SecLists/README.md

![seclists.png](https://danielmiessler.com/images/seclists-long.png "seclists.png")

# About

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.

This project is maintained by [Daniel Miessler](http://www.danielmiessler.com/ "Daniel Miessler") and [Jason Haddix](http://www.securityaegis.com "Jason Haddix").

## Contributing

If you have any ideas for things we should include, please use one of the following methods to submit them:

1. Send us pull requests
2. Create an issue in the project (right side)
3. Send us links through the issues feature, and we'll parse and incorporate them
3. Email daniel.miessler@owasp.org or jason.haddix@owasp.org with content to add

Significant effort is made to give attribution for these lists whenever possible, and if you are a list owner or know who the original author/curator is, please let us know so we can give proper credit.

### Attribution

- Adam Muntner and for the FuzzDB content, including all authors from the FuzzDB project (https://github.com/fuzzdb-project/fuzzdb)
- Ron Bowes of SkullSecurity for collaborating and including all his lists here (https://wiki.skullsecurity.org/Passwords)
- Clarkson University for their research that led to the Clarkson list
- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us
- Ferruh Mavitina for the beginnings of the LFI Fuzz list
- Kevin Johnson for laudnaum shells (https://sourceforge.net/projects/laudanum/)
- RSnake for fierce hostname list
- Charlie Campbell for Spanish word list, numerous other contributions
- Rob Fuller for the IZMY list
- Mark Burnett for the 10 million passwords list
- @shipCod3 for an SSH user/pass list
- Steve Crapo for doing splitting work on a number of large lists
- Thanks to Blessen Thomas for recommending Mario's/cure53's XSS vectors
- Thanks to Danny Chrastil for submitting an anonymous JSON fuzzing list
- Many thanks to @geekspeed, @EricSB, @lukebeer, @patrickmollohan, @g0tmi1k, @albinowax, and @kurobeats for submitting via pull requests
- Special thanks to @shipcod3 for MANY contributions!
- Thanks to Samar Dhwoj Acharya for allowing his Github Dorks content to be included!
- Thanks to Liam Somerville for the excellent list of default passwords
- Great thanks to Michael Henriksen for allowing us to include his Gitrob project's signatures
- Honored to have @Brutelogic's brilliant XSS Cheatsheet added to the Fuzzing section!
- 0xsobky's Ultimate XSS Polyglot!
- @otih for bruteforce collected username and password lists
- @govolution for betterdefaultpasslist (https://github.com/govolution/betterdefaultpasslist)
- Max Woolf (@minimaxir) for **big-list-of-naughty-strings** (https://github.com/minimaxir/big-list-of-naughty-strings) [`/Fuzzing/big-list-of-naughty-strings.txt`]
- Ian Gallagher (@craSH) for **http-request-headers** [`/Miscellaneous/http-request-headers/`]
- Arvind Doraiswamy (@arvinddoraiswamy) for **numeric-fields-only** [`/Fuzzing/numeric_fields_only.txt`]
- @badibouzouk for **Domino Hunter** (https://sourceforge.net/projects/dominohunter/) [`/Discovery/Web-Content/Domino-Hunter/`]
- @coldfusion39 for **domi-owned** (https://github.com/coldfusion39/domi-owned) [`/Discovery/Web-Content/domino-*-coldfusion39.txt`]

This project stays great because of care and love from the community, and we will never forget that. If you know of a contribution that is not listed above, please let us know…

## Licensing

This project is licensed under the MIT license.

![MIT License](https://danielmiessler.com/images/mitlicense.png)

—

<sup>NOTE: Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.</sup>
README Drama. 2017-12-19 04:49:53 -08:00			`![seclists.png](https://danielmiessler.com/images/seclists-long.png "seclists.png")`
Fixed new SecLists logo again. 2016-01-21 10:00:25 -08:00
Standard commit. 2014-05-16 13:33:53 -07:00			`# About`

Updated README. 2015-08-05 07:43:01 -07:00			`SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.`
Added description clarification. 2013-07-23 12:27:52 -07:00
README Drama. 2017-12-19 04:49:53 -08:00			`This project is maintained by [Daniel Miessler](http://www.danielmiessler.com/ "Daniel Miessler") and [Jason Haddix](http://www.securityaegis.com "Jason Haddix").`
Updated README 2014-05-16 13:44:20 -07:00
Standard commit. 2014-05-16 13:33:53 -07:00			`## Contributing`

Updated README 2014-05-16 13:44:20 -07:00			`If you have any ideas for things we should include, please use one of the following methods to submit them:`

