The catalog of security wordlists.

Common file and directory names typically extracted from leaked macOS .DS_Store files. Useful as a content-discovery seed list for sites that may have exposed .DS_Store metadata.

Unique plaintext passwords from the 2015 000webhost breach, a real-world set reflecting modern user password choices.

Leetspeak permutations of common base words (e.g. apple -> app|3). Useful for cracking passwords that substitute letters with symbols/digits.

The 200 most used passwords of 2020 as published in annual breach analyses. A tiny, high-yield list for fast credential spraying.

The classic 500 worst passwords list. Tiny and ideal for fast online brute-force checks against login services.

Adobe Experience Manager (AEM) / CQ paths and dispatcher bypass URLs for enumerating AEM instances and content nodes.

ColdFusion CFIDE administrator and component endpoint paths for fingerprinting and probing Adobe ColdFusion installations.

Adobe ColdFusion administrative and component paths (CFIDE, cfdocs, administrator, BlazeDS) for fingerprinting and probing ColdFusion installs.

Default sample-app and WEB-INF paths exposed by Adobe JRun / Java servlet runner deployments for server fingerprinting.

Passwords from the 2014 dump of ~5 million alleged Gmail credentials. Sorted lexically, includes many keyboard-pattern and ASCII-art style entries.

Single-character set covering punctuation, symbols and the full alphanumeric range, for character-level input fuzzing and filter/encoding boundary testing.

Apache Tomcat manager, host-manager, and internal paths (META-INF, WEB-INF, manager/html) for enumerating Tomcat servers.

Apache-specific paths and files including .htaccess, log locations, cgi directories, and server-status endpoints. Use when fingerprinting or targeting Apache servers.

Common API action/verb names (add, delete, activate, login) used to construct and fuzz API operation paths.

Curated list of common REST API endpoint paths (api/auth, api/users, etc.) for content discovery against API roots.

Large list of API resource/method tokens and identifiers harvested from real APIs, useful for deep API endpoint fuzzing.

API tokens and endpoint fragments observed in real-world traffic and codebases, aimed at discovering live API surfaces.

Common API object/noun names (users, orders, products, ids) for building or fuzzing RESTful resource paths.

The top 487 most common passwords used by Arabic-speaking users, including Arabic transliterated names appended with digits. A compact list for Middle East and North Africa targets.

Arjun's large HTTP parameter-name wordlist (~26k) for discovering hidden request parameters.

Arjun's medium HTTP parameter-name wordlist for balanced hidden-parameter discovery.

Plaintext passwords recovered from the 2015 Ashley Madison breach (bcrypt/MD5 hashes cracked), sorted lexically.

Known/leaked ASP.NET validationKey,decryptionKey pairs (machineKey secrets) for testing ViewState deserialization and forged-token attacks.

Assetnote's curated ~2-million-entry subdomain wordlist derived from CommonSpeak2 and scan data, a popular mid-size list for DNS brute-forcing.

Assetnote's flagship 9.5-million-entry DNS/subdomain brute-force wordlist, frequency-ordered from large-scale internet scans. One of the most effective mass subdomain bruteforce lists available.

Assetnote's auto-generated API route wordlist mined from the HTTP Archive crawl (2024-05-28), containing real /api and versioned endpoint paths for API endpoint discovery.

Assetnote's auto-generated directory/path wordlist mined from the top HTTP Archive sites (2024-05-28), with full path prefixes ordered by real-world frequency.

Assetnote's auto-generated subdomain wordlist mined from the HTTP Archive crawl dataset (2024-05-28), frequency-ranked from real-world hostnames.

Atlassian Confluence administrative action endpoints (space permissions, OAuth consumers, page templates) for enumerating Confluence admin areas.

The well-known Big List of Naughty Strings: reserved words, special characters, Unicode edge cases, script/SQL snippets and other inputs that often break naive software. A general-purpose input-validation fuzzing list.

Bitquark's top 100,000 subdomain labels mined from DNS datasets and public data. A widely-used, high-quality list ordered by real-world frequency.

Bo0oM's curated file-extension fuzzing list (backup, config, source, archive suffixes) for discovering sensitive files via extension brute-forcing.

The 100,000 most common Brazilian given names, lowercased one per line. Useful for username enumeration and name-based password guessing against Brazilian/Portuguese-speaking targets.

Wordlist of HTTP parameter names compiled from Burp Suite, used for fuzzing hidden GET/POST parameters.

The default password dictionary bundled with the Cain & Abel Windows recovery tool, containing roughly 306,000 entries. A well-rounded general-purpose cracking list.

Passwords recovered from the breach of the carders.cc carding forum, skewed heavily toward German-language passwords. Useful for profiling underground-forum and German-user credentials.

Large list of classic cgi-bin scripts and legacy CGI endpoints (.cgi, .exe, .pl, .cfm). Useful for discovering vulnerable legacy CGI handlers on older web servers.

The full Chinese-language common password corpus, the complete frequency-ranked set behind the top-N Chinese tiers.

The 10,000 most common Chinese-user passwords ordered by frequency, including patterns like 5201314 and 7758521. Useful for targeting Chinese-speaking accounts.

Top 1,000,000 Chinese-language passwords ranked by frequency, including phone-number patterns and culturally specific numeric sequences (e.g. 5201314).

Default and built-in account usernames collected from the cirt.net default password database. Useful for spraying common vendor/admin accounts across many devices and services.

Default passwords aggregated from the CIRT.net default-password database. Ideal for default-credential checks across many devices.

Known default credentials for Citrix products such as NetScaler (nsroot) and Unidesk. Small high-value list for Citrix appliance login testing.

