Comprehensive collection of the most used and best wordlists for penetration testing
The ultimate collection of all types of lists used during security assessments. Includes passwords, usernames, URLs, sensitive data patterns, fuzzing payloads, web shells, and much more.
The most famous password wordlist. Contains 14+ million passwords from the RockYou data breach. Essential for password cracking and authentication testing.
Classic directory and file brute-forcing wordlists. Perfect for web application enumeration and discovering hidden directories, files, and endpoints.
Comprehensive fuzzing patterns and payloads for application security testing. Contains attack patterns for XSS, SQLi, LDAP injection, and more.
Automated wordlist updates based on real-world data. Contains curated lists for subdomain enumeration and content discovery.
Massive list of useful payloads and bypasses for web application security. Includes XSS, SQL injection, SSRF, XXE, and many more attack vectors.
Compiled from BigQuery datasets containing most common English words and phrases. Great for password and subdomain enumeration.
Collection of leaked passwords from various data breaches. Continuously updated with new breach data for comprehensive password testing.
Massive 15GB wordlist containing every wordlist, dictionary, and password database leaked and published. Ultimate password cracking resource.
Default credentials for various products, services, and IoT devices. Essential for testing default password vulnerabilities.
Researched, Analyzed, Fuzzing and Tools wordlists. Optimized for web content discovery with small, medium, and large variants.
Collection from SecLists specifically for web content discovery. Includes common.txt, directory-list, and quickhits wordlists.
Comprehensive wordlist combining multiple directory brute-forcing lists. Perfect for thorough web application enumeration.
Specialized wordlists for API endpoint discovery. Contains common REST API paths, GraphQL queries, and API versioning patterns.
Top 1 million most common subdomains compiled from internet scan data. Essential for subdomain brute-forcing and enumeration.
Classic DNS enumeration wordlist from the Fierce tool. Optimized for discovering subdomains through DNS brute-forcing.
Comprehensive subdomain wordlist from Bitquark Research. Contains 500k+ subdomain names from real-world data.
Massive combined wordlist by Jason Haddix. Merges multiple subdomain sources into one comprehensive list for maximum coverage.
Strings which have a high probability of causing issues when used as user-input data. Perfect for testing input validation and edge cases.
Comprehensive XSS (Cross-Site Scripting) payloads and bypass techniques. Includes polyglots, filter bypasses, and context-specific payloads.
Extensive SQL injection payloads for various database types. Includes authentication bypasses, time-based, error-based, and blind SQLi payloads.
Local and Remote File Inclusion attack payloads. Includes path traversal, wrapper abuse, and filter bypass techniques.