Repository files navigation

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.

This project is maintained byDaniel Miessler andJason Haddix.

• Adam Muntner (@amuntner) and for theFuzzDB content, including all authors from the FuzzDB project (https://github.com/fuzzdb-project/fuzzdb) [./Fuzzing/*.fuzzdb.txt]
• Ron Bowes (@iagox86) ofSkullSecurity for collaborating and including all his lists here (https://wiki.skullsecurity.org/Passwords)
• Clarkson University for their research that led to theClarkson password list [./Passwords/clarkson-university-82.txt]
• All the authors listed in the XSS with context doc, which was found on pastebin and added to by us
• Ferruh Mavituna for the beginnings of theLFI Fuzz list
• Kevin Johnson forLaudanum shells (https://sourceforge.net/projects/laudanum/) [./Web-Shells/laudanum-0.8/]
• RSnake forfierce DNS hostname list [./Discovery/DNS/fierce-hostlist.txt]
• Charlie Campbell forSpanish word list, numerous other contributions
• Rob Fuller (@mubix) for the IZMY list [./Passwords/Leaked-Databases/izmy.txt]
• Mark Burnett for the10 million passwords list
• Steve Crapo for doing splitting work on a number of large lists
• Thanks to Blessen Thomas for recommendingMario's/cure53's XSS vectors
• Thanks to Danny Chrastil for submitting an anonymousJSON fuzzing list
• Many thanks to @geekspeed, @EricSB, @lukebeer, @patrickmollohan, @g0tmi1k, @albinowax, and @kurobeats for submitting via pull requests
• Special thanks to @shipCod3 for MANY contributions and for aSSH user/pass list
• Thanks to Samar Dhwoj Acharya for allowing hisGitHub Dorks content to be included
• Thanks to Liam Somerville for the excellent list ofdefault passwords
• Great thanks to Michael Henriksen for allowing us to include hisGitrob project's signatures
• Honored to have @Brutelogic's brilliantXSS Cheatsheet added to the Fuzzing section [./Fuzzing/XSS*-BruteLogic.txt]
• 0xsobky'sUltimate XSS Polyglot [./Fuzzing/Polyglots/XSS-Polyglot-Ultimate-0xsobky.txt]
• @otih forbruteforce collected user/pass lists [./Passwords/Honeypot-Captures/multiplesources-passwords-fabian-fingerle.de.txt]
• @govolution forBetterDefaultPassList (https://github.com/govolution/betterdefaultpasslist) [./Passwords/Default-Credentials/*-betterdefaultpasslist.txt]
• Max Woolf (@minimaxir) forBig List of Naughty Strings (https://github.com/minimaxir/big-list-of-naughty-strings) [./Fuzzing/big-list-of-naughty-strings.txt]
• Ian Gallagher (@craSH) forHTTP Request Headers [./Miscellaneous/http-request-headers/]
• Arvind Doraiswamy (@arvinddoraiswamy) fornumeric-fields-only [./Fuzzing/numeric_fields_only.txt]
• @badibouzouk forDomino Hunter (https://sourceforge.net/projects/dominohunter/) [./Discovery/Web-Content/Domino-Hunter/]
• @coldfusion39 fordomi-owned (https://github.com/coldfusion39/domi-owned) [./Discovery/Web-Content/domino-*-coldfusion39.txt]
• Ella Rose (@erose1337) forsecurity-question-answers (https://github.com/erose1337/penetration_testing/tree/master/data) [./Miscellaneous/security-question-answers/]
• @D35m0nd142 forLFISuite (https://github.com/D35m0nd142/LFISuite) [./Fuzzing/LFI-LFISuite-pathtotest*.txt]

This project stays great because of care and love from the community, and we will never forget that. If you know of a contribution that is not listed above, please let us know...

SeeCONTRIBUTING.md

This project is licensed under the MIT license.

—

^{NOTE: Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.}