A curated list of wordlists for API Hacking


  1. API endpoints & objects - Yassine Aboukir’s list of 3203 common API endpoints and objects designed for fuzzing
  2. api-wordlist - A wordlist of API names for web application assessments
  3. Assetnote Wordlists - Automated & Manual Wordlists provided by Assetnote
  4. Cook - An overpowered wordlist generator, splitter, merger, finder and saver that creates word permutations and combinations, applies different encodings/decodings, and everything else you need
  5. fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery
  6. fuzz.txt - Potentially dangerous files
  7. Hacking-APIs - hAPI Hacker’s collection of API paths and wordlists
  8. leaky-paths - A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs etc…
  9. PayloadsAllTheThings - A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
  10. SecLists - It’s a collection of multiple types of lists used during security assessments, collected in one place


  1. https://github.com/carlospolop/Auto_Wordlists
  2. https://github.com/cr0hn/nosqlinjection_wordlists
  3. https://github.com/orwagodfather/My-WordLISTs
  4. https://github.com/SilverPoision/a-full-list-of-wordlists
  5. https://github.com/Dormidera/WordList-Compendium
  6. https://github.com/trickest/wordlists
  7. https://github.com/3ndG4me/KaliLists
  8. https://github.com/trickest/mkpath
  9. https://github.com/YaS5in3/Bug-Bounty-Wordlists
  10. https://github.com/Karanxa/Bug-Bounty-Wordlists
  11. https://github.com/shifty0g/wordlist-tools
  12. https://github.com/Net-hunter121/API-Wordlist
  13. https://github.com/BlackArch/wordlistctl
  14. https://github.com/initstring/passphrase-wordlist