You would be surprised at what people leave unprotected on a web server.
What is Dirbuster
DirBuster is a project by OWASP that will brute force web directories and filenames on a web server / virtual host. This can often reveal unprotected web applications, scripts, old configuration files and many other interesting things that should not be available to the public.
It runs against a dictionary file of known filenames / directories and you are able to specify the dictionary you are hoping to use.
In kali, wordlists are located
apache-user-enum-1.0.txt apache-user-enum-2.0.txt directory-list-1.0.txt directory-list-2.3-small.txt directory-list-2.3-medium.txt directory-list-lowercase-2.3-small.txt directory-list-lowercase-2.3-medium.txt directories.jbrofuzz
OWASP ZAP : Forced Browse optionis based on the code from the OWASP Dirbuster Project. Read the OWASP documentation here