Paths to configuration files of common CMSes (wp-config.php, configuration.php, settings.php, app/etc/env.php) for hunting credential-bearing config disclosure.

A large 653,920-entry list merging multiple subdomain sources for maximum coverage. Best run with a fast resolver such as puredns for thorough enumeration.

Command injection payloads combining shell separators, quoting and encoded newlines with commands like id and cat /etc/passwd. For detecting OS command execution in web parameters.

Large OS command-injection payload set generated in the style of the Commix tool, using echo-marker probes and many separator/encoding combinations. For detecting shell command injection sinks.

Common privileged account names (root, administrator, superuser, etc.) each paired with its Base64 encoding, useful for HTTP Basic-Auth and other base64-encoded credential fields. Format is plaintextname:base64name per line.

Mazen Gamal's compact list of common API endpoint and version paths for quick API surface enumeration.

The 10,000 most common passwords compiled by Mark Burnett. A fast, high-hit-rate baseline list for any password attack.

Targeted list of common database backup filenames and archive extensions (sql, tar.gz, zip, 7z, etc.). Useful for hunting exposed database dumps left on web servers.

List of common HTTP/HTTPS service ports for web service discovery and port-based fuzzing across non-standard web ports.

Large collection of common .php filenames seen across PHP applications and frameworks. Tailored for enumerating PHP-based sites.

A short, high-value list of the most common default SNMP community strings (public, private, vendor defaults) for quick SNMP credential checks.

The onesixtyone-ready version of the common default SNMP community-string list for rapid scanning of SNMP services with onesixtyone.

The classic SecLists common.txt of frequently encountered web paths, including dotfiles, VCS folders, and admin endpoints. A reliable default wordlist for everyday discovery.

Compressed and archive file extensions (7z, zip, tar, gz, rar, arj, etc.) for hunting exposed backups and archive files on web servers.

CRLF injection payloads using various encodings of carriage-return/line-feed to inject a Set-Cookie header. For testing HTTP response splitting and header injection.

URL scheme/protocol prefixes supported by curl (file, gopher, dict, ftp, etc.) for probing SSRF and URL-parsing bugs.

Top 10,000 passwords aggregated from dark web breach dumps in 2017. Good modern complement to older common-password lists.

The classic darkc0de wordlist, a large mixed dictionary of passwords, dictionary words and symbol sequences long bundled with pentest distros.

Pattern-matching strings for detecting database, ASP.NET and server error messages in HTTP responses, useful for SQLi/error-leak detection grep lists.

Every date from 1900 to 2020 in DDMMYYYY form. Effective against date-of-birth style passwords and numeric PIN-pattern guesses.

Deeply nested ../ path-traversal sequences for reaching files several directory levels above the web root.

The top 500 DNS prefixes compiled by deepmagic.com from large-scale reverse-DNS data. A tiny, quick-pass list useful for ISP and infrastructure naming patterns.

The top 50,000 DNS prefixes compiled by deepmagic.com from large-scale reverse-DNS data. A broad list strong on ISP, hosting and infrastructure naming conventions.

Curated list of vendor/device default passwords. Use against routers, IoT, and appliances that ship with factory credentials.

The smallest DirBuster 2.3 directory list, a priority-ordered case-sensitive set of paths found on at least 3 different hosts. A fast, low-noise starting point for directory brute-forcing.

The all-lowercase variant of the DirBuster 2.3 medium directory list, useful against case-insensitive web servers. Priority-ordered by entries found on at least 2 different hosts.

The all-lowercase small DirBuster 2.3 directory list for case-insensitive targets. Entries are priority-ordered and were found on at least 3 different hosts.

The original first-draft DirBuster 1.0 unordered case-sensitive list, containing entries found on at least two hosts. A broad legacy directory/file discovery wordlist.

The full case-sensitive DirBuster 2.3 directory/file brute-force list, priority-ordered with entries found on at least one host. The canonical large web-content discovery wordlist.

The legendary DirBuster medium list of directory and file names ordered by real-world hit frequency. The default deep-dive wordlist for thorough web directory brute-forcing.

The case-insensitive (all lowercase) variant of the full DirBuster 2.3 big list, priority-ordered. Useful against case-insensitive web servers to reduce duplicate requests.

Path/directory traversal payloads targeting Windows win.ini with many encoding and double-encoding variations of ../ and backslash sequences. For testing path-traversal filters and WAF bypass.

File and directory paths derived from the Django CMS / Django framework source tree, including admin, templates and Python module paths. Useful for content discovery against Django-based sites.

The 1,000 most frequently observed subdomain labels curated by the dnscan project, ideal for fast, high-hit-rate subdomain brute-forcing.

The top 10,000 subdomain labels from the dnscan project, a broader frequency-ranked list for deeper DNS subdomain discovery.

The default subdomain brute-force namelist bundled with the dnsrecon enumeration tool, blending numeric prefixes with common service hostnames.

dnsrecon's top 5,000 most common subdomain labels derived from the top-1-million dataset, a balanced mid-size list for subdomain brute-forcing.

Docker Engine remote API endpoints (containers/json, images, build, exec, debug/pprof) for probing exposed Docker daemons.

DotNetNuke (DNN) CMS file and directory paths (admin containers, skins, modules, install) for enumerating DNN installations.

All 256 byte values double-URL-encoded (%25xx) for testing double-decoding bugs, WAF bypass and filter evasion.

Differential URL list of files shipped with Drupal 7.20 (includes, modules, themes) for fingerprinting Drupal core paths.

List of Drupal theme directory paths under themes/. Useful for enumerating installed Drupal themes during CMS assessments and version fingerprinting.

