There's Nothing so Permanent as Temporary
bo0om / fuzz.txt
Potentially dangerous files
Home Page: https://t.me/webpwn
License: Do What The F*ck You Want To Public License
.circleci/.firebase.secrets.json.enc
.circleci/.firebase.secrets.json
If you google how to list all ASP.NET routes, many of the top recommendations are to create a new route, /debug/routes or /routes, that enumerates them. There are probably similar "recommendations" for other frameworks too.
https://www.meziantou.net/list-all-routes-in-an-asp-net-core-application.htm
https://stackoverflow.com/questions/41908957/get-all-registered-routes-in-asp-net-core
Add:
debug/routes
routes
This was reported in danielmiessler/SecLists#943
Two entries in the list were caught by Akamai WAF
remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd
remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
This is meant to be an informative notice so no immediate actions need to be taken.
How about adding /phpbb path?
I think this word should be added
vtigercrm
.dmp and .sav
.dmp is sometimes generated by windows unattended upgrade/migration scripts/tools
.sav common for doze nimdas to name their +1 old backup of registry hives
.sys while you're at it.. pagefile(s)
.out
Consider adding checks for Spring Boot Actuator, which if openly accessible in production can be leveraged to run trace, dump memory, manipulate environment variables, etc. [1][2][3]
/actuator
/actuator/auditevents
/actuator/autoconfig
/actuator/beans
/actuator/caches
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/flyway
/actuator/health
/actuator/httptrace
/actuator/info
/actuator/integrationgraph
/actuator/loggers
/actuator/liquibase
/actuator/metrics
/actuator/mappings
/actuator/scheduledtasks
/actuator/sessions
/actuator/shutdown
/actuator/threaddump
/actuator/heapdump
/actuator/jolokia
/actuator/logfile
/actuator/prometheus
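As an added defender's example (constructed here, not part of this issue or of the fuzz.txt project): a Spring Boot `application.yml` with the permissive Actuator exposure that makes the endpoints above reachable, beside a restricted one. Property names are standard Spring Boot 2.x/3.x management settings; the port number and bind address are assumptions.

```yaml
# Constructed example, not from the fuzz.txt repository. Property names are
# standard Spring Boot 2.x/3.x management settings; port and address are assumed.

# ===== Before: application.yml that serves every endpoint on the app port =====
management:
  endpoints:
    web:
      exposure:
        include: "*"          # env, heapdump, threaddump, mappings, logfile, ...
  endpoint:
    shutdown:
      enabled: true           # POST /actuator/shutdown stops the JVM
    health:
      show-details: always    # leaks datasource, disk and component details

---
# ===== After: only health and info, on a separate internal management port =====
management:
  server:
    port: 8081                # assumed; keep this port off the public interface
    address: 127.0.0.1        # assumed; bind management endpoints locally only
  endpoints:
    web:
      exposure:
        include: health,info  # anything not listed here is not served at all
        exclude: env,heapdump,threaddump,shutdown  # exclude takes precedence over include
  endpoint:
    shutdown:
      enabled: false          # the default, stated explicitly
    health:
      show-details: never     # plain UP/DOWN only
```

With the second configuration, requests for the paths listed in this issue on the application port no longer reach an Actuator endpoint, and only health/info remain, on the separate management port.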
.bak
g
I think if there is robots.txt in your wordlist, it would be nice to add the security.txt file:
.well-known/security.txt
script to run it?
Any image file could be dangerous; people will click on to open.
PDFs are in themselves dangerous, esp if they execute scripts inside.
N
Not sure if you want a PR for this, but I suggest removing potential logout URLs. They are a lot more problematic than useful in my opinion, and don't fit this targeted list well.
logout
logout.asp
logout/
Add fuzz.txt to the list. How is it dangerous? SkriptKiddies could use this to find out how the listed files are dangerous, and use them.