2026-06-30 –, Amphitheater 122
URL fuzzing is a critical step in penetration testing, yet its effectiveness often hinges on the quality of wordlists. Publicly available lists frequently suffer from missing critical entries, poor sorting, lack of modularity, and irrelevant content, leading to inefficient scans and missed vulnerabilities.
This talk introduces a methodology for building better wordlists, along with a tool, Dicozorus, designed to support this process by providing a robust system for generating, managing, and curating high-quality fuzzing wordlists.
Dicozorus relies on a database that stores entries with rich metadata (severity, type, category, tags, references), enabling the creation of tailored wordlists based on context such as scope, network performance, or stealth requirements. Used internally for over five years, it has significantly improved wordlist quality and revealed numerous critical vulnerabilities absent from popular lists.
Dicozorus provides both a curated compilation of entries for immediate use as well as the ability for professionals to maintain custom, effective datasets.
The tool will be made publicly available on Synacktiv’s GitHub repository ahead of the conference.
The presentation is structured in several parts:
- Introduction / The fuzzing challenge : Penetration testing relies heavily on URL fuzzing to find vulnerabilities. Common fuzzing tools and wordlists, pros and cons.
- Motivations: Why Existing Wordlists Fall Short : Lessons learned from many penetration tests and thousands of scans. Identified Issues: Missing Entries /Unsorted Wordlists / Lack of Modularity / Improper Sizing / Irrelevant Entries (Junk). Examples based on well known wordlists will be presented
- Objectives: What Dicozorus Aims to Achieve : The solution we provide: not just an enhanced wordlist but a tool to generate, merge, filter, sort, tag, categorize, and track entries.
- Dicozorus in Action: How It Works: Core architecture / Key commands overview
- How the builtin database was created: A Multi-Source Aggregation Strategy based on:
- Existing public Wordlists
- Public Bug Bounty Reports
- Public vulnerability databases
- Past Fuzzing Traces
- External contributions from auditors
- Manual Review & Curation: While automated parsing provides volume, manual review is critical for assigning accurate metadata (severity, category) and filtering out noise, ensuring high-quality data for the built-in wordlists
- Tangible Results: Proving dicozorus's value by presenting feedback from internal usages, statistics on the entries of the builtin wordlist and comparison with publicly known wordlists.
Vincent is a Security Researcher at Synacktiv, where he performs vulnerability research and penetration testing across diverse environments. With over a decade of experience, he has conducted a wide range of security assessments, placing a primary focus on web application security. Vincent is dedicated to sharing his expertise and has led multiple training sessions, helping security professionals enhance their skills in this critical area.
X: @us3r777
LinkedIn: https://www.linkedin.com/in/vincent-herbulot/