Comprehensive list of Drupal core files, modules, themes, and translation files. Built for deep enumeration of Drupal-powered sites.

Elasticsearch and Kibana API endpoints (_all, _cat, _search, api/saved_objects) for enumerating exposed ELK stack interfaces.

Passwords leaked from the EliteHacker forum breach. A compact, security-community-flavored list useful for cracking and credential guessing.

Top 100 email provider domains, useful for generating email/IDN payloads, account-enumeration tests, and email-parser fuzzing.

Passwords from the breach of the FaithWriters Christian writing community, rich in religious and faith-themed terms. Useful for targeting religiously-themed password patterns.

Top 1000 most common US family (last) names. Useful for generating username candidates and for password-spray / AD account enumeration in surname-based naming conventions.

Top 1000 most common US female first names. Useful for building username permutations and for Active Directory user enumeration in first-name-based schemes.

The built-in subdomain brute-force list shipped with the modern Python fierce DNS reconnaissance tool, covering common hostnames and numeric prefixes.

The classic 2,280-entry hostname list shipped with the Fierce DNS reconnaissance tool. A compact starter list of common host prefixes.

PHP file-upload filter bypass extensions (double extensions, .php3-.php8, .pht, .phar, .phtml) for testing insecure upload handlers.

Top 150 most common Finnish-language passwords from the Pwdb dataset, including local profanity and keyboard patterns. Useful for Finnish-locale credential guessing.

Top 1000 most common Indian first names. Useful for region-specific username generation and account enumeration against India-based organizations.

Format-string attack payloads (%p, %x, %n and repeated/long variants) for probing C-style printf vulnerabilities. For testing native back ends and logging sinks.

VPN passwords leaked in the 2021 Fortinet SSL-VPN dump. Highly relevant for testing enterprise/VPN credential reuse.

All 10,000 four-digit PINs sorted by real-world frequency with occurrence counts. Use for PIN brute-forcing or masks where 4-digit PINs apply.

The 20,000 most common French-language passwords ordered by frequency, including French keyboard patterns like azerty. Ideal for French-speaking targets.

Curated user:password combos for FTP services covering common vendor and appliance defaults. Drop-in for FTP brute-force tooling that accepts colon-separated credential pairs.

Comprehensive list of fully-qualified Java class names, useful for Java deserialization, JNDI/Log4j gadget discovery, and class-name parameter fuzzing.

Predictable paths for Microsoft Active Directory Federation Services (ADFS), including App_Code, resource files and localized resx assets. Helps fingerprint and discover content on ADFS portals.

Time-based blind SQL injection payloads for MSSQL WHERE clauses using WAITFOR DELAY across escalating quote and parenthesis breakout contexts.

Time-based blind SQL injection payloads for MySQL WHERE clauses using BENCHMARK() delays across varied quote/parenthesis breakout contexts.

Filenames associated with malware/botnet command-and-control panels and dropped PHP files. Helps locate C2 panels and backdoor artifacts on compromised servers.

Common application method/action names (add, admin, auth, change, delete, etc.) for fuzzing hidden business-logic endpoints, RPC methods, and undocumented actions.

Large cross-platform list of CGI scripts and known-vulnerable CGI request paths for fuzzing inside cgi-bin and script directories. Includes legacy CGI exploits and traversal probes.

Windows-specific CGI executables and known-vulnerable script paths (cart32.exe, cmd.exe probes, fpsrvadm.exe) for fuzzing IIS-style cgi/scripts directories.

Common REST/API resource names and action verbs (account, balance, block, change, check) for fuzzing API endpoints and method names. Useful for discovering undocumented API routes.

CRLF injection payloads for HTTP response splitting and header injection using encoded carriage-return/line-feed sequences, UTF-7 XSS, and Content-Type smuggling.

Alternate PHP file extensions and casing/null-byte/trailing-char variants (phtml, php3, pHp%00, etc.) for bypassing upload filters to achieve code execution.

Format-string attack payloads combining printf-style conversion specifiers (%s, %p, %x, %n) in long repeating sequences to probe for format-string vulnerabilities and memory disclosure.

Predictable paths exposed by Microsoft FrontPage Server Extensions, including author/admin DLLs, .pwd credential files and _fpclass artifacts. Useful for legacy IIS/FrontPage fingerprinting.

HTTP request methods including standard verbs and WebDAV/extension methods for testing method-based access control bypasses and verb tampering.

Boundary integer values (signed/unsigned 32-bit limits in decimal and hex) for testing integer-overflow and off-by-one conditions in numeric parameters.

Malformed and edge-case JSON documents (null bytes, nested arrays, prototype/class pollution keys, oversized structures) for stress-testing JSON parsers and API endpoints.

Broad general-purpose list of common web directory names for brute-force content discovery across any web server. A catch-all directory wordlist covering numbers, admin areas and typical app folders.

LDAP injection metacharacters and filter-breakout payloads in both raw and URL-encoded forms, including wildcard and objectClass enumeration filters.

Common login and administration page filenames across multiple languages and extensions (asp, aspx, cfm, jsp, php, pl, py, rb). Ideal for quickly locating authentication endpoints.

Predictable .nsf databases and adm-bin executables exposed by IBM Lotus Notes/Domino servers. Targets sensitive databases and admin interfaces during discovery.

MongoDB NoSQL injection payloads using $where JavaScript evaluation, $ne/$or operators, and regex match tricks to bypass auth and extract data.

Microsoft SQL Server injection detection payloads including comment terminators, xp_cmdshell probes, and UNION-based @@version disclosure tests.

Short set of MySQL-oriented SQL injection detection strings using boolean and quote-breakout tests to fingerprint injectable parameters.

