> ## Documentation Index
> Fetch the complete documentation index at: https://pentest-tools.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Wordlists

> Manage and use custom wordlists for fuzzing and brute-force testing

Wordlists are collections of words, paths, usernames, or passwords used by various security testing tools. Pentest-Tools.com includes default wordlists, and you can create custom ones.

<Info>
  Creating and managing custom wordlists is available on **NetSec**, **WebNetSec**, and **Pentest Suite** plans. All users can view and use the default wordlists.
</Info>

## Tools that use wordlists

The following tools support custom wordlists:

| Tool                 | Wordlist Use                                       |
| -------------------- | -------------------------------------------------- |
| **URL Fuzzer**       | Directory and file discovery paths                 |
| **Password Auditor** | Username and password lists for credential testing |
| **Subdomain Finder** | Subdomain names for DNS enumeration                |

### URL Fuzzer

The URL Fuzzer uses wordlists to discover hidden directories, files, and endpoints on web servers.

* **Light scan**: Uses a smaller, focused wordlist for quick discovery
* **Deep scan**: Uses a large wordlist for wider coverage
* **Custom**: Use your own wordlist for specific testing needs

### Password auditor

The Password Auditor uses two types of wordlists:

* **Username wordlists**: Lists of common usernames to test
* **Password wordlists**: Lists of common passwords to attempt

### Subdomain finder

The Subdomain Finder tests each name in the wordlist against DNS to find valid subdomains.

## Default wordlists

Pentest-Tools.com includes several default wordlists that are available to all users:

| Wordlist              | Description                                      |
| --------------------- | ------------------------------------------------ |
| Common usernames      | Frequently used usernames for credential testing |
| Common passwords      | Popular passwords for dictionary attacks         |
| URL Fuzzer (Light)    | Small wordlist for quick directory discovery     |
| URL Fuzzer (Deep)     | Large wordlist for thorough fuzzing              |
| Subdomain enumeration | Common subdomain prefixes                        |

<Tip>
  Default wordlists cannot be edited or deleted. They're maintained by Pentest-Tools.com and optimized for common testing scenarios.
</Tip>

## Creating custom wordlists

To create a custom wordlist:

1. Go to **Settings > Wordlists**
2. Click **Create wordlist**
3. Enter a **name** and optional **description**
4. Add your words (one per line)
5. Save the wordlist

### Wordlist limits

| Limit               | Value          |
| ------------------- | -------------- |
| Maximum size        | 16 MB          |
| Maximum word length | 200 characters |

<Note>
  Some Unicode characters may take up more space than English characters. If your wordlist fails to save, try reducing its size.
</Note>

### Best practices for custom wordlists

<AccordionGroup>
  <Accordion title="Keep wordlists focused">
    Smaller, targeted wordlists are often more effective than huge generic ones. Create specialized wordlists for specific types of targets.
  </Accordion>

  <Accordion title="Remove duplicates">
    The system automatically removes duplicate entries, but starting with a clean list improves upload performance.
  </Accordion>

  <Accordion title="Use descriptive names">
    Name wordlists clearly (e.g., "API Endpoints", "Swedish Passwords") so you can easily find them later.
  </Accordion>

  <Accordion title="Include variations">
    For password lists, include common variations like numbers, special characters, and case changes.
  </Accordion>
</AccordionGroup>

## Managing wordlists

### Editing wordlists

1. Go to **Settings > Wordlists**
2. Click on the wordlist you want to edit
3. Modify the contents, name, or description
4. Save your changes

After saving, the system reports the number of distinct, non-empty words in your wordlist.

### Deleting wordlists

1. Go to **Settings > Wordlists**
2. Select the wordlist(s) to delete
3. Click **Delete**

<Warning>
  Deleted wordlists cannot be recovered. If a scheduled scan or robot uses a deleted wordlist, it will fall back to the default.
</Warning>

## Sharing wordlists

You can share wordlists with team members:

1. Go to **Team** in the sidebar
2. Select the team member you want to share with
3. Click **Share** and set the **Wordlists** permission level

### Permission levels

| Permission    | Capabilities                            |
| ------------- | --------------------------------------- |
| **No access** | Cannot see or use your wordlists        |
| **View**      | Can see and use your wordlists in scans |
| **Edit**      | Can see, use, and modify your wordlists |

<Note>
  Shared wordlists appear in the team member's wordlist dropdown when configuring scans.
</Note>

## Using wordlists in scans

When launching a scan that supports wordlists:

1. Configure your target and scan options
2. Select **Custom** scan type (or equivalent)
3. Choose your wordlist from the dropdown
4. The dropdown shows both your own wordlists and those shared with you

### Wordlists in scheduled scans

Scheduled scans remember your wordlist selection. If the wordlist is later deleted:

* The scheduled scan falls back to the default wordlist
* You'll be notified of the change

### Wordlists in robots

Pentest robots can use wordlists for tools like URL Fuzzer and Password Auditor. Configure the wordlist when setting up the robot block.

## Wordlist sources

Here are some popular external sources for security testing wordlists:

* [SecLists](https://github.com/danielmiessler/SecLists) - Collection of multiple wordlist types
* [fuzzdb](https://github.com/fuzzdb-project/fuzzdb) - Attack patterns and primitives
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) - Useful payloads

<Note>
  When using external wordlists, check that they comply with your testing authorization and scope.
</Note>

## Related topics

* [URL Fuzzer](/tools/url-fuzzer)
* [Password Auditor](/tools/password-auditor)
* [Subdomain Finder](/tools/subdomain-finder)
* [Teams and roles](/capabilities/teams-and-roles)
