thekingofduck/fuzzdicts

fuzzDicts is a Chinese-maintained collection of wordlists for web security testing and penetration testing. The README is in Chinese, but the content itself (plain text lists of words, paths, and payloads) is language-neutral and usable in any testing tool. The description is direct: "Web Pentesting Fuzz dictionaries, one is enough." The repository is organized into separate folders by attack type. It includes: parameter name lists for fuzzing web form inputs (sourced from common PHP frameworks and CMS platforms like ThinkPHP, WordPress, and Discuz), XSS payload lists with hundreds of entries including official Burp Suite payloads, username dictionaries that include top Chinese surnames in phonetic spelling, common phone number patterns, and security researcher IDs, password dictionaries covering weak passwords for routers and security devices, webshell passwords, and a "strong-but-weak" password list of passwords that look complex but follow predictable patterns, directory path lists for finding hidden admin pages and common vulnerability paths, SQL injection fuzzing strings, SSRF test paths including Linux system file locations, XXE payloads, CTF challenge wordlists, API endpoint guesses, router admin panel default credentials, and file extension lists for upload bypass testing. There is also a subdomain dictionary and a JavaScript file dictionary. The repository is updated periodically. The maintainer recommends running git pull before use to pick up the latest additions. Community members can contribute new dictionaries by submitting pull requests. The README also lists recommended tools to pair with these dictionaries: Burp Suite, sqlmap, Wfuzz, xssfork, and webdirscan. These are standard penetration testing tools that accept wordlist files as input for automated scanning. This is a resource aimed at security professionals and penetration testers doing authorized assessments of web applications.