A curated collection of wordlists for security testing — content discovery, fuzzing, password cracking, username enumeration, payload generation, and source-code pattern matching.
⚠️ For authorized security testing and education only. These lists are intended for use against systems you own or have explicit permission to test. The password and credential lists in particular contain real leaked/default data — handle and use them responsibly.
📦 This is a large repo (~1.6 GB, 5,300+ files). A full `git clone` pulls everything. To grab just one category, use a sparse / partial checkout (see Cloning a subset below) rather than cloning the whole thing.
| Category | Files | What's in it |
|---|---|---|
| Discovery | ~275 | Content & infrastructure discovery. Web-Content/ (246 files — directory/file brute lists), plus DNS/, SNMP/, Mainframe/, Infrastructure/, and template Variables/. |
| Fuzzing | ~4,590 | The bulk of the repo. Fuzz strings and injection payloads — format strings, "big list of naughty strings", command-injection, charset/digit brute lists (3–6 digit, alphanumeric), file extensions, and database-/tech-specific fuzz sets. |
| Passwords | ~170 | Password cracking lists — darkweb2017 top-N, darkc0de, default-credential sets, per-language lists, leaked-database dumps, honeypot captures, and cracked-hash collections. |
| Usernames | ~14 | Username enumeration — xato-net-10-million-usernames, default usernames (cirt, SAP, MSSQL), common admin names, and name lists. |
| Payloads | ~37 | Malicious-file payloads for upload/handling tests — zip bombs, zip-traversal, AV test files, Flash, crafted images, PHPInfo. |
| Pattern-Matching | ~11 | Grep strings for source-code auditing — dangerous PHP/Angular functions, PHP magic hashes, error strings, and malicious-pattern signatures. |
| Miscellaneous | ~210 | Everything else — language wordlists (EN/FR/DE/ES/PT), DNS resolvers, top-domain lists (Alexa/Majestic), EFF dice lists, security-question answers, and source-code samples. |
| IOCs | ~6 | Indicators of compromise — Kaspersky "Careto" / The Mask APT C2, domains, file paths, and registry keys. |
- `common-php-files.txt`: common PHP filenames for web content discovery.
- `graphql.txt`: GraphQL endpoint / field name wordlist.
- `password_files`: common password-file paths (useful as an LFI / path-traversal target list).
The whole repo is large. To pull only the directory you need, use a sparse checkout:
```bash
# --filter=blob:none makes this a partial clone: blobs outside the selected
# subtree are not downloaded (--depth 1 alone still fetches every file at HEAD)
git clone --no-checkout --depth 1 --filter=blob:none https://github.com/magikh0e/Wordlists.git
cd Wordlists
git sparse-checkout init --cone
git sparse-checkout set Discovery/Web-Content   # just one subtree
git checkout
```

Or download a single file directly without cloning:

```bash
curl -O https://raw.githubusercontent.com/magikh0e/Wordlists/main/common-php-files.txt
```

This is an aggregated collection. A large portion of the directory layout and contents derives from SecLists (Daniel Miessler, Jason Haddix, g0tmi1k, and contributors). If you want the canonical, continually-updated upstream, go there.
Other notable sources represented here include the darkc0de and darkweb2017 password lists, the xato-net 10-million-usernames corpus, and Kaspersky's published IOCs for the "Careto" / The Mask campaign. Each wordlist remains under its original author's license and terms — this repo is a convenience mirror/aggregation, not a claim of authorship over the underlying lists.
No blanket license is applied to this collection — the constituent wordlists carry their own licenses from their respective upstreams (see Sources & attribution). Treat each list according to its origin.