Many encodings of the null byte (%00, \0, \x00, \u0000, etc.) for testing null-byte injection, string truncation, and filter-bypass conditions.

Templated open-redirect query strings and path variants (url=, next=, schemeless //, encoded slashes) with a {target} placeholder for the attacker-controlled destination host.

Oracle-specific SQL injection detection and out-of-band payloads leveraging utl_http, utl_inaddr.get_host_address, and SYS catalog queries for error-based and exfiltration testing.

Templated OS command injection prefixes/separators using a {cmd} placeholder, covering shell delimiters, redirects, and CRLF-encoded breakouts. Substitute your command into the template before fuzzing.

Predictable locations of password and credential files such as htpasswd, passwd, secring and config.php. Targets exposed secrets during web content discovery.

Directory-traversal payloads up to 8 levels deep using exotic and mixed encodings (hex, URL, double-encoded, slash/backslash variants) with a {FILE} placeholder for the target file.

PHP magic-hash strings that hash to 0e... patterns, exploiting loose (==) type-juggling comparisons to bypass authentication and hash checks.

Exhaustive list of predictable file and directory paths for the PHP-Nuke CMS, including admin scripts, modules, blocks and language files. Useful for fingerprinting and content discovery on PHP-Nuke installs.

Server-Side Includes (SSI) injection directives (#config, #echo, #exec, #include) for testing SSI processing and information disclosure on web servers.

Predictable servlets, JSP sample apps and admin endpoints for Sun Application Server and GlassFish. Helps fingerprint and discover content on these Java app servers.

Unix hidden dotfiles commonly exposed via misconfigured web roots, including .bash_history, .htaccess, .ssh and .DS_Store. Some entries also probe for known dotfile-related vulnerabilities.

Filenames commonly used by uploaded web shells and backdoors, plus sensitive config files attackers target. Useful for detecting compromised hosts or discovering planted backdoors.

List of Windows shell command names useful for testing command-injection sinks and validating remote code execution on Windows targets.

XML attack payloads including XXE external-entity file reads (/etc/passwd, boot.ini, /dev/random DoS), CDATA-wrapped SQLi/XSS, and MS data-island injections.

XPath injection payloads using boolean tautologies, node-count expressions, and name() probes to bypass authentication and enumerate XML document structure.

Ashar Javed's XSS polyglot and its component fragments wrapped in many HTML contexts (input, img, a, math, iframe, style, textarea) to fire across multiple injection points at once.

Cross-browser XSS payloads abusing custom URI scheme handlers (aim:, firefoxurl:, navigatorurl:, res:) to achieve script execution or local command launch.

Time-based blind SQL injection payloads using sleep() and WAITFOR DELAY across multiple quoting and parenthesis contexts. Designed for inference attacks where no error output is returned.

Database-agnostic SQL injection probes mixing error-based, boolean, time-based and stacked-query payloads. A solid general-purpose detection list for unknown back ends.

The full German-language common password corpus, the complete frequency-ranked set behind the top-N German tiers.

The 10,000 most common German-language passwords ordered by frequency. Useful for targeting German-speaking users and DACH-region accounts.

Top 1,000,000 German-language passwords ranked by frequency, useful for targeting German-speaking user populations (e.g. passwort, schalke04).

GitHub search dorks targeting leaked API keys, credentials, and config files in public source-code repositories.

GitLab admin and instance endpoints (admin/application_settings, audit_events, deploy_keys) for enumerating self-hosted GitLab servers.

Grafana admin and API endpoints (admin/users, api/datasources, api/dashboards) for enumerating Grafana dashboards and settings.

Common GraphQL endpoint and IDE paths (graphql, graphiql, altair, playground) for locating GraphQL interfaces.

Top 150 most common Greek-language passwords from the Pwdb dataset. Useful for locale-specific attacks against Greek targets.

Passwords leaked from a Hak5 forum breach. A compact real-world leak list useful for testing and supplementing larger lists.

HashiCorp Consul HTTP API endpoints for discovering exposed service-mesh, KV-store, and agent management interfaces.

Top 150 most common Hebrew-locale passwords from the Pwdb dataset. Useful for credential guessing against Israeli/Hebrew-speaking users.

Username,password pairs captured by the Heralding honeypot in 2019. Represents what automated attackers actually try in the wild.

Top 150 most common Hindi/India-region passwords from the Pwdb dataset. Useful for locale-aware attacks against Indian targets.

Passwords captured by honeypot/honeynet sensors observing real attacker login attempts. Great for default and bot-targeted credentials.

Passwords captured across multiple honeypot sensors (fabian-fingerle.de), reflecting what real automated attackers try. Strong for bot/default-credential and SSH brute-force simulation.

Usernames actually observed in live honeypot login attempts, aggregated from multiple sources by fabian-fingerle.de. Reflects real-world attacker username guesses against exposed services.

Passwords from the 2009 Hotmail phishing leak, skewed toward Spanish-speaking users. Useful for real-world email-account password cracking.

Burp Param Miner wordlist of lowercase HTTP header names, for header injection, hidden-header discovery, Host-header attacks, CORS and cache-poisoning testing.

List of HTTP request methods/verbs including WebDAV and uncommon verbs, useful for HTTP verb tampering, method-based access-control bypass, and 403/405 testing.

Default passwords shipped on Huawei routers and ONT/HGW gateways. Vendor-specific list for Huawei device login testing.

Top 150 most common Hungarian-language passwords from the Pwdb dataset. Useful for locale-specific attacks against Hungarian targets.

