Bug Bounty Hunting requires the use of various security tools to find vulnerabilities in software, web, and mobile applications. Key tools include BurpSuite, ZAP, and Caido for application security testing, as well as a range of tools for subdomain enumeration like Sublist3r and Amass. The post also highlights tools for port
Table of contents
Bug Bounty Tools & Scripts: Your Arsenal for Successful Hunting
  Burp Suite - Application Security Testing Software
  The ZAP Homepage
  Caido - A lightweight web security auditing toolkit
  GitHub - vavkamil/awesome-bugbounty-tools: A curated list of various bug bounty tools

Recon

  Subdomain Enumeration
    GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers
    GitHub - owasp-amass/amass: In-depth attack surface mapping and asset discovery
    GitHub - blechschmidt/massdns: A high-performance DNS stub resolver for bulk lookups and…
    GitHub - Findomain/Findomain: The fastest and complete solution for domain recognition. Supports…
    GitHub - screetsec/Sudomy: Sudomy is a subdomain enumeration tool to collect subdomains and…
    GitHub - projectdiscovery/chaos-client: Go client to communicate with Chaos DB API.
    GitHub - TypeError/domained: Multi Tool Subdomain Enumeration
    GitHub - appsecco/bugcrowd-levelup-subdomain-enumeration: This repository contains all the material…
    GitHub - projectdiscovery/shuffledns: MassDNS wrapper written in go to enumerate valid subdomains…
    GitHub - christophetd/censys-subdomain-finder: ⚡ Perform subdomain enumeration using the…
    GitHub - fleetcaptain/Turbolist3r: Subdomain enumeration tool with analysis features for discovered…
    GitHub - 0xbharath/censys-enumeration: A script to extract subdomains/emails for a given domain…
    GitHub - skynet0x01/tugarecon: Pentest: Subdomains enumeration tool for penetration testers.
    GitHub - cinerieus/as3nt: Another Subdomain ENumeration Tool
    GitHub - si9int/Subra: A Web-UI for subdomain enumeration (subfinder)
    GitHub - nexxai/Substr3am: Passive reconnaissance/enumeration of interesting targets by watching…
    GitHub - jhaddix/domain: Setup script for Regon-ng
    GitHub - infosec-au/altdns: Generates permutations, alterations and mutations of subdomains and…
    GitHub - anshumanbh/brutesubs: An automation framework for running multiple open sourced subdomain…
    GitHub - lorenzog/dns-parallel-prober: PoC for an adaptive parallelised DNS prober
    GitHub - rbsec/dnscan
    GitHub - guelfoweb/knock: Knock Subdomain Scan
    GitHub - hakluke/hakrevdns: Small, fast tool for performing reverse DNS lookups en masse.
    GitHub - projectdiscovery/dnsx: dnsx is a fast and multi-purpose DNS toolkit allow to run multiple…
    GitHub - projectdiscovery/subfinder: Fast passive subdomain enumeration tool.
    GitHub - tomnomnom/assetfinder: Find domains and subdomains related to a given domain
    GitHub - codingo/VHostScan: A virtual host scanner that performs reverse lookups, can be used with…
    GitHub - edoardottt/scilla: Information Gathering tool - DNS / Subdomains / Ports / Directories…
    GitHub - 3nock/OTE: OSINT Template Engine
    GitHub - glebarez/cero: Scrape domain names from SSL certificates of arbitrary hosts

  Port Scanning
    GitHub - robertdavidgraham/masscan: TCP port scanner, spews SYN packets asynchronously, scanning…
    GitHub - RustScan/RustScan: 🤖 The Modern Port Scanner 🤖
    GitHub - projectdiscovery/naabu: A fast port scanner written in go with a focus on reliability and…
    GitHub - nmap/nmap: Nmap - the Network Mapper. Github mirror of official SVN repository.
    GitHub - trimstray/sandmap: Nmap on steroids. Simple CLI with the ability to run pure Nmap engine…
    GitHub - johnnyxmas/ScanCannon: External attack surface discovery, enumeration and reconnaissance…

