What paths does this tool check?

We check a curated list of commonly exposed paths including: /.env, /.git, /admin, /backup.zip, /robots.txt, /sitemap.xml, /.well-known/security.txt, /wp-admin, /phpinfo.php, /server-status, /.htaccess, /api, /graphql, /.DS_Store, /debug, and /logs.

Why is an exposed .env file dangerous?

The .env file typically contains environment variables including database credentials, API keys, encryption secrets, and third-party service tokens. An exposed .env file gives attackers direct access to your backend services, databases, and integrated platforms — it's one of the highest-severity findings possible.

What does an exposed .git directory reveal?

An exposed .git directory allows attackers to download your entire source code repository, including all commit history. This can reveal hardcoded credentials, internal API endpoints, business logic, security mechanisms, and other sensitive information that was ever committed to the repository.

What do the different status codes mean?

200 means the resource exists and is accessible. 301/302 means it redirects somewhere (possibly to a login page). 403 means the server knows the resource exists but denies access. 404 means the path doesn't exist. 500 could indicate a misconfigured endpoint.

How does this compare to a full penetration test?

This tool checks a small set of known sensitive paths. A full penetration test from Maced uses extensive wordlists, recursive directory enumeration, technology-specific path checks, and follows discovered paths to find deeper vulnerabilities like exposed admin panels, unprotected API endpoints, and information disclosure.

Free URL Fuzzer

Discover hidden files and directories on any website

Enter a URL to probe for commonly exposed files and directories. This tool checks for sensitive paths like .env files, .git directories, admin panels, backup files, and configuration endpoints that are frequently left accessible on production servers.

Trusted by teams at

How it works

How URL Fuzzer works

Enter a base URL

Paste the root URL of any website. We'll use this as the base to probe for commonly exposed paths and files.

Probe common paths

We send HEAD requests to a curated list of sensitive paths — including environment files, version control directories, admin panels, backups, and configuration endpoints.

Review discovered paths

Get a report of which paths returned non-404 responses, their status codes, and an assessment of the security risk for each discovered resource.

Features

What URL Fuzzer checks

Sensitive file detection

Checks for .env, .htaccess, .DS_Store, and other files that should never be publicly accessible. These often contain credentials, API keys, and internal configuration.

Version control exposure check

Probes for exposed .git directories that can leak your entire source code repository, including commit history, credentials in old commits, and internal documentation.

Admin panel discovery

Checks common admin panel paths like /admin, /wp-admin, and /server-status that may be accessible without authentication or have weak access controls.

Backup and debug file scan

Looks for backup files (backup.zip), debug endpoints (/debug, /phpinfo.php), and log files that developers sometimes leave accessible on production servers.

API endpoint enumeration

Discovers common API paths including /api, /graphql, and /.well-known/security.txt that reveal application structure and may have different security controls than the main site.

Use cases

Who should use the free URL Fuzzer

Developers

Check your production deployment for accidentally exposed files. Catch .env files, .git directories, and debug endpoints before attackers find them.

Security Engineers

Run quick assessments of web servers during security reviews. Identify exposed configuration files, admin panels, and backup files across your infrastructure.

Penetration Testers

Use as a fast initial enumeration tool during engagements. Discover low-hanging fruit like exposed .git repos, .env files with credentials, and unprotected admin interfaces.

More tools

All free security tools

FAQ

Frequently asked questions

Everything you need to know about the free URL Fuzzer.

Go beyond URL Fuzzer

This free URL Fuzzer checks a handful of things. Maced's AI pentest checks thousands.

Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.

Start Pentest

Proof of exploit on every finding · SOC 2 & ISO 27001 compatible

Free URL Fuzzer

Discover hidden files and directories on any website

How URL Fuzzer works

Enter a base URL

Probe common paths

Review discovered paths

What URL Fuzzer checks

Sensitive file detection

Version control exposure check

Admin panel discovery

Backup and debug file scan

API endpoint enumeration

Who should use the free URL Fuzzer

Developers

Security Engineers

Penetration Testers

All free security tools

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questions

This free URL Fuzzer checks a handful of things. Maced's AI pentest checks thousands.

Free URL Fuzzerself.__wrap_n!=1&&self.__wrap_b("_R_138dav5ubtpfl7b_",1)

Discover hidden files and directories on any websiteself.__wrap_n!=1&&self.__wrap_b("_R_158dav5ubtpfl7b_",1)

How URL Fuzzer worksself.__wrap_n!=1&&self.__wrap_b("_R_l5dav5ubtpfl7b_",1)

Enter a base URLself.__wrap_n!=1&&self.__wrap_b("_R_2j9dav5ubtpfl7b_",1)

Probe common pathsself.__wrap_n!=1&&self.__wrap_b("_R_2l9dav5ubtpfl7b_",1)

Review discovered pathsself.__wrap_n!=1&&self.__wrap_b("_R_2n9dav5ubtpfl7b_",1)

What URL Fuzzer checksself.__wrap_n!=1&&self.__wrap_b("_R_l5lav5ubtpfl7b_",1)

Sensitive file detectionself.__wrap_n!=1&&self.__wrap_b("_R_339lav5ubtpfl7b_",1)

Version control exposure checkself.__wrap_n!=1&&self.__wrap_b("_R_359lav5ubtpfl7b_",1)

Admin panel discoveryself.__wrap_n!=1&&self.__wrap_b("_R_379lav5ubtpfl7b_",1)

Backup and debug file scanself.__wrap_n!=1&&self.__wrap_b("_R_399lav5ubtpfl7b_",1)

API endpoint enumerationself.__wrap_n!=1&&self.__wrap_b("_R_3b9lav5ubtpfl7b_",1)

Who should use the free URL Fuzzerself.__wrap_n!=1&&self.__wrap_b("_R_l5tav5ubtpfl7b_",1)

Developersself.__wrap_n!=1&&self.__wrap_b("_R_1j9tav5ubtpfl7b_",1)

Security Engineersself.__wrap_n!=1&&self.__wrap_b("_R_1l9tav5ubtpfl7b_",1)

Penetration Testersself.__wrap_n!=1&&self.__wrap_b("_R_1n9tav5ubtpfl7b_",1)

All free security toolsself.__wrap_n!=1&&self.__wrap_b("_R_l65av5ubtpfl7b_",1)

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questionsself.__wrap_n!=1&&self.__wrap_b("_R_l6dav5ubtpfl7b_",1)

What paths does this tool check?

Why is an exposed .env file dangerous?

What does an exposed .git directory reveal?

What do the different status codes mean?

How does this compare to a full penetration test?

This free URL Fuzzer checks a handful of things. Maced's AI pentest checks thousands.self.__wrap_n!=1&&self.__wrap_b("_R_15alav5ubtpfl7b_",1)

Free URL Fuzzer

Discover hidden files and directories on any website

How URL Fuzzer works

Enter a base URL

Probe common paths

Review discovered paths

What URL Fuzzer checks

Sensitive file detection

Version control exposure check

Admin panel discovery

Backup and debug file scan

API endpoint enumeration

Who should use the free URL Fuzzer

Developers

Security Engineers

Penetration Testers

All free security tools

Frequently asked questions

This free URL Fuzzer checks a handful of things. Maced's AI pentest checks thousands.