Backup_Repos/SecLists
1
0
Fork 0
mirror of https://github.com/danielmiessler/SecLists synced 2025-12-06 00:43:40 +01:00
Code Issues Projects Releases Wiki Activity
5896 commits 2 branches 30 tags 2.2 GiB
Commit graph

301 commits

Author SHA1 Message Date
Dominique RIGHETTO
9d3ac03fd0
Initial adding 2021-11-24 11:25:10 +01:00
g0t mi1k
6b00e5cf53 Fix formatting 2021-11-24 10:13:43 +00:00
g0tmi1k
4030e1b6ce
Merge pull request #660 from noraj/patch-1 
Update fuzz-Bo0oM.txt

Source: https://github.com/Bo0oM/fuzz.txt/blob/master/fuzz.txt
 2021-11-24 09:53:58 +00:00
Dominique RIGHETTO
6e3e64f1f5
Add IBM MQSeries common channel names 2021-11-17 09:33:49 +01:00
Alexandre ZANNI
484ab9e986
Update fuzz-Bo0oM.txt 2021-10-07 11:03:42 +02:00
g0t mi1k
efeb38808c Replace ' ' with ' ' (Empty Characters) 2021-08-28 21:05:13 +01:00
g0tmi1k
177f25ba69
Merge pull request #625 from cbk914/master 
Some additions

Source: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
 2021-08-27 21:14:37 +01:00
Gabriel
fb613f25bf
Add "-" and remove duplicate "_" entry 
Fixes #612
 2021-07-13 14:42:14 +01:00
cbk914
9a871facf1
Merge branch 'danielmiessler:master' into master 2021-06-26 23:06:55 +02:00
Annihilat0r
495c8a6c3f
Add NoSQL payload 2021-05-29 13:21:29 +03:00
cbk914
cb4febae37 Merge branch 'danielmiessler:master' into master 2021-05-11 16:10:42 +02:00
Alex G
66e5827639
Add master.mdf MSSQL path to Windows LFI 2021-02-19 22:42:27 +01:00
g0tmi1k
6372096eab
Merge pull request #561 from kazkansouh/ldap-fuzzing 
Standard LDAP attribute and classes lists

Source: ldapsearch -s base -b cn=Subschema  "(objectclass=*)" attributetypes -LLL | sed -e ':x N ; s/\n // ; tx ; P ; s/^.*\n//; tx' | grep -e '^a' | cut -d "'" -f 2 | sort -u
 2021-02-11 21:25:40 +00:00
g0tmi1k
af40e7f267
Merge pull request #519 from arjunshibu/master 
Added http-request-methods.txt
 2021-02-11 20:27:53 +00:00
Karim Kanso
840067b851 add standard ldap attribute and classes lists 2021-01-20 15:38:59 +00:00
cbk914
003bfef95f
Merge pull request #6 from danielmiessler/master 
Update
 2020-11-12 02:44:53 +01:00
cbk914
d2a20595fc Update 2020-11-05 16:41:54 +01:00
g0t mi1k
d4ebb09709 dos2unix 2020-11-04 11:45:59 +00:00
Chris H
08925a1fae
Update email-top-100-domains.txt 
added missing mail domain
 2020-11-03 13:06:10 +01:00
g0tmi1k
6d164b9672
Merge pull request #527 from soufianetahiri/master 
Added actuator default paths and created new XSS fuzzing list

