z0rs
/
bugbounty-wordlist
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Real world bug bounty wordlists
57 Commits 1 Branch 0 Tags 177 KiB
Text 100%
Go to file
Ciaran 1529ec1095 Tune Burp Suite JVM options. 2023-02-09 18:48:51 +00:00
BurpSuitePro.vmoptions Tune Burp Suite JVM options. 2023-02-09 18:48:51 +00:00
LICENSE Create LICENSE 2022-10-06 11:33:00 +01:00
README.md Update README.md 2022-11-12 11:04:49 +00:00
actions.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00
android.txt Emulator command to use with MOBSF. 2023-02-03 21:41:44 +00:00
breakpoints.txt Chrome Dev Tools Console commands. 2022-06-22 07:42:25 +01:00
burp-plugins.txt Update burp plugins. 2022-12-31 19:20:21 +00:00
burp-suite-project-settings.json Logger++ is currently very graphically glitchy for me. 2023-02-04 21:57:32 +00:00
burp-suite-user-settings.json Add more initial discovery paths and update burp suite settings. 2023-02-06 14:31:52 +00:00
dns.txt Add GCP region name patterns. 2022-12-09 06:36:35 +00:00
graphql.txt Use introspection query used by GraphQL Voyager. 2022-11-15 17:43:37 +00:00
headers.txt HTTP headers to manipulate. 2022-06-28 07:10:27 +01:00
http.txt Add more initial discovery paths and update burp suite settings. 2023-02-06 14:31:52 +00:00
java.security Add some JVM optimisations. 2023-02-04 16:14:48 +00:00
javascript.txt Remove DOM sinks. 2022-06-26 07:39:31 +01:00
jwt.secrets.list Add wordlist for JWT secret key cracking. 2022-06-15 21:10:26 +01:00
objects.txt More in the wild discoveries. 2022-09-29 11:36:24 +01:00
ports.txt Prometheus related stuff and some more service ports. 2022-07-21 18:48:43 +01:00
regex.txt Update regex. 2023-02-04 22:51:58 +00:00
resolvers.txt Public highly caching DNS resolvers to query against. 2022-06-14 17:54:52 +01:00
secrets.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00
user.vmoptions Tune Burp Suite JVM options. 2023-02-09 18:48:51 +00:00
xss.txt Add basic XSS sink and payload 2022-12-31 19:21:41 +00:00

README.md

What

Wordlists I use for recon and content discovery on programs from hackerone and bugcrowd. These are only things I have actually encountered in production or in documentation of popular tooling. There is no point in having a huge wordlist but only ever getting 2 hits.

How I use these lists?

http.txt

I use this as my initial discovery list.

So for example if I found an endpoint that is returning 404 for the web root.

I will use http.txt to see if there is any content there.

Sometimes I may use it recursively.

objects.txt

I generally use this if I find some sort of API/RPC type endpoint like /api to discover the resources that the API can interact with.

actions.txt

I use this this after discovery API objects to try map out what actions are supported.

For example say you found /api, then you found /api/account and then you run this wordlist and you find /api/account/auth