Real-world infosec wordlists, updated regularly
These wordlists are based on the source code of the CMSes/servers/frameworks listed here. The current wordlists include:
There are 2 versions of each wordlist:
webapps/examples/WEB-INF/classes/websocket/echo/servers.json
webapps/examples/WEB-INF/classes/websocket/echo/servers.json
examples/WEB-INF/classes/websocket/echo/servers.json
WEB-INF/classes/websocket/echo/servers.json
websocket/echo/servers.json
echo/servers.json
servers.json
Inspired by Daniel Miessler's RobotsDisallowed project, these wordlists contain the robots.txt Allow and Disallow paths in the top 100, top 1000, and top 10000 websites according to Domcop's Open PageRank dataset.
This wordlist contains the subdomains found for each target on the Inventory project. It consists of 1.4 million words generated from the subdomains of over 50 public bug bounty programs.
This wordlist contains the subdomains found through enumerating cloud assets. It consists of 940k words generated from the subdomains extracted from the Common Names and Subject Alternative Names of over 7 million SSL certificates.
And more wordlists to come!
A Trickest workflow clones the repositories in technology-repositories.json, lists the paths of all their files, removes non-interesting files, generates combinations, and pushes the wordlists to this repository.
Another Trickest workflow gets the top 100, 1000, and 10000 websites from Domcop's Open PageRank dataset, uses meg to fetch their robots.txt files (Thanks, @tomnomnom!), removes irrelevant entries, cleans up the paths, and pushes the wordlists to this repository.
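The technology-wordlist steps described above (list the file paths, drop non-interesting files, generate the sublevel combinations), as an added Python example that is not Trickest's own workflow code. Assumptions: the suffix filter is a hypothetical stand-in for the unspecified "non-interesting files" rule, and every sublevel is emitted, including the classes/ level that the listing above does not show.

```python
import os

# Assumption: the page does not say which files count as "non-interesting";
# this suffix set is a hypothetical filter used only for illustration.
SKIPPED_SUFFIXES = {".png", ".jpg", ".gif", ".md"}


def base_wordlist(paths):
    """Normalize repository file paths, drop filtered files, dedupe in order."""
    seen, out = set(), []
    for raw in paths:
        # Accept Windows separators and strip empty or "." components.
        parts = [p for p in raw.strip().replace("\\", "/").split("/")
                 if p not in ("", ".")]
        if not parts:
            continue
        if os.path.splitext(parts[-1])[1].lower() in SKIPPED_SUFFIXES:
            continue
        entry = "/".join(parts)
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def all_levels(base):
    """Emit each base path plus every sublevel made by dropping leading dirs."""
    seen, out = set(), []
    for entry in base:
        parts = entry.split("/")
        for i in range(len(parts)):
            level = "/".join(parts[i:])
            if level not in seen:  # shared suffixes appear only once
                seen.add(level)
                out.append(level)
    return out


# Constructed sample input; the first path is the example used on this page.
SAMPLE_PATHS = [
    "webapps/examples/WEB-INF/classes/websocket/echo/servers.json",
    "./webapps/examples/WEB-INF/web.xml",
    "webapps/docs/images/tomcat.png",
]

if __name__ == "__main__":
    print("\n".join(all_levels(base_wordlist(SAMPLE_PATHS))))
```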
All contributions/suggestions/questions are welcome! Feel free to create a new ticket via GitHub issues, tweet at us @trick3st, or join the conversation on Discord.
We believe in the value of tinkering. Sign up for a demo on trickest.com to customize this workflow to your use case, get access to many more workflows, or build your own from scratch!