Skip to content

Common Wordlists

Famous Wordlists Cheat Sheet

Common Web Discovery Wordlists
Path Wordlist Description
/SecLists/Discovery/Web-Content/ common.txt A small list of common directories and files
/SecLists/Discovery/Web-Content/ big.txt A larger list for discovering more directories and files
/SecLists/Discovery/Web-Content/ directory-list-2.3-medium.txt Medium-sized list for directory discovery, commonly used with tools like Gobuster
/SecLists/Discovery/Web-Content/ directory-list-2.3-big.txt Larger version of the directory list for extensive discovery
/SecLists/Discovery/Web-Content/ raft-large-directories.txt Large list focused on directory names
/SecLists/Discovery/Web-Content/ raft-large-files.txt Large list focused on file names
/PayloadsAllTheThings/Wordlists/ top10000.txt Top 10,000 directory and file names
DNS and Subdomain Discovery Wordlists
Path Wordlist Description
/SecLists/Discovery/DNS/ subdomains-top1million-110000.txt Top 110,000 subdomains, useful for subdomain discovery
/SecLists/Discovery/DNS/ names.txt Common names for DNS brute-forcing
/SecLists/Discovery/DNS/ dns-Jhaddix.txt A curated list of DNS subdomains, optimized for speed and effectiveness
/SecLists/Discovery/DNS/ dnsmap.txt Wordlist used by dnsmap for subdomain discovery
/The-Wordlist-Collection/dns/ subdomains.txt Comprehensive subdomain discovery wordlist
/The-Wordlist-Collection/dns/ subdomains-100000.txt Top 100,000 subdomains
Password Cracking Wordlists
Path Wordlist Description
/SecLists/Passwords/Common-Credentials/ 10k-most-common.txt 10,000 most common passwords
/SecLists/Passwords/Common-Credentials/ 500-worst-passwords.txt A list of 500 worst passwords
/SecLists/Passwords/Leaked-Databases/ rockyou.txt Famous password list from the RockYou breach
/SecLists/Passwords/Leaked-Databases/ linkedin-2021.txt Passwords leaked from the LinkedIn breach
/SecLists/Passwords/Leaked-Databases/ phpbb.txt Passwords leaked from the phpBB breach
/The-Wordlist-Collection/passwords/ 100k-most-common.txt 100,000 most common passwords
/The-Wordlist-Collection/passwords/ 1-million-passwords.txt 1 million common passwords
/WordlistsByStealth/ passwd.txt A general-purpose password wordlist
Username Enumeration Wordlists
Path Wordlist Description
/SecLists/Usernames/ names.txt Common usernames, often used for brute force attacks
/SecLists/Usernames/ top-usernames-shortlist.txt A short list of top usernames
/SecLists/Usernames/ corporate-usernames.txt Common corporate usernames (e.g., admin, administrator)
/PayloadsAllTheThings/Wordlists/ usernames.txt Comprehensive list of usernames
/The-Wordlist-Collection/usernames/ default-usernames.txt Default usernames used by various applications and systems
Fuzzing and Parameter Discovery Wordlists
Path Wordlist Description
/SecLists/Fuzzing/ burp-parameter-names.txt Common parameter names for web application fuzzing
/SecLists/Fuzzing/ fuzzdb-attack-payloads.txt FuzzDB's payloads for various attack vectors
/SecLists/Fuzzing/ jbrofuzz-headers.txt Fuzzing payloads for HTTP headers
/SecLists/Fuzzing/ xss-payload-list.txt A list of XSS payloads for fuzzing
/PayloadsAllTheThings/Wordlists/ fuzz.txt General-purpose fuzzing wordlist
/The-Wordlist-Collection/fuzzing/ all-http-methods.txt A list of HTTP methods for fuzzing RESTful services
Other Useful Wordlists
Path Wordlist Description
/SecLists/Discovery/Web-Servers/ iis.txt Wordlist for discovering IIS-related directories and files
/SecLists/Miscellaneous/ user-agents.txt A list of User-Agent strings
/SecLists/Miscellaneous/ langs.txt Common language codes (e.g., en, es, fr)
/SecLists/Discovery/Web-Content/ robots-disallowed.txt Paths commonly disallowed in robots.txt files
/SecLists/Discovery/ api-endpoints.txt Common API endpoints for RESTful services
/The-Wordlist-Collection/web-servers/ apache.txt Wordlist for discovering Apache-related directories and files
/PayloadsAllTheThings/Wordlists/ common-api-endpoints.txt List of common API endpoints
/The-Wordlist-Collection/miscellaneous/ http-status-codes.txt List of HTTP status codes for fuzzing responses