  Screenshots
    GitHub - RedSiege/EyeWitness: EyeWitness is designed to take screenshots of websites, provide some…
    GitHub - vladocar/screenshoteer: Make website screenshots and mobile emulations from the command…
    GitHub - sensepost/gowitness: 🔍 gowitness - a golang, web screenshot utility using Chrome Headless
    GitHub - byt3bl33d3r/WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer…
    GitHub - BishopFox/eyeballer: Convolutional neural network for analyzing pentest screenshots
    GitHub - nccgroup/scrying: A tool for collecting RDP, web and VNC screenshots all in one place
    GitHub - spipm/Depix: Recovers passwords from pixelized screenshots
    GitHub - breenmachine/httpscreenshot

  Technologies
    GitHub - juliopontes/Wappalyzer: Wappalyzer add-on for Firefox
    GitHub - rverton/webanalyze: Port of Wappalyzer (uncovers technologies used on websites) to…
    GitHub - claymation/python-builtwith: BuiltWith API client
    GitHub - urbanadventurer/WhatWeb: Next generation web scanner
    GitHub - RetireJS/retire.js: scanner detecting the use of JavaScript libraries with known…
    GitHub - projectdiscovery/httpx: httpx is a fast and multi-purpose HTTP toolkit that allows running…
    GitHub - praetorian-inc/fingerprintx: Standalone utility for service discovery on open ports!

  Content Discovery
    GitHub - OJ/gobuster: Directory/File, DNS and VHost busting tool written in Go
    GitHub - C-Sto/recursebuster: rapid content discovery tool for recursively querying webservers…
    GitHub - epi052/feroxbuster: A fast, simple, recursive content discovery tool written in Rust.
    GitHub - maurosoria/dirsearch: Web path scanner
    GitHub - evilsocket/dirsearch: A Go implementation of dirsearch.
    GitHub - henshin/filebuster: An extremely fast and flexible web fuzzer
    GitHub - stefanoj3/dirstalk: Modern alternative to dirbuster/dirb
    GitHub - digination/dirbuster-ng: dirbuster-ng is C CLI implementation of the Java dirbuster tool
    GitHub - jaeles-project/gospider: Gospider - Fast web spider written in Go
    GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of…
    GitHub - s0rg/crawley: The unix-way web crawler

  Links
    GitHub - GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript files
    GitHub - zseano/JS-Scan: a .js scanner, built in php. designed to scrape urls and other info
    GitHub - arbazkiraak/LinksDumper: Extract (links/possible endpoints) from responses & filter them…
    GitHub - 0xsha/GoLinkFinder: A fast and minimal JS endpoint extractor
    GitHub - InitRoot/BurpJSLinkFinder: Burp Extension for a passive scanning JS files for endpoint…
    GitHub - IAmStoxe/urlgrab: A golang utility to spider through a website searching for additional…
    GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a…
    GitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and…
    GitHub - riza/linx: Reveals invisible links within JavaScript files

  Parameters
    GitHub - maK-/parameth: This tool can be used to brute discover GET and POST parameters
    GitHub - PortSwigger/param-miner
    GitHub - Bo0oM/ParamPamPam
    GitHub - s0md3v/Arjun: HTTP parameter discovery suite.
    GitHub - devanshbatham/ParamSpider: Mining URLs from dark corners of Web Archives for bug…
    GitHub - Sh1Yo/x8: Hidden parameters discovery suite

  Fuzzing
    GitHub - xmendez/wfuzz: Web application fuzzer
    GitHub - ffuf/ffuf: Fast web fuzzer written in Go
    GitHub - fuzzdb-project/fuzzdb: Dictionary of attack patterns and primitives for black-box…
    GitHub - 1N3/IntruderPayloads: A collection of Burpsuite Intruder payloads, BurpBounty payloads…
    GitHub - Bo0oM/fuzz.txt: Potentially dangerous files
    GitHub - googleprojectzero/fuzzilli: A JavaScript Engine Fuzzer
    GitHub - Fuzzapi/fuzzapi: Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
    GitHub - ameenmaali/qsfuzz: qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz…
    GitHub - d4rckh/vaf: Vaf is a cross-platform very advanced and fast web fuzzer written in nim

