
Your fuzzing and directory-busting enumeration is only as good as the wordlist you use.

What is a Seclist?
A Seclist (security list) is a large list of words or payloads, intended to make assessments thorough.
Are you using wordlists that are maintained or worked on by the community?

When testing for sanitization of user input in your web assessments, make sure to check here!

I got you.

+ Seclists.
https://github.com/danielmiessler/SecLists


[ Here are some wordlists that I think are pretty important ]

+ Busting Files/Directories.

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-medium-directories.txt

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-medium-files.txt

You can obviously use the large versions of the RAFT lists if you would like.



+ Checking whether a page accepts parameters that are not exposed on the user-facing side of the web application?
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/burp-parameter-names.txt



+ XSS (Cross Site Scripting) Checks:
https://github.com/payloadbox/xss-payload-list


+ LFI (Local File Inclusion) Checks:
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt

+ Command Injection Checks:
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/command-injection-commix.txt

+ SQL Injection Checks:
https://github.com/trietptm/SQL-Injection-Payloads/blob/master/LINKS.md


+ Also see PayloadsAllTheThings.
https://github.com/swisskyrepo/PayloadsAllTheThings
