# Sensitive paths wordlist — expanded
# Version control
/.git/HEAD
/.git/config
/.git/logs/HEAD
/.gitignore
/.svn/entries
/.svn/wc.db
/.hg/store
/.bzr/
/.gitattributes

# Environment & config
/.env
/.env.local
/.env.production
/.env.development
/.env.staging
/.env.backup
/.env.old
/.env.example

# Backups
/backup.zip
/backup.tar.gz
/backup.sql
/backup.rar
/backup/
/backups/
/dump.sql
/db.sql
/database.sql
/db.sqlite3
/data.sql
/mysql.sql
/site.sql
/www.zip
/site.zip
/website.zip
/public_html.zip
/html.zip
/web.tar.gz
/src.zip
/source.zip

# PHP configs
/config.php
/config.php.bak
/config.php.old
/config.php.save
/wp-config.php
/wp-config.php.bak
/wp-config.php.old
/configuration.php
/settings.php
/local.xml
/parameters.yml
/database.yml
/app.config

# Info disclosure
/robots.txt
/crossdomain.xml
/clientaccesspolicy.xml
/.htaccess
/.htpasswd
/.well-known/security.txt
/.well-known/openid-configuration
/phpinfo.php
/info.php
/test.php
/pi.php
/i.php

# Admin panels
/admin/
/administrator/
/admin.php
/login/
/login.php
/signin/
/wp-admin/
/wp-login.php
/phpmyadmin/
/pma/
/myadmin/
/adminer/
/adminer.php
/panel/
/cpanel/
/webmail/
/manager/
/controlpanel/

# API endpoints
/api/
/api/v1/
/api/v2/
/api/v3/
/graphql
/graphiql
/swagger.json
/swagger-ui/
/api-docs/
/openapi.json
/rest/
/_api/
/api/debug

# Common directories
/uploads/
/upload/
/files/
/images/
/assets/
/static/
/media/
/tmp/
/temp/
/cache/
/data/
/private/
/secret/
/internal/
/dev/
/staging/
/debug/
/test/

# Logs
/logs/
/log/
/error_log
/error.log
/access.log
/access_log
/debug.log
/app.log
/server.log
/php_errors.log
/laravel.log
/storage/logs/laravel.log

# Docker/CI
/.dockerenv
/Dockerfile
/docker-compose.yml
/.docker/
/Jenkinsfile
/.github/workflows/
/.gitlab-ci.yml
/.circleci/
/.travis.yml

# Cloud credentials
/.aws/credentials
/.aws/config
/.ssh/
/.ssh/id_rsa
/.ssh/id_rsa.pub
/.ssh/authorized_keys
/.bash_history
/.zsh_history
/.npmrc
/.netrc
/.pgpass

# Framework-specific
/server-status
/server-info
/elmah.axd
/trace.axd
/web.config
/Global.asax
/App_Data/
/WEB-INF/web.xml
/META-INF/
/composer.json
/composer.lock
/package.json
/package-lock.json
/yarn.lock
/Gemfile
/Gemfile.lock
/requirements.txt
/Pipfile
/Pipfile.lock

# CMS-specific
/wp-content/debug.log
/wp-content/uploads/
/wp-json/wp/v2/users
/xmlrpc.php
/wp-cron.php
/sites/default/settings.php
/sites/default/files/
/user/login
/node/1
