Load SQL injection and XSS payload lists into Burp Suite or OWASP ZAP to test a web application for input vulnerabilities.
Use directory discovery wordlists to find hidden admin panels, log files, and config files left on a server.
Apply response analysis regex patterns to scan server responses for leaked credentials or sensitive data.
Antivirus software will flag the files; this is expected given the content. Do not store the repository on a production server.
FuzzDB is a large collection of text files used by security testers to find weaknesses in web applications and other software. It is not a program you run on its own. Instead, it is a library of test inputs, patterns, and lists that you feed into security testing tools to see how a target application responds to unusual or malicious input.

The collection is organized into three main categories. Attack patterns are lists of strings that have historically caused applications to misbehave: things like SQL injection payloads, scripts that could trigger cross-site scripting (XSS) vulnerabilities, inputs that expose files on a server, authentication bypass tricks, and many others. Discovery lists contain common file and directory names that administrators often leave in predictable locations, such as log files, admin panels, and configuration files, sorted by platform and application type. Response analysis contains regular expressions you can use to search server responses for signs of success, such as error messages, credit card numbers, or social security number patterns.

The repository also includes webshells (scripts attackers sometimes upload to gain control of a server), common username and password lists, and other wordlists useful during penetration testing. Many directories contain their own notes explaining how to use the contents.

Security testers use FuzzDB alongside tools like Burp Suite, OWASP ZAP, and Metasploit. It is already bundled into several well-known security tools and Linux distributions aimed at security professionals. The README warns that antivirus software may flag the files, which is expected given the content, and advises against storing the repository on a production server.

The project was created in 2010 and is licensed under a combination of the New BSD License and Creative Commons Attribution. Anyone using FuzzDB in their work or products is asked to credit the project.
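The response-analysis category described above is the one most easily turned into a detection step: load a list of regexes and run them over captured server responses to spot leaked sensitive data or verbose error messages. The following is an added example and not FuzzDB's own code; it assumes a pattern file laid out as one `name<TAB>regex` per line (an assumption, not necessarily FuzzDB's layout), uses constructed patterns and a constructed response body, and adds a Luhn check so that random digit runs are not reported as card numbers.

```python
"""FuzzDB-style response analysis: run regexes over a server response body.
Added example, not FuzzDB's own code. Assumed pattern-file format: one
'name<TAB>regex' per line, '#' lines are comments; all data is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed pattern list in the assumed format (not copied from FuzzDB).
SAMPLE_PATTERNS = """
# name<TAB>regex
sql_error\tYou have an error in your SQL syntax|ORA-\\d{5}|Unclosed quotation mark
ssn\t\\b\\d{3}-\\d{2}-\\d{4}\\b
credit_card\t\\b\\d(?:[ -]?\\d){12,15}\\b
"""
# Constructed server response; the first 16-digit run is not a valid card number.
SAMPLE_RESPONSE = (
    "<html><body>Order #1234 5678 9012 3456 failed.\n"
    "You have an error in your SQL syntax; check the manual\n"
    "Customer SSN: 123-45-6789, card on file 4111 1111 1111 1111</body></html>"
)

def load_patterns(text: str) -> Dict[str, re.Pattern]:
    """Parse 'name<TAB>regex' lines into compiled, case-insensitive patterns."""
    patterns: Dict[str, re.Pattern] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, regex = line.partition("\t")
        patterns[name] = re.compile(regex, re.IGNORECASE)
    return patterns

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed([c for c in candidate if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_response(body: str, patterns: Dict[str, re.Pattern]) -> List[Tuple[str, str]]:
    """Return (pattern_name, matched_text) hits; card hits must also pass Luhn."""
    hits = []
    for name, rx in patterns.items():
        for m in rx.finditer(body):
            if name == "credit_card" and not luhn_ok(m.group(0)):
                continue  # digit run that only looks like a card number
            hits.append((name, m.group(0)))
    return hits

def scan_sample() -> List[Tuple[str, str]]:
    """Run the constructed patterns over the constructed response."""
    return scan_response(SAMPLE_RESPONSE, load_patterns(SAMPLE_PATTERNS))
```

Swap `SAMPLE_PATTERNS` for the contents of a real pattern file and `SAMPLE_RESPONSE` for a captured body to use this against saved proxy output.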