loading
Loading content
loading
A wordlist is a plain file of candidate strings that a tool tries one after another. Each line is a guess: a directory name, a subdomain label, a parameter, a username, a password. The tool requests or tests each entry and keeps the ones that produce a meaningful response. The wordlist is the raw material that turns brute-force and discovery tools into something useful.
Quality decides results more than tool choice. A list built from real-world data, like the SecLists collection or wordlists derived from leaked breach corpora, hits far more than a generic dictionary. Context narrows it further: a PHP target wants different paths than a Java one, and a known naming convention lets you generate targeted candidates instead of spraying everything.
Wordlists drive several tasks. Directory brute-forcing and content discovery walk path lists against a web server, subdomain enumeration tries label lists against DNS, and fuzzing feeds payload lists into parameters to find flaws. The same file format serves all of them.
In a Trickest workflow, you keep wordlists as versioned inputs and swap them per target, so a tuned list flows into the discovery stage and the findings feed the next step without manual editing between runs.
Related terms