Awesome Bug Bounty Tools

Curated list of various bug bounty tools

Contents

• Recon

  • Subdomains
  • Ports
  • Screenshots
  • Technologies
  • Files/directories
  • Secrets
  • Buckets
  • Git

• Exploitation

  • Command Injection
  • CORS Misconfiguration
  • CRLF Injection
  • CSRF Injection
  • Directory Traversal
  • File Inclusion
  • GraphQL Injection
  • Header Injection
  • Insecure Deserialization
  • Insecure Direct Object References
  • Open Redirect
  • Race Condition
  • Request Smuggling
  • Server Side Request Forgery
  • SQL Injection
  • XSS Injection
  • XXE Injection

• Miscellaneous

  • CMS
  • JSON Web Token
  • postMessage
  • Subdomain takeover

---

Exploitation

Lorem ipsum dolor sit amet

Command Injection

• commix - Automated All-in-One OS command injection and exploitation tool.

CORS Misconfiguration

• Corsy - CORS Misconfiguration Scanner
• CORStest - A simple CORS misconfiguration scanner
• cors-scanner - A multi-threaded scanner that helps identify CORS flaws/misconfigurations
• CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner

CRLF Injection

• crlfuzz - A fast tool to scan CRLF vulnerability written in Go
• CRLF-Injection-Scanner - Command line tool for testing CRLF injection on a list of domains.
• Injectus - CRLF and open redirect fuzzer

CSRF Injection

• XSRFProbe -The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

Directory Traversal

• dotdotpwn - DotDotPwn - The Directory Traversal Fuzzer
• FDsploit - File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
• off-by-slash - Burp extension to detect alias traversal via NGINX misconfiguration at scale.
• liffier - tired of manually add dot-dot-slash to your possible path traversal? this short snippet will increment ../ on the URL.

File Inclusion

• liffy - Local file inclusion exploitation tool
• Burp-LFI-tests - Fuzzing for LFI using Burpsuite
• LFI-Enum - Scripts to execute enumeration via LFI
• LFISuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
• LFI-files - Wordlist to bruteforce for LFI

GraphQL Injection

• inql - InQL - A Burp Extension for GraphQL Security Testing
• GraphQLmap - GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
• shapeshifter - GraphQL security testing tool
• graphql_beautifier - Burp Suite extension to help make Graphql request more readable
• clairvoyance - Obtain GraphQL API schema despite disabled introspection!

Header Injection

• headi - Customisable and automated HTTP header injection.

Insecure Deserialization

• ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
• GadgetProbe - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
• ysoserial.net - Deserialization payload generator for a variety of .NET formatters
• phpggc - PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.

Insecure Direct Object References

• Autorize - Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily

Open Redirect

• Oralyzer - Open Redirection Analyzer
• Injectus - CRLF and open redirect fuzzer
• dom-red - Small script to check a list of domains against open redirect vulnerability

Race Condition

• razzer - A Kernel fuzzer focusing on race bugs
• racepwn - Race Condition framework
• requests-racer - Small Python library that makes it easy to exploit race conditions in web apps with Requests.
• turbo-intruder - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
• race-the-web - Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

Request Smuggling

• http-request-smuggling - HTTP Request Smuggling Detection Tool
• smuggler - Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
• h2csmuggler - HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
• tiscripts - These scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks.

Server Side Request Forgery

• SSRFmap - Automatic SSRF fuzzer and exploitation tool
• Gopherus - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
• ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
• Gf-Patterns - GF Paterns For (ssrf,RCE,Lfi,sqli,ssti,idor,url redirection,debug_logic, interesting Subs) parameters grep
• SSRFire - An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
• httprebind - Automatic tool for DNS rebinding-based SSRF attacks
• ssrf-sheriff - A simple SSRF-testing sheriff written in Go
• B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
• extended-ssrf-search - Smart ssrf scanner using different methods like parameter brute forcing in post and get...
• gaussrf - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl and Filter Urls With OpenRedirection or SSRF Parameters.
• ssrfDetector - Server-side request forgery detector
• grafana-ssrf - Authenticated SSRF in Grafana
• sentrySSRF - Tool to searching sentry config on page or in javascript files and check blind SSRF
• lorsrf - Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods

