Protect Your Assets

SecLists: A Security Tester's Companion

danielmiessler ‎01-23-2014 05:41 PM - edited ‎07-07-2015 12:38 PM



As security testers we often need quality lists. Whether we're doing netpen, web assessments, or even forensics or static analysis, having a solid source of usernames, passwords, strings used for grep searches, etc. is critical.


SecLists is an OWASP project and GitHub repository that consolidates all these lists into one place. It includes multiple types of lists, such as usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.




The concept for the project is simple enough: You get onto a new box before a security assessment and you need your favorite lists. Well, instead of going on a treasure hunt through all your various testing boxes and such, you simply clone this repo and you're set.


How do you get your favorite lists into the repo? Just submit them and we'll add them.


List Types and Usage Examples


Here are a few of the list types in the project now.





This is just a small subset of the complete list of password lists available in the project. We've collaborated with many of the other big collectors of passwords and added them to this single repo, as well as included lists submitted by others in the community. The README includes a list of contributors.


Uncommon List Types


In addition to passwords and usernames, we also have lists of grep strings, and even URL lists for various platforms. So if you are doing an assessment of a CMS, for example, it's often useful to make your proxy/scanner aware of every URL that's in the project by default. SecLists has a section for this called URLs.





Think of the various types of lists that can be useful to you during an assessment. Strings to search for in memory, strings to search for on the file system, lists of commonly seen Web Services endpoints, etc. We're really just limited by imagination.


Summary and How to Contribute


The takeaway here is simple: SecLists helps you during your security assessments, and the more you contribute the better the project becomes.




You can submit content through email, pull requests, or any other way you prefer. We'd love to see your input, and your name will be added to the growing contributors list.


We look forward to your submissions, and if you have any questions or comments feel free to ping us.



Daniel Miessler is a Principal Security Architect with Fortify on Demand, and can be reached at and on Twitter at @danielmiessler
