Wordlists, Dictionaries and Other Data Sets for Writing Software Security Test Cases

| Folder Name | Description of Contents |
| --- | --- |
| acme-challenge-paths | Path names within a /.well-known/acme-challenge/ folder |
| admin-paths-cwd | list of administrative filenames and directories that may be in the CWD (Current Working Directory) |
| admin-path-formats | format strings for pathnames to administration consoles, via https://pastebin.com/raw/JRBCYMcU |
| admin-path-names | pathnames of various admin console pages found on web servers |
| adobecq-path-names | paths to content on Adobe Experience Manager a.k.a. CQ |
| apache-james-paths | paths taken from the quick-start.html doc on http://james.apache.org |
| apache-path-names | path names commonly found under web root of an Apache install |
| apache-struts-filepaths | Path names under the webapp directories (i.e. the web root folder) found in Apache Struts release packages |
| apache-tapestry-paths | Apache Tapestry paths created from source tree |
| bbscan-request-rules | List of path names taken from the rules folder distributed with the BBScan tool |
| biomedical-porn-datasets | Locations parsed from a proxy log that ended up containing pornographic, biological and medical style paths; extracted from https://www.secrepo.com/squid/access.log.gz |
| breacher-paths-list | paths.txt file distributed with Breacher |
| cakephp-paths-list | Paths list created from the CakePHP source tree |
| coldfusion-cfmx-cfide | pathnames to admin pages on Adobe ColdFusion app server |
| common-path-names | several of the files in this folder, sorted and uniqified |
| cpan-module-paths | paths in CPAN (Comprehensive Perl Archive Network) modules |
| dirb-vulns-paths | pathnames of all vulnerabilities scanned for by the dirb tool |
| direct-web-remoting | paths for Direct Web Remoting |
| dirsearch-paths-list | dict.txt file packaged with the dirsearch tool |
| drupal-path-names | path names typically found under the web root of a Drupal install |
| falcon-jsp-paths | FalconPathScan paths with .php extensions changed to .jsp |
| falcon-path-scan | The paths.txt file distributed with FalconPathScan |
| fingerprinter-db-paths | Path names extracted from JSON data files distributed with the Fingerprinter tool https://github.com/erwanlr/Fingerprinter/tree/master/db |
| font-file-names | List of names for various OpenType and TrueType font files |
| forcepoint-ink-files | file names for scanning custom extensions |
| generic-path-names | general path names that could be used on any web server |
| github-gitignore-paths | path names parsed from .gitignore files in various GitHub repositories via scripts/make-gitignore-paths |
| httpoxyscan-cgilist-paths | cgi_list.txt |
| http301-redirect-syntax | HTTP 301 redirect syntax for various programming languages that support CGI programming. |
| ibm-bea-paths | paths for both J2EE app servers, IBM WebSphere and Oracle WebLogic |
| iis-path-names | path names commonly found under the web root of an IIS install |
| j2ee-paths-large | long list of custom created J2EE targeted path names |
| javascript-tooling-paths | The Front-end Tooling Book |
| jboss-path-names | path names often handled by the JBoss J2EE application server |
| jira-paths-list | Jira path names to test for |
| joomla-path-names | file names found in the directory hierarchy of Joomla sites |
| locale-paths-short | locale paths formatted in various manners, i.e. dash, underscore, slash, etc. |
| locale-paths-long | locale paths list identical to locale-paths-short, but also has upper-case language abbreviations and no separator |
| login-path-names | pathnames that could reference login pages on a web server |
| magento-path-names | file names often found under Magento's directory hierarchy |
| nmap-rtsp-urls | taken from nmap's nselib/data/rtsp-urls.txt |
| nodejs-paths-list | list of path names likely to be served by a NodeJS web app |
| open-door-directories | directories.dat file from Open Door |
| open-door-ignored | ignored.dat file from Open Door |
| oracle-business-intelligence | paths taken from Oracle Business Intelligence docs |
| oracle-path-names | pathnames usually served by Oracle Application Server |
| oracle-robots-text | the robots.txt file containing documentation pathnames served at http://www.oracle.com/robots.txt |
| paths-below-webinf | paths most commonly found under the WEB-INF directory |
| proxy-ssrf-paths | Paths to be used in requests that test SSRF attacks on proxies |
| quick-hit-paths | pathnames that are most likely to exist |
| restricted-paths-annotated | paths to files often in web root directories needing access control (annotated by single-line comments) |
| search-engine-settings | Search Engines |
| sharepoint-path-names | common Microsoft SharePoint path names |
| skipfish-path-names | web path names used by the skipfish web app recon tool |
| spike-proxy-words | The words file packaged with ImmunitySec SPIKE Proxy |
| top-robots-parsed | most popular entries from RobotsDisallowed repository parsed |
| top1k-robots-sitemaps | Sitemap paths from robots.txt of top 1,000 Alexa sites |
| unix-traverse-passwd | UNIX path names for directory traversing to passwd file |
| w3brute-admin-paths | administrative pathnames taken from adminPaths SQLite3 database of the w3brute tool |
| web-inf-paths | list of path names typically found under the WEB-INF directory |
| web-inf-paths | typical path names to be found under a WEB-INF folder |
| weblogic-j2ee-paths | common paths found on the J2EE WebLogic application server |
| websphere-class-path | IBM WebSphere CLASSPATH runtime environment variable |
| websphere-path-names | pathnames usually available from IBM WebSphere listeners |
| well-known-paths | Well-Known URI path names taken from IANA assignment |
| wfuzz-vulns-list | combined list of paths from the wfuzz tool's vulns folder |
| xml-sitemap-paths | Location of XML sitemap(s) as specified by sitemaps.org |