Updated README. 2015-08-05 07:42:18 -07:00			`1. Send us pull requests`
			`2. Create an issue in the project (right side)`
			`3. Send us links through the issues feature, and we'll parse and incorporate them`
Updated README 2014-05-16 13:44:20 -07:00			`3. Email daniel.miessler@owasp.org or jason.haddix@owasp.org with content to add`
Adding basic layout. 2012-02-20 17:50:41 -08:00
Updated README. 2015-08-05 07:42:18 -07:00			`Significant effort is made to give attribution for these lists whenever possible, and if you are a list owner or know who the original author/curator is, please let us know so we can give proper credit.`
Added URLs directory and READMEs. 2012-02-23 05:55:35 -08:00
Updated readme with attribution clarification. 2015-08-04 10:57:26 -07:00			`### Attribution`
Added URLs directory and READMEs. 2012-02-23 05:55:35 -08:00
README.md clean up 2018-03-05 10:30:50 +00:00			`- Adam Muntner and for the FuzzDB content, including all authors from the FuzzDB project (https://github.com/fuzzdb-project/fuzzdb)`
			`- Ron Bowes of SkullSecurity for collaborating and including all his lists here (https://wiki.skullsecurity.org/Passwords)`
Added URLs directory and READMEs. 2012-02-23 05:55:35 -08:00			`- Clarkson University for their research that led to the Clarkson list`
added attributions 2013-03-15 16:42:54 -07:00			`- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us`
Fixed typo 2016-08-07 16:24:15 +10:00			`- Ferruh Mavitina for the beginnings of the LFI Fuzz list`
README.md clean up 2018-03-05 10:30:50 +00:00			`- Kevin Johnson for laudnaum shells (https://sourceforge.net/projects/laudanum/)`
README Drama. 2017-12-19 04:49:53 -08:00			`- RSnake for fierce hostname list`
Added credit to shipcod3 2015-02-03 19:40:43 -08:00			`- Charlie Campbell for Spanish word list, numerous other contributions`
			`- Rob Fuller for the IZMY list`
Updated credits section for Mark Burnett. 2015-08-13 07:43:49 -07:00			`- Mark Burnett for the 10 million passwords list`
Added betterdefaultpasslist (Fix #143) Source: https://github.com/govolution/betterdefaultpasslist 2018-03-07 10:42:27 +00:00			`- @shipCod3 for an SSH user/pass list`
Updated credits. 2015-02-10 22:18:14 -08:00			`- Steve Crapo for doing splitting work on a number of large lists`
Updated credits. 2015-06-11 15:24:10 -07:00			`- Thanks to Blessen Thomas for recommending Mario's/cure53's XSS vectors`
Added Danny Chrastil to credits. 2015-09-08 21:20:23 -07:00			`- Thanks to Danny Chrastil for submitting an anonymous JSON fuzzing list`
README.md clean up 2018-03-05 10:30:50 +00:00			`- Many thanks to @geekspeed, @EricSB, @lukebeer, @patrickmollohan, @g0tmi1k, @albinowax, and @kurobeats for submitting via pull requests`
			`- Special thanks to @shipcod3 for MANY contributions!`
Updated credits to include Samar Dhwoj Acharya 2016-03-29 15:41:54 -07:00			`- Thanks to Samar Dhwoj Acharya for allowing his Github Dorks content to be included!`
Added Liam Somerville to the credits. 2016-06-04 23:10:04 -07:00			`- Thanks to Liam Somerville for the excellent list of default passwords`
README Drama. 2017-12-19 04:49:53 -08:00			`- Great thanks to Michael Henriksen for allowing us to include his Gitrob project's signatures`
Removed merged list taking up tons of room. 2016-07-14 18:45:42 -07:00			`- Honored to have @Brutelogic's brilliant XSS Cheatsheet added to the Fuzzing section!`
Added betterdefaultpasslist (Fix #143) Source: https://github.com/govolution/betterdefaultpasslist 2018-03-07 10:42:27 +00:00			`- 0xsobky's Ultimate XSS Polyglot!`
Quick rename 2018-03-21 16:02:59 +00:00			`- @otih for bruteforce collected username and password lists`
Added betterdefaultpasslist (Fix #143) Source: https://github.com/govolution/betterdefaultpasslist 2018-03-07 10:42:27 +00:00			`- @govolution for betterdefaultpasslist (https://github.com/govolution/betterdefaultpasslist)`
Add Domino-Hunter Source: https://sourceforge.net/projects/dominohunter/ 2018-03-21 16:57:50 +00:00			- Max Woolf (@minimaxir) for big-list-of-naughty-strings (https://github.com/minimaxir/big-list-of-naughty-strings) [`/Fuzzing/big-list-of-naughty-strings.txt`]
			- Ian Gallagher (@craSH) for http-request-headers [`/Miscellaneous/http-request-headers/`]
Update missing credit in README.md Add credits for a coworker's addition (#88) 2018-03-23 14:28:42 -07:00			- Arvind Doraiswamy (@arvinddoraiswamy) for numeric-fields-only [`/Fuzzing/numeric_fields_only.txt`]
Add Domino-Hunter Source: https://sourceforge.net/projects/dominohunter/ 2018-03-21 16:57:50 +00:00			- @badibouzouk for Domino Hunter (https://sourceforge.net/projects/dominohunter/) [`/Discovery/Web-Content/Domino-Hunter/`]
Add domi-owned Source: https://github.com/coldfusion39/domi-owned 2018-03-21 17:04:37 +00:00			- @coldfusion39 for domi-owned (https://github.com/coldfusion39/domi-owned) [`/Discovery/Web-Content/domino-*-coldfusion39.txt`]
Added URLs directory and READMEs. 2012-02-23 05:55:35 -08:00
Updated Readme credits section. 2018-04-06 04:52:17 -07:00			`This project stays great because of care and love from the community, and we will never forget that. If you know of a contribution that is not listed above, please let us know…`
README Drama. 2017-12-19 04:49:53 -08:00
			`## Licensing`

README.md clean up 2018-03-05 10:30:50 +00:00			`This project is licensed under the MIT license.`
README Drama. 2017-12-19 04:49:53 -08:00
Cleanup. 2017-12-19 05:26:21 -08:00			`![MIT License](https://danielmiessler.com/images/mitlicense.png)`

			`—`
README Drama. 2017-12-19 04:49:53 -08:00
Updated licensing. 2017-12-19 05:24:06 -08:00			`<sup>NOTE: Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.</sup>`