SecLists: A Security Tester's Companion


 

 

As security testers we often need quality lists. Whether we're doing network penetration testing, web application assessments, or even forensics or static analysis, having a solid source of usernames, passwords, grep patterns for sensitive data, and similar lists is critical.

 

SecLists is an OWASP project and GitHub repository that consolidates all these lists into one place. It includes multiple types of lists, such as usernames, passwords, URLs for common platforms, sensitive-data grep strings, fuzzing payloads, and many more.

 

Concept

 

The concept for the project is simple: you get onto a new box before a security assessment and you need your favorite lists. Instead of going on a treasure hunt through all your various testing boxes, you simply clone this repo and you're set.

 

How do you get your favorite lists into the repo? Just submit them and we'll add them.

 

List Types and Usage Examples

 

Here are a few of the list types in the project now.

 

Passwords 

 

[Screenshot: a partial listing of the password lists in the project]

 

This is just a small subset of the complete set of password lists available in the project. We've collaborated with many of the other big collectors of passwords and added their lists to this single repo, and we've included lists submitted by others in the community. The README includes a list of contributors.

 

Uncommon List Types

 

In addition to passwords and usernames, we also have lists of grep strings, and even URL lists for various platforms. If you are assessing a CMS, for example, it's often useful to make your proxy or scanner aware of every URL that platform exposes by default, so each one gets checked rather than relying on spidering alone. SecLists has a section for this called URLs.

 

 

[Screenshot: the URLs section of the project]

 

Think of the various types of lists that could be useful to you during an assessment: strings to search for in memory, strings to search for on the file system, lists of commonly seen web service endpoints, and so on. We're really only limited by imagination.
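As an added example (not code from this post or from the SecLists project), the script below shows how a tester would consume two kinds of SecLists-style files with nothing but standard Unix tools: a list of grep patterns for sensitive data, run over a source tree, and a platform URL list expanded into absolute URLs ready to seed a proxy or scanner. The pattern list, the path list, the sample files, the function names and the host name target.example are all constructed for the demonstration; the real lists live in the SecLists repository, and no particular directory layout of that repository is assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of SecLists. Demonstrates two ways of using
# SecLists-style lists: a grep-pattern list over a file tree, and a URL list
# expanded against a target base URL. All inputs below are CONSTRUCTED.
set -u

# Build a throw-away workspace with constructed lists and files so the
# example runs offline. Prints the workspace path.
make_workspace() {
    ws="$(mktemp -d)"

    # Constructed pattern list in grep -E syntax, one pattern per line.
    # '#' lines and blank lines are treated as comments by grep_sensitive.
    cat > "$ws/sensitive-patterns.txt" <<'EOF'
# private keys and credentials (constructed sample, not the SecLists file)
BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY
(password|passwd|pwd)[[:space:]]*[=:]
AKIA[0-9A-Z]{16}
jdbc:[a-z]+://
EOF

    # Constructed sample tree: two real hits in app.properties, a clean C
    # file, a hit inside .git that we deliberately skip, and a binary blob.
    mkdir -p "$ws/src/config" "$ws/src/.git"
    printf 'db.password = hunter2\njdbc.url = jdbc:mysql://db/app\n' \
        > "$ws/src/config/app.properties"
    printf 'int main(void) { return 0; }\n' > "$ws/src/main.c"
    printf 'password = leaked-in-git-object\n' > "$ws/src/.git/ORIG_HEAD"
    printf '\000\001password=\002' > "$ws/src/blob.bin"

    # Constructed path list in the style of a platform URL list: mixed
    # leading slashes, a comment, a blank line and a duplicate entry.
    cat > "$ws/wp-paths.txt" <<'EOF'
# sample paths, not the real list
/wp-login.php
wp-admin/
/xmlrpc.php

/wp-login.php
EOF
    echo "$ws"
}

# grep_sensitive PATTERN_FILE DIR
# Drops comment and blank lines from the pattern list, then runs a recursive,
# case-insensitive, extended-regex search that skips binaries (-I) and .git.
# Output is grep's "file:line:text" format; exit status is grep's.
grep_sensitive() {
    clean="$(mktemp)"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" > "$clean"
    grep -rnIiE --exclude-dir=.git -f "$clean" "$2"
    status=$?
    rm -f "$clean"
    return $status
}

# expand_urls BASE PATH_FILE
# Turns a path list into absolute URLs for a proxy/scanner import: strips CR,
# drops comments and blanks, normalises the slash between base and path, and
# de-duplicates while preserving the original order.
expand_urls() {
    base="${1%/}"
    tr -d '\r' < "$2" \
      | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
      | sed 's#^/*##' \
      | awk -v base="$base" '!seen[$0]++ { print base "/" $0 }'
}

# Demo run against the constructed workspace.
ws="$(make_workspace)"
echo "== sensitive strings in $ws/src =="
grep_sensitive "$ws/sensitive-patterns.txt" "$ws/src"
echo "== scanner seed URLs =="
expand_urls http://target.example/ "$ws/wp-paths.txt"
```

Two practical points the script encodes: pattern lists are only useful if the noise is controlled, so the search skips binaries and the .git directory (a real audit would grep git history separately, with git log -p or similar, rather than matching raw objects), and URL lists need normalising before import because tools disagree about leading slashes, CRLF line endings and duplicates. The same cleaned pattern file works for the "strings in memory" case by piping a dump through strings and then grep -Ef.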

 

Summary and How to Contribute

 

The takeaway here is simple: SecLists helps you during your security assessments, and the more you contribute the better the project becomes.

 


 

You can submit content through email, pull requests, or any other way you prefer. We'd love to see your input, and your name will be added to the growing contributors list.

 

We look forward to your submissions, and if you have any questions or comments feel free to ping us.

 


Daniel Miessler is a Principal Security Architect with Fortify on Demand, and can be reached at daniel.miessler@hp.com and on Twitter at @danielmiessler

About the Author
http://www.danielmiessler.com/about