The Paths That Win Engagements
Experienced pentesters carry a mental checklist of high-value paths. These are the URLs that routinely lead to admin access, data leaks, and critical findings — often missed by automated scanners focused on CVE matching.
Authentication & Session
- /login, /signin, /auth, /oauth/authorize, /sso
- /api/auth, /api/login, /api/token, /api/refresh
- /password/reset, /forgot-password, /register
- /session, /logout, /.well-known/openid-configuration
Admin & Management
- /admin, /administrator, /dashboard, /console, /manage
- /wp-admin, /wp-login.php, /phpmyadmin, /adminer
- /actuator, /actuator/env, /actuator/health (Spring Boot)
- /jenkins, /gitlab, /grafana, /kibana
API & Documentation
- /api, /api/v1, /api/v2, /api/v3, /graphql
- /swagger, /swagger-ui, /api-docs, /openapi.json
- /rest, /v1, /v2, /internal/api
- /webhook, /callback, /notify
Sensitive Files & Backups
- /.env, /.git/config, /.svn/entries, /web.config
- /backup, /backups, /dump, /db.sql, /database.sql
- /config.json, /settings.py, /application.yml
- /robots.txt, /sitemap.xml, /crossdomain.xml
Uploads & File Handling
- /upload, /uploads, /files, /media, /assets
- /download, /export, /import, /attachment
- /static, /public, /storage, /s3
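The defender-side counterpart to the checklist above, added here as an example (not HackFast code and not from the original page): it reads combined-format web access log lines, picks out requests to the sensitive-file and admin paths listed, and reports any client that probed several of them or received a 200 on a file that should never be served. The log lines and the `threshold` parameter are constructed for the example.

```python
import re
from collections import defaultdict

# Checklist paths that no ordinary user requests: a 200 here means an exposed file.
SENSITIVE_PATHS = {
    "/.env", "/.git/config", "/.svn/entries", "/web.config",
    "/backup", "/backups", "/dump", "/db.sql", "/database.sql",
    "/config.json", "/settings.py", "/application.yml",
    "/actuator/env", "/phpmyadmin", "/adminer", "/wp-login.php",
}
# Admin entry points: legitimate to exist, but a client sweeping them is enumerating.
ADMIN_PATHS = {"/admin", "/administrator", "/console", "/manage", "/wp-admin"}

# Combined/common log format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyze(lines, threshold=5):
    """Per-IP findings: sensitive paths served with 200, and how many checklist
    paths the client probed (with the 404 share, a scanner's signature)."""
    hits = defaultdict(lambda: {"exposed": [], "probes": 0, "not_found": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/") or "/"  # drop query and trailing slash
        if path in SENSITIVE_PATHS or path in ADMIN_PATHS:
            hits[ip]["probes"] += 1
            if status == "404":
                hits[ip]["not_found"] += 1
            elif status == "200" and path in SENSITIVE_PATHS:
                hits[ip]["exposed"].append(path)
    # Report a client if it exposed a sensitive file or probed `threshold` or more paths.
    return {ip: d for ip, d in hits.items() if d["exposed"] or d["probes"] >= threshold}

# Constructed sample: one client sweeps the checklist (and gets /.env), one browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /actuator/env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

An exposed /.env or /.git/config in the output is the same finding the checklist is meant to surface, seen from the log side; the 404 count separates a wordlist sweep from a user who simply bookmarked /admin.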
HackFast Enumeration Wordlist
HackFast includes a curated wordlist covering these categories in every AI chat request. When you attach a web target and ask for enumeration advice, the assistant already knows to suggest api, auth, admin, sensitive, uploads, and common page paths — aligned with what gobuster and ffuf should be running.
Run enumeration through a fusion agent and hits auto-log to your API tracker with status codes and source tool labels.
Check the Paths That Matter
Print this checklist, add paths to your custom wordlists, and let HackFast AI and auto-discovery handle the rest. The difference between a good web test and a great one is often a single hidden /admin or /.env.
Run enumeration: Start a HackFast project and ask Chats to deploy ffuf against your target.