A comprehensive collection of directory and path payloads for web application security testing, penetration testing, and bug bounty hunting. This repository contains carefully curated wordlists designed to discover hidden directories, files, and endpoints during web application reconnaissance and enumeration.
- Overview
- Payload Categories
- Installation
- Usage
- Payload Descriptions
- Best Practices
- Contributing
- Legal Disclaimer
- License
This repository provides organized and categorized payload lists specifically designed for directory and file enumeration during web application security assessments. Each payload list is carefully crafted to target specific technologies, frameworks, and common misconfigurations.
- ✅ Organized Categories: Payloads are grouped by technology, purpose, and target
- ✅ Regular Updates: Continuously updated with new patterns and discoveries
- ✅ Burp Suite Ready: All payloads are formatted for direct use with Burp Suite Intruder
- ✅ Tool Agnostic: Compatible with all major enumeration tools
- ✅ No Duplicates: Each list is deduplicated and optimized
- ✅ Real-World Tested: Payloads derived from actual penetration testing scenarios
| File | Description | Count | Best For |
|---|---|---|---|
| common-directories.txt | Most common web directories and paths | 206 | Initial reconnaissance, quick scans |
| webserver-directories.txt | Web server specific paths and config files | 101 | Server configuration discovery, version detection |
| backup-sensitive.txt | Backup files and sensitive data locations | 184 | Finding exposed backups, credentials, logs |
| cms-directories.txt | CMS-specific paths (WordPress, Joomla, Drupal, etc.) | 329 | CMS identification and exploitation |
| api-endpoints.txt | API paths, REST/GraphQL endpoints, documentation | 254 | API discovery, endpoint enumeration |
| dev-test-directories.txt | Development and testing environment paths | 239 | Finding dev/staging environments |
| cloud-platforms.txt | Cloud service paths (AWS, Azure, GCP, etc.) | 251 | Cloud infrastructure discovery |
| admin-panels.txt | Admin panel locations and login pages | 299 | Access control testing, authentication bypass |
| database-directories.txt | Database-related paths and management tools | 277 | Database exposure, admin interfaces |
| language-framework.txt | Programming language and framework specific paths | 464 | Technology stack identification |
| special-encoded.txt | Path traversal, encoding variations | 308 | Path traversal attacks, filter bypass |
| file-extensions.txt | Common file extensions for content discovery | 342 | File type enumeration, upload testing |
```bash
git clone https://github.com/payload-box/directory-payload-list.git
cd directory-payload-list

# Navigate to the Intruder directory
cd Intruder

# List all available payloads
ls -la

# View a specific payload file
cat common-directories.txt
```
- Configure Intruder Position
  - Send a request to Burp Suite Intruder
  - Set the injection point:

    ```
    GET /§payload§ HTTP/1.1
    ```

- Load Payloads
  - Go to the "Payloads" tab
  - Click "Load" and select a payload file from the `Intruder/` directory
  - Start the attack
- Recommended Settings
  - Payload type: Simple list
  - Payload processing: URL-encode special characters (if needed)
  - Grep - Match: Add common success indicators (200, 301, 302, 403)
```bash
# Basic directory fuzzing
ffuf -w Intruder/common-directories.txt -u https://target.com/FUZZ

# With custom wordlist and filters
ffuf -w Intruder/api-endpoints.txt -u https://target.com/FUZZ \
  -mc 200,301,302,401,403 -fs 0

# Multiple wordlists
ffuf -w Intruder/common-directories.txt:DIRS \
  -w Intruder/file-extensions.txt:EXTS \
  -u https://target.com/DIRS.EXTS

# Recursive scanning
ffuf -w Intruder/common-directories.txt -u https://target.com/FUZZ \
  -recursion -recursion-depth 2
```

```bash
# Basic scan
dirsearch -u https://target.com -w Intruder/common-directories.txt

# CMS-specific scan
dirsearch -u https://target.com -w Intruder/cms-directories.txt \
  -e php,html,js,txt

# Multiple targets
dirsearch -l targets.txt -w Intruder/api-endpoints.txt \
  --format=json -o results.json
```

```bash
# Directory enumeration
gobuster dir -u https://target.com \
  -w Intruder/common-directories.txt \
  -t 50 -s "200,204,301,302,307,401,403"

# API endpoint discovery
gobuster dir -u https://target.com \
  -w Intruder/api-endpoints.txt \
  -p pattern.txt

# With extensions
gobuster dir -u https://target.com \
  -w Intruder/backup-sensitive.txt \
  -x php,txt,bak,old,zip
```

```bash
# Basic fuzzing
wfuzz -w Intruder/common-directories.txt \
  https://target.com/FUZZ

# Filter by response code
wfuzz -w Intruder/admin-panels.txt \
  --sc 200,301,302,401,403 \
  https://target.com/FUZZ

# Hide specific response codes
wfuzz -w Intruder/dev-test-directories.txt \
  --hc 404 \
  https://target.com/FUZZ
```

`common-directories.txt`: Contains the most frequently encountered directory names in web applications. Perfect for initial reconnaissance and quick scans. Includes standard paths like /admin, /api, /upload, /backup, etc.
`webserver-directories.txt`: Targets web server-specific files and directories including configuration files, version control systems, environment files, and common server management interfaces like phpMyAdmin, server-status, and various admin consoles.

`backup-sensitive.txt`: Focuses on discovering backup files, database dumps, configuration backups, sensitive files, credentials, and logs. Essential for finding exposed sensitive data and security misconfigurations.

`cms-directories.txt`: Comprehensive list of paths for popular Content Management Systems including WordPress, Joomla, Drupal, Magento, PrestaShop, Typo3, and many others. Includes plugin directories, theme paths, and admin interfaces.

`api-endpoints.txt`: Targets modern API architectures including REST, GraphQL, SOAP endpoints, API documentation (Swagger, OpenAPI), health checks, webhooks, and various API versioning patterns.

`dev-test-directories.txt`: Identifies development, testing, staging, and debugging environments. Useful for finding pre-production systems, test data, debug interfaces, and experimental features.

`cloud-platforms.txt`: Cloud-specific paths for AWS, Azure, GCP, Firebase, Heroku, and other cloud platforms. Includes service-specific endpoints, management interfaces, and cloud storage paths.

`admin-panels.txt`: Extensive collection of admin panel locations, login pages, control panels, and administrative interfaces across different technologies and languages.

`database-directories.txt`: Database-related paths including database management tools (phpMyAdmin, Adminer), database backup locations, database configuration files, and various database technologies.

`language-framework.txt`: Technology stack-specific paths for programming languages and frameworks (PHP, Python, Java, Node.js, Ruby, .NET, Go, and many others). Helps identify the underlying technology.

`special-encoded.txt`: Advanced payload list featuring path traversal sequences, encoding variations, null byte injections, and special character combinations for filter bypass and security testing.

`file-extensions.txt`: Comprehensive list of file extensions for content discovery, upload testing, and identifying different file types in web applications.
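The encoding variants that `special-encoded.txt` exercises all exploit the same ordering mistake: a filter inspects the raw request string and the server decodes it afterwards, so an encoded `..` or a `%00` is invisible to the check but live by the time the file is opened. The defensive fix is to reverse the order: decode until the string stops changing, reject control bytes, collapse dot segments, and only then confirm the result still sits under the web root. The following is an added example written for this README, not code from this repository; the web root `/var/www/html`, the three-round decoding bound and the function names are assumptions.

```python
"""Canonicalise a request path before any allow/deny decision (added example)."""
import posixpath
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a path cannot be safely mapped under the web root."""


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable and reject control bytes.

    max_rounds is an assumed bound: a request that is still changing after
    three decode passes is treated as hostile rather than decoded further.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]   # query and fragment are not path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break                                   # stable, fully decoded
        path = decoded
    else:
        raise UnsafePath("still encoded after %d decode rounds" % max_rounds)
    if any(ord(c) < 0x20 for c in path):            # covers %00 null bytes
        raise UnsafePath("control byte in path")
    return path.replace("\\", "/")                  # treat backslash as a separator


def resolve_under_root(raw: str, root: str = "/var/www/html") -> str:
    """Map a request path to a filesystem path that must stay under root.

    root is an assumed example web root. Dot segments are collapsed only
    after decoding, so an encoded '..' cannot slip past the check.
    """
    path = decode_path(raw)
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise UnsafePath("escapes web root: %s" % full)
    return full


def is_safe(raw: str, root: str = "/var/www/html") -> bool:
    """True if resolve_under_root accepts the path, False if it rejects it."""
    try:
        resolve_under_root(raw, root)
    except UnsafePath:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: an ordinary request, then the three classic bypass shapes.
    for req in ["/admin/../images/logo.png", "/..%2F..%2Fetc%2Fpasswd",
                "/%252e%252e/%252e%252e/etc/passwd", "/index.php%00.txt"]:
        print(f"{req!r}: {'ok -> ' + resolve_under_root(req) if is_safe(req) else 'REJECTED'}")
```

The important property is that the decision is made on the canonical form, so a single check covers plain, single-encoded and double-encoded traversal alike; a filter that matched the literal string `../` would pass the second and third requests untouched.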
- Start Broad: Begin with `common-directories.txt` for initial reconnaissance
- Identify Technology: Use responses to determine the technology stack
- Target Specific: Switch to technology-specific lists (CMS, framework, etc.)
- Deep Dive: Use specialized lists like `backup-sensitive.txt` or `api-endpoints.txt`
- Bypass Filters: Employ `special-encoded.txt` if encountering input validation
- Rate Limiting: Always respect rate limits and implement delays
- Thread Control: Start with fewer threads (10-20) and increase gradually
- Response Filtering: Filter out noise (404s, error pages) to focus on interesting results
- Time Management: Use timeouts to avoid hanging on slow responses
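The rate-limiting and filtering advice above describes a scan from the tester's side; the same scan is what a defender looks for in the access log, and knowing what that trace looks like is how you judge whether a thread count is "gradual" enough. The signal does not depend on the User-Agent, which is trivially changed: one client, many distinct paths, almost all 404, within seconds. The following is an added example written for this README, not code from this repository: a parser for Combined Log Format lines feeding a per-client sliding window. The 60-second window, the threshold of five distinct 404 paths and the log lines are all constructed for the demo.

```python
"""Spot a wordlist scan in web server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walking a wordlist, one ordinary visitor
# who hits the same broken link twice. Addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:12:00:01 +0000] "GET /api HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:12:00:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:12:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:12:00:03 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:12:00:06 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:12:05:06 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: peak distinct-404 count} for clients over threshold.

    window and threshold are assumed demo values: tune them to the site's
    baseline, where broken links produce a few 404s, not dozens per minute.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, path) of recent 404 hits
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        hits = recent[rec["ip"]]
        hits.append((rec["ts"], rec["path"]))
        while hits and rec["ts"] - hits[0][0] > window:
            hits.popleft()            # expire hits that fell out of the window
        distinct = len({path for _, path in hits})
        if distinct >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct 404 paths within 60s, likely enumeration")
```

Counting distinct paths rather than raw 404s is what separates a scan from a visitor reloading a dead link; the second client here produces two 404s and is never flagged.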
- ✅ Only test applications you have explicit permission to test
- ✅ Follow coordinated disclosure practices
- ✅ Respect bug bounty program rules and scope
- ✅ Don't perform DoS attacks or resource exhaustion
- ✅ Report vulnerabilities responsibly
Contributions are welcome! If you have additional payloads, improvements, or bug fixes:
- Fork the repository
- Create a new branch (`git checkout -b feature/new-payloads`)
- Add your payloads with proper categorization
- Ensure no duplicates exist
- Commit your changes (`git commit -m 'Add new payloads'`)
- Push to the branch (`git push origin feature/new-payloads`)
- Open a Pull Request
- Maintain alphabetical ordering within files
- One entry per line
- Remove duplicates before submitting
- Add description to README if adding new category
- Test payloads before submitting
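The three mechanical rules above (one entry per line, no duplicates, alphabetical order) are easy to check before opening a pull request. The following linter is an added example written for this README, not a tool shipped with this repository. It assumes "alphabetical" means plain byte order, the order `sort` gives with `LC_ALL=C`, and the sample list it runs on by default is constructed to contain each kind of problem.

```python
"""Lint a payload wordlist against the contribution rules (added example)."""
from __future__ import annotations

import sys
from pathlib import Path


def lint_wordlist(lines: list[str]) -> dict:
    """Check a list of raw lines and return a report.

    Rules: one entry per line (surrounding whitespace and blank lines are
    noise), no exact duplicates, byte-order sorting. Entries are kept
    case-sensitive because /Admin and /admin are different payloads.
    """
    cleaned: list[str] = []
    seen: set[str] = set()
    duplicates: list[str] = []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue                      # blank line carries no payload
        if entry in seen:
            duplicates.append(entry)      # exact repeat: drop it
            continue
        seen.add(entry)
        cleaned.append(entry)
    # Adjacent pairs that violate byte order, in the order they were found.
    out_of_order = [(a, b) for a, b in zip(cleaned, cleaned[1:]) if a > b]
    return {
        "entries": sorted(cleaned),       # what the file should contain
        "duplicates": duplicates,
        "out_of_order": out_of_order,
        "was_sorted": not out_of_order,
    }


# Constructed sample list with the problems the linter should catch.
SAMPLE = [
    "/admin",
    "/api",
    "",               # blank line
    "/backup ",       # trailing whitespace
    "/admin",         # duplicate
    "/.git",          # out of order: '.' sorts before 'a'
]

if __name__ == "__main__":
    source = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE
    report = lint_wordlist(source)
    print(f"{len(report['entries'])} entries, "
          f"{len(report['duplicates'])} duplicates removed, "
          f"sorted={report['was_sorted']}")
    for a, b in report["out_of_order"]:
        print(f"  out of order: {a!r} is listed before {b!r}")
```

Saved as, say, `lint_wordlist.py`, it takes a file path as its only argument (`python lint_wordlist.py Intruder/common-directories.txt`) and without one runs on the constructed sample; `report["entries"]` is the cleaned, sorted content you would write back to the file.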
This repository is intended for educational purposes and authorized security testing only.
Important:
- Only use these payloads on systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- The authors and contributors are not responsible for misuse or damage caused by this tool
- Always comply with local laws and regulations
- Follow responsible disclosure practices
By using this repository, you agree to use it responsibly and ethically.
This project is licensed under the MIT License - see the LICENSE file for details.
- Thanks to the security research community
- Inspired by various enumeration tools and wordlists
- Contributors and bug bounty hunters who helped improve these lists
- GitHub Issues: Report bugs or request features
- Pull Requests: Contribute to the project
If you find this project useful, please consider giving it a star ⭐
Happy Hunting! 🎯
Remember: With great power comes great responsibility. Always test ethically and legally.