Cloud Security Tools
  GitHub - cyberark/SkyArk: SkyArk helps to discover, assess and secure the most privileged entities…
  GitHub - RhinoSecurityLabs/pacu: The AWS exploitation framework, designed for testing the security…

Exploitation

  Command Injection
    GitHub - commixproject/commix: Automated All-in-One OS Command Injection Exploitation Tool.

  CORS Misconfiguration
    GitHub - s0md3v/Corsy: CORS Misconfiguration Scanner
    GitHub - RUB-NDS/CORStest: A simple CORS misconfiguration scanner
    GitHub - laconicwolf/cors-scanner: A multi-threaded scanner that helps identify CORS…
    GitHub - Shivangx01b/CorsMe: Cross Origin Resource Sharing MisConfiguration Scanner

  CRLF Injection
    GitHub - Raghavd3v/CRLFsuite: The most powerful CRLF injection (HTTP Response Splitting) scanner.
    GitHub - dwisiswant0/crlfuzz: A fast tool to scan CRLF vulnerability written in Go
    GitHub - MichaelStott/CRLF-Injection-Scanner: Command line tool for testing CRLF injection on a…
    GitHub - dubs3c/Injectus: CRLF and open redirect fuzzer

  CSRF Injection
    GitHub - 0xInfection/XSRFProbe: The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation…

  Directory Traversal
    GitHub - wireghoul/dotdotpwn: DotDotPwn - The Directory Traversal Fuzzer
    GitHub - chrispetrou/FDsploit: File Inclusion & Directory Traversal fuzzing, enumeration &…
    GitHub - bayotop/off-by-slash: Burp extension to detect alias traversal via NGINX misconfiguration…
    GitHub - momenbasel/liffier: tired of manually add dot-dot-slash to your possible path traversal…

  File Inclusion
    GitHub - mzfr/liffy: Local file inclusion exploitation tool
    GitHub - Team-Firebugs/Burp-LFI-tests: Fuzzing for LFI using Burpsuite
    GitHub - mthbernardes/LFI-Enum: Scripts to execute enumeration via LFI
    GitHub - D35m0nd142/LFISuite: Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
    GitHub - hussein98d/LFI-files: Wordlist to bruteforce for LFI

  GraphQL Injection
    GitHub - doyensec/inql: InQL is a robust, open-source Burp Suite extension for advanced GraphQL…
    GitHub - swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql…
    GitHub - szski/shapeshifter: GraphQL security testing tool
    GitHub - zidekmat/graphql_beautifier: Burp Suite extension to help make Graphql request more…
    GitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema even if the introspection is disabled

  Header Injection
    GitHub - mlcsec/headi: Customisable and automated HTTP header injection

  Insecure Deserialization
    GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe…
    GitHub - BishopFox/GadgetProbe: Probe endpoints consuming Java serialized objects to identify…
    GitHub - pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET…
    GitHub - ambionics/phpggc: PHPGGC is a library of PHP unserialize() payloads along with a tool to…

  Insecure Direct Object References
    GitHub - Quitten/Autorize: Automatic authorization enforcement detection extension for burp suite…

  Open Redirect
    GitHub - r0075h3ll/Oralyzer: Open Redirection Analyzer
    GitHub - dubs3c/Injectus: CRLF and open redirect fuzzer
    GitHub - Naategh/dom-red: Small script to check a list of domains against open redirect…
    GitHub - devanshbatham/OpenRedireX: A fuzzer for detecting open redirect vulnerabilities

