SecLists/Discovery/Web-Content

Web discovery wordlists

combined_words.txt

Use for: discovering files
This list is automatically updated by a github action whenever any of the lists it's composed by is modified.

This list is a combination of the following wordlists:

• big.txt
• common.txt
• raft-large-words-lowercase.txt
• raft-large-words.txt
• raft-medium-words-lowercase.txt
• raft-medium-words.txt
• raft-small-words-lowercase.txt
• raft-small-words.txt

combined_directories.txt

Use for: discovering files and directories
This list is automatically updated by a github action whenever any of the lists it's composed by is modified.

This list is a combination of the following wordlists:

• apache.txt
• combined_words.txt
• directory-list-1.0.txt
• directory-list-2.3-big.txt
• directory-list-2.3-medium.txt
• directory-list-2.3-small.txt
• raft-large-directories-lowercase.txt
• raft-large-directories.txt
• raft-medium-directories-lowercase.txt
• raft-medium-directories.txt
• raft-small-directories-lowercase.txt
• raft-small-directories.txt

dsstorewordlist.txt

SOURCE: https://github.com/aels/subdirectories-discover

Perfect wordlist to discover directories and files on target site with tools like ffuf.

• It was collected by parsing Alexa top-million sites for .DS_Store files (https://en.wikipedia.org/wiki/.DS_Store), extracting all the found files, and then extracting found file and directory names from around 300k real websites.
• Then sorted by probability and removed strings with one occurrence.
• resulted file you can download is below. Happy Hunting!

vulnerability-scan_j2ee-websites_WEB-INF.txt

Use for: discovering sensitive j2ee files exploiting a lfi

References:

• https://gist.github.com/harisec/519dc6b45c6b594908c37d9ac19edbc3
• https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/generic/generic-j2ee-lfi.yaml
• https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java