From 1c6d7ce00d47670930b0d3b7d55a8adde3de040a Mon Sep 17 00:00:00 2001
From: Ayoub FATHI <17505972+ayoubfathi@users.noreply.github.com>
Date: Fri, 3 Apr 2026 13:42:25 +0400
Subject: [PATCH] Create leaky-paths-dense.txt

---
 leaky-paths-dense.txt | 736 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 736 insertions(+)
 create mode 100644 leaky-paths-dense.txt

diff --git a/leaky-paths-dense.txt b/leaky-paths-dense.txt
new file mode 100644
index 0000000..e12f65d
--- /dev/null
+++ b/leaky-paths-dense.txt
@@ -0,0 +1,736 @@
+/___graphql
+/__/firebase/init.json
+/_/
+/_apis/build/builds
+/_apis/connectionData
+/_apis/git/repositories
+/_apis/pipelines
+/_apis/projects
+/_buildManifest.js
+/_cat/health
+/_cat/indices
+/_cluster/health
+/_cluster/stats
+/_dashboards/api/status
+/_debugbar/open
+/_ignition/health-check
+/_next/data/
+/_nitro/openapi.json
+/_nodes
+/_nodes/stats
+/_payload.json
+/_search
+/_security/
+/_worker.js
+/..;/manager/html
+/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
+/.auth/me
+/.aws/config
+/.aws/credentials
+/.azure/accessTokens.json
+/.config/gcloud/access_tokens.db
+/.config/gcloud/application_default_credentials.json
+/.config/gcloud/credentials.db
+/.devcontainer/devcontainer.json
+/.docker/config.json
+/.DS_Store
+/.dvc/config
+/.editorconfig
+/.env
+/.env.backup
+/.env.bak
+/.env.dev
+/.env.local
+/.env.old
+/.env.production
+/.env.save
+/.env.staging
+/.envrc
+/.git-credentials
+/.git/
+/.git/config
+/.git/HEAD
+/.git/index
+/.git/logs/HEAD
+/.gitconfig
+/.github/workflows/
+/.github/workflows/build.yml
+/.github/workflows/ci.yml
+/.github/workflows/deploy.yml
+/.github/workflows/docker.yml
+/.github/workflows/main.yml
+/.github/workflows/publish.yml
+/.github/workflows/release.yml
+/.gitignore
+/.gitlab-ci.yml
+/.hg/
+/.hg/hgrc
+/.htaccess
+/.htpasswd
+/.kube/config
+/.netrc
+/.next/routes-manifest.json
+/.npmrc
+/.pgpass
+/.pulumi/stacks/
+/.semgrep.yml
+/.sops.yaml
+/.ssh/authorized_keys
+/.ssh/config
+/.ssh/id_rsa
+/.ssh/known_hosts
+/.svn/
+/.svn/entries
+/.svn/wc.db
+/.tool-versions
+/.well-known/ai-plugin.json
+/.well-known/apple-app-site-association
+/.well-known/assetlinks.json
+/.well-known/jwks.json
+/.well-known/mcp.json
+/.well-known/nodeinfo
+/.well-known/oauth-authorization-server
+/.well-known/okta-organization
+/.well-known/openai-plugin.json
+/.well-known/openid-configuration
+/.well-known/pomerium
+/.well-known/security.txt
+/a/config/server/info
+/access.log
+/accountz
+/accstatz
+/actuator
+/actuator/beans
+/actuator/configprops
+/actuator/env
+/actuator/gateway/routes
+/actuator/health
+/actuator/heapdump
+/actuator/httptrace
+/actuator/jolokia
+/actuator/logfile
+/actuator/mappings
+/actuator/prometheus
+/admin-console/
+/admin/
+/admin/api-tokens
+/admin/content-api/routes
+/admin/information
+/admin/init
+/admin/login
+/admin/queues
+/admin/v2/brokers
+/admin/v2/clusters
+/admin/v2/tenants
+/adminer.php
+/adminer/
+/agents/summary/status
+/airflow/api/v1/config
+/airflow/api/v1/connections
+/airflow/api/v1/dags
+/airflow/api/v1/variables
+/akhq/api/
+/alertmanager/api/v2/alerts
+/alertmanager/api/v2/status