Source: https://docs.spring.io/spring-boot/docs/1.5.x/reference/html/production-ready-endpoints.html
 2020-11-03 11:39:11 +00:00
Soufiane Tahiri
a100ade82e
Create XSS-Fuzzing 
High rate hit XSS payloads
 2020-10-23 10:56:16 +02:00
cbk914
ae8aabcfed Merge branch 'master' of https://github.com/cbk914/SecLists 2020-09-30 16:37:47 +02:00
Arjun Shibu
9d298b2121
Create http-request-methods.txt 
Useful for fuzzing endpoints
 2020-09-25 20:06:30 +05:30
Luke Paris
52f1658a0c
Removed destructive SQL statements 
Those two lines are downright irresponsible, someone is going to use this list to fuzz a web application and accidentally nuke a production database.
 2020-09-17 15:02:40 +02:00
g0tmi1k
f1f3750803
Merge pull request #480 from haxxinen/patch-1 
Create quick-SQLi.txt
 2020-09-16 07:29:18 +01:00
g0tmi1k
c5ba0f44e4
Merge pull request #493 from daehee/master 
XSS payloads from OFJAAAH

Source: https://ghostbin.co/paste/qo23j
 2020-09-16 07:27:07 +01:00
g0tmi1k
0b7d119f74
Merge pull request #501 from righettod/master 
Add payloads to identify the template engine used

- https://portswigger.net/research/server-side-template-injection
- https://github.com/epinna/tplmap
 2020-09-16 07:23:39 +01:00
Daniel Neal
68fe48d9dd
Add string js or injection 2020-09-14 21:55:24 -07:00
Dominique RIGHETTO
1361ac96c1
Fix typos 2020-09-14 14:30:00 +02:00
Dominique RIGHETTO
1c2fb11278
Add file with special vars used by template engines 
The objective is to identify the engine once an expression evaluation pattern was identified.
 2020-09-14 14:28:12 +02:00
Dominique RIGHETTO
234dfabf72
Add an expression using expression inlining for Thymeleaf 
See https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#expression-inlining
Added it because I have discovered that, when StringTemplateResolver is used, then expression like ${42*42} is not resolved
 2020-09-13 11:04:15 +02:00
Dominique RIGHETTO
ba87953a08
Add expression for Velocity engine 2020-09-13 09:33:41 +02:00
Daehee Park
850d3b10f1 XSS payloads from OFJAAAH 2020-08-30 14:40:59 -07:00
cbk914
e06aacd937 Revert "Merge pull request #4 from danielmiessler/master" 
This reverts commit c266835781, reversing
changes made to fd4968f43b.
 2020-08-11 14:25:56 +02:00
haxxinen
783b5edf73
Create quick-SQLi.txt 2020-08-06 10:35:03 +02:00
Dominique RIGHETTO
00f10f8513
Add character that can break a MongoDB query when JS expression is used 2020-07-18 18:00:24 +02:00
PinkDraconian
cf1ca8ec62
Added scientific notation entries 2020-06-16 12:36:29 +02:00
PinkDraconian
8679c2d6fe
Added true and false to the fuzzing list 
Changing json field to true or false could have interesting results on an endpoint when fuzzing.
 2020-06-16 12:21:04 +02:00
g0tmi1k
d76b8f6691
Merge pull request #452 from noraj/patch-1 
Create LFI-gracefulsecurity-windows.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
 2020-06-12 09:57:44 +01:00
g0tmi1k
b2865e0492
Merge pull request #453 from noraj/patch-2 
Create LFI-gracefulsecurity-linux.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/
 2020-06-12 09:57:09 +01:00
sheimo
6757058b8c
Create sqli.auth.bypass.txt 
This is a thorough SQL injection authentication bypass list. Each source below was combined to a text file and sorted.

