SecLists

mirror of https://github.com/danielmiessler/SecLists synced 2025-12-06 08:53:59 +01:00

History

Dominique RIGHETTO 527ec748ba feat(wordlist): Update list of Spring endpoints. (PR #1253 )		2025-10-11 21:10:44 -03:00
..
ASP.NET	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
Common-PHP-Filenames.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
CommonBackdoors-JSP.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
CommonBackdoors-PHP.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
CommonBackdoors-PL.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
golang.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
Java-Spring-Boot.txt	feat(wordlist): Update list of Spring endpoints. (PR #1253 )	2025-10-11 21:10:44 -03:00
PHP.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
README.md	feat(docs): Added documentation for the 'Java-Spring-Boot.txt' wordlist	2025-06-24 23:18:03 -03:00
ror.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00

README.md

Java-Spring-Boot.txt

Use for: Detecting actuator endpoints, and testing for RCEs in Spring-Boot instances.

Note that it's possible for a spring-boot backend to be behind a spring-cloud-gateway, which may only route all traffic prefixed with /api/ to the backend. Consider fuzzing the starting prefix api with many different values to find what reaches the backend. A recommended wordlist to fuzz this value with is at Fuzzing/Miscellaneous/schemes.txt