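# Common web paths for directory and file brute-forcing (content discovery)
# Grouped by category for web recon. Entries are relative paths with no leading slash.
# Lines beginning with '#' are section labels, not entries; some entries repeat
# within or across sections (e.g. admin-console, docs, cache/).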

# Admin & Management
admin
administrator
adminpanel
admincp
adm
cpanel
whm
webadmin
adminarea
admin-console
admin-console
dashboard
panel
manager
management
siteadmin
sysadmin
useradmin
backend

# Login & Authentication
login
logon
signin
signup
register
registration
auth
authenticate
oauth
sso
login.php
wp-login.php
admin/login
admin/login.php
user/login
password
forgot
reset
recover

# API & Development
api
api/v1
api/v2
rest
graphql
swagger
api-docs
docs
documentation
openapi.json
swagger.json
swagger-ui
redoc
api/v1/users
api/v1/admin
api/v1/auth
api/v1/login
api/v1/config
api/v1/status
api/v1/health
api/v1/metrics

# Configuration & Exposed Files
config
configuration
settings
env
.env
.env.example
env.php
config.php
configuration.php
wp-config.php
config.yml
config.yaml
config.json
config.xml
settings.php
database.yml
db.config
dbconfig
database
db
sql
mysql
mongo
redis

# Backup & Version Control
backup
backups
dump
dumps
.bak
old
temp
tmp
.git
.git/config
.git/HEAD
.gitignore
git
.svn
.svn/entries
.svn/wc.db
.hg
.bzr
CVS
.RCS
.DS_Store
Thumbs.db

# Source Code & Sensitive Files
src
source
dist
build
node_modules
vendor
composer.json
package.json
package-lock.json
yarn.lock
requirements.txt
Gemfile
Gemfile.lock
Cargo.toml
Pipfile
Dockerfile
docker-compose.yml
docker-compose.yaml
Makefile
Gruntfile.js
gulpfile.js
webpack.config.js
babel.config.js
tsconfig.json
.env.local
.env.production
.env.development
credentials
secret
secrets
token
tokens
key
keys
id_rsa
id_rsa.pub
.pem
cert
certs
certificate
certificates

# Common Web Paths
index
index.php
index.html
index.htm
default
default.aspx
default.php
main
home
homepage
landing
welcome

# Content Management
content
uploads
upload
download
downloads
files
assets
static
public
media
images
img
css
js
javascript
fonts
video
videos
audio
doc
docs
documents
pdf
csv
xml
rss
feed
atom

# Application Features
search
search.php
about
about-us
contact
contact-us
support
faq
help
terms
privacy
legal
blog
news
articles
products
product
services
service
portfolio
gallery
pricing
prices
shop
store
cart
checkout
order
orders
account
accounts
profile
profiles
users
user
members
member
subscribe
newsletter
feedback
survey
poll

# Technical Endpoints
status
health
healthcheck
healthz
readyz
metrics
prometheus
monitor
monitoring
info
phpinfo.php
info.php
test
debug
trace
log
logs
error
errors
error_log
access_log
cron
crons
cronjob
cron.php
worker
workers
queue
queues
webhook
webhooks
callback
hooks

# Common Files
robots.txt
sitemap.xml
sitemap_index.xml
favicon.ico
crossdomain.xml
clientaccesspolicy.xml
security.txt
humans.txt
ads.txt
apple-app-site-association
.well-known
.well-known/security.txt
.well-known/acme-challenge
.well-known/assetlinks.json
.well-known/change-password
.well-known/dnt-policy.txt
.well-known/webfinger

# Proxies & Gateways
proxy
gateway
reverse-proxy
loadbalancer

# Frameworks (Django, Rails, Laravel, etc.)
admin/
static/
media/
storage/
uploads/
assets/
public/
system/
application/
vendor/
tmp/
cache/
logs/
sessions/
migrations/
tests/

# Common WordPress
wp-admin
wp-content
wp-includes
wp-content/uploads
wp-content/plugins
wp-content/themes
wp-content/cache
wp-content/backup
wp-json
wp-json/wp/v2
wp-json/wp/v2/users
xmlrpc.php
wp-cron.php
wp-config.php.bak
wp-config.php.old
wp-config.php.save
wp-config.php~
wp-config-sample.php

# Common Joomla
administrator/
components/
modules/
plugins/
templates/
cache/
logs/
tmp/
language/
images/
media/

# Common Drupal
core/
modules/
profiles/
sites/
sites/default
sites/default/files
sites/default/private
sites/default/settings.php
themes/
vendor/

# Common Laravel
_app
storage
storage/logs
storage/framework
storage/app
public
resources
routes
bootstrap
artisan
.env.bak
.env.old

# Common ASP.NET
bin/
obj/
Properties/
App_Data/
App_Code/
App_Start/
Content/
Scripts/
Views/
Web.config
Web.Debug.config
Web.Release.config
Global.asax
packages.config
