mirror of https://github.com/danielmiessler/SecLists synced 2025-12-10 02:44:59 +01:00

History

Ignacio J. Perez Portal c295d9ea54 fix(docs): Moved 'Jenkins-Hudson.txt' into the Service-Specific directory		2025-02-21 20:35:26 -03:00
..
api	Revert "feat(docs): Improve readme files for better clarity and usage examples"	2025-01-24 22:16:31 -03:00
BurpSuite-ParamMiner
CMS	fix(docs): Moved 'aem2.txt' into the CMS directory	2025-02-21 20:30:29 -03:00
Domino-Hunter
dutch	Removed offensive/harmful entries in files.	2024-03-29 12:29:53 -07:00
File-Extensions-Universal-SVNDigger-Project	feat(docs): Renamed 'SVNDigger' folder to a more descriptive folder name	2025-02-21 20:15:56 -03:00
Programming-Language-Specific	feat(docs): Moved programming-language-specific wordlists into their own directory	2025-02-18 02:39:43 -03:00
Service-Specific	fix(docs): Moved 'Jenkins-Hudson.txt' into the Service-Specific directory	2025-02-21 20:35:26 -03:00
trickest-robots-disallowed-wordlists	[Github Action] Automated trickest wordlists update.	2025-01-24 19:03:25 +00:00
URLs	Revert "feat(docs): Improve readme files for better clarity and usage examples"	2025-01-24 22:16:31 -03:00
Web-Servers	fix(docs): Moved 'jboss.txt' into the Web-Servers directory	2025-02-21 20:35:25 -03:00
AdobeXML.fuzz.txt
ApacheTomcat.fuzz.txt
big.txt	Merge pull request #1073 from newyork167/master	2024-11-20 10:08:16 +00:00
burp-parameter-names.txt
CGI-HTTP-POST-Windows.fuzz.txt
CGI-HTTP-POST.fuzz.txt
CGI-Microsoft.fuzz.txt
CGI-XPlatform.fuzz.txt
CGIs.txt
coldfusion.txt
combined_directories.txt	Added gem/rack better errors	2024-08-14 17:11:52 -04:00
combined_words.txt	Added gem/rack better errors	2024-08-14 17:11:52 -04:00
common-and-dutch.txt
common-and-french.txt
common-and-italian.txt
common-and-portuguese.txt
common-and-spanish.txt
common-api-endpoints-mazen160.txt
Common-DB-Backups.txt
common.txt	feat(wordlist): Added 'daloradius' to common.txt	2025-01-24 22:33:29 -03:00
common_directories.txt	feat(wordlist): created 'common_directories.txt' wordlist	2024-09-10 22:52:36 -03:00
default-web-root-directory-linux.txt
default-web-root-directory-windows.txt
directory-list-1.0.txt
directory-list-2.3-big.txt	Removed offensive/harmful entries in files.	2024-03-29 12:29:53 -07:00
directory-list-2.3-medium.txt	Removed offensive/harmful entries in files.	2024-03-29 12:29:53 -07:00
directory-list-2.3-small.txt
directory-list-lowercase-2.3-big.txt
directory-list-lowercase-2.3-medium.txt
directory-list-lowercase-2.3-small.txt
dirsearch.txt
domino-dirs-coldfusion39.txt
domino-endpoints-coldfusion39.txt
dsstorewordlist.txt
graphql.txt
hashicorp-consul-api.txt
hashicorp-vault.txt
hpsmh.txt
HTTP-POST-Microsoft.fuzz.txt
JavaScript-Miners.txt
JavaServlets-Common.fuzz.txt
keycloak.txt	Update keycloak.txt	2024-01-06 10:21:48 +03:30
KitchensinkDirectories.fuzz.txt
LinuxFileList.txt
local-ports.txt
Logins.fuzz.txt
LotusNotes.fuzz.txt
Microsoft-Frontpage.txt	fix(wordlist): renamed wordlist 'Frontpage.fuzz.txt' to 'Microsoft-Frontpage.txt'	2025-02-18 01:48:56 -03:00
netware.txt
nginx.txt
ntlm-directories.txt	Create ntlm-directories.txt	2024-03-30 17:28:41 +01:00
oauth-oidc-scopes.txt
Oracle-EBS-wordlist.txt
oracle.txt
Oracle9i.fuzz.txt
OracleAppServer.fuzz.txt
Passwords.fuzz.txt
proxy-conf.fuzz.txt
Public-Source-Repo-Issues.json
pulsesecure.txt
quickhits.txt
raft-large-directories-lowercase.txt
raft-large-directories.txt
raft-large-extensions-lowercase.txt
raft-large-extensions.txt
raft-large-files-lowercase.txt
raft-large-files.txt
raft-large-words-lowercase.txt
raft-large-words.txt
raft-medium-directories-lowercase.txt
raft-medium-directories.txt
raft-medium-extensions-lowercase.txt
raft-medium-extensions.txt
raft-medium-files-lowercase.txt
raft-medium-files.txt
raft-medium-words-lowercase.txt
raft-medium-words.txt
raft-small-directories-lowercase.txt
raft-small-directories.txt
raft-small-extensions-lowercase.txt
raft-small-extensions.txt
raft-small-files-lowercase.txt
raft-small-files.txt
raft-small-words-lowercase.txt
raft-small-words.txt
Randomfiles.fuzz.txt
README.md	fix(docs): Moved 'AdobeCQ-AEM.txt' into the CMS directory	2025-02-21 20:30:28 -03:00
reverse-proxy-inconsistencies.txt
Roundcube-123.txt
rssfeed-files.txt	Add files via upload	2024-07-04 07:57:17 +02:00
sap-analytics-cloud.txt
sap.txt
sharepoint-ennumeration.txt
SOAP-functions.txt	feat(docs): Removed mis-categorized 'Web-Services' folder	2025-02-18 02:58:14 -03:00
spring-boot.txt	feat(wordlist): Update spring-boot.txt to v2.1.7	2025-01-24 21:59:37 -03:00
swagger.txt	Update swagger.txt	2024-11-21 12:42:33 +04:00
tests.txt
tftp.fuzz.txt
UnixDotfiles.fuzz.txt
uri-from-top-55-most-popular-apps.txt
url-params_from-top-55-most-popular-apps.txt
versioning_metafiles.txt
Vignette.fuzz.txt
vulnerability-scan_j2ee-websites_WEB-INF.txt
web-all-content-types.txt	Merge branch 'master' into sync	2024-12-20 02:45:55 -03:00
web-extensions-big.txt	Added .vue file extension at web-extensions-big, reference : https://vuejs.org/api/sfc-spec	2024-11-22 06:46:22 +08:00
web-extensions.txt	added .json	2024-11-11 02:15:04 +08:00
web-mutations.txt
weblogic.txt
websphere.txt
wso2-enterprise-integrator.txt

