# ExploitGraph - Common HTTP Paths Wordlist
# Generic paths for endpoint enumeration against any web application
# Format: one path per line, lines starting with # are comments

# Root and API bases
/
/api
/api/v1
/api/v2
/api/v3
/v1
/v2

# Documentation
/docs
/api/docs
/swagger
/swagger.json
/swagger-ui.html
/swagger-ui/
/openapi.json
/openapi.yaml
/redoc
/api-docs
/api/swagger
/apidocs

# Authentication
/login
/auth
/auth/login
/api/auth/login
/api/login
/api/auth
/oauth
/oauth/token
/token
/api/token
/signin
/api/signin

# User / Account
/api/users
/api/user
/api/me
/api/account
/api/profile
/users
/account

# Admin
/admin
/admin/
/api/admin
/api/admin/users
/api/admin/config
/dashboard
/console
/management
/api/management
/panel
/control
/backend

# Health / Status
/health
/api/health
/status
/ping
/api/status
/api/ping
/metrics
/api/metrics
/actuator
/actuator/health
/actuator/env
/actuator/beans
/actuator/mappings
/actuator/info

# Debug / Config (often left enabled accidentally)
/debug
/api/debug
/api/debug/config
/config
/api/config
/settings
/api/settings
/env
/api/env
/__debug__
/api/internal

# Cloud Storage
/static/
/static/backups/
/backups/
/backup/
/uploads/
/files/
/storage/
/assets/
/media/

# Exposed files
/.env
/.env.production
/.env.local
/.env.backup
/.env.example
/config.json
/config.yaml
/config.yml
/app.yaml
/app.json
/settings.json
/secrets.json

# Git exposure
/.git/config
/.git/HEAD
/.git/COMMIT_EDITMSG

# Common backup filenames
/backup.zip
/backup.tar.gz
/backup.sql
/dump.sql
/db.sql
/database.sql
/site.zip
/app.zip
/source.zip

# Web server files
/robots.txt
/sitemap.xml
/.htaccess
/.htpasswd
/web.config
/phpinfo.php
/server-status
/server-info
/info.php

# AWS / Cloud specific
/latest/meta-data/
/latest/user-data
/?list-type=2
