Awesome Bug Bounty Tools

A curated list of various bug bounty tools

Recon
Exploitation
Miscellaneous
- Passwords
- Secrets
- Git
- Buckets
- CMS
- JSON Web Token
- postMessage
- Subdomain Takeover
- Useful
- Uncategorized

Recon

Subdomain Enumeration

Sublist3r - Fast subdomains enumeration tool for penetration testers
Amass - In-depth Attack Surface Mapping and Asset Discovery
massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
Findomain - The fastest and cross-platform subdomain enumerator, do not waste your time.
Sudomy - Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting
chaos-client - Go client to communicate with Chaos DNS API.
domained - Multi Tool Subdomain Enumeration
bugcrowd-levelup-subdomain-enumeration - This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
shuffledns - shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
puredns - Fast domain resolver and subdomain bruteforcing with accurate wildcard filtering with wilcard(*)
censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys.
Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains
censys-enumeration - A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
tugarecon - Fast subdomains enumeration tool for penetration testers.
as3nt - Another Subdomain ENumeration Tool
Subra - A Web-UI for subdomain enumeration (subfinder)
Substr3am - Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
domain - enumall.py Setup script for Regon-ng
altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
brutesubs - An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
dns-parallel-prober - his is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible.
dnscan - dnscan is a python wordlist-based DNS subdomain scanner.
knock - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
dnsx - Dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
assetfinder - Find domains and subdomains related to a given domain
crtndstry - Yet another subdomain finder
VHostScan - A virtual host scanner that performs reverse lookups
scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration
sub3suite - A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping.
cero - Scrape domain names from SSL certificates of arbitrary hosts
shosubgo - Small tool to Grab subdomains using Shodan api
haktrails - Golang client for querying SecurityTrails API data
bbot - A recursive internet scanner for hackers

Port Scanning

masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
RustScan - The Modern Port Scanner
naabu - A fast port scanner written in go with focus on reliability and simplicity.
nmap - Nmap - the Network Mapper. Github mirror of official SVN repository.
sandmap - Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.
ScanCannon - Combines the speed of masscan with the reliability and detailed enumeration of nmap

Screenshots

EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
aquatone - Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
screenshoteer - Make website screenshots and mobile emulations from the command line.
gowitness - gowitness - a golang, web screenshot utility using Chrome Headless
WitnessMe - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
eyeballer - Convolutional neural network for analyzing pentest screenshots
scrying - A tool for collecting RDP, web and VNC screenshots all in one place
Depix - Recovers passwords from pixelized screenshots
httpscreenshot - HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.

Technologies

wappalyzer - Identify technology on websites.
webanalyze - Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
python-builtwith - BuiltWith API client
whatweb - Next generation web scanner
retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities
httpx - httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
fingerprintx - fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools.

Content Discovery

gobuster - Directory/File, DNS and VHost busting tool written in Go
recursebuster - rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments
feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
dirsearch - Web path scanner
dirsearch - A Go implementation of dirsearch.
filebuster - An extremely fast and flexible web fuzzer
dirstalk - Modern alternative to dirbuster/dirb
dirbuster-ng - dirbuster-ng is C CLI implementation of the Java dirbuster tool
gospider - Gospider - Fast web spider written in Go
hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
crawley - fast, feature-rich unix-way web scraper/crawler written in Golang.
katana - A next-generation crawling and spidering framework

Parameters

parameth - This tool can be used to brute discover GET and POST parameters
param-miner - This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
ParamPamPam - This tool for brute discover GET and POST parameters.
Arjun - HTTP parameter discovery suite.
ParamSpider - Mining parameters from dark corners of Web Archives.
x8 - Hidden parameters discovery suite written in Rust.

Fuzzing

wfuzz - Web application fuzzer
ffuf - Fast web fuzzer written in Go
fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
IntruderPayloads - A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
fuzz.txt - Potentially dangerous files
fuzzilli - A JavaScript Engine Fuzzer
fuzzapi - Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
qsfuzz - qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
vaf - very advanced (web) fuzzer written in Nim.

Exploitation

Lorem ipsum dolor sit amet

Command Injection

commix - Automated All-in-One OS command injection and exploitation tool.

CORS Misconfiguration

Corsy - CORS Misconfiguration Scanner
CORStest - A simple CORS misconfiguration scanner
cors-scanner - A multi-threaded scanner that helps identify CORS flaws/misconfigurations
CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner