Commit graph

272 commits

Author SHA1 Message Date
Dominique RIGHETTO
1c2fb11278
Add file with special vars used by template engines
The objective is to identify the engine once an expression evaluation pattern was identified.
2020-09-14 14:28:12 +02:00
Dominique RIGHETTO
234dfabf72
Add an expression using expression inlining for Thymeleaf
See https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#expression-inlining
Added it because I have discovered that, when StringTemplateResolver is used, then expression like ${42*42} is not resolved
2020-09-13 11:04:15 +02:00
Dominique RIGHETTO
ba87953a08
Add expression for Velocity engine 2020-09-13 09:33:41 +02:00
Daehee Park
850d3b10f1 XSS payloads from OFJAAAH 2020-08-30 14:40:59 -07:00
cbk914
e06aacd937 Revert "Merge pull request #4 from danielmiessler/master"
This reverts commit c266835781, reversing
changes made to fd4968f43b.
2020-08-11 14:25:56 +02:00
haxxinen
783b5edf73
Create quick-SQLi.txt 2020-08-06 10:35:03 +02:00
Dominique RIGHETTO
00f10f8513
Add character that can break a MongoDB query when JS expression is used 2020-07-18 18:00:24 +02:00
PinkDraconian
cf1ca8ec62
Added scientific notation entries 2020-06-16 12:36:29 +02:00
PinkDraconian
8679c2d6fe
Added true and false to the fuzzing list
Changing json field to true or false could have interesting results on an endpoint when fuzzing.
2020-06-16 12:21:04 +02:00
g0tmi1k
d76b8f6691
Merge pull request #452 from noraj/patch-1
Create LFI-gracefulsecurity-windows.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
2020-06-12 09:57:44 +01:00
g0tmi1k
b2865e0492
Merge pull request #453 from noraj/patch-2
Create LFI-gracefulsecurity-linux.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/
2020-06-12 09:57:09 +01:00
sheimo
6757058b8c
Create sqli.auth.bypass.txt
This is a thorough SQL injection authentication bypass list. Each source below was combined to a text file and sorted.

Source: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Source: http://www.lifeoverpentest.com/2018/03/sql-injection-login-bypass-cheat-sheet.html
2020-06-11 23:24:34 -05:00
Alexandre ZANNI
7dd955a544
Create LFI-gracefulsecurity-linux.txt 2020-06-11 16:49:45 +02:00
Alexandre ZANNI
6945f3e779
Create LFI-gracefulsecurity-windows.txt 2020-06-11 16:48:39 +02:00
g0tmi1k
245984882a
Merge pull request #442 from kazkansouh/standardise-line-end
Standardise line endings
2020-05-28 11:11:35 +01:00
Jamie Scott
5b5cafaa47
Adding the not in operator
Adding the not in operator as another thing to check or test. It will equivalently act as { $ne: 1 } only it functions within an array.
2020-05-28 00:34:48 -07:00
Karim Kanso
607c3293b4 strip trailing whitespace 2020-05-27 14:26:51 +01:00
kegan
54ac7074da
add nested traversal strings for /etc/passwd 2020-05-18 18:12:12 -05:00
Dominique RIGHETTO
984af30974
Add the expression for the Dust engine 2020-05-03 10:52:17 +02:00
Dominique RIGHETTO
aecd8036ca
Add the expression for the doT engine 2020-05-03 10:30:48 +02:00
g0tmi1k
09d5a27cf7
Merge pull request #421 from storenth/master
Update the fuzz-Bo0oM.txt with more ';'

Source: https://twitter.com/11xuxx/status/1247496768054591489
2020-04-29 17:52:49 +01:00
Kirill Z
6466bd0ed2
Add more XSS 2020-04-27 20:19:33 +07:00
Kirill Z
561d6236c2
Update the fuzz-Bo0oM.txt with more ';' 2020-04-27 20:09:53 +07:00
Dominique RIGHETTO
611d47caf3
Add a version of the payload for CodeContext
Add the payload "42*42" to the fuzzing list in order to cover the "Code context" detection point mentioned in the https://portswigger.net/web-security/server-side-template-injection training
2020-04-25 09:13:06 +02:00
g0tmi1k
a7dbde1ec9
Merge pull request #412 from righettod/master
Collection of template engines expression

Source: https://github.com/expressjs/express/wiki#template-engines
2020-04-20 10:06:06 +01:00
g0tmi1k
b3b337e6f1
Merge pull request #390 from ipentest/add-ipentest
Added top 100 email domains to Seclists/Fuzzing

Source: https://email-verify.my-addr.com/list-of-most-popular-email-domains.php
2020-04-20 10:04:42 +01:00
Dominique RIGHETTO
1bd30300de
Add an initial collection of template engines expression 2020-04-18 17:16:20 +02:00
Antoine Guilbaud
13b1f18901 add a common windows lfi path 2020-04-15 12:49:42 +02:00
milangfx
e82e5e5026 add /apidocs/api-docs.json, /api-docs 2020-04-01 14:42:20 +02:00
ipentest
b2cf6971c9 Add ipentest to contributors 2020-02-12 11:46:44 -05:00
S7X Deckard Case
b8e87ad36c Added the entire XSS Cheat Sheet of PortSwigger, their HTML events and tags. 2019-11-18 09:33:26 +01:00
Camas
eb2cd4518a Remove extra newline 2019-11-08 23:32:46 +00:00
Camas
a7184dd1f7 Fix line endings 2019-11-08 15:09:15 +00:00
Parth Malhotra
01b280755c
Create 1-4_all_letters_a-z.txt 2019-11-07 21:50:55 +05:30
Luke Anderson
68f8d60da5
Fix Fuzzing Types (Fixes #339) 2019-10-05 00:35:43 +09:30
g0tmi1k
327cc859ee Quick rename 2019-08-13 12:50:53 +01:00
g0tmi1k
5bbc1e6fe3 Close #329 - Bo0oM's fuzz.txt
Source: https://github.com/Bo0oM/fuzz.txt
2019-08-13 12:50:20 +01:00
g0tmi1k
3fc464d156 Add XSS without parentheses and semi-colons
Source: https://portswigger.net/blog/xss-without-parentheses-and-semi-colons
2019-05-22 12:15:42 +01:00
g0tmi1k
9239f0a284 find . -name '*_*' -exec rename 's/_/-/g' "{}" \; 2019-05-08 11:54:39 +01:00
g0tmi1k
a65f6bd665 Close #291 - Fix encoding issues
$ for x in $( find . -type f ); do iconv -f utf-8 -t utf-8 -c ${x} | sed '/^$/d' > tmp; mv tmp ${x}; done
2019-05-08 11:04:00 +01:00
g0tmi1k
7b1f14989c Quick move about 2019-04-12 13:52:47 +01:00
g0tmi1k
3f2c0d33d2 Quick clean up of locations 2019-04-10 13:22:39 +01:00
g0tmi1k
12751dbbf0 Fix #288 - Add graphql
Source: https://graphql.org/learn/serving-over-http/
2019-04-10 13:18:25 +01:00
g0tmi1k
b9483d00b7 Sort out a few more filename issues 2019-04-10 11:32:07 +01:00
g0tmi1k
437478ce7b Fix #284 #285 - useragents-ie.txt 2019-04-10 10:19:12 +01:00
Alexandre ZANNI
cfe4b16023
Update LFI-JHADDIX.txt
fix typo + add 1 entry
2019-03-10 17:11:22 +01:00
Infected Drake
0400e0bbc1
A wrong payload corrected
The payload on line 18 contains a misspelled event handler `OnpOinTeReENer`. Corrected it properly.
2019-02-09 12:13:28 +05:30
g0tmi1k
7ed3f897df
Merge pull request #237 from s0md3v/patch-1
+5 payloads, some enhancements
2019-01-08 18:11:33 +00:00
Prinzhorn
1eae4d51f0 Strip HTML from LFI-LFISuite-pathtotest-huge.txt 2018-12-18 10:13:49 +01:00
g0tmi1k
47b1829910
Merge pull request #241 from g0tmi1k/ua
Added various User Agent strings
2018-11-26 10:09:44 +00:00
g0tmi1k
b99b0ed28f Added various User Agent strings
Source: https://developers.whatismybrowser.com/useragents/explore/
2018-11-26 09:56:22 +00:00
Somdev Sangwan
bb180d4e27
changed %3B to %26 (I'm sleep deprived sorry) 2018-11-21 14:53:27 +05:30
Somdev Sangwan
31167686f0
+5 payloads, some enhancements 2018-11-21 14:45:08 +05:30
Michael Henriksen
2dab37db43 Add best performing payloads from the XSS Polyglot Challenge 2018-11-01 07:37:16 +01:00
g0tmi1k
d68ba5f9ed Rename "_" -> "-" & found a few new homes 2018-10-15 13:08:10 +01:00
Somdev Sangwan
cebebee4b5
Create XSS-Somdev.txt 2018-10-15 02:13:17 +05:30
g0tmi1k
9f73b7e81a Add LFISuite
Source: https://github.com/D35m0nd142/LFISuite
2018-07-25 13:51:06 +01:00
Karan Saini
3911f92c82
Added numeric combinations
Text files of numeric combinations (with leading zeros) for use during enumeration
2018-04-08 00:54:51 +05:30
Daniel Miessler
25323690ce
Merge pull request #185 from ryan-wendel/master
Update XSS-JHADDIX.txt
2018-03-23 12:05:55 -07:00
Ryan Wendel
619f3afb71
Update XSS-JHADDIX.txt
Removed offensive term from wordlist.
2018-03-23 10:01:05 -06:00
g0tmi1k
3f79d071ce Quick move about 2018-03-21 17:47:29 +00:00
g0tmi1k
5278477235 Close #106 - XXE-Fuzzing / Grep PHP Auditing 2018-03-21 17:19:17 +00:00
g0tmi1k
401af588f6 Close #88 - Fuzzing List Integer fields
Source: https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/FuzzLists/numeric_fields_only.txt
2018-03-21 16:30:38 +00:00
g0tmi1k
7b6b792312 Close #69 - Fix SQLi Polyglot
Source: https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/

