• Turns out there’s an RFC standard web directory that I didn’t know about
  • It could be useful for OSINT
  • It’s not in most wordlists, so dirb/wfuzz/etc probably wont find it or it’s contents
  • You can use this gist to dirbust /.well-known

Short post. I was browsing YouTube, as one does during the apocalypse, and I came across @LiveOverflow talking about his invention, the security.txt file within the RFC /.well-known directory on web servers. What is the /.well-known directory? According to Wikipedia: “It is increasingly common for Web-based protocols to require the discovery of policy or other information about a host (“site-wide metadata”) before making a request.”

The files placed in the /.well-known directory are standardized and used to provide such information to the clients.

Why do we care, as researchers?

Because some of the information yielded these meta-data files can be useful for OSINT. The first example that comes to mind is within the /.well-known/security.txt file itself.

Contained with in it are the email addresses to contact in the event of identifying a vulnerability; If we’re lucky, the email address(es) provided will give us a sense of their email naming scheme and aid in future OSINT to build out potentially valid email addresses for phishing.

Wait, this isn’t already in dirb, wfuzz, or Kali?

When I first learned of /.well-known, I checked out dirbuster-ng and wfuzz to see if this was already covered in their wordlists – Nope. I also tried to find signs of it in the default Kali wordlists


It’s this fact that was most surprising to me. So I went out to find all the valid /.well-known/ URIs that I could and created a gist for them.

Link to list of .well-known URIs here

Add it to dirb and knock yourself out

— @Quickbreach