{"id":20553501,"url":"https://github.com/johnsaigle/scary-strings","last_synced_at":"2025-04-14T11:53:57.037Z","repository":{"id":47462013,"uuid":"90898488","full_name":"johnsaigle/scary-strings","owner":"johnsaigle","description":"Collection of wordlists containing dangerous function calls in many languages","archived":false,"fork":false,"pushed_at":"2024-10-24T01:27:48.000Z","size":67,"stargazers_count":22,"open_issues_count":22,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-10-24T16:47:24.578Z","etag":null,"topics":["application-security","appsec","bug-bounty","bugbounty","go","hacking","infosec","penetration-testing","penetration-testing-tools","pentesting","php","rust","security","security-tools","source-code-analysis","static-analysis","white-box-testing","wordlist","wordlists"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/johnsaigle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-10T18:57:10.000Z","updated_at":"2024-10-24T01:27:52.000Z","dependencies_parsed_at":"2024-05-09T16:43:27.298Z","dependency_job_id":"f316aae1-0745-4cb3-b7f8-3acab30f078a","html_url":"https://github.com/johnsaigle/scary-strings","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsaigle%2Fscary-strings","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsaigle%2Fscary-strings/tags","releases_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsaigle%2Fscary-strings/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsaigle%2Fscary-strings/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/johnsaigle","download_url":"https://codeload.github.com/johnsaigle/scary-strings/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248877985,"owners_count":21176241,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security","appsec","bug-bounty","bugbounty","go","hacking","infosec","penetration-testing","penetration-testing-tools","pentesting","php","rust","security","security-tools","source-code-analysis","static-analysis","white-box-testing","wordlist","wordlists"],"created_at":"2024-11-16T02:42:11.906Z","updated_at":"2025-04-14T11:53:57.002Z","avatar_url":"https://github.com/johnsaigle.png","language":"Makefile","funding_links":[],"categories":["Makefile"],"sub_categories":[],"readme":"# :scream: Scary Strings! :scream:\n\n**Flag potentially dangerous API calls** in source code, a.k.a. 
lines containing **_scary strings_** from a security perspective!\n\n## Overview\nThis repository contains a list of strings (usually function names) that are relevant to security auditing, usually because\nthey perform a sensitive operation like changing the state of a database or accessing the filesystem.\n\nIn addition to technology-specific wordlists, the `comments` folder contains strings likely to be related to\ndeveloper notes left in source code.\n\n### For Hackers\nSearch for these strings and generate ideas for hacking. Maybe you can spot where the database is being modified and work\nyour way backward to finding a SQL injection. Maybe a 'TODO' message reveals a bug that the devs didn't fix. The possibilities\nare endless. Save yourself time and repetitive-stress injury by jumping to the dangerous parts of the app. This collection\nof wordlists will show you all the thermal exhaust ports on the Death Star so you don't have to explore the whole thing.\n\n### For Developers\nScanning for these strings is a good way to improve the security of your app. Typically there are good practices and patterns\nfor doing things safely according to the language you're using. If you can verify that such function calls are handled safely,\ngreat! 
Your app is more secure than when you started.\n\n### Wordlists\n\n\u003c!-- To update:\n:r!tree wordlists\n--\u003e\n```\nwordlists\n├── blockchain\n│   └── all\n├── comments\n│   ├── all\n│   ├── derogatory\n│   ├── security\n│   └── todo\n├── cosmossdk\n│   ├── abci\n│   ├── module-auth\n│   ├── module-authz\n│   ├── module-bank\n│   ├── module-group\n│   └── module-staking\n├── cryptography\n│   └── all\n├── go\n│   ├── all\n│   ├── cryptography\n│   ├── db-access\n│   ├── deprecated\n│   ├── err\n│   ├── randomness\n│   └── unsafe\n├── java\n│   ├── db_access\n│   ├── file_access\n│   ├── file_inclusion\n│   ├── os_command_execution\n│   └── url_redirect\n├── javascript\n│   ├── all\n│   ├── deprecated\n│   ├── dom-xss\n│   ├── generic\n│   ├── randomness\n│   ├── react\n│   └── redos\n├── linters\n│   └── all\n├── perl\n│   └── all\n├── php\n│   ├── all\n│   ├── db_access\n│   ├── dynamic_code_execution\n│   ├── file_access\n│   ├── file_inclusion\n│   ├── os_command_execution\n│   ├── randomness\n│   ├── redos\n│   ├── serialization\n│   ├── sockets\n│   ├── superglobals\n│   ├── url_redirection\n│   └── xxe\n├── python\n│   ├── all\n│   ├── bypass\n│   ├── object_serialization\n│   ├── os_command_execution\n│   └── string_formatting\n├── rust\n│   ├── all\n│   ├── clone\n│   ├── panic-macros\n│   ├── randomness\n│   ├── resource-exhaustion\n│   ├── slices\n│   ├── unsafe\n│   ├── unwrap\n│   └── vectors\n├── secrets\n│   ├── all\n│   ├── api-keys\n│   └── public-keys\n├── solana\n│   └── all\n└── solidity\n    └── all\n\n16 directories, 65 files\n```\n\n## Sources\n\nMost of the entries in the wordlists come from my work experience as a security engineer\nand penetration tester. References for some of these choices can be found in the git commit\nhistory as well as the project's GitHub Issues.\n\nFor many of the supported programming languages, the lists come from the well-known security books\nlisted below. 
Note that these books were published in 2006 and 2011, so some of the information may be dated.\n\n- The [Web Application Hacker's Handbook](http://mdsec.net/wahh/).\n- [The Art of Software Security Assessment](https://www.oreilly.com/library/view/the-art-of/0321444426/).\n\n## Similar projects\n\n- [SecLists](https://github.com/danielmiessler/SecLists)\n- [Assetnote Wordlists](https://wordlists.assetnote.io/)\n- [fuzz.txt](https://github.com/Bo0oM/fuzz.txt)\n- [FuzzDB](https://github.com/fuzzdb-project/fuzzdb)\n- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnsaigle%2Fscary-strings","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjohnsaigle%2Fscary-strings","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnsaigle%2Fscary-strings/lists"}