These wordlists are exclusively for educational lab environments. Using these tools or techniques against systems without explicit authorization is illegal and unethical.

Official notice

The following statement is from the project README, translated here from Spanish:
These wordlists are exclusively for educational lab environments. Do not use these tools or techniques against systems without explicit authorization.

Authorized use

The following contexts constitute authorized use of these wordlists:

CTF competitions

Capture The Flag competitions hosted on dedicated platforms (e.g., Hack The Box, TryHackMe, PicoCTF) where the target systems are explicitly provided for attack as part of the challenge rules.

Private lab environments

Virtual machines, containers, or isolated networks that you own and fully control, with no connection to external or production infrastructure.

Instructor-authorized exercises

Classroom or training exercises where an instructor or organization has granted explicit written permission to perform security testing on designated systems.

Contracted penetration testing

Professional engagements with a signed scope-of-work document that explicitly names the target systems and authorizes brute-force and credential-testing techniques.

The following actions are unauthorized regardless of intent:
  • Testing systems you do not own or have not been explicitly authorized to test
  • Conducting attacks without written permission from the system owner
  • Using these wordlists or techniques on any production, staging, or shared system
  • Accessing accounts or data on systems where you have not been granted scope
Unauthorized access to computer systems is a criminal offense in most jurisdictions. Applicable laws include — but are not limited to — the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the United Kingdom, and equivalent national legislation in the European Union and elsewhere. Penalties can include substantial fines and imprisonment.

This notice is informational only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your jurisdiction.

Responsible disclosure

If you discover a genuine vulnerability while performing authorized testing in a lab environment, follow these practices before taking any further action:
1. Document your findings

Record the exact steps to reproduce the issue, screenshots, affected endpoints, and any credentials you discovered. Never exfiltrate real data.

2. Confirm the scope

Verify that the system is within the agreed-upon scope of your engagement or CTF challenge. Do not expand testing beyond what was authorized.

3. Report through the correct channel

For CTF platforms, submit through the platform’s built-in flag or report mechanism. For contracted engagements, deliver findings to the designated contact using the agreed-upon reporting format.

4. Respect embargo periods

If a real vulnerability is inadvertently discovered in production software (e.g., a WordPress plugin), follow the vendor’s responsible disclosure policy and allow a reasonable remediation window before public disclosure.

5. Reset and clean up

After completing your exercise, remove any accounts, files, or configurations you created during testing to leave the environment in its original state.

Disclaimer

The authors and contributors of CTF Wordlists for XML-RPC provide this project as-is, without warranty of any kind, express or implied. The authors are not responsible for any misuse of this material, any damage caused by improper use, or any legal consequences arising from use outside the authorized contexts described above.
By downloading or using these wordlists, you accept full responsibility for ensuring your use is lawful and authorized.