SQL Injection

• sqlmap - Automatic SQL injection and database takeover tool
• NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
• SQLiScanner - Automatic SQL injection with Charles and sqlmap api
• SleuthQL - Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
• mssqlproxy - mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
• sqli-hunter - SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
• waybackSqliScanner - Gather urls from wayback machine then test each GET parameter for sql injection.
• ESC - Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
• mssqli-duet - SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
• burp-to-sqlmap - Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap
• BurpSQLTruncSanner - Messy BurpSuite plugin for SQL Truncation vulnerabilities.
• andor - Blind SQL Injection Tool with Golang
• Blinder - A python library to automate time-based blind SQL injection
• sqliv - massive SQL injection vulnerability scanner
• nosqli - NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.

XSS Injection

• XSStrike - Most advanced XSS scanner.
• xssor2 - XSS'OR - Hack with JavaScript.
• xsscrapy - XSS spider - 66/66 wavsep XSS detected
• sleepy-puppy - Sleepy Puppy XSS Payload Management Framework
• ezXSS - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
• xsshunter - The XSS Hunter service - a portable version of XSSHunter.com
• dalfox - DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
• xsser - Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
• XSpear - Powerfull XSS Scanning and Parameter analysis tool&gem
• weaponised-XSS-payloads - XSS payloads designed to turn alert(1) into P1
• tracy - A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
• ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
• xssValidator - This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
• JSShell - An interactive multi-user web JS shell
• bXSS - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
• docem - Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
• XSS-Radar - XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
• BruteXSS - BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.
• findom-xss - A fast DOM based XSS vulnerability scanner with simplicity.
• domdig - DOM XSS scanner for Single Page Applications
• femida - Automated blind-xss search for Burp Suite
• B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
• domxssscanner - DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
• xsshunter_client - Correlated injection proxy tool for XSS Hunter
• extended-xss-search - A better version of my xssfinder tool - scans for different types of xss on a list of urls.
• xssmap - XSSMap 是一款基于 Python3 开发用于检测 XSS 漏洞的工具
• XSSCon - XSSCon: Simple XSS Scanner tool
• BitBlinder - BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities
• XSSOauthPersistence - Maintaining account persistence via XSS and Oauth
• shadow-workers - Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
• rexsser - This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.
• xss-flare - XSS hunter on cloudflare serverless workers.
• Xss-Sql-Fuzz - burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
• vaya-ciego-nen - Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
• dom-based-xss-finder - Chrome extension that finds DOM based XSS vulnerabilities
• XSSTerminal - Develop your own XSS Payload using interactive typing

XXE Injection

• ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
• dtd-finder - List DTDs and generate XXE payloads using those local DTDs.
• docem - Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
• xxeserv - A mini webserver with FTP support for XXE payloads
• xxexploiter - Tool to help exploit XXE vulnerabilities
• B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
• XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
• oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes
• metahttp - A bash script that automates the scanning of a target network for HTTP resources through XXE

Miscellaneous

Lorem ipsum dolor sit amet

CMS

• wpscan - WPScan is a free, for non-commercial use, black box WordPress security scanner
• WPSpider - A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.
• wprecon - Wordpress Recon
• CMSmap - CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
• joomscan - OWASP Joomla Vulnerability Scanner Project

JSON Web Token

• jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
• c-jwt-cracker - JWT brute force cracker written in C
• jwt-heartbreaker - The Burp extension to check JWT (JSON Web Tokens) for using keys from known from public sources
• jwtear - Modular command-line tool to parse, create and manipulate JWT tokens for hackers
• jwt-key-id-injector - Simple python script to check against hypothetical JWT vulnerability.
• jwt-hack - jwt-hack is tool for hacking / security testing to JWT.
• jwt-cracker - Simple HS256 JWT token brute force cracker

postMessage

• postMessage-tracker - A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon
• PostMessage_Fuzz_Tool - #BugBounty #BugBounty Tools #WebDeveloper Tool

Contribute

Contributions welcome! Read the contribution guidelines first.

License

To the extent possible under law, vavkamil has waived all copyright and related or neighboring rights to this work.