Wordlists are collections of words, paths, usernames, or passwords used by various security testing tools. Pentest-Tools.com includes default wordlists, and you can create custom ones.
Creating and managing custom wordlists is available on NetSec, WebNetSec, and Pentest Suite plans. All users can view and use the default wordlists.

Tools that use wordlists

The following tools support custom wordlists:
| Tool | Wordlist use |
| --- | --- |
| URL Fuzzer | Directory and file discovery paths |
| Password Auditor | Username and password lists for credential testing |
| Subdomain Finder | Subdomain names for DNS enumeration |

URL Fuzzer

The URL Fuzzer uses wordlists to discover hidden directories, files, and endpoints on web servers.
  • Light scan: Uses a smaller, focused wordlist for quick discovery
  • Deep scan: Uses a large wordlist for wider coverage
  • Custom: Use your own wordlist for specific testing needs

Password Auditor

The Password Auditor uses two types of wordlists:
  • Username wordlists: Lists of common usernames to test
  • Password wordlists: Lists of common passwords to attempt

Subdomain Finder

The Subdomain Finder tests each name in the wordlist against DNS to find valid subdomains.

Default wordlists

Pentest-Tools.com includes several default wordlists that are available to all users:
| Wordlist | Description |
| --- | --- |
| Common usernames | Frequently used usernames for credential testing |
| Common passwords | Popular passwords for dictionary attacks |
| URL Fuzzer (Light) | Small wordlist for quick directory discovery |
| URL Fuzzer (Deep) | Large wordlist for thorough fuzzing |
| Subdomain enumeration | Common subdomain prefixes |

Default wordlists cannot be edited or deleted. They’re maintained by Pentest-Tools.com and optimized for common testing scenarios.

Creating custom wordlists

To create a custom wordlist:
  1. Go to Settings > Wordlists
  2. Click Create wordlist
  3. Enter a name and optional description
  4. Add your words (one per line)
  5. Save the wordlist

Wordlist limits

| Limit | Value |
| --- | --- |
| Maximum size | 16 MB |
| Maximum word length | 200 characters |

Some Unicode characters may take up more space than English characters. If your wordlist fails to save, try reducing its size.

Best practices for custom wordlists

Smaller, targeted wordlists are often more effective than huge generic ones. Create specialized wordlists for specific types of targets.
The system automatically removes duplicate entries, but starting with a clean list improves upload performance.
Name wordlists clearly (e.g., “API Endpoints”, “Swedish Passwords”) so you can easily find them later.
For password lists, include common variations like numbers, special characters, and case changes.
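
A pre-upload check for the limits and cleanup described above, as an added example that is not Pentest-Tools.com code. It assumes the 16 MB limit applies to the UTF-8 encoded file (taken as 16 × 1024 × 1024 bytes), that the 200-character limit counts characters rather than bytes, and that surrounding whitespace can be trimmed; `clean_wordlist`, `encoded_size` and `fits_limit` are hypothetical names.

```python
"""Pre-upload check for a custom wordlist (added example, not platform code)."""

MAX_BYTES = 16 * 1024 * 1024  # assumption: "16 MB" taken as 16 MiB of UTF-8
MAX_WORD_CHARS = 200          # from the limits table, counted in characters


def clean_wordlist(text):
    """Return (words, report): distinct non-empty words in first-seen order."""
    seen = set()
    words = []
    report = {"blank": 0, "duplicate": 0, "too_long": 0}
    for line in text.splitlines():
        word = line.strip()  # assumption: leading/trailing whitespace is noise
        if not word:
            report["blank"] += 1
        elif len(word) > MAX_WORD_CHARS:
            report["too_long"] += 1
        elif word in seen:
            report["duplicate"] += 1
        else:
            seen.add(word)
            words.append(word)
    return words, report


def encoded_size(words):
    """Size in bytes of the list saved one word per line as UTF-8."""
    return len("\n".join(words).encode("utf-8"))


def fits_limit(words, max_bytes=MAX_BYTES):
    """True when the encoded list is within the size limit."""
    return encoded_size(words) <= max_bytes


# Constructed sample: a blank line, a duplicate, padded whitespace,
# a 201-character entry, and two entries with multi-byte characters.
SAMPLE = ("admin\n\ncafé-menu\nadmin\n  backup \n"
          + "x" * 201 + "\nстраница\n")

if __name__ == "__main__":
    words, report = clean_wordlist(SAMPLE)
    chars = len("\n".join(words))
    print(words, report)
    print(f"{chars} characters, {encoded_size(words)} bytes, "
          f"fits: {fits_limit(words)}")
```

The sample shows the gap between character count and byte count that the Unicode note refers to: the cleaned list is 31 characters but 40 bytes once encoded.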

Managing wordlists

Editing wordlists

  1. Go to Settings > Wordlists
  2. Click on the wordlist you want to edit
  3. Modify the contents, name, or description
  4. Save your changes
After saving, the system reports the number of distinct, non-empty words in your wordlist.

Deleting wordlists

  1. Go to Settings > Wordlists
  2. Select the wordlist(s) to delete
  3. Click Delete
Deleted wordlists cannot be recovered. If a scheduled scan or robot uses a deleted wordlist, it will fall back to the default.

Sharing wordlists

You can share wordlists with team members:
  1. Go to Team in the sidebar
  2. Select the team member you want to share with
  3. Click Share and set the Wordlists permission level

Permission levels

| Permission | Capabilities |
| --- | --- |
| No access | Cannot see or use your wordlists |
| View | Can see and use your wordlists in scans |
| Edit | Can see, use, and modify your wordlists |

Shared wordlists appear in the team member’s wordlist dropdown when configuring scans.

Using wordlists in scans

When launching a scan that supports wordlists:
  1. Configure your target and scan options
  2. Select Custom scan type (or equivalent)
  3. Choose your wordlist from the dropdown
  4. The dropdown shows both your own wordlists and those shared with you

Wordlists in scheduled scans

Scheduled scans remember your wordlist selection. If the wordlist is later deleted:
  • The scheduled scan falls back to the default wordlist
  • You’ll be notified of the change

Wordlists in robots

Pentest robots can use wordlists for tools like URL Fuzzer and Password Auditor. Configure the wordlist when setting up the robot block.

Wordlist sources

Here are some popular external sources for security testing wordlists:
When using external wordlists, check that they comply with your testing authorization and scope.