Lightweight, web-application-focused fork of Daniel Miessler's SecLists. Web shells, credential dumps, and AV-test artifacts are gone so you can clone it safely and quickly. If you need the full, wide-coverage lists, grab upstream SecLists; this is intentionally a lighter subset for web app testing.
- `discovery/`: general discovery wordlists tiered by size (`quick/`, `medium/`, `deep/`) plus language variants under `lang/`.
- `paths/`: tech-specific endpoint maps: `appservers/`, `cms/`, `frameworks/`, `cgi/`, `api/`, `libs/`, and vuln-path references under `vulns/`.
- `payloads/`: attack payloads grouped by class (`xss/`, `sqli/`, `command-injection/`, `lfi-rfi/`, `auth-bypass/`, `misc/`).
- `data/`: helper data (extensions, user-agents, ports, mutations, variants, grep strings, misc context).
- Credentials: all password and username lists.
- Web shells/backdoor scripts (`scripts/backdoors`).
- DNS/subdomain lists and other network-focused content.
- Content discovery (fast): `ffuf -w discovery/quick/common.txt -u https://target/FUZZ`
- Content discovery (deeper): `ffuf -w discovery/medium/raft-medium-directories.txt -u https://target/FUZZ`
- Platform paths: `ffuf -w paths/cms/urls_wordpress_3.3.1 -u https://target/FUZZ`
- Payload fuzzing: `ffuf -w payloads/command-injection/fuzzdb_metacharacters.txt -u 'https://target/page?FUZZ=value'`
- Keep web-app primitives separated: `discovery/` for general wordlists, `paths/` for tech-specific endpoints, `payloads/` for attack strings, and `data/` for helpers.
- Format rules: no leading `/`, prefer lowercase, one entry per line, no trailing whitespace, avoid duplicates, keep commonly-used lists small enough for fast tooling.
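
The format rules above can be checked mechanically before a list is committed. The linter below is an added example, not part of this repository: the rule names, the `lint_wordlist` function and the sample entries are constructed for illustration, and treating "prefer lowercase" as advisory rather than a hard failure is an assumption.

```python
"""Lint wordlists against the format rules listed above (added example)."""
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "line rule text")
ADVISORY = {"not-lowercase"}  # assumption: "prefer lowercase" is a soft rule


def lint_wordlist(text):
    """Return Finding tuples for every rule violation in one wordlist."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a final newline terminates the last entry
    findings, first_seen = [], {}
    for lineno, entry in enumerate(lines, start=1):
        if entry != entry.rstrip():  # also catches the "\r" left by CRLF files
            findings.append(Finding(lineno, "trailing-whitespace", entry))
            entry = entry.rstrip()  # compare the cleaned entry from here on
        if entry == "":
            findings.append(Finding(lineno, "empty-line", entry))
            continue
        if entry.startswith("/"):
            findings.append(Finding(lineno, "leading-slash", entry))
        if entry != entry.lower():
            findings.append(Finding(lineno, "not-lowercase", entry))
        if entry in first_seen:
            findings.append(Finding(lineno, "duplicate", entry))
        else:
            first_seen[entry] = lineno
    return findings


def has_errors(findings):
    """True when at least one finding is a hard rule, not an advisory one."""
    return any(f.rule not in ADVISORY for f in findings)


# Constructed sample: one violation each on lines 2-5, lines 1 and 6 are clean.
SAMPLE = "admin\n/login\nAPI/v1\nbackup \nadmin\nconfig.php\n"

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        # newline="" keeps "\r" so CRLF files are reported, not silently fixed
        with open(path, encoding="utf-8", errors="replace", newline="") as fh:
            results = lint_wordlist(fh.read())
        for f in results:
            print(f"{path}:{f.line}: {f.rule}: {f.text!r}")
        failed = failed or has_errors(results)
    sys.exit(1 if failed else 0)
```

The leading-slash rule is applied to every file passed in, so run it over `discovery/` and `paths/` lists; payload lists may legitimately contain entries that begin with `/`.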
Keep additions web-app focused, compact, and formatting-consistent. If you need to add a large/general list, please link to the upstream SecLists project instead.