Source: https://twitter.com/SymbianSyMoh/status/707685783801454594
2018-03-21 16:29:03 +00:00
g0tmi1k
9ae73c2ceb Add "Big List of Naughty Strings"
Source: https://github.com/minimaxir/big-list-of-naughty-strings
2018-03-21 16:20:10 +00:00
g0tmi1k
26cf832f9d Close ##152 - PHP base64 filter file read (XXE_Fuzzing) 2018-03-21 16:13:09 +00:00
g0tmi1k
d2282eee97 Added ] in (Fix #131) 2018-03-07 11:46:03 +00:00
g0tmi1k
7611257a60 Quick rename of files 2018-03-05 11:03:11 +00:00
g0tmi1k
7a55e1871c Remove pointless files. 2018-03-05 09:52:00 +00:00
Daniel Miessler
49a6d721ff
Merge pull request #128 from g0tmi1k/structure
Structure Clean Up
2018-03-04 12:23:06 -08:00
Daniel Miessler
7cf6e78ff5 Added Darkweb 10,100,1K,10K to Passwords. 2018-01-02 21:46:14 -08:00
g0tmi1k
25d4ac447e rename 's/_/-/g' 2017-08-23 14:55:06 +01:00
g0tmi1k
a97be9373e Started sorting "Miscellaneous/" & "Fuzzing/" 2017-07-11 13:53:16 +01:00
g0tmi1k
6f69a35b5e Started clean up on "Discovery/Web_Content" 2017-07-11 13:36:01 +01:00
Jason Haddix
02b09becc3 Rename NoSQL to NoSQL.txt 2017-06-28 11:25:52 -07:00
Jason Haddix
46de2f6727 Create NoSQL 2017-06-28 11:25:16 -07:00
Daniel Miessler
ffce0051e4 Merge pull request #113 from ilyaglow/fix/bitquark-subdomains-location
Move bitquark subdomains list to Discovery
2017-05-11 21:51:25 -04:00
Daniel Miessler
7b131262e6 Merge pull request #110 from sneakerhax/add-useragents-ie
Add useragents-ie
2017-05-11 21:51:00 -04:00
Daniel Miessler
9aab1014e9 Merge pull request #92 from alexlauerman/master
Improved test cases
2017-05-11 21:47:55 -04:00
Ilya Glotov
2f921032f0
Move bitquark subdomains list to Discovery 2017-04-07 16:15:55 +03:00
Sneakerhax
d1b104a46f Add useragents-ie 2017-03-06 15:04:31 -08:00
Alex Lauerman
382c44dd97 Improved test cases
Includes parameter entities and OOB test case.
2016-10-29 20:11:36 -05:00
Daniel Miessler
b012b32ee4 Added 0xsobky's Ultimate XSS Polyglot. 2016-07-20 10:54:35 -07:00
Daniel Miessler
4cd6f77ac1 Added Bitquark's Top 100K Subdomains. 2016-07-20 10:50:27 -07:00
Daniel Miessler
b4f21b34f5 Added BruteLogic's XSS strings. 2016-07-20 10:02:28 -07:00
Daniel Miessler
601038eb4e Added @Brutelogic's brilliant XSS Cheatsheet. 2016-07-13 12:58:49 -07:00
g0tmi1k
457997fd6a Changing permissions to everything matches - 0644 2016-05-17 12:04:45 +01:00
Daniel Miessler
486d847fd7 Merge pull request #41 from lukebeer/master
commix.py INJECT_HERE payloads, all credits & thanks to commix devs.
2016-01-04 13:26:39 -08:00
Jason Haddix
1d1030ec28 Create XXE_Fuzzing.txt 2015-11-27 15:51:45 -08:00
lukebeer
68c75f1c5d commix.py INJECT_HERE payloads, all credits & thanks to commix devs. 2015-11-09 14:35:06 +00:00
Jason Haddix
34aaaa98a3 Update SQLi_Polyglots.txt 2015-11-03 12:51:43 -08:00