+/api_jsonrpc.php
+/api-docs
+/api/
+/api/14/storage/keys/
+/api/14/system/info
+/api/14/tokens
+/api/access
+/api/admin/settings
+/api/admins
+/api/admins/auth-with-password
+/api/alert
+/api/analyzer
+/api/apiKeys.list
+/api/auth.config
+/api/auth/csrf
+/api/auth/providers
+/api/auth/session
+/api/authentication/validate
+/api/backups
+/api/case
+/api/catalog/entities
+/api/cluster_conf
+/api/collections
+/api/collections.list
+/api/connections
+/api/data_sources
+/api/database
+/api/datasources
+/api/dcim/devices/
+/api/definitions
+/api/documents.search
+/api/entrypoints
+/api/exchanges
+/api/get-organizations
+/api/get-users
+/api/globals
+/api/graphql
+/api/health/checks/alarms
+/api/health/full
+/api/http/routers
+/api/http/services
+/api/ipam/ip-addresses/
+/api/jsonws
+/api/jsonws/invoke
+/api/logs
+/api/logs/audit
+/api/method/frappe.auth.get_logged_user
+/api/method/version
+/api/monitor
+/api/organizations/current
+/api/osd
+/api/overview
+/api/plugins/installed
+/api/pool
+/api/projects/search
+/api/ps
+/api/queries
+/api/queues
+/api/rawdata
+/api/resource/User
+/api/responder
+/api/rgw/user
+/api/rpc/command/get-profile
+/api/secrets/secrets/
+/api/server/version
+/api/session/properties
+/api/settings
+/api/settings/values
+/api/status/
+/api/swagger-ui.html
+/api/swagger.json
+/api/system/cluster/stats
+/api/system/health
+/api/system/info
+/api/system/sessions
+/api/system/status
+/api/tags
+/api/team.info
+/api/trpc/
+/api/user/current
+/api/users
+/api/users/first-register
+/api/users/me
+/api/users/search
+/api/users/tokens/
+/api/v0/devices
+/api/v0/logs/eventlog
+/api/v0/system
+/api/v1/admin/repos
+/api/v1/admin/users
+/api/v1/applications
+/api/v1/buckets
+/api/v1/channels.list
+/api/v1/configmaps
+/api/v1/configs
+/api/v1/info
+/api/v1/integrations.list
+/api/v1/meta/tables
+/api/v1/namespaces/default/pods/exec
+/api/v1/namespaces/kube-system/secrets
+/api/v1/peers
+/api/v1/permissions.listAll
+/api/v1/pods
+/api/v1/policies
+/api/v1/repos/search
+/api/v1/secrets
+/api/v1/security/login
+/api/v1/service-accounts
+/api/v1/settings
+/api/v1/settings.public
+/api/v1/settings/api
+/api/v1/setup-keys
+/api/v1/statistics
+/api/v1/users.list
+/api/v1/users/me
+/api/v1/users/search
+/api/v1/version
+/api/v2.0/audit-logs
+/api/v2.0/configurations
+/api/v2.0/health
+/api/v2.0/projects
+/api/v2.0/repositories
+/api/v2.0/systeminfo
+/api/v2.0/users
+/api/v2/buildinfo
+/api/v2/config/
+/api/v2/credentials/
+/api/v2/job_templates/
+/api/v2/login
+/api/v2/me/
+/api/v2/settings/all/
+/api/v2/templates
+/api/v2/user/apps/appDefinitions
+/api/v2/user/system/info
+/api/v2/users/
+/api/v2/workspaces
+/api/v3/admin/system/
+/api/v3/core/tokens/
+/api/v3/core/users/
+/api/v4/config
+/api/v4/plugins/installed
+/api/v4/saml/metadata
+/api/v4/system/ping
+/api/v4/users
+/api/v4/webhooks/incoming
+/api/vhosts
+/api2/json/access/ticket
+/api2/json/access/users
+/api2/json/cluster/resources
+/api2/json/cluster/status
+/api2/json/nodes
+/api2/json/version
+/apis/apps/v1/deployments
+/apis/batch/v1/jobs
+/apis/networking.k8s.io/v1/ingresses
+/apis/rbac.authorization.k8s.io/v1/clusterroles
