweb first; a Java stack needs different paths than PHP

assetnote/wordlists — automated.json / httparchive_directories

Assetnote's commonspeak2/automated lists are generated from Common Crawl + HTTP Archive — finds modern routes SecLists missesDownload from wordlists.assetnote.io; far better hit rate on SaaS/cloud apps

cewl -d 2 -m 5 -w custom.txt https://target.com

Generate a target-specific wordlist by spidering the site for words — catches custom path/param names no public list hasCombine with the company name, product names, and dev usernames you've OSINTed

/usr/share/seclists/Discovery/Web-Content/quickhits.txt

Curated high-value paths (.git/HEAD, .env, config files, admin panels) — fast and noisy-with-purposeGreat as a first probe before committing to a full brute-force

ffuf Core Patterns

(8)

ffuf -u https://target.com/FUZZ -w raft-large-directories.txt -ac

Directory brute with -ac (autocalibrate) — ffuf learns the soft-404 baseline and auto-filters bogus responses-ac removes most false positives without manually tuning -fs/-fw

ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.bak,.zip,.old,.txt,.json

-e appends each extension to every word, so FUZZ becomes admin, admin.php, admin.bak, etc.Choose extensions to match the stack; .bak/.old/.zip catch backups

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,204,301,302,307,401,403,405 -fc 404

-mc matches interesting codes; 401/403 reveal protected resources that exist. Filter the 404 noise403 often means the path is real but ACL-blocked — note it for bypass attempts

ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234 -fw 56 -fl 7 -fr 'Not Found'

Stack filters: -fs size, -fw words, -fl lines, -fr regex. Pin down the exact soft-404 signature when -ac is not enoughRun once unfiltered, read the dominant size/word count, then filter it

ffuf -u https://target.com/FUZZ -w list.txt -t 40 -rate 50 -p 0.1-0.5 -timeout 10

-t threads, -rate caps req/s, -p adds random delay (jitter), -timeout per-request. Tune to avoid WAF bans and DoSDrop -t to 5-10 and add -p on fragile or production targets

ffuf -u https://target.com/FUZZ -w list.txt -H 'Cookie: session=...' -b 'auth=...' -x http://127.0.0.1:8080

Authenticated discovery: pass session via -H/-b and proxy through Burp (-x) to capture and replay every hitLogged-in surface is usually much larger than anonymous

ffuf -u https://target.com/FUZZ -w list.txt -o out.json -of json -or -s

-o/-of write machine-readable output, -or skips writing on empty results, -s silent for clean pipingUse json or csv output to feed results into the next phase or a report

ffuf -w hosts.txt:HOST -w paths.txt:PATH -u https://HOST/PATH -mode clusterbomb

Multi-wordlist fuzzing: named keywords with pitchfork (parallel, paired) or clusterbomb (all combinations)clusterbomb = every host x every path; pitchfork = line-aligned pairs

feroxbuster & Recursion

(7)

feroxbuster -u https://target.com -w raft-medium-directories.txt

feroxbuster recurses automatically by default — every discovered directory is queued and scanned in turnRust-based, fast, multi-threaded; ideal when you want depth without scripting

feroxbuster -u https://target.com -w list.txt -d 3 --thorough

-d caps recursion depth (3 levels); --thorough enables extra checks (recursion into 403/links, extension collection)Unbounded recursion can explode — always cap depth on large sites

feroxbuster -u https://target.com -w list.txt -x php,html,bak,zip,js,json

-x adds extensions to every word during recursive scanning, so backups and source files surface at every levelferoxbuster also auto-extracts links/paths from response bodies with --extract-links

feroxbuster -u https://target.com -w list.txt -C 404,400 -s 200,301,403 --filter-size 0

-C filters status codes, -s matches them, --filter-size/-W/-N drop responses by size/words/linesUse --smart or --auto-tune to dynamically adapt filtering and rate during the scan

ffuf -u https://target.com/FUZZ -w list.txt -recursion -recursion-depth 2 -recursion-strategy greedy

ffuf recursion: queues new FUZZ jobs for each found directory. greedy recurses into everything; default only into clear dirsferoxbuster handles recursion more gracefully; use ffuf recursion for tighter control

feroxbuster --resume-from ferox.state

feroxbuster saves a state file on Ctrl-C — resume long recursive scans exactly where they stoppedffuf equivalent: ffuf ... -o out.json then resume manually; ffuf has no native resume

feroxbuster -u https://target.com -w list.txt --dont-scan '/logout,/exit,/static'

Blacklist paths that would log you out, waste cycles, or trigger alerts during recursionAlways exclude logout/delete endpoints in authenticated scans

Extensions & File Hunting

(6)