Source: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Source: http://www.lifeoverpentest.com/2018/03/sql-injection-login-bypass-cheat-sheet.html
 2020-06-11 23:24:34 -05:00
Alexandre ZANNI
7dd955a544
Create LFI-gracefulsecurity-linux.txt 2020-06-11 16:49:45 +02:00
Alexandre ZANNI
6945f3e779
Create LFI-gracefulsecurity-windows.txt 2020-06-11 16:48:39 +02:00
g0tmi1k
245984882a
Merge pull request #442 from kazkansouh/standardise-line-end 
Standardise line endings
 2020-05-28 11:11:35 +01:00
Jamie Scott
5b5cafaa47
Adding the not in operator 
Adding the not in operator as another thing to check or test. It will equivalently act as { $ne: 1 } only it functions within an array.
 2020-05-28 00:34:48 -07:00
Karim Kanso
607c3293b4 strip trailing whitespace 2020-05-27 14:26:51 +01:00
kegan
54ac7074da
add nested traversal strings for /etc/passwd 2020-05-18 18:12:12 -05:00
Dominique RIGHETTO
984af30974
Add the expression for the Dust engine 2020-05-03 10:52:17 +02:00
Dominique RIGHETTO
aecd8036ca
Add the expression for the doT engine 2020-05-03 10:30:48 +02:00
g0tmi1k
09d5a27cf7
Merge pull request #421 from storenth/master 
Update the fuzz-Bo0oM.txt with more ';'

Source: https://twitter.com/11xuxx/status/1247496768054591489
 2020-04-29 17:52:49 +01:00
Kirill Z
6466bd0ed2
Add more XSS 2020-04-27 20:19:33 +07:00
Kirill Z
561d6236c2
Update the fuzz-Bo0oM.txt with more ';' 2020-04-27 20:09:53 +07:00
Dominique RIGHETTO
611d47caf3
Add a version of the payload for CodeContext 
Add the payload "42*42" to the fuzzing list in order to cover the "Code context" detection point mentioned in the https://portswigger.net/web-security/server-side-template-injection training
 2020-04-25 09:13:06 +02:00
g0tmi1k
a7dbde1ec9
Merge pull request #412 from righettod/master 
Collection of template engines expression

Source: https://github.com/expressjs/express/wiki#template-engines
 2020-04-20 10:06:06 +01:00
g0tmi1k
b3b337e6f1
Merge pull request #390 from ipentest/add-ipentest 
Added top 100 email domains to Seclists/Fuzzing

