Whats New • Bug Fixes • Installation • Usage • Example Scan • Examples • Contributing • License •
greedy / quick).Install rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Install pathbuster
cargo install pathbuster
pathbuster -h
This command will show the tool's help information and present a list of all the switches that are available.
On first run, Pathbuster will create a default config file at:
~/.pathbuster/config.yml%USERPROFILE%\\.pathbuster\\config.ymlThe generated config contains the default settings, with optional keys commented out.
You can also explicitly point to a config file:
pathbuster --config ./config.yml
--url <URL> (repeatable) or --input-file <FILE>--payloads <FILE>--raw-request <FILE> (optional, uses * as injection points)--wordlist <FILE> (recommended) or --path <PATH> and optional --wordlist-dir <DIR>--wordlist-manipulation <LIST> (alias: --wm)--output <FILE> and optional --output-format <text|json|xml|html>--disable-show-all (only show matches allowed by --wordlist-status)--proxy <URL>, --follow-redirects, --timeout <SECONDS>, --methods <METHODS>--response-diff-threshold <MIN-MAX>--wordlist-status <CODES>, --brute-queue-concurrency <N>, --ac--filter-status <SET> (e.g. V:404,F:500 or 404,500 for both stages)--filter-size <SET> (e.g. V:1234,F:5678)--filter-words <SET> (e.g. V:10,F:25)--filter-lines <SET> (e.g. V:5,F:20)--filter-regex <STAGE:REGEX> (repeatable, e.g. --filter-regex V:<re> --filter-regex F:<re>)greedy and quick)Pathbuster has two traversal strategies you can select via --traversal-strategy:
--start-depth up to --max-depth to find a depth where --fingerprint-status matches.--start-depth.--start-depth (clamped to --max-depth).https://example.com/app/).| Flag | Value | Description |
|---|---|---|
-u, --url |
URL (repeatable) |
Target URL(s) to scan. |
-i, --input-file |
FILE |
Load target URLs from a file (one per line). |
-C, --config |
FILE |
Config file path (defaults to ~/.pathbuster/config.yml). |
--payloads |
FILE |
Payload file path (one payload per line). |
--raw-request |
FILE |
Raw HTTP request template with * injection points. |
--wordlist |
FILE |
Wordlist file path (one word per line). |
--path |
PATH |
Scan a single path instead of using a wordlist. |
--wordlist-dir |
DIR |
Targeted wordlist directory (auto-selected by tech fingerprint). |
--wordlist-manipulation, --wm |
LIST |
Comma-separated wordlist transforms (see Wordlist manipulation). |
--skip-brute |
(flag) | Skip bruteforce/discovery phase. |
-s, --skip-validation |
(flag) | Skip validation phase and go straight to bruteforce/discovery. |
-r, --rate |
RPS |
Request rate limit (requests per second). |
-t, --concurrency |
N |
Max in-flight requests during scanning. |
-w, --workers |
N |
Number of runtime worker threads. |
--timeout |
SECONDS |
Per-request timeout. |
-p, --proxy |
URL |
HTTP proxy URL (e.g. http://127.0.0.1:8080). |
--follow-redirects |
(flag) | Follow HTTP redirects. |
--header |
HEADER |
Add a header to all requests (Key: Value). |
-m, --methods |
METHODS |
Comma-separated HTTP methods to use (e.g. GET,POST). |
--wordlist-status, --ws |
CODES |
Allowed status codes for bruteforce findings (comma-separated). |
--brute-queue-concurrency, --bqc, --bfc |
N |
Max base URLs per bruteforce batch (0 = no batching). |
--ac |
(flag) | Enable automatic collaboration filtering during bruteforce. |
--drop-after-fail |
CODES |
Stop scanning a target after these status codes (comma-separated). |
--validate-status, --vs |
CODES |
HTTP status matcher for validation phase. |
--fingerprint-status |
CODES |
HTTP status matcher for fingerprinting phase. |
--filter-status |
SET |
Exclude responses by HTTP status using stage prefixes (e.g. V:404,F:500). |
--filter-size |
SET |
Exclude responses by body size using stage prefixes (e.g. V:1234,F:5678). |
--filter-words |
SET |
Exclude responses by word count using stage prefixes (e.g. V:10,F:25). |
--filter-lines |
SET |
Exclude responses by line count using stage prefixes (e.g. V:5,F:20). |
--filter-regex |
STAGE:REGEX |
Exclude responses matching regex using stage prefixes (repeatable). |
-d, --response-diff-threshold, --rdt |
MIN-MAX |
Response diff threshold range for comparisons. |
-I, --ignore-trailing-slash, --its |
(flag) | Treat URLs with/without trailing slash as equivalent. |
--start-depth |
N |
Initial traversal depth (0-based). |
--max-depth |
N |
Maximum traversal depth. |
-X, --traversal-strategy, --ts |
STRATEGY |
Traversal strategy (greedy or quick). |
--disable-fingerprinting |
(flag) | Disable fingerprinting (WAF/tech). |
--waf-test |
NAME |
Only test for a specific WAF signature by name. |
--tech |
NAME |
Override detected tech name for targeted wordlist selection. |
--disable-waf-bypass |
(flag) | Disable WAF-aware payload transformations. |
--bypass-level |
N |
Bypass aggressiveness level (0-3). |
--bypass-transform |
NAME (repeatable) |
Force specific payload transform families. |
-o, --output |
FILE |
Write results to a file. |
--output-format |
FORMAT |
Output format (e.g. text, json). |
-v, --verbose |
(count) | Increase verbosity (-v, -vv). |
-c, --color |
(flag) | Enable colored output (overrides --no-color). |
--disable-show-all, --dsa |
(flag) | Only show findings matching --wordlist-status. |
--no-color |
(flag) | Disable colored output. |
-h, --help |
(flag) | Print help. |
-V, --version |
(flag) | Print version. |
--wordlist-manipulation <LIST> (alias: --wm) applies one or more transforms to the bruteforce wordlist before scanning.
