Protect Your Assets

SecLists: A Security Tester's Companion

danielmiessler 01-23-2014 05:41 PM - edited 07-07-2015 12:38 PM

As security testers we often need quality lists. Whether we're doing netpen, web assessments, or even forensics or static analysis, having a solid source of usernames, passwords, strings used for grep searches, etc. is critical.


SecLists is an OWASP project and GitHub repository that consolidates all these lists into one place. It includes multiple types of lists, such as usernames, passwords, URLs, sensitive-data grep strings, fuzzing payloads, and many more.


Concept


The concept for the project is simple enough: You get onto a new box before a security assessment and you need your favorite lists. Well, instead of going on a treasure hunt through all your various testing boxes and such, you simply clone this repo and you're set.


How do you get your favorite lists into the repo? Just submit them and we'll add them.


List Types and Usage Examples


Here are a few of the list types in the project now.


Passwords 


This is just a small subset of the complete list of password lists available in the project. We've collaborated with many of the other big collectors of passwords and added their lists to this single repo, and we've also included lists submitted by others in the community. The README includes a list of contributors.


Uncommon List Types


In addition to passwords and usernames, we also have lists of grep strings, and even URL lists for various platforms. If you are assessing a CMS, for example, it's often useful to make your proxy or scanner aware of every URL that platform exposes by default. SecLists has a section for this called URLs.


Think of the various types of lists that can be useful to you during an assessment. Strings to search for in memory, strings to search for on the file system, lists of commonly seen Web Services endpoints, etc. We're really just limited by imagination.
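As an added example (not part of the original post or of the SecLists project itself), the Python below shows the file-system grep-string use case: it loads a SecLists-style grep list (here a constructed three-entry stand-in) and scans a constructed sample tree the way `grep -rniF -f list` would, skipping `.git` and binary files.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a SecLists-style grep-strings list: one literal per
# line, blank lines and '#' comments ignored. The real lists live in the repo.
SAMPLE_GREP_LIST = """
# strings that should never sit in a source tree
password=
BEGIN RSA PRIVATE KEY
aws_secret_access_key
"""

SKIP_DIRS = {".git", "node_modules"}  # assumed noise directories

def load_grep_strings(text):
    """Parse a wordlist: strip whitespace, drop blanks and comments, dedupe in order."""
    entries = [ln.strip() for ln in text.splitlines()]
    return list(dict.fromkeys(e for e in entries if e and not e.startswith("#")))

def scan_tree(root, patterns):
    """Return (relative path, line number, matched text) for every literal,
    case-insensitive hit, i.e. what `grep -rniF -f list` would report."""
    regex = re.compile("|".join(re.escape(p) for p in patterns), re.IGNORECASE)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                lines = path.read_text(encoding="utf-8").splitlines()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: skip it, as grep -I would
            for lineno, line in enumerate(lines, 1):
                for m in regex.finditer(line):
                    hits.append((str(path.relative_to(root)), lineno, m.group(0)))
    return hits

def demo():
    """Build a constructed sample tree, scan it, and return the sorted hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "app.ini").write_text("db_user=app\nPASSWORD=hunter2\n")
        (root / "deploy.key").write_text("-----BEGIN RSA PRIVATE KEY-----\nabc\n")
        (root / "README").write_text("nothing sensitive here\n")
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("password=not-scanned\n")
        return sorted(scan_tree(root, load_grep_strings(SAMPLE_GREP_LIST)))
```

Point `scan_tree` at a real checkout and `load_grep_strings` at one of the repo's grep lists to run it against your own code tree.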


Summary and How to Contribute


The takeaway here is simple: SecLists helps you during your security assessments, and the more you contribute the better the project becomes.


[ SecLists: A Security Tester's Companion ]


You can submit content through email, pull requests, or any other way you prefer. We'd love to see your input, and your name will be added to the growing contributors list.


We look forward to your submissions, and if you have any questions or comments feel free to ping us.


Daniel Miessler is a Principal Security Architect with Fortify on Demand, and can be reached at daniel.miessler@hp.com and on Twitter at @danielmiessler

About the Author

danielmiessler

https://danielmiessler.com/about