Default user:password pairs for IBM DB2 instances (db2inst1, db2admin, dasusr1, etc.). Targets out-of-the-box DB2 service accounts.

IBM Lotus Domino .nsf database files (names.nsf, admin4.nsf, log.nsf, webadmin.nsf) for enumerating exposed Domino databases.

IBM WebSphere Application Server endpoints, servlet patterns and sample-application paths (.do, .jsp, services/*, WSDL). Useful for enumerating WebSphere admin and sample app surfaces.

Microsoft IIS-specific paths, sample ASP applications, and classic directory traversal payloads. Targeted for enumerating Windows/IIS web servers.

Top 150 most common Indonesian-language passwords from the Pwdb dataset. Useful for locale-aware attacks against Indonesian targets.

The 150 most common Italian-language passwords derived from the Pwdb dataset, including football clubs and Italian first names. A fast quick-hit list for Italian targets.

A region-focused subdomain wordlist of 20,000 hostnames commonly seen on Italian organizations' DNS, useful for localized subdomain brute-forcing.

J2EE WEB-INF and META-INF descriptor files (web.xml, jboss-app.xml, ejb-jar.xml) for probing exposed Java EE deployment internals.

Top 150 most common Japanese-locale passwords from the Pwdb dataset. Useful for credential guessing against Japanese users.

JBoss/WildFly administrative endpoints such as jmx-console, web-console, and the JMXInvokerServlet used to enumerate JBoss application servers.

Jenkins/Hudson CI endpoints (script console, cli, configure, credentials, asynchPeople) for discovering Jenkins management interfaces.

The classic default wordlist shipped with the John the Ripper password cracker. A small, fast list of common passwords and dictionary words.

List of Joomla component paths under components/com_*. Useful for enumerating installed Joomla extensions during CMS assessments.

Malformed and edge-case JSON bodies for fuzzing JSON parsers and API endpoints, including null bytes, type confusion and nested structures. For robustness and injection testing of JSON APIs.

Real-world JSONP callback endpoints (Google, Yandex, VK, etc.) abusable for whitelisted-domain XSS, CORS/CSP bypass and script-source smuggling.

Generated keyboard-walk patterns (e.g. zaq1xsw2). Targets passwords built from adjacent-key sequences on the keyboard.

Keycloak identity and access management admin/realm endpoints for enumerating realms, clients, users, and role mappings.

Kubernetes API server endpoints (api, apis, version, healthz, metrics) for probing exposed kube-apiserver and kubelet interfaces.

Common Laravel framework file and directory paths (bootstrap, routes, config, artisan, .env.example) expanded across path depths. Useful for fingerprinting Laravel applications and spotting exposed config or environment files.

Active Directory LDAP attribute names (accountExpires, member, userPrincipalName, etc.) for LDAP enumeration and injection fuzzing.

Active Directory LDAP object class names (account, group, user, organizationalUnit, etc.) for schema enumeration and LDAP fuzzing.

LDAP injection metacharacters and filter payloads (both raw and URL-encoded) such as wildcard objectclass/mail filters. For testing directory-backed authentication and search.

OpenLDAP attribute names for directory enumeration and LDAP query/injection fuzzing against OpenLDAP-backed services.

Local file inclusion target paths with a %00 null-byte appended to bypass extension-appending filters in vulnerable include() handlers.

Local File Inclusion payloads targeting both Linux and Windows log and config files with traversal and null-byte variants.

A broad catalog of interesting Linux files to target via Local File Inclusion, from config files to credential stores. Ideal for enumerating readable files through an LFI sink.

Local File Inclusion path-to-test payloads bundled from LFISuite, covering common Unix/Linux files and PHP wrapper/proc tricks. Useful for parameter fuzzing to detect file disclosure.

Jhaddix's curated Local File Inclusion and path-traversal payloads (encoded /etc/passwd, boot.ini, and more). Feed into a fuzzer's parameter position to test for LFI and directory traversal.

Large list of sensitive Windows absolute file paths (logs, config, registry hives) for Local File Inclusion and path traversal testing.

Liferay DXP control-panel portlet management URLs (group/control_panel/manage?p_p_id=...). Useful for enumerating default portlets reachable on a Liferay DXP portal.

Passwords from the leaked Lizard Squad LizardStresser booter-service database. A snapshot of passwords chosen by users of a DDoS-for-hire platform.

Authentication-bypass payloads combining SQL injection, default credentials and logic tricks to fuzz login forms.

Magento e-commerce file and directory map (skin, media, app, includes, downloader) for enumerating Magento store installations.

Top 1000 most common US male first names. Useful for generating username candidates and for password-spray / AD account enumeration in first-name-based naming conventions.

Strings for finding backdoor shells, rootkits and dangerous PHP functions (system, eval, base64_decode) in source or responses during detection scans.

A large dictionary of plaintext passwords recovered by the md5decrypter.co.uk service, useful for MD5 and general hash cracking.

Special characters and metacharacter sequences (XML entities, format specifiers, null markers, broken markup) for general input-handling and injection fuzzing. A grab-bag for triggering parser errors.

MongoDB-specific NoSQL injection payloads using $where, $ne, $or operators and JavaScript evaluation, for authentication bypass and blind extraction.

Minimal list of the most common executable web extensions (php, asp, jsp variants) for quick fuzzing.

A large list of the most popular alphabetic/symbol-prefixed password strings. Useful as a broad supplemental dictionary for offline cracking.

Default user:password combinations for Microsoft SQL Server, including many sa-account defaults from shipped applications. Ideal for credential testing against exposed MSSQL instances.

Microsoft SQL Server specific injection payloads including xp_cmdshell execution, login/role creation and version disclosure unions. Targets back ends confirmed to be MSSQL.

