Top Related Projects
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
🎯 Command Injection Payload List
Quick Overview
The assetnote/wordlists repository is a collection of wordlists for security testing and research purposes. It contains various types of wordlists, including subdomains, content discovery, and parameters, which are regularly updated and maintained by the Assetnote team and community contributors.
Pros
- Comprehensive collection of wordlists for different security testing scenarios
- Regularly updated with new entries and improvements
- Includes both general-purpose and specialized wordlists
- Community-driven project with contributions from security researchers
Cons
- Large file sizes may be challenging for users with limited storage or bandwidth
- Some wordlists may contain irrelevant or outdated entries
- Potential for misuse if not used responsibly in security testing
- Lack of detailed documentation for each wordlist's specific use case
As this is not a code library, we'll skip the code examples and getting started instructions sections.
Competitor Comparisons
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Pros of SecLists
- More comprehensive collection of wordlists covering various security testing scenarios
- Well-organized directory structure for easy navigation
- Regularly updated with contributions from the security community
Cons of SecLists
- Large repository size may be overwhelming for some users
- Some wordlists may be outdated or less relevant for specific use cases
- Potential for duplicate entries across different lists
Code Comparison
SecLists:
admin
administrator
root
user
guest
wordlists:
admin
admin123
administrator
root
user
Summary
SecLists offers a more extensive collection of wordlists with better organization, making it suitable for a wide range of security testing scenarios. However, its large size may be overwhelming for some users, and some lists might contain outdated entries.
wordlists, on the other hand, provides a more focused set of wordlists that are regularly updated and optimized for specific use cases. While it may not cover as many scenarios as SecLists, it offers high-quality, curated lists that are particularly useful for certain types of security testing.
Both repositories have their strengths and can be valuable resources for security professionals, depending on their specific needs and preferences.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Pros of PayloadsAllTheThings
- Comprehensive collection of payloads for various attack vectors and security testing scenarios
- Well-organized structure with categories for different types of vulnerabilities
- Includes explanations and methodologies alongside payloads
Cons of PayloadsAllTheThings
- May require more filtering and customization for specific use cases
- Less focused on pure wordlists, which can be more efficient for certain tasks
- Potentially overwhelming for beginners due to the breadth of information
Code Comparison
PayloadsAllTheThings (SQL Injection):
' OR '1'='1
' OR 1=1--
' UNION SELECT NULL,NULL,NULL--
Wordlists (common.txt):
admin
password
123456
test
root
PayloadsAllTheThings offers more complex, attack-specific payloads, while Wordlists provides simple, commonly used strings for various purposes. The former is better suited for targeted security testing, while the latter is more versatile for general fuzzing and brute-force attempts.
Both repositories serve different purposes in the security testing ecosystem. PayloadsAllTheThings is ideal for penetration testers and security researchers looking for specific attack payloads, while Wordlists is more suitable for tasks requiring extensive lists of common words, usernames, or passwords.
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
Pros of fuzzdb
- More comprehensive collection of fuzzing payloads and attack patterns
- Includes additional resources like web-discovery lists and regex patterns
- Better organized directory structure for easier navigation
Cons of fuzzdb
- Less frequently updated compared to wordlists
- May contain outdated or less relevant entries
- Larger repository size, which can be overwhelming for some users
Code Comparison
fuzzdb:
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
wordlists:
admin
password
123456
12345678
qwerty
Summary
Both repositories offer valuable resources for security testing and fuzzing. fuzzdb provides a more extensive collection of attack patterns and discovery lists, while wordlists focuses on frequently updated, targeted wordlists. The choice between the two depends on the specific needs of the user and the type of security testing being performed.
A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
Pros of IntruderPayloads
- More diverse payload types, including XSS, SQLi, and command injection
- Organized into specific attack categories for easier navigation
- Includes some custom scripts and tools for payload generation
Cons of IntruderPayloads
- Less frequently updated compared to wordlists
- Smaller overall collection of wordlists and payloads
- Some payloads may be outdated or less effective against modern security measures
Code Comparison
IntruderPayloads:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
';--
wordlists:
admin
password
123456
root
Summary
IntruderPayloads focuses on providing a variety of attack-specific payloads, while wordlists offers a more extensive collection of general-purpose wordlists. IntruderPayloads is better suited for targeted penetration testing scenarios, whereas wordlists is more useful for broader fuzzing and brute-force attempts.
IntruderPayloads excels in offering ready-to-use payloads for specific vulnerabilities, making it valuable for quick tests. However, wordlists provides a larger and more frequently updated collection, which can be more beneficial for comprehensive security assessments and staying current with evolving attack vectors.
The choice between these repositories depends on the specific needs of the security professional, with IntruderPayloads being more suitable for targeted attacks and wordlists for broader, more general testing scenarios.
🎯 Command Injection Payload List
Pros of command-injection-payload-list
- Focused specifically on command injection payloads, making it more targeted for this type of vulnerability
- Includes a variety of payload types, including OS-specific and encoding variations
- Well-organized structure with clear categories for different payload types
Cons of command-injection-payload-list
- Limited scope compared to wordlists, which covers a broader range of security testing scenarios
- Smaller overall collection of payloads and less frequently updated
- May not include as many edge cases or specialized payloads as wordlists
Code Comparison
command-injection-payload-list:
;netstat -a;
|netstat -a|
`netstat -a`
wordlists:
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ
/proc/self/cmdline
The code snippets show that command-injection-payload-list focuses on command execution payloads, while wordlists includes a broader range of potential targets and file paths.
Both repositories serve different purposes in security testing. command-injection-payload-list is more specialized for command injection vulnerabilities, while wordlists provides a comprehensive collection of wordlists for various security testing scenarios. The choice between them depends on the specific testing requirements and the scope of the security assessment being conducted.
README
Assetnote Wordlists
See and download all the wordlists at https://wordlists.assetnote.io/
When performing security testing against an asset, it is vital to have high quality wordlists for content and subdomain discovery. This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet.
Wordlists are generated on the 28th of each month, using Commonspeak2 and GitHub Actions. If there's an extension or technology that you would like a wordlist for, but it's not included in this repo, send us a PR and it will be included on this page after the next run.
Assetnote Continuous Security automatically maps your external assets and monitors them for changes and security issues to help prevent serious breaches. If you want to protect your attack surface and would like a demonstration of our product, please reach out to us by submitting our contact form.
Download all wordlists
You can download all the wordlists generated by this project by using the following command:
wget -r --no-parent -R "index.html*" -e robots=off https://wordlists-cdn.assetnote.io/data/ -nH
How this repo works
On the 28th of every month, GitHub Actions workflows generate the wordlists using Commonspeak2. The resulting wordlists are then committed to a web server that is served through Cloudflare (CDN).
As part of the same GitHub Actions run, JSON files are generated by the gen-json.py script. These JSON files are also pushed to the repo and are loaded by index.html using DataTables.
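Added here to illustrate the JSON-index step described above; this is not the project's gen-json.py, whose output format the README does not show. It summarises a set of wordlists into records of the kind a DataTables page can load (the `data` wrapper key is the DataTables default), and the file names, field names and sample contents are all assumptions constructed for the example.

```python
import hashlib
import json
from pathlib import Path

# Constructed sample wordlists standing in for generated Commonspeak2 output.
# The file names and contents are invented for this example.
SAMPLE_WORDLISTS = {
    "httparchive_php_2024_01_28.txt": "admin\nindex.php\nlogin\nadmin\n\nconfig.php\n",
    "subdomains_2024_01_28.txt": "www\nmail\ndev\nstaging\n",
}


def summarize_wordlist(name, text):
    """Return one index record for a wordlist held in memory.

    Blank lines are ignored; duplicate entries are counted so a reader can
    spot lists that still need deduplication before use. The field names
    are assumed for this example, not taken from the project.
    """
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    unique = set(entries)
    raw = text.encode("utf-8")
    return {
        "name": name,
        "entries": len(entries),
        "unique": len(unique),
        "duplicates": len(entries) - len(unique),
        "bytes": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def build_index(wordlists):
    """Build records for a {name: text} mapping, sorted by name so runs are reproducible."""
    records = (summarize_wordlist(name, text) for name, text in wordlists.items())
    return sorted(records, key=lambda r: r["name"])


def index_directory(root):
    """Index every *.txt file under a directory on disk (wrapper around build_index)."""
    files = sorted(Path(root).glob("*.txt"))
    return build_index({p.name: p.read_text(encoding="utf-8", errors="replace") for p in files})


def write_index(records, path):
    """Write the records in the {"data": [...]} shape that DataTables expects by default."""
    Path(path).write_text(json.dumps({"data": records}, indent=2), encoding="utf-8")


if __name__ == "__main__":
    print(json.dumps({"data": build_index(SAMPLE_WORDLISTS)}, indent=2))
```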
Credits
- cqsd for his initial work on automating Commonspeak2 with GitHub actions.
- SecLists for their excellent wordlists for content discovery.
License
Copyright 2020 Assetnote
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Assetnote Pty. Ltd. - Twitter @assetnote