From 85d0e0a2e3978818bb10056fb07e6c621840b806 Mon Sep 17 00:00:00 2001 From: Ciaran Date: Sun, 6 Nov 2022 14:32:42 +0000 Subject: [PATCH] Split secrets/waf triggering requests into new file. I use the http.txt file as a general first go to wordlist. I noticed over time and with some targets that it is highly likely to trigger a WAF and get the rest of your requests blocked. So I have moved most of the offending words into a secrets.txt file. --- actions.txt | 1 + http.txt | 30 ++++++------------------------ secrets.txt | 24 ++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 24 deletions(-) create mode 100644 secrets.txt diff --git a/actions.txt b/actions.txt index ce922c7..45a04a3 100644 --- a/actions.txt +++ b/actions.txt @@ -36,6 +36,7 @@ service show signin signup +sso-settings suggest surveys transaction diff --git a/http.txt b/http.txt index c64272d..7b29a91 100644 --- a/http.txt +++ b/http.txt @@ -80,13 +80,9 @@ authorization auth-ui billing BitKeeper -.build build builds -.bzr callback -.chef -.chef/credentials cicd circleci cms @@ -94,18 +90,14 @@ cms/api common/oauth2/v2.0/ conf conf/defaults.ini -.config -.config/ config config/credentials.yml.enc config/slack.yml conf/zoo.cfg -.core core coupons credentials.yml custom.ini -._darcs dashboard debug debugger @@ -115,13 +107,10 @@ docs elements enduserapp en-us/rest -.env example examples fixtures3.json fixtures3.yml -.git -.gitconfig grafana grafana/api/ grafana/grafana.ini @@ -134,18 +123,10 @@ gw-web/api/ habitat/plan.sh header health -.hg -.hta -.htaccess -.htpasswd -.htpasswd-old -.htpasswd_test jenkins js jwks jwks.json -.kube -.kube/config kube_config_cluster.yml kustomization.yml legacy @@ -172,6 +153,7 @@ openid/register organizations password_resets password.txt +permissions personal php.ini platform/api/ @@ -179,6 +161,7 @@ probe prod prometheus prometheus.yml +proxy public rapidoc Readme.md @@ -190,12 +173,13 @@ rest/api/2 rest/api/2/ risk robots.txt +route +routes saml2/idp/sso script -.secret -.secrets secret.yml server-status +service sessions settings spec3.json @@ -206,14 +190,11 @@ staged staging static static_configs.yml -.svn swagger swagger.json swagger-ui swagger_ui telegraf.conf -.terraform -.tmp token tokens uploads @@ -221,6 +202,7 @@ user user/2fa user-info username.txt +user/permissions user/personal_access_tokens user/settings user-state diff --git a/secrets.txt b/secrets.txt new file mode 100644 index 0000000..b3b7f22 --- /dev/null +++ b/secrets.txt @@ -0,0 +1,24 @@ +.build +.bzr +.chef +.chef/credentials +.config +.config/ +.core +._darcs +.env +.git +.gitconfig +.hg +.hta +.htaccess +.htpasswd +.htpasswd-old +.htpasswd_test +.kube +.kube/config +.secret +.secrets +.svn +.terraform +.tmp