Pentest 101: Content bruteforcing lists

This post is also available in: Русский (Russian)

When it comes to black-box testing of web applications, one of the main things is to search through possible web paths to find new entry points and “forgotten” data. That is, any list of popular directory names (like /uploads/) and files (data.txt, file.php, etc.) is taken and a sequential search of valid paths is performed. The technique is well-known, old, there are many utilities to exploit it, many public lists of such paths. Among the most popular are the following utilities:

Lots of them...
Personally I prefer wfuzz (pretty fast, convenient filtering of web server responses by several criteria), or Burp Suite.

There are as many popular lists for web fuzzing as there are utilities, since most of them come with a default list. The following third-party lists can be noted:

Eventually every pentester compiles and maintains a similar list and not one, but many: all-in-one list, most productive and short (like the idea of top1000 open ports in nmap), an infinite number for specific web technologies, frameworks and CMS.

I spent some time creating such lists too, and would like to share them, not the common ones, but for some well-known web-based database management interfaces (like phpMyAdmin) and file managers (I don’t even know which example to bring). In my experience, many pentesters neglect such specialized lists.

I've made lists for the following products:

Also, I uploaded the lists to Github, to make it easier to maintain, and in case someone would like to provide lists for other products.
Repository link:

Leave a Reply

Your email address will not be published. Required fields are marked *