When it comes to black-box testing of web applications, one of the main tasks is to enumerate possible web paths in order to find new entry points and “forgotten” data. That is, a list of popular directory names (like /uploads/) and file names (data.txt, file.php, etc.) is taken, every entry is requested from the target, and the paths that actually exist are recorded. The technique is old and well known; there are many utilities that implement it and many public lists of such paths. Among the most popular utilities are the following:
- dirb (http://dirb.sourceforge.net/)
- wfuzz (https://github.com/xmendez/wfuzz)
- DirBuster (https://sourceforge.net/projects/dirbuster/)
- nikto (https://github.com/sullo/nikto)
- dirsearch (https://github.com/maurosoria/dirsearch)
- nmap (http-enum module) (https://nmap.org)
- Metasploit Framework (dir_scanner and files_dir modules) (https://www.metasploit.com/)
- Burp Suite (using Intruder) (https://portswigger.net/burp)
There are lots of them. Personally I prefer wfuzz (fast, with convenient filtering of web server responses by several criteria such as status code, response length and word count) or Burp Suite.
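To make the technique concrete, here is an added example (not code from the original post or from any of the tools above) of the core loop: request every entry of a wordlist, then discard responses that match a baseline "not found" signature, which is what wfuzz's `--hc`/`--hh` filters do for status code and response length. Everything in it is constructed for the example: the six-entry wordlist, and a local fake application that serves two real paths and answers every other path with a "soft 404" (HTTP 200 and a fixed body), the case where filtering on status code alone would report every path as a hit.

```python
import http.server
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed wordlist in the spirit of the product-specific lists discussed
# in the post; these are NOT the repository's real lists.
WORDLIST = [
    "/phpmyadmin/",
    "/pma/",
    "/adminer.php",
    "/uploads/",
    "/data.txt",
    "/file.php",
]

# Constructed fake application: two paths that really exist, and a catch-all
# "soft 404" that returns HTTP 200 with a fixed body for everything else.
REAL_PATHS = {
    "/phpmyadmin/": b"<html><title>phpMyAdmin</title>login form</html>",
    "/adminer.php": b"<html><title>Login - Adminer</title></html>",
}
SOFT_404_BODY = b"<html>Page not found (but the status is 200)</html>"


class FakeApp(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = REAL_PATHS.get(self.path, SOFT_404_BODY)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Ignore any HTTP(S)_PROXY environment so the demo always hits localhost.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(base, path):
    """Request one path and return its (status, body_length) signature."""
    try:
        with _opener.open(base + path, timeout=5) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


def baseline(base):
    # Signature of a path that cannot exist: whatever the server returns here
    # (404, or a 200 soft-404) is what a "miss" looks like on this target.
    return probe(base, "/baseline-" + "x" * 24 + "/")


def brute(base, wordlist, workers=8):
    miss = baseline(base)
    with ThreadPoolExecutor(max_workers=workers) as ex:
        sigs = list(ex.map(lambda p: probe(base, p), wordlist))
    # Keep only responses whose (status, length) differs from the miss signature.
    return [(p, st, ln) for p, (st, ln) in zip(wordlist, sigs) if (st, ln) != miss]


def run_demo(wordlist=WORDLIST):
    """Start the fake app, fuzz it with the wordlist, return the hits."""
    srv = start_server()
    try:
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        return brute(base, wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status, length in run_demo():
        print("%s %d %d" % (path, status, length))
```

Against this fake application the demo reports only /phpmyadmin/ and /adminer.php, even though every path answers with 200. The caveat is that a soft-404 which echoes the requested path into its body changes length on every request and defeats a plain length filter; in that case filter on word or line count, or on a regex over the body, which the tools listed above also support.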
There are as many popular wordlists for web fuzzing as there are utilities, since most tools ship with a default list. The following third-party lists are worth noting:
- SecLists (Discovery -> Web-Content) (https://github.com/danielmiessler/SecLists)
- PayloadsAllTheThings (not many paths, and the content is scattered across files) (https://github.com/swisskyrepo/PayloadsAllTheThings)
- FuzzDB (discovery -> predictable-filepaths) (https://github.com/fuzzdb-project/fuzzdb)
Eventually every pentester compiles and maintains similar lists, and not just one but many: an all-in-one list; a short, high-yield list (the same idea as the top 1000 ports in nmap); and any number of lists for specific web technologies, frameworks and CMSs.
I spent some time creating such lists too and would like to share them: not the common ones, but lists for some well-known web-based database management interfaces (like phpMyAdmin) and file managers (I don't even know which one to name as the typical example). In my experience, many pentesters neglect such specialized lists.
I've made lists for the following products:
- phpMyAdmin (https://github.com/phpmyadmin)
- Adminer (https://github.com/vrana/adminer)
- PHP Mini SQL Admin (https://sourceforge.net/projects/phpminiadmin/)
- Sypex Dumper (https://sypex.net)
- phpFileManager (https://www.dulldusk.com/phpfm)
- tinyfilemanager (https://github.com/prasathmani/tinyfilemanager)
- extplorer (https://extplorer.net/)
- FileRun (http://www.filerun.com/)
- Encode Explorer (https://sourceforge.net/projects/encode-explorer/)
- phpLiteAdmin (https://www.phpliteadmin.org/)
I also uploaded the lists to GitHub to make them easier to maintain, and in case someone would like to contribute lists for other products.
Repository link: https://github.com/kaimi-io/web-fuzz-wordlists