SecLists

mirror of https://github.com/danielmiessler/SecLists synced 2025-12-06 08:53:59 +01:00

History

ItsIgnacioPortal 11a47a36b8 feat(docs): Added documentation for the 'Java-Spring-Boot.txt' wordlist Related to #1220		2025-06-24 23:18:03 -03:00
..
ASP.NET	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
Common-PHP-Filenames.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
CommonBackdoors-JSP.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
CommonBackdoors-PHP.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
CommonBackdoors-PL.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
golang.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
Java-Spring-Boot.txt	feat(wordlist): Added prefixes to deal with Java-Spring-Boot being behind spring-cloud-gateway (PR #1220 )	2025-06-24 23:00:15 -03:00
PHP.fuzz.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
README.md	feat(docs): Added documentation for the 'Java-Spring-Boot.txt' wordlist	2025-06-24 23:18:03 -03:00
ror.txt	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00

README.md

Java-Spring-Boot.txt

Use for: Detecting actuator endpoints, and testing for RCEs in Spring-Boot instances.

Note that it's possible for a spring-boot backend to be behind a spring-cloud-gateway, which may only route all traffic prefixed with /api/ to the backend. Consider fuzzing the starting prefix api with many different values to find what reaches the backend. A recommended wordlist to fuzz this value with is at Fuzzing/Miscellaneous/schemes.txt