LIST is a comma-separated list of transforms:
sort: Sort words (also enables unique via dedup when both are set)unique / uniq: Deduplicate words (preserves first-seen order unless sort is also set)reverse / rev: Reverse each wordlower: Lowercase each wordupper: Uppercase each wordtitle: Title-case each word (ASCII)prefix=<STR>: Prefix each word with <STR>suffix=<STR>: Suffix each word with <STR>replace=<FROM:TO>: Replace substring <FROM> with <TO> (repeatable by adding multiple replace=... entries)smart: Split naming conventions into separate words (AdminPanel -> Admin, Panel; admin_panel -> admin, panel; admin-panel -> admin, panel)smartjoin=<CASE:SEP>: Split then join with SEP (CASE is one of c,l,u,t or empty). Example: smartjoin=l:_ turns AdminPanel into admin_panel.Examples:
pathbuster \
--url https://example.com/app/ \
--payloads ./payloads/traversals.txt \
--wordlist ./wordlists/wordlist.txt \
--wordlist-manipulation sort,unique,lower,replace=..%2f:../
pathbuster \
--url https://example.com/app/ \
--payloads ./payloads/traversals.txt \
--wordlist ./wordlists/wordlist.txt \
--wm smartjoin=l:_
Basic usage (single target):
pathbuster --url https://example.com/app/ \
--payloads ./payloads/traversals.txt \
--wordlist ./wordlists/wordlist.txt \
--output ./output.html --output-format html
pathbuster --url https://example.com/app/ \
--methods GET,POST \
--payloads ./payloads/traversals.txt \
--wordlist ./wordlists/wordlist.txt \
--skip-brute
pathbuster --url https://example.com/app/ \
--payloads ./payloads/traversals.txt \
--path admin \
--skip-brute
pathbuster \
--url https://example.com/app/ \
--payloads ./payloads/traversals.txt \
--wordlist ./wordlists/wordlist.txt \
--wordlist-dir ./wordlists/targeted \
--rate 500 \
--concurrency 200 \
--timeout 10 \
--response-diff-threshold 5-1000 \
--validate-status 404 \
--fingerprint-status 400,500 \
--filter-status V:301,302,F:404 \
--bypass-level 2 \
--follow-redirects
Create a request file containing one or more * markers:
GET /app/* HTTP/1.1
Host: example.com
User-Agent: pathbuster
Accept: */*
Then run:
pathbuster \
--url https://example.com/app/ \
--raw-request ./request.txt \
--payloads ./payloads/traversals.txt \
--wordlist ./wordlists/wordlist.txt
Create or edit ~/.pathbuster/config.yml:
rate: 500
concurrency: 200
timeout: 10
payloads: ./payloads/traversals.txt
wordlist: ./wordlists/wordlist.txt
# Or scan a single path without a wordlist:
# path: admin
wordlist_dir: ./wordlists/targeted
wordlist_manipulation: "sort,unique,lower"
wordlist_status: "200"
disable_show_all: false
validate_status: "404"
fingerprint_status: "400,500"
response_diff_threshold: "5-1000"
filter_status: ""
filter_size: ""
filter_words: ""
filter_lines: ""
filter_regex: []
follow_redirects: true
disable_fingerprinting: false
disable_waf_bypass: false
bypass_level: 3
bypass_transform: []
Run using that config:
pathbuster --url https://example.com/app/ --config ~/.pathbuster/config.yml
pathbuster --url https://example.com/app/ \
--path internal/admin \
--validate-status 404 \
--fingerprint-status 404 \
--traversal-strategy quick \
--max-depth 5 \
--rate 50 \
--concurrency 20 \
--timeout 5 \
--wordlist-status 200 \
--brute-queue-concurrency 3 \
--disable-show-all

Library usage examples are in the examples folder.
$ claude mcp add pathbuster \
-- python -m otcore.mcp_server <graph>