Microsoft SQL Server account names observed in the Nansh0u campaign analyzed by Guardicore. A short, high-signal list of service accounts targeted against exposed MSSQL instances.

Passwords recovered from the breach of the muslimMatch dating site, containing many Islamic and Arabic-themed terms. Useful for community-specific password profiling.

Passwords from the MySpace breach, notable for trailing-digit patterns (e.g. name1). Useful for studying complexity-policy workarounds.

Default user:password combinations for MySQL/MariaDB, mostly root-account defaults shipped by appliances and applications. Drop-in for credential testing against exposed MySQL services.

The 3-million-entry 'huge' variant of n0kovo's subdomain wordlist, built from billions of observed DNS names and frequency-ranked. Designed for mass DNS brute-forcing with puredns.

The 500k-entry 'medium' variant of n0kovo's frequency-ranked subdomain wordlist, a balanced choice between coverage and speed for DNS brute-forcing.

The UK National Cyber Security Centre's list of the 100,000 most-breached passwords (from Have I Been Pwned). Excellent broad coverage of real-world weak passwords.

Passwords from a NordVPN credential-stuffing leak. Real user passwords useful as a small supplementary list.

Top 150 most common Norwegian-language passwords from the Pwdb dataset. Good for targeting Norwegian users in regional engagements.

NoSQL (primarily MongoDB) injection payloads using $where, $ne, $or operators and JavaScript match() expressions. For testing document databases and JSON APIs.

MongoDB/NoSQL injection payloads using $where, $ne, and $or operators to bypass auth and extract data.

The 'short' build of OneListForAll, a de-duplicated mega-merge of many fuzzing/content wordlists (SecLists, assetnote, fuzzdb and more) for one-shot web content discovery.

Open-redirect payloads using URL-encoding, backslash and slash-prefix tricks to bypass redirect validation and reach attacker domains.

Open redirect bypass payloads using whitelist-evasion tricks (@ tricks, encoded slashes, double slashes) against a placeholder whitelisteddomain.tld. Designed for fuzzing redirect/return-url parameters.

OpenCart shopping-cart file and directory paths expanded across all path depths, generated by Trickest from the OpenCart source tree. Useful for enumerating OpenCart admin models, catalog files and storefront structure.

The merged all-languages Openwall wordlist, a large multilingual dictionary historically distributed by the Openwall/John the Ripper project.

OpenWrt LuCI web-interface admin endpoints (cgi-bin/luci/admin/*) for discovering and enumerating OpenWrt router management surfaces.

Operating system and distribution names for fuzzing user-agent, banner, and platform-identification parameters.

Administration and management paths (admin-serv, admpw, dsgw) for Oracle/Sun iPlanet (Netscape) web servers.

Servlet and example endpoint names exposed by Oracle 9i Application Server for fingerprinting and discovery.

Oracle Application Server admin, servlet and console paths (BPELConsole, EMDServlet, isqlplus, etc.) for enumerating Oracle middleware.

Extensive list of default user:password combinations for Oracle Database, including SYSTEM and application-account defaults. Ideal for credential testing against Oracle TNS listeners.

Oracle E-Business Suite (OA_HTML, _pages, admin) endpoint wordlist for enumerating Oracle EBS web deployments.

Oracle-specific SQL injection payloads leveraging UTL_HTTP, UTL_INADDR out-of-band exfiltration and PL/SQL constructs. For probing Oracle DB back ends.

Oracle WebLogic console, deployment, and servlet paths for enumerating WebLogic application servers and admin interfaces.

The classic Phenoelit default-password database of vendor user:password pairs covering hundreds of networking and embedded devices. Long-standing reference set for default-credential testing.

PHP convert.iconv filter chain segments used in php://filter LFI-to-RCE and blind file-read oracle attacks against PHP wrappers.

Magic-hash strings that evaluate as loose-equal in PHP type juggling, used to bypass weak == hash comparisons.

PHP magic method names (__wakeup, __destruct, __toString, etc.) for PHP object injection / insecure deserialization gadget hunting and source-code review.

Passwords from the phpBB forum breach. A solid mid-size real-world leak list for general cracking.

phpBB forum software file and directory paths expanded across all path depths, generated by Trickest from the phpBB source tree. Useful for enumerating phpBB board files, config and administration paths.

A roughly one-million-entry list of common Polish-language passwords, including Polish names and words like polska and misiek. Useful for cracking Polish-user accounts.

Top 150 most common Portuguese and Brazilian-Portuguese passwords from the Pwdb dataset. Ideal for engagements involving Portugal or Brazil.

Default user:password combinations for PostgreSQL, covering common postgres and admin account defaults. Drop-in for credential testing against exposed Postgres services.

PostgreSQL information-disclosure SELECT statements for enumerating version, current user/database and server settings once injection is confirmed. Useful post-detection on Postgres back ends.

Comprehensive PrestaShop e-commerce file and directory paths expanded across all path depths, generated by Trickest from the PrestaShop source tree. Useful for fingerprinting and enumerating PrestaShop installations and admin controllers.

Sample from Berzerk0's Probable-Wordlists project, ordered by real-world frequency. Use as an efficient mid-size general-purpose list.

The top 1,575 entries from the Probable-Wordlists v2 frequency-ranked dataset. A fast, high-hit-rate tier for online guessing and quick offline runs.

The Top 304 Thousand tier of berzerk0's Probable-Wordlists v2, statistically ranked from billions of real leaked passwords for high hit-rate cracking.

Prometheus and Alertmanager API endpoints (api/v1/query, targets, alerts, admin/tsdb) for probing exposed monitoring backends.