Source: https://email-verify.my-addr.com/list-of-most-popular-email-domains.php
 2020-04-20 10:04:42 +01:00
Dominique RIGHETTO
1bd30300de
Add a initial collection of template engines expression 2020-04-18 17:16:20 +02:00
Antoine Guilbaud
13b1f18901 add a common windows lfi path 2020-04-15 12:49:42 +02:00
milangfx
e82e5e5026 add /apidocs/api-docs.json, /api-docs 2020-04-01 14:42:20 +02:00
ipentest
b2cf6971c9 Add ipentest to contributors 2020-02-12 11:46:44 -05:00
S7X Deckard Case
b8e87ad36c Added the entire XSS Cheat Sheet of PortSwigger, their HTML events and tags. 2019-11-18 09:33:26 +01:00
Camas
eb2cd4518a Remove extra newline 2019-11-08 23:32:46 +00:00
Camas
a7184dd1f7 Fix line endings 2019-11-08 15:09:15 +00:00
Parth Malhotra
01b280755c
Create 1-4_all_letters_a-z.txt 2019-11-07 21:50:55 +05:30
Luke Anderson
68f8d60da5
Fix Fuzzing Types (Fixes #339) 2019-10-05 00:35:43 +09:30
g0tmi1k
327cc859ee Quick rename 2019-08-13 12:50:53 +01:00
g0tmi1k
5bbc1e6fe3 Close #329 - Bo0oM's fuzz.txt 
Source: https://github.com/Bo0oM/fuzz.txt
 2019-08-13 12:50:20 +01:00
g0tmi1k
3fc464d156 Add XSS without parentheses and semi-colons 
Source: https://portswigger.net/blog/xss-without-parentheses-and-semi-colons
 2019-05-22 12:15:42 +01:00
g0tmi1k
9239f0a284 find . -name '*_*' -exec rename 's/_/-/g' "{}" \; 2019-05-08 11:54:39 +01:00
g0tmi1k
a65f6bd665 Close #291 - Fix encoding issues 
$ for x in $( find . -type f ); do iconv -f utf-8 -t utf-8 -c ${x} | sed '/^$/d' > tmp; mv tmp ${x}; done
 2019-05-08 11:04:00 +01:00
g0tmi1k
7b1f14989c Quick move about 2019-04-12 13:52:47 +01:00
g0tmi1k
3f2c0d33d2 Quick clean up of locations 2019-04-10 13:22:39 +01:00
g0tmi1k
12751dbbf0 Fix #288 - Add graphql 
Source: https://graphql.org/learn/serving-over-http/
 2019-04-10 13:18:25 +01:00
g0tmi1k
b9483d00b7 Sort out a few more filenmae issues 2019-04-10 11:32:07 +01:00
g0tmi1k
437478ce7b Fix #284 #285 - useragents-ie.txt 2019-04-10 10:19:12 +01:00
Alexandre ZANNI
cfe4b16023
Update LFI-JHADDIX.txt 
fix typo + add 1 entry
 2019-03-10 17:11:22 +01:00
Infected Drake
0400e0bbc1
A wrong payload corrected 
The payload on line 18 contains a misspelled event handler `OnpOinTeReENer`. Corrected it properly.
 2019-02-09 12:13:28 +05:30
g0tmi1k
7ed3f897df
Merge pull request #237 from s0md3v/patch-1 
+5 payloads, some enhancements
 2019-01-08 18:11:33 +00:00
Prinzhorn
1eae4d51f0 Strip HTML from LFI-LFISuite-pathtotest-huge.txt 2018-12-18 10:13:49 +01:00
g0tmi1k
47b1829910
Merge pull request #241 from g0tmi1k/ua 
Added various User Agent strings
 2018-11-26 10:09:44 +00:00
g0tmi1k
b99b0ed28f Added various User Agent strings 
Source: https://developers.whatismybrowser.com/useragents/explore/
 2018-11-26 09:56:22 +00:00
Somdev Sangwan
bb180d4e27
changed %3B to %26 (I'm sleep deprived sorry) 2018-11-21 14:53:27 +05:30
Somdev Sangwan
31167686f0
+5 payloads, some enhancements 2018-11-21 14:45:08 +05:30
Michael Henriksen
2dab37db43 Add best performing payloads from the XSS Polyglot Challenge 2018-11-01 07:37:16 +01:00
g0tmi1k
d68ba5f9ed Rename "_" -> "-" & found a few new homes 2018-10-15 13:08:10 +01:00
Somdev Sangwan
cebebee4b5
Create XSS-Somdev.txt 2018-10-15 02:13:17 +05:30
g0tmi1k
9f73b7e81a Add LFISuite 
Source: https://github.com/D35m0nd142/LFISuite
 2018-07-25 13:51:06 +01:00
Karan Saini
3911f92c82
Added numeric combinations 
Text files of numeric combinations (with leading zeros) for use during enumeration
 2018-04-08 00:54:51 +05:30
Daniel Miessler
25323690ce
Merge pull request #185 from ryan-wendel/master 
Update XSS-JHADDIX.txt
 2018-03-23 12:05:55 -07:00
Ryan Wendel
619f3afb71
Update XSS-JHADDIX.txt 
Removed offensive term from wordlist.
 2018-03-23 10:01:05 -06:00
g0tmi1k
3f79d071ce Quick move about 2018-03-21 17:47:29 +00:00
g0tmi1k
5278477235 Close #106 - XXE-Fuzzing / Grep PHP Auditing 2018-03-21 17:19:17 +00:00
g0tmi1k
401af588f6 Close #88 - Fuzzing List Integer fields 
Source: https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/FuzzLists/numeric_fields_only.txt
 2018-03-21 16:30:38 +00:00
g0tmi1k
7b6b792312 Close #69 - Fix SQLi Polyglot 
Source: https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/