  Race Condition
    GitHub - compsec-snu/razzer: A Kernel fuzzer focusing on race bugs
    GitHub - racepwn/racepwn: Race Condition framework
    GitHub - nccgroup/requests-racer: Small Python library that makes it easy to exploit race…
    GitHub - PortSwigger/turbo-intruder: Turbo Intruder is a Burp Suite extension for sending large…
    GitHub - TheHackerDev/race-the-web: Tests for race conditions in web applications. Includes a…

  Request Smuggling
    GitHub - anshumanpattnaik/http-request-smuggling: HTTP Request Smuggling Detection Tool
    GitHub - defparam/smuggler: Smuggler - An HTTP Request Smuggling / Desync testing tool written in…
    GitHub - BishopFox/h2csmuggler: HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
    GitHub - defparam/tiscripts: Turbo Intruder Scripts

  Server Side Request Forgery
    GitHub - swisskyrepo/SSRFmap: Automatic SSRF fuzzer and exploitation tool
    GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in…
    GitHub - jobertabma/ground-control: A collection of scripts that run on my web server. Mainly for…
    GitHub - ksharinarayanan/SSRFire: An automated SSRF finder. Just give the domain name and your…
    GitHub - daeken/httprebind: Automatic tool for DNS rebinding-based SSRF attacks
    GitHub - teknogeek/ssrf-sheriff: A simple SSRF-testing sheriff written in Go
    GitHub - SpiderMate/B-XSSRF: Toolkit to detect and keep track on Blind XSS, XXE & SSRF
    GitHub - Damian89/extended-ssrf-search: Smart ssrf scanner using different methods like parameter…
    GitHub - KathanP19/gaussrf: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback…
    GitHub - JacobReynolds/ssrfDetector: Server-side request forgery detector
    GitHub - RandomRobbieBF/grafana-ssrf: Authenticated SSRF in Grafana
    GitHub - xawdxawdx/sentrySSRF: Tool to searching sentry config on page or in javascript files and…
    GitHub - knassar702/lorsrf: Fast CLI tool to find the parameters that can be used to find SSRF or…
    GitHub - nccgroup/singularity: A DNS rebinding attack framework.
    GitHub - brannondorsey/whonow: A "malicious" DNS server for executing DNS Rebinding attacks on the…
    GitHub - brannondorsey/dns-rebind-toolkit: A front-end JavaScript toolkit for creating DNS…
    GitHub - FSecureLABS/dref: DNS Rebinding Exploitation Framework
    GitHub - taviso/rbndr: Simple DNS Rebinding Service
    GitHub - daeken/httprebind: Automatic tool for DNS rebinding-based SSRF attacks
    GitHub - makuga01/dnsFookup: DNS rebinding toolkit

  SQL Injection
    GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool
    GitHub - codingo/NoSQLMap: Automated NoSQL database enumeration and web application exploitation…
    GitHub - 0xbug/SQLiScanner: Automatic SQL injection with Charles and sqlmap api
    GitHub - RhinoSecurityLabs/SleuthQL: Python3 Burp History parsing tool to discover potential SQL…
    GitHub - blackarrowsec/mssqlproxy: mssqlproxy is a toolkit aimed to perform lateral movement in…
    GitHub - zt2/sqli-hunter: SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API…
    GitHub - ghostlulzhacks/waybackSqliScanner
    GitHub - NetSPI/ESC: Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced…
    GitHub - Keramas/mssqli-duet: SQL injection script for MSSQL that extracts domain users from an…
    GitHub - InitRoot/BurpSQLTruncSanner: Messy BurpSuite plugin for SQL Truncation vulnerabilities.
    GitHub - sadicann/andor: Blind SQL Injection Tool with Golang
    GitHub - mhaskar/Blinder: A python library to automate time-based blind SQL injection
    GitHub - the-robot/sqliv: massive SQL injection vulnerability scanner
    GitHub - Charlie-belmer/nosqli: NoSql Injection CLI tool, for finding vulnerable websites using…