Common locations and filename mutations for proxy auto-configuration (.pac, proxy.pac) files exposed on web servers.

Pulse Secure / Ivanti Connect Secure VPN endpoints (dana-admin, dana-na, hc.cgi) for enumerating Pulse Secure appliances.

The top 1,000,000 passwords from the Pwdb aggregated breach dataset, ranked by real-world frequency across many leaks.

The top 10,000,000 passwords from the Pwdb aggregated breach dataset. One of the largest frequency-ranked plaintext password lists in SecLists.

The top 100,000 passwords from the Pwdb aggregated leak dataset, ranked by frequency. A solid mid-size general-purpose cracking list.

Top 10,000 entries from the Pwdb (passwords database) project, ranked by occurrence across many breaches. Strong general list.

A short, high-signal set of SQL injection test strings (quotes, OR-based auth bypasses). Use for a fast first-pass SQLi check on input parameters and login forms.

A curated list of high-signal paths likely to reveal sensitive files such as dotfiles, backups, config files, and admin panels. Great for a rapid, high-value first pass.

RAFT-project directory names ranked by frequency from real web crawls. Excellent for discovering app directories (CMS, admin, framework paths) during web enumeration.

Large RAFT-derived list of file extensions ordered by frequency for thorough extension brute-forcing.

Lowercase-normalized variant of the large RAFT extension list for case-insensitive targets.

RAFT-project filenames ranked by frequency, including script and config files. Pair with an extension filter to hunt for specific files (login.php, xmlrpc.php, etc.) on a target.

Frequency-ranked directory names from the RAFT project, with broader coverage than the small list. A balanced choice for thorough directory brute-forcing.

Medium-sized RAFT file-extension list balancing coverage and speed for extension fuzzing.

Frequency-ranked file names from the RAFT project with broader coverage than the small list. Good for enumerating files when directories are already known.

Frequency-ranked raw words from the RAFT project with broader coverage, designed for fuzzing with user-supplied extensions for both files and directories.

Frequency-ranked list of directory names derived from the RAFT research project. The small variant prioritizes the most common directories for quick discovery sweeps.

Small RAFT file-extension list for fast scans focused on the most common extensions.

Frequency-ranked list of file names (with extensions) from the RAFT project. The small variant focuses on the most common files for fast content discovery.

Frequency-ranked raw words (no fixed extension) from the RAFT project, ideal for fuzzing both files and directories with custom extensions appended.

ISO-style country codes for fuzzing locale, region, and country parameters in web applications and APIs.

Paths harvested from Disallow directives across the most popular sites' robots.txt files, ranked by frequency. These paths often point to sensitive or interesting content site owners intended to hide.

A larger RockYou subset (65% frequency tier) with broader coverage than rockyou-50 while staying far smaller than the full list.

A trimmed subset of the classic RockYou breach list (entries up to 75 chars). The go-to starter password list for offline hash cracking and credential brute-forcing when the full rockyou.txt is too large.

File and directory paths from the Roundcube 1.2.3 webmail application, covering bin scripts, config, plugins and skins. Useful for fingerprinting and enumerating Roundcube webmail installations.

Deduplicated union of all default usernames and passwords from SecLists' per-vendor router collection. A single combined wordlist for spraying default logins across consumer/ISP routers.

Common Ruby on Rails application file and directory paths (Gemfile, Rakefile, app/controllers, config, sign-in endpoints). Useful for fingerprinting Rails apps and locating exposed framework files.

The 150 most common Russian-user passwords from the Pwdb dataset, including keyboard walks adapted to Russian keyboards. A fast quick-hit list for Russian targets.

Salesforce Aura/Lightning object names for enumerating exposed Aura endpoints and probing object-level access controls.

Standard SAP service and administrative account names (DDIC, SAP*, EARLYWATCH, etc.) shipped with SAP systems. Ideal for targeting SAP NetWeaver and related enterprise deployments.

SAP NetWeaver web application paths and service endpoints (Adobe Document Services, config and WSDL endpoints). Useful for enumerating exposed SAP NetWeaver Java services and admin interfaces.

SCADA StrangeLove list of default and hardcoded credentials for ICS/SCADA devices (PLCs, controllers, industrial routers), with vendor, device, port and source columns. Reference and credential source for industrial-control assessments.

Season-based passwords (Spring/Summer/Fall/Winter) with leet and suffix variations. Highly effective against corporate 90-day rotation passwords.

The dirb 'big' list, a larger alphabetically-sorted set of web paths. Use for more comprehensive content discovery than common.txt without the heavy size of directory-list-2.3-medium.

SecLists' de-duplicated merge of many directory wordlists into a single ordered directory-discovery list. A strong general-purpose directory brute-force list.

SecLists' merged and de-duplicated subdomain wordlist combining multiple sources for DNS brute-forcing and subdomain enumeration.

SecLists' merged and de-duplicated wordlist of file/word entries (including dotfiles and VCS paths) for content discovery against web servers.

The classic dirb 'common' list of frequently found web files and directories. The standard quick-pass wordlist for initial web content discovery on any target.

A large general-purpose DNS subdomain wordlist (the classic fierce/DNS brute namelist). Use for exhaustive subdomain enumeration when the top-5000 list is not enough.

Jason Haddix's massive all.txt subdomain brute-force wordlist, a classic for DNS enumeration and recon during bug bounty work. Contains millions of candidate subdomain labels.

A large list of human first names, useful for generating or guessing username accounts. Use when targets use firstname-based logins or for building username permutations.

Directory names mined from real-world source repositories by the SVNDigger project, covering frameworks, CMS internals and common app folders. A high-signal directory discovery list.