README.md

Web discovery wordlists

AdobeXML.fuzz.txt

Use for: Discovering sensitive filepaths of Adobe ColdFusion

Creation date: Aug 27, 2012

No updates have been made to this wordlist since its creation.

CGI-HTTP-POST-Windows.fuzz.txt

Use for: Exploiting various vulnerabilities in the now defunct WYSIWYG HTML editor and website administration tool, Microsoft FrontPage

Source: https://github.com/deepak0401/Front-Page-Exploit

Date of last update: Aug 27, 2012

The last version of FrontPage was released on 2003.

CGI-HTTP-POST.fuzz.txt

Use for: Exploiting/Discovering various vulnerabilities in extremely old systems (Circa 1998) that use "CGI".

Date of last update: Aug 27, 2012

This wordlist tests for the following vulnerabilities:

Default password in the Nortel Meridian private branch exchange telephone switching system. Source: Nikto.
XSS in the "Bajie HTTP JServer" (software site completely defunct, no archives exist). Source: Nikto
CGI Vulnerability in an unknown system (payload lastlines.cgi?process) which would allow attackers to "read arbitrary files and/or execute commands". Source: Nikto
Remote File Include in myPHPNuke. Source: Nessus
DoS in the "D-Link Ethernet/Fast Ethernet Print Server DP-300+". Source: Sullo's Security Advisory Archive.

CGI-Microsoft.fuzz.txt

Use for: Exploiting/Discovering various vulnerabilities in miscelaneous CGI scripts that run on Microsoft operating systems.

Date of last update: Aug 27, 2012

raft-* wordlists

Use for: Directory and file brute-forcing leading to identification of vulnerabilities in web applications.

Source: Google's RAFT

combined_words.txt

Use for: discovering files
This list is automatically updated by a github action whenever any of the lists it's composed by is modified.

This list is a combination of the following wordlists:

big.txt
common.txt
raft-large-words-lowercase.txt
raft-large-words.txt
raft-medium-words-lowercase.txt
raft-medium-words.txt
raft-small-words-lowercase.txt
raft-small-words.txt

combined_directories.txt

Use for: discovering files and directories

This list is automatically updated by a github action whenever any of the lists it's composed by is modified.

These are the wordlists that compose this wordlist:

apache.txt
combined_words.txt
directory-list-1.0.txt
directory-list-2.3-big.txt
directory-list-2.3-medium.txt
directory-list-2.3-small.txt
raft-large-directories-lowercase.txt
raft-large-directories.txt
raft-medium-directories-lowercase.txt
raft-medium-directories.txt
raft-small-directories-lowercase.txt
raft-small-directories.txt
common_directories.txt

Usage

Use for: discovering files and directories

Source

This list is automatically updated by a GitHub action whenever any of the lists it's composed by is modified.

dsstorewordlist.txt

SOURCE: https://github.com/aels/subdirectories-discover

Perfect wordlist to discover directories and files on target site with tools like ffuf.

It was collected by parsing Alexa top-million sites for .DS_Store files (https://en.wikipedia.org/wiki/.DS_Store), extracting all the found files, and then extracting found file and directory names from around 300k real websites.
Then sorted by probability and removed strings with one occurrence.
resulted file you can download is below. Happy Hunting!

vulnerability-scan_j2ee-websites_WEB-INF.txt

Use for: discovering sensitive j2ee files exploiting a lfi

References:

Microsoft-Frontpage.txt

Use for: Fuzzing for common filepaths in webpages designed with Microsoft Frontpage

Year of the first release of Microsoft Frontpage: 1997 Year of the last release of Microsoft Frontpage: 2003

Oracle-EBS-wordlist.txt

Use for: Fuzzing for common filepaths of Oracle E-Business Suite (EBS) version 11.

EBS v11 exposes:

usernames
ports
OS information
protocol information
Unauthenticated file upload
Cookie contents
SHA-1 hashed passwords

As an Unauthenticated user it's also possible to:

Create forms
Get servlets status
Get certain configuration files

Reference: https://the-infosec.com/2017/03/29/do-you-know-what-your-erp-is-telling-us/

Date of last update: Oct 7, 2019

iis-systemweb.txt

Use for: Fuzzing the /aspnet_client/system_web/ directory on Microsoft IIS servers to detect CGIs and scripts even even if the two ladder directories are inaccessible.

Reference: https://github.com/irsdl/IIS-ShortName-Scanner Discussion: https://github.com/danielmiessler/SecLists/pull/783

Date of last update: Jun 27, 2022