SecLists.org is an online repository managed by , the creator of the ubiquitous Nmap Security Scanner. The site hosts searchable archives for dozens of the most influential mailing lists in the history of information security.
: Perhaps the most famous (and controversial) list, it was founded on the philosophy that vulnerabilities should be released publicly to force vendors into action, rather than being kept secret.
: Managed by Peter G. Neumann, this list focuses on the broader societal risks of computer systems—ranging from AI-assisted code overload to physical safety failures.
Disclaimer: SecLists is intended for educational purposes and authorized security testing only. Using these lists against systems you do not own or have permission to test is illegal.
Last updated review: 2025. SecLists continues to be actively maintained as part of OWASP.
It's not a polished commercial product, but it doesn't need to be. For anyone serious about security testing, this should be your first stop after installing your fuzzing tools.
Originally created by , it is now maintained by the community under the OWASP (Open Web Application Security Project) foundation.
| Feature | Description |
|---------|-------------|
| | RockYou, 10-million password list, common passwords, default credentials |
| Usernames | Top usernames, common admin names, names from breaches |
| Subdomains | Massive subdomain lists (from DNS dumpster, common names, etc.) |
| Fuzzing | SQLi, XSS, LFI, XXE, and other injection payloads |
| Web Content | Directory/file brute-force lists (common directories, backup files, logs, etc.) |
| Pattern Matching | Regex patterns for credit cards, SSNs, API keys, etc. |
| Misc | User-agents, fuzzing strings, secrets, and RT (real-time) wordlists |