SecLists: A Security Tester's Companion




As security testers we often need quality lists. Whether we're doing netpen, web assessments, or even forensics or static analysis, having a solid source of usernames, passwords, strings used for grep searches, etc. is critical.


SecLists is an OWASP project and GitHub repository that consolidates all these lists into one place. It includes multiple types of lists, such as usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.




The concept for the project is simple enough: You get onto a new box before a security assessment and you need your favorite lists. Well, instead of going on a treasure hunt through all your various testing boxes and such, you simply clone this repo and you're set.


How do you get your favorite lists into the repo? Just submit them and we'll add them.


List Types and Usage Examples


Here are a few of the list types in the project now.






This is just a small subset of the complete list of password lists available in the project. We've collaborated with many of the other big collectors of passwords and added them to this single repo, as well as included lists submitted by others in the community. The README includes a list of contributors.


Uncommon List Types


In addition to passwords and usernames, we also have lists of grep strings, and even URL lists for various platforms. So if you are doing an assessment of a CMS, for example, it's often useful to make your proxy/scanner aware of every URL that's in the project by default. SecLists has a section for this called URLs.





Think of the various types of lists that can be useful to you during an assessment. Strings to search for in memory, strings to search for on the file system, lists of commonly seen Web Services endpoints, etc. We're really just limited by imagination.


Summary and How to Contribute


The takeaway here is simple: SecLists helps you during your security assessments, and the more you contribute the better the project becomes.




You can submit content through email, pull requests, or any other way you prefer. We'd love to see your input, and your name will be added to the growing contributors list.


We look forward to your submissions, and if you have any questions or comments feel free to ping us.



Daniel Miessler is a Principal Security Architect with Fortify on Demand, and can be reached at and on Twitter at @danielmiessler

The opinions expressed above are the personal opinions of the authors, not of HP.