The wordlists repository has been established to provide a collection of curated wordlists that are generated through manual efforts by contributors from around the world. Researchers can generate custom wordlists by analyzing their Burp projects after conducting penetration testing on their targets for a few days. The precise process for manually creating these wordlists is outlined below.
Please be aware that the data added by our contributors has been generated through manual work on Burp Project files. To preserve the authenticity of this data, we kindly request that you refrain from contaminating it with wordlists already present in public repositories such as Assetnote, Seclists, and other comparable sources.
To download the wordlist, please execute the commands provided below in your shell:
curl "https://raw.githubusercontent.com/rashahacks/wordlists/main/master.txt" -o <filename.txt>
OR
wget "https://raw.githubusercontent.com/rashahacks/wordlists/main/master.txt" -o <filename.txt>
Users can extract all the possible words(parameters, values, endpoints) by piping the URLs from Burp project to few linux commands.
- Data Collection: Collect URLs in Burpsuite Project
- Words Extraction: Pipe the URLs to linux commands to extract words
- Cleaning: Remove researcher and program related words.
- Send a Pull Request.
- Hack at the organization for few days atleast and collect URLs with most of the application covered.
- Save the Burpsuite Project, Copy all URLs from HTTP history or Sitemap.
- Sort the URLs and Save in a text file.
cat burp_urls.txt| cut -d'/' -f4-100 | tr '/' '\n' | tr '?' '\n' | tr '&' '\n' | tr '=' '\n' | sort -u | tee wordlist.txt
cat wordlist.txt | grep -v <words-t-remove> | tee final_wordlist.txt
Please clean the wordlist after removing your personal data and program related data (program name, sensitive words that can reveal program info).
After completing all previous phases, create a PR and the team will accept your PR within a week.