Comprehensive SVNDigger wordlist of file and directory names harvested from public source repositories. A large, real-world web content discovery list spanning many languages and frameworks.

A tiny, high-value list of the most common service and admin usernames. Perfect as the username side of a credential brute-force or password spray against SSH, FTP, and web logins.

Common family surnames for answering 'mother's maiden name' security questions and seeding name-based credential guesses.

Named colors (HTML color list) for answering 'What is your favorite color?' security questions during account recovery.

Street names for guessing 'What street did you grow up on?' security-question answers in account-recovery attacks.

World city names for guessing 'What city were you born in?' style security-question answers and password-reset flows.

A focused 1,419-entry list of common service- and application-oriented subdomain names (api, graphql, admin, staging, etc.). Ideal for quickly surfacing modern app and API hosts.

Microsoft SharePoint-specific paths including _layouts, _catalogs, and _admin endpoints. Targeted for enumerating SharePoint deployments.

A 64,721-entry subdomain wordlist by Shubham Shah derived from StackOverflow data, rich in user- and project-style host names. Useful for catching unconventional, human-generated subdomains.

Shubham Shah's (assetnote) curated 484,699-entry subdomain wordlist built from bug-bounty resolution data. A go-to list for deep, real-world subdomain discovery.

Plaintext passwords from the breach of the Christian dating site singles.org, heavy on faith-themed words. Great for themed password cracking and dictionary attacks.

SkullSecurity buffer/boundary fuzzing notation ("A" x N repeat counts and format-string specifiers) for overflow and length-handling tests.

The onesixtyone-formatted variant of the large SecLists SNMP community-string list, ready to feed directly into the onesixtyone scanner.

The comprehensive SecLists SNMP community-string wordlist (~3,200 entries) for guessing read/write community strings on SNMP-enabled devices.

A deduplicated, sorted merge of the default wordlists from Knock, DNSRecon, Fierce and Recon-ng. Consolidates several tool defaults into one 102,582-entry list.

A large combined list of common Spanish-language usernames and passwords. Useful for credential-spraying Spanish and Latin American accounts.

A minimal one-per-line list of special/punctuation characters for single-character injection and boundary fuzzing. Useful for quickly probing which metacharacters a field rejects or mishandles.

Special/metacharacters paired with their URL-encoded forms, for fuzzing input filters, WAF bypass and detecting improper decoding.

Spring Boot Actuator management endpoint paths (env, heapdump, jolokia, etc.) for discovering exposed admin/management interfaces leading to info disclosure and RCE.

Spring Boot Actuator endpoints (env, heapdump, beans, mappings, health) for enumerating exposed actuator interfaces on Java apps.

SQL injection strings crafted to bypass login authentication by tampering with WHERE-clause logic.

Generic UNION SELECT payloads with varying column counts for extracting data via union-based SQL injection.

Generic error-based SQL injection probe strings (OR/AND boolean conditions, HAVING, quote-escaping) used to trigger and detect SQL errors across DB engines.

Compact SQL injection polyglot payloads that trigger in multiple contexts (single/double quote, time-based) across MySQL with a single string.

Common SSH default credentials in user:pass form. Feed directly to tools that accept combined credential lists for SSH brute-forcing.

Server-Side Includes (SSI) and Edge-Side Includes (ESI) injection payloads using #echo, #config, #exec directives for variable disclosure and command execution.

Server-Side Template Injection probes for many engines (Jinja2, Twig, Freemarker, ERB, Velocity and more), from simple math markers to object-introspection chains. For detecting and exploiting template injection.

A 5,370-entry list of Spanish-language subdomain labels for targeting Spanish and Latin American infrastructure. A useful regional supplement to English-centric lists.

The 110,000 most common subdomain labels from the Rapid7 Sonar 'top 1 million' DNS dataset. A deeper enumeration list that balances coverage and runtime.

The 20,000 most common subdomain labels derived from the Rapid7 Sonar 'top 1 million' DNS dataset. A fast, high-signal list for everyday subdomain brute-forcing.

The 5,000 most common subdomain labels derived from a million-entry corpus. The default fast list for DNS subdomain brute-forcing (gobuster dns / ffuf vhost).

The large subbrute names list (~129k entries) used by Sublist3r for DNS subdomain brute-forcing, suitable for comprehensive enumeration sweeps.

Swagger and OpenAPI documentation endpoints (api-docs, swagger-ui, openapi.json, _wadl) for discovering exposed API specs and UIs.

Top 150 most common Swedish-language passwords from the Pwdb dataset. Useful for locale-aware credential attacks against Swedish targets.

File and directory paths from a Symfony 3.1.5 demo application, covering app config, kernel, cache and bundle layout. Useful for fingerprinting Symfony installations and locating exposed config files.

Curated user:password default-credential pairs for Telnet-exposed devices and appliances. Ideal for spraying default logins against Telnet services on IoT and embedded gear.

Polyglot template-injection expressions (42*42) spanning Jinja, Twig, Freemarker, ERB, Smarty and others to detect server-side template injection by the 1764 result.

Default user:password combinations for Apache Tomcat Manager and related admin accounts. Ideal for testing exposed Tomcat /manager interfaces with HTTP-auth brute-force tools.

The 20 passwords most frequently tried against SSH services by automated bots and scanners. Ideal for quick, low-noise online SSH brute-force checks.

A list of TLDs and public suffixes (each prefixed with a dot) for horizontal domain enumeration and TLD-sweeping across an organization's apex domains.

Subdomain labels harvested from Trickest's continuous inventory of public bug-bounty programs. A high-signal real-world subdomain brute-force list.