A list of URLs that might be vulnerability probes

This site gets requests for files which don’t exist. I consider them all to be someone poking around for attack surfaces. 

For fun, here’s a list of them from the last couple of months, broadly classified based on my own hunches.

Looking for credentials

.env
/.aws
/aws
/config (config.json, config.js, etc)
/.git
META-INF

Developer clutter

/main
/.vscode
/admin
/debug
/_profiler
/app_dev
/server
/sever-status
/metrics
/backup
/bk
/bc
/v2
/app-dev
.DS_Store
/sites
/web
/dev
/tmp
/temp
/demo
/site
/newsite
/new
/test
/testing

App-specific or console-like access

wp-include
/wp
/wordpress
generator.conf
/ecp
/phpinfo
/telescope
/aspera
/RDWed
/tshirtecommerce
/_all_dbs
/uploads
/files
/library
/vendor
/react-app
/nextjs-app
/portal
/cms

I assume if some gets a hit off these, then there’s a subsequent step to try passwords.