Awesome Bug Bounty Tools

A curated list of various bug bounty tools

Contents

• Recon

  • Subdomain Enumeration
  • Port Scanning
  • Screenshots
  • Technologies
  • Content Discovery
  • Links
  • Parameters
  • Fuzzing

• Exploitation

  • Command Injection
  • CORS Misconfiguration
  • CRLF Injection
  • CSRF Injection
  • Directory Traversal
  • File Inclusion
  • GraphQL Injection
  • Header Injection
  • Insecure Deserialization
  • Insecure Direct Object References
  • Open Redirect
  • Race Condition
  • Request Smuggling
  • Server Side Request Forgery
  • SQL Injection
  • XSS Injection
  • XXE Injection

• Miscellaneous

  • Passwords
  • Secrets
  • Git
  • Buckets
  • CMS
  • JSON Web Token
  • postMessage
  • Subdomain Takeover
  • Useful
  • Uncategorized

Recon

Subdomain Enumeration

• Sublist3r - Fast subdomains enumeration tool for penetration testers
• Amass - In-depth Attack Surface Mapping and Asset Discovery
• massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
• Findomain - The fastest and cross-platform subdomain enumerator, do not waste your time.
• Sudomy - Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting
• chaos-client - Go client to communicate with Chaos DNS API.
• domained - Multi Tool Subdomain Enumeration
• bugcrowd-levelup-subdomain-enumeration - This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
• shuffledns - shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
• puredns - Fast domain resolver and subdomain bruteforcing with accurate wildcard filtering with wilcard(*)
• censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys.
• Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains
• censys-enumeration - A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
• tugarecon - Fast subdomains enumeration tool for penetration testers.
• as3nt - Another Subdomain ENumeration Tool
• Subra - A Web-UI for subdomain enumeration (subfinder)
• Substr3am - Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
• domain - enumall.py Setup script for Regon-ng
• altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
• brutesubs - An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
• dns-parallel-prober - his is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible.
• dnscan - dnscan is a python wordlist-based DNS subdomain scanner.
• knock - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
• hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
• dnsx - Dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
• subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
• assetfinder - Find domains and subdomains related to a given domain
• crtndstry - Yet another subdomain finder
• VHostScan - A virtual host scanner that performs reverse lookups
• scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration
• sub3suite - A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping.
• cero - Scrape domain names from SSL certificates of arbitrary hosts
• shosubgo - Small tool to Grab subdomains using Shodan api
• haktrails - Golang client for querying SecurityTrails API data
• bbot - A recursive internet scanner for hackers

Port Scanning

• masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
• RustScan - The Modern Port Scanner
• naabu - A fast port scanner written in go with focus on reliability and simplicity.
• nmap - Nmap - the Network Mapper. Github mirror of official SVN repository.
• sandmap - Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.
• ScanCannon - Combines the speed of masscan with the reliability and detailed enumeration of nmap

Screenshots

• EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
• aquatone - Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
• screenshoteer - Make website screenshots and mobile emulations from the command line.
• gowitness - gowitness - a golang, web screenshot utility using Chrome Headless
• WitnessMe - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
• eyeballer - Convolutional neural network for analyzing pentest screenshots
• scrying - A tool for collecting RDP, web and VNC screenshots all in one place
• Depix - Recovers passwords from pixelized screenshots
• httpscreenshot - HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.

Technologies

• wappalyzer - Identify technology on websites.
• webanalyze - Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
• python-builtwith - BuiltWith API client
• whatweb - Next generation web scanner
• retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities
• httpx - httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
• fingerprintx - fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools.

Content Discovery

• gobuster - Directory/File, DNS and VHost busting tool written in Go
• recursebuster - rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments
• feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
• dirsearch - Web path scanner
• dirsearch - A Go implementation of dirsearch.
• filebuster - An extremely fast and flexible web fuzzer
• dirstalk - Modern alternative to dirbuster/dirb
• dirbuster-ng - dirbuster-ng is C CLI implementation of the Java dirbuster tool
• gospider - Gospider - Fast web spider written in Go
• hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
• crawley - fast, feature-rich unix-way web scraper/crawler written in Golang.
• katana - A next-generation crawling and spidering framework

Links

• LinkFinder - A python script that finds endpoints in JavaScript files
• JS-Scan - a .js scanner, built in php. designed to scrape urls and other info
• LinksDumper - Extract (links/possible endpoints) from responses & filter them via decoding/sorting
• GoLinkFinder - A fast and minimal JS endpoint extractor
• BurpJSLinkFinder - Burp Extension for a passive scanning JS files for endpoint links.
• urlgrab - A golang utility to spider through a website searching for additional links.
• waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain
• gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
• getJS - A tool to fastly get all javascript sources/files
• linx - Reveals invisible links within JavaScript files
• waymore - Find way more from the Wayback Machine!
• xnLinkFinder - A python tool used to discover endpoints, potential parameters, and a target specific wordlist for a given target

Parameters

• parameth - This tool can be used to brute discover GET and POST parameters
• param-miner - This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
• ParamPamPam - This tool for brute discover GET and POST parameters.
• Arjun - HTTP parameter discovery suite.
• ParamSpider - Mining parameters from dark corners of Web Archives.
• x8 - Hidden parameters discovery suite written in Rust.

Fuzzing

• wfuzz - Web application fuzzer
• ffuf - Fast web fuzzer written in Go
• fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
• IntruderPayloads - A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
• fuzz.txt - Potentially dangerous files
• fuzzilli - A JavaScript Engine Fuzzer
• fuzzapi - Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
• qsfuzz - qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
• vaf - very advanced (web) fuzzer written in Nim.

Exploitation

Lorem ipsum dolor sit amet

Command Injection

• commix - Automated All-in-One OS command injection and exploitation tool.

CORS Misconfiguration

• Corsy - CORS Misconfiguration Scanner
• CORStest - A simple CORS misconfiguration scanner
• cors-scanner - A multi-threaded scanner that helps identify CORS flaws/misconfigurations
• CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner

CRLF Injection

• CRLFsuite - A fast tool specially designed to scan CRLF injection
• crlfuzz - A fast tool to scan CRLF vulnerability written in Go