Protect Your Assets
Showing results for 
Search instead for 
Do you mean 

SecLists: A Security Tester's Companion

danielmiessler ‎01-23-2014 05:41 PM - edited ‎07-07-2015 12:38 PM



As security testers we often need quality lists. Whether we're doing netpen, web assessments, or even forensics or static analysis, having a solid source of usernames, passwords, strings used for grep searches, etc. is critical.


SecLists is an OWASP project and Github repository that consolidates all these lists into one place. It includes multiple types of lists, such as usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, URL lists, and many more.




The concept for the project is simple enough: You get onto a new box before a security assessment and you need your favorite lists. Well, instead of going on a treasure hunt through all your various testing boxes and such, you simply clone this repo and you're set.


How do you get your favorite lists into the repo? Just submit them and we'll add them.


List Types and Usage Examples


Here are a few of the list types in the project now.





This just a small subset of the complete list of password listsavailable in the project. We've collaborated with many of the other big collectors of passwords and added them to this single repo, as well as included lists submitted by others in the community. The README includes a list of contributors.


Uncommon List Types


In addition to passwords and usernames, we also have lists of grep strings, and even URL lists for various platforms. So if you have an assessment you are doing for a CMS, for example, it's often useful to let your proxy/scanner aware of every URL that's in the project by default. SecLists has a section for this called URLs.





Think of the various types of lists that can be useful to you during an assessment. Strings to search for in memory, strings to search for on the file system, lists of commonly seen Web Services endpoints, etc. We're really just limited by imagination.


Summary and How to Contribute


The takeaway here is simple: SecLists helps you during your security assessments, and the more you contribute the better the project becomes.


[ SecLists: A Security Tester's Companion ]


You can submit content through email, pull requests, or any other way you prefer. We'd love to see your input, and your name will be added to the growing contributors list.


We look forward to your submissions, and if you have any questions or comments feel free to ping us.



Daniel Miessler is a Principal Security Architect with Fortify on Demand, and can be reached at and on Twitter at @danielmiessler

0 Kudos
About the Author


Nov 29 - Dec 1
Discover 2016 London
Learn how to thrive in a world of digital transformation at our biggest event of the year, Discover 2016 London, November 29 - December 1.
Read more
Each Month in 2016
Software Expert Days - 2016
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all