  XSS Injection
    GitHub - s0md3v/XSStrike: Most advanced XSS scanner.
    GitHub - evilcos/xssor2: XSS'OR - Hack with JavaScript.
    GitHub - DanMcInerney/xsscrapy: XSS spider - 66/66 wavsep XSS detected
    GitHub - Netflix-Skunkworks/sleepy-puppy: Sleepy Puppy XSS Payload Management Framework
    GitHub - ssl/ezXSS: ezXSS is an easy way for penetration testers and bug bounty hunters to test…
    GitHub - mandatoryprogrammer/xsshunter: The XSS Hunter service - a portable version of…
    GitHub - hahwul/dalfox: 🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on…
    GitHub - epsylon/xsser: Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect…
    GitHub - hahwul/XSpear: 🔱 Powerfull XSS Scanning and Parameter analysis tool&gem
    GitHub - hakluke/weaponised-XSS-payloads: XSS payloads designed to turn alert(1) into P1
    GitHub - nccgroup/tracy: A tool designed to assist with finding all sinks and sources of a web…
    GitHub - jobertabma/ground-control: A collection of scripts that run on my web server. Mainly for…
    GitHub - NetSPI/xssValidator: This is a burp intruder extender that is designed for automation and…
    GitHub - Den1al/JSShell: An interactive multi-user web JS shell
    GitHub - LewisArdern/bXSS: bXSS is a utility which can be used by bug hunters and organizations to…
    GitHub - whitel1st/docem: A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files…
    GitHub - bugbountyforum/XSS-Radar
    GitHub - rajeshmajumdar/BruteXSS: BruteXSS is a tool written in python simply to find XSS…
    GitHub - dwisiswant0/findom-xss: A fast DOM based XSS vulnerability scanner with simplicity.
    GitHub - fcavallarin/domdig: DOM XSS scanner for Single Page Applications
    GitHub - wish-i-was/femida: Automated blind-xss search for Burp Suite
    GitHub - SpiderMate/B-XSSRF: Toolkit to detect and keep track on Blind XSS, XXE & SSRF
    GitHub - yaph/domxssscanner: DOMXSS Scanner is an online tool to scan source code for DOM based XSS…
    GitHub - mandatoryprogrammer/xsshunter_client: Correlated injection proxy tool for XSS Hunter
    GitHub - Damian89/extended-xss-search: A better version of my xssfinder tool - scans for different…
    GitHub - menkrep1337/XSSCon: XSSCon: Simple XSS Scanner tool
    GitHub - dxa4481/XSSOauthPersistence: Maintaining account persistence via XSS and Oauth
    GitHub - shadow-workers/shadow-workers: Shadow Workers is a free and open source C2 and proxy…
    GitHub - profmoriarity/rexsser: This is a burp plugin that extracts keywords from response using…
    GitHub - hipotermia/vaya-ciego-nen: Detect, manage and exploit Blind Cross-site scripting (XSS)…
    GitHub - AsaiKen/dom-based-xss-finder: Chrome extension that finds DOM based XSS vulnerabilities
    GitHub - vavkamil/xss2png: PNG IDAT chunks XSS payload generator
    GitHub - vavkamil/XSSwagger: A simple Swagger-ui scanner that can detect old versions vulnerable to…

  XXE Injection
    GitHub - jobertabma/ground-control: A collection of scripts that run on my web server. Mainly for…
    GitHub - GoSecure/dtd-finder: List DTDs and generate XXE payloads using those local DTDs.
    GitHub - whitel1st/docem: A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files…
    GitHub - staaldraad/xxeserv: A mini webserver with FTP support for XXE payloads
    GitHub - luisfontes19/xxexploiter: Tool to help exploit XXE vulnerabilities
    GitHub - SpiderMate/B-XSSRF: Toolkit to detect and keep track on Blind XSS, XXE & SSRF
    GitHub - enjoiz/XXEinjector: Tool for automatic exploitation of XXE vulnerability using direct and…
    GitHub - BuffaloWill/oxml_xxe: A tool for embedding XXE/XML exploits into different filetypes
    GitHub - vp777/metahttp: A bash script that automates the scanning of a target network for HTTP…