Source: https://twitter.com/SymbianSyMoh/status/707685783801454594
 2018-03-21 16:29:03 +00:00
g0tmi1k
9ae73c2ceb Add "Big List of Naughty Strings" 
Source: https://github.com/minimaxir/big-list-of-naughty-strings
 2018-03-21 16:20:10 +00:00
g0tmi1k
26cf832f9d Close ##152 - PHP base64 filter file read (XXE_Fuzzing) 2018-03-21 16:13:09 +00:00
g0tmi1k
d2282eee97 Added ] in (Fix #131) 2018-03-07 11:46:03 +00:00
g0tmi1k
7611257a60 Quick rename of files 2018-03-05 11:03:11 +00:00
g0tmi1k
7a55e1871c Remove pointless files. 2018-03-05 09:52:00 +00:00
Daniel Miessler
49a6d721ff
Merge pull request #128 from g0tmi1k/structure 
Structure Clean Up
 2018-03-04 12:23:06 -08:00
Daniel Miessler
7cf6e78ff5 Addded Darkweb 10,100,1K,10K to Passwords. 2018-01-02 21:46:14 -08:00
g0tmi1k
25d4ac447e rename 's/_/-/g' 2017-08-23 14:55:06 +01:00
g0tmi1k
a97be9373e Started sorting "Miscellaneous/" & "Fuzzing/" 2017-07-11 13:53:16 +01:00
g0tmi1k
6f69a35b5e Started clean up on "Discovery/Web_Content" 2017-07-11 13:36:01 +01:00
Jason Haddix
02b09becc3 Rename NoSQL to NoSQL.txt 2017-06-28 11:25:52 -07:00
Jason Haddix
46de2f6727 Create NoSQL 2017-06-28 11:25:16 -07:00
Daniel Miessler
ffce0051e4 Merge pull request #113 from ilyaglow/fix/bitquark-subdomains-location 
Move bitquark subdomains list to Discovery
 2017-05-11 21:51:25 -04:00
Daniel Miessler
7b131262e6 Merge pull request #110 from sneakerhax/add-useragents-ie 
Add useragents-ie
 2017-05-11 21:51:00 -04:00
Daniel Miessler
9aab1014e9 Merge pull request #92 from alexlauerman/master 
Improved test cases
 2017-05-11 21:47:55 -04:00
Ilya Glotov
2f921032f0
Move bitquark subdomains list to Discovery 2017-04-07 16:15:55 +03:00
Sneakerhax
d1b104a46f Add useragents-ie 2017-03-06 15:04:31 -08:00
Alex Lauerman
382c44dd97 Improved test cases 
Includes parameter entities and OOB test case.
 2016-10-29 20:11:36 -05:00
Daniel Miessler
b012b32ee4 Added 0xsobky's Ultimate XSS Polyglot. 2016-07-20 10:54:35 -07:00
Daniel Miessler
4cd6f77ac1 Added Bitquark's Top 100K Subdomains. 2016-07-20 10:50:27 -07:00
Daniel Miessler
b4f21b34f5 Added BruteLogic's XSS strings. 2016-07-20 10:02:28 -07:00
Daniel Miessler
601038eb4e Added @Brutelogic's brilliant XSS Cheatsheet. 2016-07-13 12:58:49 -07:00
g0tmi1k
457997fd6a Changing permissions to everything matches - 0644 2016-05-17 12:04:45 +01:00
Daniel Miessler
486d847fd7 Merge pull request #41 from lukebeer/master 
commix.py INJECT_HERE payloads, all credits & thanks to commix devs.
 2016-01-04 13:26:39 -08:00
Jason Haddix
1d1030ec28 Create XXE_Fuzzing.txt 2015-11-27 15:51:45 -08:00
lukebeer
68c75f1c5d commix.py INJECT_HERE payloads, all credits & thanks to commix devs. 2015-11-09 14:35:06 +00:00
Jason Haddix
34aaaa98a3 Update SQLi_Polyglots.txt 2015-11-03 12:51:43 -08:00