-e .php,.php3,.php5,.phtml,.inc / -x asp,aspx,ashx,asmx / .jsp,.jspx,.do,.action

Match executable extensions to the detected stack (PHP / .NET / Java). Hitting the right ones reveals dynamic endpointsServer header, error pages, and cookie names (PHPSESSID, JSESSIONID, ASP.NET_SessionId) fingerprint the stack

ffuf -u https://target.com/index.FUZZ -w extensions.txt

Extension fuzzing on a known basename — discover index.php vs index.bak vs index.old vs index.txt of the same pageUse /usr/share/seclists/Discovery/Web-Content/web-extensions.txt

/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt + .json/.xml/.yaml

Hunt config and data files: swagger.json, openapi.yaml, .well-known/, sitemap.xml, robots.txt, crossdomain.xmlrobots.txt and sitemap.xml are free disclosure — always pull them manually first

ffuf -u https://target.com/FUZZ -w list.txt -e .map

Source maps (.js.map) reverse minified JS back to readable source — exposes API routes, secrets, and logicAppend .map to discovered .js files; use a sourcemap unpacker to rebuild the tree

/usr/share/seclists/Discovery/Web-Content/LogFiles-sortbymostpopular.fuzz.txt

Log and debug file discovery: error.log, debug.log, access.log, laravel.log, trace.axd — often world-readableFramework debug pages (Laravel /telescope, Symfony _profiler) leak environment and queries

ffuf -u https://target.com/FUZZ -w list.txt -e .DS_Store,.htaccess,.htpasswd,.git-credentials

Dotfile and metadata leaks: .DS_Store maps directory contents, .htpasswd carries hashes, .git-credentials is plaintextParse a leaked .DS_Store with ds_store_exp to enumerate filenames without brute force

Backup, Temp & Source Leaks

(7)

ffuf -u https://target.com/index.php.FUZZ -w '.bak,.old,.orig,.save,.swp,.tmp,~,.1' (as wordlist)

Backup-suffix fuzzing on a known file. Editors and admins leave index.php.bak, config.php~, .index.php.swp behindVim swap files (.filename.swp) recover unsaved source via vim -r

ffuf -u https://target.com/FUZZ -w files.txt -e .zip,.tar,.tar.gz,.tgz,.gz,.7z,.rar,.bak,.sql

Archive and DB-dump hunting — backup.zip, www.tar.gz, db.sql, dump.sql, site_backup.7z are routine misconfigurationsTry the domain name as the archive name: target.zip, target.com.tar.gz, www.zip

/usr/share/seclists/Discovery/Web-Content/BackupFiles.fuzz.txt

Purpose-built backup-pattern wordlist combining common basenames with backup extensions and date suffixesAlso try date-stamped names: backup-2024.sql, db_2024-01.sql.gz

git clone via exposed /.git/ → git-dumper https://target.com/.git/ ./loot

If /.git/HEAD returns 200, the whole repo is downloadable. Dump it and recover full source + history + secretsCheck /.git/config, /.git/HEAD; GitTools/Dumper or git-dumper rebuilds the working tree

curl -s https://target.com/.svn/wc.db | curl -s https://target.com/.env

VCS and env leaks: .svn/wc.db (SVN entries), .hg/, .bzr/, and .env files with DB creds, API keys, secrets.env exposure is one of the highest-impact content-discovery findings

ffuf -u https://target.com/FUZZ -w files.txt -e .config,.conf,.ini,.yml,.yaml,.properties,.xml

Config-file discovery: web.config, application.yml, settings.py, database.yml, appsettings.json — credentials and internal hostsweb.config can disclose connection strings and machine keys (.NET deserialization)

ffuf -u https://target.com/FUZZ -w files.txt -e .phps,.php~,.inc,.bak.php

Source disclosure: .phps and copied-but-not-parsed variants serve raw PHP instead of executing itReading source reveals hardcoded creds, hidden params, and the real auth logic

Virtual Host Enumeration

(7)

ffuf -u http://TARGET_IP/ -H 'Host: FUZZ.target.com' -w subdomains.txt -ac

VHost fuzzing — many hostnames share one IP. The Host header selects the site; -ac filters the default vhost's baselineFinds internal/staging vhosts that have no public DNS record

ffuf -u http://TARGET_IP/ -H 'Host: FUZZ.target.com' -w subs.txt -fs 4242

When -ac is insufficient, filter the default response size — a different size means a distinct vhost respondedNote the baseline page size first, then filter exactly that value

gobuster vhost -u http://TARGET_IP -w subs.txt --append-domain

gobuster vhost mode; --append-domain turns each word into word.target.com automaticallyWithout --append-domain (newer versions) you must supply full FQDNs in the wordlist

feroxbuster -u http://TARGET_IP -H 'Host: FUZZ.target.com' -w subs.txt (or) ffuf ... -mc all -fw N