+/apis/tekton.dev/v1/pipelineruns
+/apisix/admin/consumers
+/apisix/admin/routes
+/apisix/admin/services
+/apisix/admin/ssl
+/apisix/prometheus/metrics
+/app/setup-wizard
+/argocd/api/v1/applications
+/argocd/api/v1/clusters
+/argocd/api/v1/repositories
+/argocd/api/v1/settings
+/argocd/api/version
+/asynqmon/api/queues
+/asynqmon/api/redis-info
+/auth_keys/index
+/auth/admin/master/console/
+/auth/login
+/auth/realms/master/protocol/openid-connect/certs
+/auth/v1/admin/users
+/auth/v1/settings
+/authentik/api/v3/
+/backstage/api/catalog/entities
+/backup.sql
+/bamboo/rest/api/latest/currentUser
+/bamboo/rest/api/latest/plan
+/bamboo/rest/api/latest/server
+/bin/querybuilder.json
+/blazer/queries
+/cachet/api/v1/components
+/camunda/api/engine/engine/default/process-definition
+/certificates
+/CFIDE/administrator/
+/Chart.yaml
+/chroma/api/v1/collections
+/chroma/api/v1/heartbeat
+/clockwork/app
+/cluster/healthcheck
+/cluster/nodes
+/clustering/data-planes
+/clustering/status
+/composer.json
+/composer.lock
+/concourse/api/v1/info
+/concourse/api/v1/pipelines
+/concourse/api/v1/teams
+/conduit/user.whoami
+/config_dump
+/config_dump?include_eds
+/console
+/console/api/api-keys
+/console/api/apps
+/console/api/models/model-provider
+/console/api/setup
+/consul/
+/consumers
+/content.json
+/crossdomain.xml
+/crowd/console/
+/crx/de/index.jsp
+/crx/packmgr/index.jsp
+/dagster/graphql
+/dapr/config
+/dashboard/
+/data.sql
+/database.sql
+/db.sql
+/debug
+/debug/authorizationz
+/debug/configz
+/debug/endpointz
+/debug/meshconfig
+/DesktopModules/
+/dex/.well-known/openid-configuration
+/directus/collections
+/directus/server/info
+/directus/users
+/distributor/ring
+/djdt/
+/docker-compose.override.yml
+/docker-compose.yml
+/Dockerfile
+/domcfg.nsf
+/drone/api/repos
+/drone/api/user
+/dump.sql
+/elmah.axd
+/emqx/api/v5/
+/engine-rest/engine/default/process-definition
+/env
+/error.log
+/eureka/apps
+/events/restSearch
+/explore/repos
+/explore/users
+/feeds/index
+/flagsmith/api/v1/flags/
+/flink/v1/config
+/flink/v1/jobs
+/flink/v1/overview
+/flipper/features
+/flower/api/tasks
+/flower/api/workers
+/flowise/api/v1/apikey
+/flowise/api/v1/chatflows
+/flowise/api/v1/credentials
+/fly.toml
+/gate/applications
+/gate/auth/user
+/gate/credentials
+/gate/pipelines
+/gatus/api/v1/endpoints/statuses
+/Gemfile
+/gerrit/config/server/info
+/ghost/#/setup
+/ghost/api/admin/config/
+/ghost/api/admin/integrations/
+/ghost/api/admin/settings/
+/ghost/api/admin/site/
+/ghost/api/content/settings/
+/go/api/agents
+/go/api/pipelines
+/go/api/server_health_messages
+/go/api/support
+/good_job/jobs
+/grafana/api/admin/settings
+/grafana/api/admin/stats
+/grafana/api/datasources
+/grafana/api/search
+/grafana/api/users
+/graphiql
+/graphql
+/graphql-console
+/graphql-devtools
+/graphql-explorer
+/graphql-playground
+/graphql/schema.json
+/hangfire
+/hazelcast/rest/cluster
+/heapdump
+/helmfile.yaml
+/host-manager/html
+/hot_restart_version
+/hub/api/users
+/hub/signup
+/hubble/v1/flows
+/hydra/.well-known/openid-configuration
+/hydra/clients
+/if/flow/default-authentication-flow/
+/info.php
