:keyboard: Wordlists, Dictionaries and Other Data Sets for Writing Software Security Test Cases



| Folder Name | Description of Contents |
|-------------|-------------------------|
| cors-bot-code | CORS test bot that passes `X-Requested-With` and `X-Request` headers, from http://xssor.io/s/payload/iamanewbotnamedcorsbot.txt |
| dom-xss-points | Points in the DOM where XSS attacks are likely to take place |
| ecmascript-attack-vectors | ECMAScript attack vectors from https://github.com/google/caja/wiki/AttackVectors |
| gnucitizen-attackapi-payloads | gnucitizen.org AttackAPI payloads from http://xssor.io/s/payload/attackapi.txt |
| html-png-polyglot | Another file with HTML/CSS/JS code that is also a valid PNG |
| html5sec-attack-vectors | `vectors.txt` file from the HTML5 Security Cheatsheet GitHub repository |
| joomla-components-targeted | List of Joomla components vulnerable to LFI that were targeted on a honeypot, from http://tacticalwebappsec.blogspot.com/2011/11/mass-joomla-component-lfi-attacks.html |
| local-file-includes | Locations of files that are typically requested in LFI attack queries |
| mongodb-nosql-injection | NoSQL injection wordlists for MongoDB (`nosqlinjection_wordlists`) |
| mssql-injection-strings | SQL injection attack strings specific to Microsoft SQL Server |
| png-html-polyglot | A PNG image file that also contains HTML, CSS and JavaScript |
| portswigger-attack-definitions | PortSwigger attack definitions from https://portswigger.net/kb/issues |
| script-tag-encodings | A list of various web encodings for the string `<script>` |
| vulnerability-rating-taxonomy | Bugcrowd Vulnerability Rating Taxonomy JSON via https://github.com/bugcrowd/vulnerability-rating-taxonomy |
| wapples-vseries-rules | WAPPLES V-Series virtual WAF rules from https://www.pentasecurity.co.kr/wp-content/uploads/2018/01/WAPPLES-V-Series-whitepaper.pdf |
| webapp-attack-strings | Various HTTP GET query strings that represent attacks |
| webapp-charset-attacks | Character set strings to test a web server's content negotiation behavior |
| webapp-code-execution | HTTP GET queries that may result in remote code execution |
| webapp-pentest-checklist | Checklist for web application penetration testing from https://hackercombat.com/web-application-penetration-testing-checklist |
| webapp-sql-injection | RDBMS query fragments for SQL injection testing |
| webapp-xss-scripts | JavaScript code fragments for testing Cross-Site Scripting |
| whitehat-top40vulns-list | WhiteHat Security Top 40 Vulnerabilities List via https://whitehatsec.com/faq/content/top-vulnerabilities-list |
| wordpress-plugin-vulns | List of WordPress plugins, with versions, that have publicly known vulnerabilities |
| xml-vulns-attacks | Sample attack syntaxes that exploit common XML vulnerabilities |
| xss-bypass-filter | XSS filter-bypass payloads (rvrsh3ll) |
| xss-payloads-misc | Miscellaneous XSS payloads from http://xssor.io/s/payload/xssmisc.txt |
| xss-vectors-zephrfish | `XSS Vectors.txt` from the ZephrFish user on GitHub |
| xxe-attack-payloads | XML eXternal Entity (XXE) attack payloads |
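The folders above are one-payload-per-line text files, which is the shape a test harness wants: load the file, feed every line to the function under test, and let an oracle decide whether the output is still dangerous. The following is an added example of that pattern and is not code from this repository; the embedded wordlist is a constructed sample in the same format as the XSS folders (not copied from them), and `naive_sanitize`, `escape_sanitize`, `leaks_markup` and `run_cases` are hypothetical names chosen for the illustration. It pits a deliberately weak tag-stripping sanitizer against an HTML-escaping one, so the nested `<scr<script>ipt>` case shows why a single-pass strip is not a fix.

```python
from __future__ import annotations

import html
import re
from typing import Callable, Iterable, List, Tuple

# Constructed sample in the wordlist format used here: one payload per line,
# blank lines and '#' comments ignored. Not taken from the repository's files.
SAMPLE_WORDLIST = """\
# XSS payloads (constructed sample for the harness)
<script>alert(1)</script>
<ScRiPt>alert(1)</ScRiPt>
<scr<script>ipt>alert(1)</script>
<img src=x onerror=alert(1)>
"><svg/onload=alert(1)>
"""


def load_wordlist(text: str) -> List[str]:
    """Turn a wordlist file body into payloads, dropping blanks and comments.

    In real use, pass open(path, encoding="utf-8", errors="replace").read();
    payloads are kept byte-for-byte apart from the trailing newline, because
    leading/trailing whitespace is sometimes part of the attack vector.
    """
    payloads = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        payloads.append(line)
    return payloads


# Function under test, deliberately weak (hypothetical): removes <script> and
# </script> tags in a single regex pass. Removing a match can splice two
# fragments into a new tag that the pass never sees.
def naive_sanitize(s: str) -> str:
    return re.sub(r"<\s*/?\s*script\s*>", "", s, flags=re.IGNORECASE)


# Hardened counterpart (hypothetical): encode instead of strip, so no '<'
# survives at all and the browser cannot start a tag.
def escape_sanitize(s: str) -> str:
    return html.escape(s, quote=True)


# Oracle: a '<' (optionally '/') followed by a letter is enough for an HTML
# parser to open a tag, so any such sequence in the output counts as a leak.
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def leaks_markup(output: str) -> bool:
    return TAG_RE.search(output) is not None


def run_cases(
    payloads: Iterable[str],
    sanitizer: Callable[[str], str],
    oracle: Callable[[str], bool] = leaks_markup,
) -> List[Tuple[str, str]]:
    """Run every payload through the sanitizer; return (payload, output) pairs
    that the oracle still flags, so a failing test can show exactly which
    wordlist entry got through."""
    failures = []
    for payload in payloads:
        out = sanitizer(payload)
        if oracle(out):
            failures.append((payload, out))
    return failures


if __name__ == "__main__":
    cases = load_wordlist(SAMPLE_WORDLIST)
    for name, fn in (("naive_sanitize", naive_sanitize), ("escape_sanitize", escape_sanitize)):
        bad = run_cases(cases, fn)
        print(f"{name}: {len(bad)} of {len(cases)} payloads leaked")
        for payload, out in bad:
            print(f"  {payload!r} -> {out!r}")
```

Wire this into a test suite by parametrizing over `load_wordlist(...)` for each folder you care about and asserting `run_cases(...) == []`; the returned pairs make the failure message point at the exact line of the wordlist that slipped through, which is more useful than a bare boolean.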