VHost responses often all return 200 — filter by word/line count (-fw/-fl) rather than status code-mc all then filter the common content signature isolates the real vhosts

/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Wordlist for vhost/subdomain brute. Top-110k balances coverage and runtime; use -5000 for a quick passnamelist.txt and bitquark-subdomains lists complement it

ffuf -u http://TARGET_IP/ -H 'Host: FUZZ-dev.target.com' -w subs.txt (prefix/suffix mutations)

Mutate guessed names: dev-, staging-, -uat, -internal, qa. Non-prod vhosts are often unauthenticated and bug-richGenerate permutations with a tool like gotator/dnsgen, then feed the list to ffuf

Compare DNS-resolvable subdomains vs IP-only vhosts

A name found only via Host-header fuzzing (not in DNS) is a hidden vhost — frequently a forgotten admin/staging appCross-reference vhost hits against subdomain enumeration results to spot the gap

Workflow, Filtering & Evasion

(7)

Recon order: robots.txt + sitemap.xml + JS files → passive (waybackurls, gau) → active brute

Harvest free paths before brute-forcing. Wayback/CommonCrawl and JS endpoint extraction reveal routes no wordlist containswaybackurls target.com | gau target.com | sort -u feeds historical URLs into ffuf as a wordlist

Establish the soft-404 baseline: request /thisdoesnotexist-$(date) and read its status/size/words

Apps that return 200 for missing pages defeat -mc filtering. Capture the baseline, then filter by size/words/regexffuf -ac and feroxbuster --auto-tune automate this, but verify manually on weird targets

ffuf -u https://target.com/FUZZ -w list.txt -ic -mc 200,403 -recursion -recursion-depth 1

Balanced default: -ic ignores wordlist comments, match 200+403, shallow recursion. Good first-run profileStart shallow, review hits, then deepen recursion only into promising branches

ffuf -u https://target.com/FUZZ -w list.txt -p 0.5-1.5 -t 5 -H 'User-Agent: Mozilla/5.0 ...' -timeout 15

Stealth profile: heavy jitter, low threads, real browser UA, long timeout — slips under rate-based WAF/IDS thresholdsRotate UA and source IP (proxychains/VPN) if the WAF starts returning 429/captcha

403 bypass: try /admin/ vs /admin vs /admin/. , X-Original-URL/X-Rewrite-URL headers, case/encoding tricks

A 403 confirms the path exists — retry with trailing slash, path tricks (/.;/, //), and override headers to reach the bodyTools like byp4xx/nomore403 automate the common 403/401 bypass permutations

Match instead of filter on huge wordlists: -mr 'admin|password|api_key' / -ms 1500-9999

When most responses are noise, invert the logic — match the signal (regex/size range) rather than filtering each false positiveUseful for value fuzzing where you know what a hit looks like

Always re-run finds with extensions and one recursion level deeper before moving on

A discovered /backup/ directory usually hides /backup/db.sql; a found script.php often has script.php.bak nearbyThe highest-value files live one directory or one extension past the initial hit

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

LFI / Path Traversal Cheat Sheet ffuf Web Fuzzer Cheatsheet Gobuster Directory Fuzzing Cheatsheet Subdomain Enumeration Cheat Sheet

Frequently asked questions

What is the Content Discovery Cheat Sheet?+

It's a quick-reference collection of 50 Content Disco payloads for testing Content Discovery vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Content Disco payloads?+

Copy any payload straight into your authorized test, or use the Subdomain Wordlist Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these Content Disco payloads free to use?+

Yes — this cheat sheet and all Content Disco payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Content Discovery Cheat Sheet?+

How do I use these Content Disco payloads?+

Copy any payload straight into your authorized test, or use the Subdomain Wordlist Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these Content Disco payloads free to use?+

Yes — this cheat sheet and all Content Disco payloads are completely free, with no account required. Everything runs in your browser.

Content Discovery Cheat Sheet

Wordlist Selection

ffuf Core Patterns

feroxbuster & Recursion

Extensions & File Hunting

Backup, Temp & Source Leaks

Virtual Host Enumeration

Workflow, Filtering & Evasion

Related Tools

Related Cheat Sheets

Frequently asked questions

Content Discovery Cheat Sheet

Wordlist Selection

ffuf Core Patterns

feroxbuster & Recursion

Extensions & File Hunting

Backup, Temp & Source Leaks

Virtual Host Enumeration

Workflow, Filtering & Evasion

Related Tools

Related Cheat Sheets

Frequently asked questions