+/ingester/ring
+/invoker/JMXInvokerServlet
+/jaeger/api/services
+/jaeger/api/traces
+/jenkins/credentials/store/system/domain/_/
+/jmx-console/
+/jolokia
+/jsz
+/jupyter/api/contents
+/jupyter/api/kernels
+/jupyter/api/sessions
+/jupyterhub/hub/api
+/kafdrop/
+/kafka-ui/api/clusters
+/kibana/api/saved_objects
+/kibana/api/status
+/kratos/admin/identities
+/kubeflow/pipeline/apis/v1beta1/pipelines
+/kustomization.yaml
+/label-studio/api/projects
+/label-studio/user/signup
+/langflow/api/v1/
+/langgraph/assistants
+/langserve/invoke
+/langserve/playground/
+/letter_opener
+/libs/granite/core/content/login.html
+/listeners?format=json
+/litellm/key/info
+/litellm/models
+/litellm/spend/logs
+/litellm/team/list
+/live_dashboard
+/localapi/v0/status
+/log-viewer
+/logging
+/loki/api/v1/labels
+/loki/api/v1/query
+/loki/config
+/manager/configuration
+/manager/html
+/manager/info
+/manager/logs
+/mappings
+/memberlist
+/memory
+/mgmt/shared/appsvcs/declare
+/mgmt/shared/authn/login
+/mgmt/shared/authz/tokens
+/mgmt/tm/auth/user
+/mgmt/tm/cm/device
+/mgmt/tm/ltm/pool
+/mgmt/tm/ltm/virtual
+/mgmt/tm/sys/version
+/mimir/config
+/mini-profiler-resources/results
+/minio/health/cluster
+/minio/health/live
+/minio/metrics/v3/cluster/health
+/mint.json
+/mlflow/api/2.0/mlflow/experiments/list
+/mlflow/api/2.0/mlflow/registered-models/list
+/mongo-express/
+/nacos/v1/auth/users?pageNo=1&pageSize=9
+/nacos/v1/console/server/state
+/nacos/v1/cs/configs?search=blur&dataId=&group=&tenant=
+/nacos/v1/ns/operator/servers
+/nacos/v1/ns/service/list?pageNo=1&pageSize=100
+/names.nsf
+/netdata/api/v1/alarms
+/netdata/api/v1/info
+/netlify.toml
+/nextcloud/ocs/v2.php/cloud/capabilities
+/nextcloud/status.php
+/nginx_status
+/nifi-api/controller/config
+/nifi-api/flow/about
+/nifi-api/flow/process-groups/root
+/nifi-api/system-diagnostics
+/nifi-api/tenants/users
+/nitro/v1/config
+/nitro/v1/config/lbvserver
+/nitro/v1/config/systemuser
+/nitro/v1/stat/system
+/oauth2/sign_in
+/oauth2/userinfo
+/ollama/api/show
+/ollama/api/tags
+/openapi.json
+/openapi.yaml
+/opensearch-dashboards/api/status
+/package-lock.json
+/package.json
+/pgadmin/login
+/pghero/queries
+/phpinfo.php
+/phpmyadmin/
+/phpMyAdmin/
+/pma/
+/portainer/api/endpoints
+/portainer/api/stacks
+/portainer/api/users
+/prefect/api/admin/settings
+/prefect/api/deployments
+/prefect/api/flows
+/Procfile
+/prometheus/api/v1/label/__name__/values
+/prometheus/api/v1/status/config
+/prometheus/api/v1/targets
+/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
+/pulse
+/puppetdb/pdb/query/v4/nodes
+/pyroscope/api/apps
+/q/dev-ui
+/qdrant/collections
+/qdrant/dashboard/
+/qdrant/telemetry
+/rails/db
+/rails/mailers
+/ray/api/cluster_status
+/ray/api/jobs/
+/ray/dashboard/
+/realms/master/.well-known/openid-configuration
+/redis-commander/
+/redisinsight/
+/redoc
+/requirements.txt
+/rest/active-workflows
+/rest/api/1.0/admin/users
+/rest/api/1.0/projects
+/rest/api/1.0/repos
+/rest/api/2/dashboard
+/rest/api/2/project
+/rest/api/2/serverInfo
+/rest/api/content
+/rest/api/latest/serverInfo
+/rest/api/space
+/rest/api/user/current
