Real world bug bounty wordlists
Ciaran 3ad56c8452 Update Burp Suite Settings.
Updated enabled plugins.
Tuned connection timeout values.
Changed proxy history view settings to hide .js files.
2023-02-17 11:44:20 +00:00
BurpSuitePro.vmoptions Tune Burp Suite JVM options. 2023-02-09 18:48:51 +00:00
LICENSE Create LICENSE 2022-10-06 11:33:00 +01:00
README.md Update Documentation. 2023-02-11 13:12:44 +00:00
actions.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00
android.txt Emulator command to use with MOBSF. 2023-02-03 21:41:44 +00:00
breakpoints.txt Chrome Dev Tools Console commands. 2022-06-22 07:42:25 +01:00
burp-plugins.txt Update Documentation. 2023-02-11 13:12:44 +00:00
burp-suite-project-settings.json Update Burp Suite Settings. 2023-02-17 11:44:20 +00:00
burp-suite-user-settings.json Update Burp Suite Settings. 2023-02-17 11:44:20 +00:00
dns.txt Add GCP region name patterns. 2022-12-09 06:36:35 +00:00
graphql.txt Use introspection query used by GraphQL Voyager. 2022-11-15 17:43:37 +00:00
headers.txt HTTP headers to manipulate. 2022-06-28 07:10:27 +01:00
http.txt Add more initial discovery paths and update burp suite settings. 2023-02-06 14:31:52 +00:00
java.security Add some JVM optimisations. 2023-02-04 16:14:48 +00:00
javascript.txt Remove DOM sinks. 2022-06-26 07:39:31 +01:00
jwt.secrets.list Add wordlist for JWT secret key cracking. 2022-06-15 21:10:26 +01:00
objects.txt More in the wild discoveries. 2022-09-29 11:36:24 +01:00
ports.txt Prometheus related stuff and some more service ports. 2022-07-21 18:48:43 +01:00
regex.txt Update Documentation. 2023-02-11 13:12:44 +00:00
resolvers.txt Public highly caching DNS resolvers to query against. 2022-06-14 17:54:52 +01:00
secrets.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00
user.vmoptions Tune Burp Suite JVM options. 2023-02-09 18:48:51 +00:00
xss.txt Add basic XSS sink and payload 2022-12-31 19:21:41 +00:00

README.md

What

Wordlists I use for recon and content discovery on programs from HackerOne and Bugcrowd. These are only things I have actually encountered in production or in documentation of popular tooling. There is no point in having a huge wordlist but only ever getting 2 hits.

How I use these lists

android.txt

This is just the command I use to launch an Android VM to use with Mobile Security Framework, as Genymotion is having issues with the GPU drivers I have on Linux.

breakpoints.txt

These are commands that can be run in the dev tools console of Chromium-based browsers.

burp-plugins.txt

These are some of the plugins for Burp I have installed, but that does not mean I have them turned on at all times. I try not to rely on plugins too much as they distract you from looking at the core application.

http.txt

I use this as my initial discovery list.

So, for example, if I find an endpoint that is returning 404 for the web root, I will use http.txt to see if there is any content there.

Sometimes I may use it recursively.

objects.txt

I generally use this if I find some sort of API/RPC-type endpoint like /api, to discover the resources that the API can interact with.

actions.txt

I use this after discovering API objects to try to map out what actions are supported.

For example, say you found /api, then you found /api/account, and then you run this wordlist and find /api/account/auth.

regex.txt

You can use these in the Burp Suite search function, Logger++ or the Highlight and Extract plugin.

xss.txt

This is just a basic taint query I use to then trace through the application, so I can easily search for "taint" and see where it is located and which characters are escaped.

secrets.txt

These were triggering WAFs too frequently, so I split them out into their own file. Generally you are likely better off using Burp's built-in interesting files, but this wordlist is nice and small.

*.vmoptions files

These tune the JVM for the JRE that ships with Burp Suite. I have modified the garbage collection algorithm to use a more efficient algorithm and I have applied several graphics-related tweaks.