Real world bug bounty wordlists
Ciaran 85d0e0a2e3 Split secrets/waf triggering requests into new file.
I use the http.txt file as a general first go-to wordlist.

I noticed over time and with some targets that it is highly likely to
trigger a WAF and get the rest of your requests blocked.

So I have moved most of the offending words into a secrets.txt file.
2022-11-06 14:32:44 +00:00
LICENSE Create LICENSE 2022-10-06 11:33:00 +01:00
README.md README.md 2022-06-07 02:31:29 +01:00
actions.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00
breakpoints.txt Chrome Dev Tools Console commands. 2022-06-22 07:42:25 +01:00
burp-plugins.txt Update burp-plugins.txt 2022-07-28 11:46:03 +01:00
dns.txt Intigriti and YesWeHack. 2022-08-01 20:35:49 +01:00
graphql.txt More endpoints and a graphql scheme discover query. 2022-07-20 12:20:09 +01:00
headers.txt HTTP headers to manipulate. 2022-06-28 07:10:27 +01:00
http.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00
javascript.txt Remove DOM sinks. 2022-06-26 07:39:31 +01:00
jwt.secrets.list Add wordlist for JWT secret key cracking. 2022-06-15 21:10:26 +01:00
objects.txt More in the wild discoveries. 2022-09-29 11:36:24 +01:00
ports.txt Prometheus related stuff and some more service ports. 2022-07-21 18:48:43 +01:00
resolvers.txt Public highly caching DNS resolvers to query against. 2022-06-14 17:54:52 +01:00
secrets.txt Split secrets/waf triggering requests into new file. 2022-11-06 14:32:44 +00:00

README.md

What

Wordlists I use for recon and content discovery on programs from HackerOne and Bugcrowd. These are only things I have actually encountered in production or in the documentation of popular tooling. There is no point in having a huge wordlist but only ever getting 2 hits.