Daniel Miessler
5504f74836 JSON fuzzing list submitted by Danny Chrastil. 2015-09-08 21:18:33 -07:00
Daniel Miessler
cafd775959 Added additional XSS polyglot. 2015-08-18 04:36:13 -07:00
Daniel Miessler
44d69f4678 Added XSS polyglots from polyglot.innerht.ml 2015-08-18 04:34:39 -07:00
Daniel Miessler
7690b959ec Moar directory motionz. 2015-08-04 10:53:50 -07:00
Daniel Miessler
32591928bd Added XSS vectors. 2015-06-11 15:10:12 -07:00
Daniel Miessler
fa2fd76540 Updated polyglot list. 2015-03-12 23:37:55 -07:00
Daniel Miessler
4a11eb48b1 Added polyglots. 2015-03-12 23:36:01 -07:00
JT
8c76412dac Update JHADDIX_LFI.txt 2015-01-26 20:22:10 +08:00
Jay Turla
726901c931 Create LDAP_FUZZ.txt 2014-11-19 15:31:08 +08:00
Jay Turla
39802ff82f Update XML_FUZZ 2014-11-19 15:27:31 +08:00
Jay Turla
3570ebcd2f Update XML_FUZZ
Adding some payloads
2014-11-19 15:21:10 +08:00
Jason Haddix
73c85e7d64 Create XML_FUZZ 2014-07-28 08:11:08 -07:00
Jason Haddix
6fae683c4d Update JHADDIX_FORMATSTRING 2014-07-28 08:06:35 -07:00
Jason Haddix
f0683ecead Create JHADDIX_FORMATSTRING
initial dump
2014-07-27 05:44:08 -07:00
Jason Haddix
2eaeada471 Update Generic_SQLi 2014-07-23 03:48:38 -07:00
Jason Haddix
13e3bbb403 Create Generic_SQLi
can't remember where this is from =/
2014-07-23 03:42:58 -07:00
jhaddix
96910294b0 Create JHADDIX_HTML5sec_Injections.txt
initial HTML5Sec list
2014-06-29 10:46:13 -07:00
Daniel Miessler
9dc0d15475 Added top 100 adobe passwords. 2013-12-21 10:18:08 -06:00
jhaddix
1574930a75 updated LFI list and added laudanum shells 2013-03-15 15:44:46 -07:00
jhaddix
0e3255e359 removed offending spaces 2013-03-12 12:56:21 -07:00
jhaddix
951ea38c65 LFI List 2013-03-12 12:02:43 -07:00
jhaddix
b258cbf37c XSS Strings with context
XSS Strings with context information for those who want to know wtf the
xss is trying to do.
2013-03-12 11:55:39 -07:00
jhaddix
026561d226 SSI Injections 2013-03-12 11:46:37 -07:00
jhaddix
e0e9382ea4 Revert "Revert "renamed""
This reverts commit d4f558be88.
2013-03-12 11:40:46 -07:00
jhaddix
d4f558be88 Revert "renamed"
This reverts commit 38ea38d9c5.
2013-03-12 11:38:21 -07:00
jhaddix
38ea38d9c5 renamed 2013-03-12 11:12:52 -07:00
jhaddix
a2181239c9 Changes naming structure 2013-03-12 11:09:21 -07:00
jhaddix
7a45990b37 Create advanced_xss_jhaddix.txt
A list I've compiled from various sources, some from the html5sec.org challenge, so slight modifications may be necessary.
2013-02-05 21:59:13 -08:00
Daniel Miessler
b9e6418c48 Many additions to the repository... 2012-08-26 20:04:09 -07:00
Daniel Miessler
90c26a2558 Changed name of SS fuzzing list... 2012-05-21 22:04:45 -07:00
Daniel Miessler
c6491fc635 Added fuzzing list from SkullSecurity... 2012-05-21 22:03:34 -07:00