+/rest/credentials
+/rest/settings
+/rest/users
+/rest/v1/
+/rest/V1/integration/admin/token
+/rest/V1/store/storeConfigs
+/rest/workflows
+/robots.txt
+/routes
+/runtime
+/sanctum/csrf-cookie
+/secure/Dashboard.jspa
+/secure/popups/UserPickerBrowser.jspa
+/secure/QueryComponent!Default.jspa
+/secure/ViewUserHover.jspa
+/security/config
+/security/user/authenticate
+/security/users
+/sentry/api/0/organizations/
+/server_info
+/server-info
+/server-status
+/serverless.yml
+/servers/getVersion
+/servers/serverSettings
+/services
+/silk/
+/sitecore/login
+/sitemap.xml
+/sky/login
+/solr/admin/cores
+/spark/api/v1/applications
+/status.json
+/storage/v1/bucket
+/storybook-static/stories.json
+/storybook/stories.json
+/superset/api/v1/database/
+/swagger-resources
+/swagger-ui.html
+/swagger-ui/
+/swagger-ui/index.html
+/swagger.json
+/swagger.yaml
+/system/console
+/system/console/bundles
+/system/console/configMgr
+/system/functions
+/teamcity/app/rest/debug/database/tables
+/teamcity/app/rest/debug/values/internal/environmentVariables
+/teamcity/guestAuth/app/rest/builds
+/teamcity/guestAuth/app/rest/projects
+/teamcity/guestAuth/app/rest/server
+/teamcity/guestAuth/app/rest/users
+/tekton-dashboard/
+/Telerik.Web.UI.DialogHandler.aspx
+/Telerik.Web.UI.WebResource.axd?type=rau
+/tempo/api/search
+/tempo/config
+/temporal/api/v1/namespaces
+/terraform.tfstate
+/terraform.tfstate.backup
+/terraform.tfvars
+/thanos/api/v1/stores
+/trace
+/tyk/apis
+/tyk/keys
+/tyk/policies
+/umbraco
+/unleash/api/admin/features
+/unleash/api/admin/state/export
+/upstreams
+/user/sign_up
+/users/index
+/v1.0/metadata
+/v1.0/secrets
+/v1/account
+/v1/acl/tokens
+/v1/agent/members
+/v1/agent/self
+/v1/agent/services
+/v1/allocations
+/v1/auth-methods
+/v1/auth/token/lookup-self
+/v1/catalog/nodes
+/v1/catalog/services
+/v1/chat/completions
+/v1/completions
+/v1/connect/ca/roots
+/v1/databases
+/v1/embeddings
+/v1/functions
+/v1/graphql
+/v1/health/db
+/v1/health/version
+/v1/identity/entity/id
+/v1/internal/ui/services
+/v1/jobs
+/v1/kv/
+/v1/meta
+/v1/metadata
+/v1/models
+/v1/nodes
+/v1/query
+/v1/schema
+/v1/scopes
+/v1/secret/data/
+/v1/status/leader
+/v1/storage/buckets
+/v1/sys/auth
+/v1/sys/config/state/sanitized
+/v1/sys/health
+/v1/sys/host-info
+/v1/sys/internal/ui/mounts
+/v1/sys/mounts
+/v1/sys/policies/acl
+/v1/sys/seal-status
+/v1/targets
+/v1/users
+/v1/webapi/ping
+/v1alpha1/config
+/v2/
+/v2/_catalog
+/v2/api-docs
+/v2/models
+/v2/repository/index
+/v3/api-docs
+/v3/auth/user/list
+/v3/cluster/member/list
+/v3/clusters
+/v3/kv/range
+/v3/settings
+/v3/tokens
+/v3/users
+/values-prod.yaml
+/values.yaml
+/vercel.json
+/version
+/vmalert/api/v1/rules
+/vmui
+/web-console/Invoker
+/web/database/list
+/web/database/manager
+/web/webclient/version_info
+/webhook-test/
+/webhook/
+/wp-admin/install.php
+/wp-admin/setup-config.php
+/wp-config.php
+/wp-content/debug.log
+/wp-content/uploads/
+/wp-json/
+/wp-json/wc/v3/system_status
+/wp-json/wp/v2/users
+/xmlrpc.php
+/zabbix.php?action=user.list
+/zeppelin/api/configurations/all
+/zeppelin/api/notebook
+/zipkin/api/v2/services
+/zipkin/api/v2/traces