Daniel Miessler
5504f74836 JSON fuzzing list submitted by Danny Chrastil. 2015-09-08 21:18:33 -07:00
Daniel Miessler
cafd775959 Added addition XSS polyglot. 2015-08-18 04:36:13 -07:00
Daniel Miessler
44d69f4678 Added XSS polyglots from polyglot.innerht.ml 2015-08-18 04:34:39 -07:00
Daniel Miessler
7690b959ec Moar directory motionz. 2015-08-04 10:53:50 -07:00
Daniel Miessler
32591928bd Added XSS vectors. 2015-06-11 15:10:12 -07:00
Daniel Miessler
fa2fd76540 Updated polyglot list. 2015-03-12 23:37:55 -07:00
Daniel Miessler
4a11eb48b1 Added polyglots. 2015-03-12 23:36:01 -07:00
JT
8c76412dac Update JHADDIX_LFI.txt 2015-01-26 20:22:10 +08:00
Jay Turla
726901c931 Create LDAP_FUZZ.txt 2014-11-19 15:31:08 +08:00
Jay Turla
39802ff82f Update XML_FUZZ 2014-11-19 15:27:31 +08:00
Jay Turla
3570ebcd2f Update XML_FUZZ 
Adding some payloads
 2014-11-19 15:21:10 +08:00
Jason Haddix
73c85e7d64 Create XML_FUZZ 2014-07-28 08:11:08 -07:00
Jason Haddix
6fae683c4d Update JHADDIX_FORMATSTRING 2014-07-28 08:06:35 -07:00
Jason Haddix
f0683ecead Create JHADDIX_FORMATSTRING 
initial dump
 2014-07-27 05:44:08 -07:00
Jason Haddix
2eaeada471 Update Generic_SQLi 2014-07-23 03:48:38 -07:00
Jason Haddix
13e3bbb403 Create Generic_SQLi 
cant remember where this is from =/
 2014-07-23 03:42:58 -07:00
jhaddix
96910294b0 Create JHADDIX_HTML5sec_Injections.txt 
initial HTML5Sec list
 2014-06-29 10:46:13 -07:00
Daniel Miessler
9dc0d15475 Added top 100 adobe passwords. 2013-12-21 10:18:08 -06:00
jhaddix
1574930a75 updated LFI list and added laudanum shells 2013-03-15 15:44:46 -07:00
jhaddix
0e3255e359 removed offending spaces 2013-03-12 12:56:21 -07:00
jhaddix
951ea38c65 LFI List 2013-03-12 12:02:43 -07:00
jhaddix
b258cbf37c XSS Strings with context 
XSS Strings with context iformation for those who want to know wtf the
xss is trying to do.
 2013-03-12 11:55:39 -07:00
jhaddix
026561d226 SSI Injections 2013-03-12 11:46:37 -07:00
jhaddix
e0e9382ea4 Revert "Revert "renamed"" 
This reverts commit d4f558be88.
 2013-03-12 11:40:46 -07:00
jhaddix
d4f558be88 Revert "renamed" 
This reverts commit 38ea38d9c5.
 2013-03-12 11:38:21 -07:00
jhaddix
38ea38d9c5 renamed 2013-03-12 11:12:52 -07:00
jhaddix
a2181239c9 Chnages naming structure 2013-03-12 11:09:21 -07:00
jhaddix
7a45990b37 Create advanced_xss_jhaddix.txt 
A list I've compiled from various sources, some from the html5sec.org challenge, so slight modifications may be necessary.
 2013-02-05 21:59:13 -08:00
Daniel Miessler
b9e6418c48 Many additions to the repository... 2012-08-26 20:04:09 -07:00
Daniel Miessler
90c26a2558 Changed name of SS fuzzing list... 2012-05-21 22:04:45 -07:00
Daniel Miessler
c6491fc635 Added fuzzing list from SkullSecurity... 2012-05-21 22:03:34 -07:00