Table of Contents:
- Wordlists
- Google Cloud Storage
- Digital Ocean
- Command Injection
- XSS
- API
- AWS S3 Bucket
- Inspecting JS Files
- Code Audit
- Frameworks
- Subdomain Enumeration
- Port Scanning
- Screenshots
- Technologies
- Content Discovery
- Links
- Parameters
- Fuzzing
- CORS Misconfiguration
- CRLF Injection
- CSRF Injection
- Directory Traversal
- File Inclusion
- GraphQL Injection
- Header Injection
- Insecure Deserialization
- Insecure Direct Object References
- Open Redirect
- Race Condition
- Request Smuggling
- Server Side Request Forgery
- SQL Injection
- XSS Injection
- XXE Injection
- Password List
- Secrets
- Git
- Buckets
- CMS
- JSON Web Token
- PostMessage
- Subdomain Takeover
- Vulnerability Scanners
Introduction
In the world of cybersecurity, bug bounty programs have become an increasingly popular way for organizations to identify and address vulnerabilities in their software and systems. These programs incentivize ethical hackers to identify and report potential security flaws in exchange for rewards such as cash or recognition. However, finding and exploiting vulnerabilities can be a challenging and time-consuming process, which is where bug bounty tools come in. In this collection of articles, we explore the top bug bounty tools available to ethical hackers, their features and capabilities, and how they can help you improve your bug hunting skills and ultimately secure your organization’s digital assets.
Vulnerability Scanners
Nuclei
Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
Link :- https://github.com/projectdiscovery/nuclei
It also offers Nuclei templates.
Link :- https://github.com/projectdiscovery/nuclei-templates
Sn1per
Automated pentest framework for offensive security experts
Link :- https://github.com/1N3/Sn1per
Metasploit-framework
The world’s most used penetration testing framework
Link :- https://www.metasploit.com/
Nikto
Nikto web server scanner
Link :- https://github.com/sullo/nikto
Arachni
Web Application Security Scanner Framework
Link :- https://github.com/Arachni/arachni
Jaeles
The Swiss Army knife for automated Web Application Testing
Link :- https://github.com/jaeles-project/jaeles
Retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities.
Link :- https://github.com/retirejs/retire.js/
Osmedeus
Fully automated offensive security framework for reconnaissance and vulnerability scanning.
Link :- https://github.com/uranassystems/Osmedeus
Getsploit
Command line utility for searching and downloading exploits
Link :- https://github.com/vulnersCom/getsploit
Flan
A pretty sweet vulnerability scanner
Link :- https://github.com/cloudflare/flan
Findsploit
Find exploits in local and online databases instantly
Link :- https://github.com/1N3/Findsploit
BlackWidow
A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
Link :- https://github.com/1N3/BlackWidow
Backslash-powered-scanner
Finds unknown classes of injection vulnerabilities.
Link :- https://github.com/PortSwigger/backslash-powered-scanner
Eagle
Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities.
Link :- https://github.com/BitTheByte/Eagle
OWASP ZAP
One of the world’s most popular free web security tools, actively maintained by a dedicated international team of volunteers.
Wordlists
Cewl
CeWL (Custom Word List generator) is a Ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper.
Link :- https://github.com/digininja/CeWL
CUPP
CUPP is an automated script written in Python that interacts with the user, who answers some fundamental questions about the victim such as Name, Company Name, Partner’s Name, etc.
Link :- https://github.com/Mebus/cupp
Crunch
Crunch is a wordlist generator where you can specify a standard character set or any set of characters to be used in generating the wordlists.
Link :- https://github.com/jim3ma/crunch
Pydictor
A powerful and useful hacker dictionary builder for a brute-force attack.
Link :- https://github.com/LandGrey/pydictor
Rsmangler
RSMangler takes a wordlist and performs various manipulations on it, similar to those done by John the Ripper. The main difference is that it first takes the input words and generates all permutations and the acronym of the words (in the order they appear in the file) before applying the rest of the mangles.
Link :- https://github.com/digininja/RSMangler
Rockyou.txt
Kali Linux provides this dictionary file as part of its standard installation.
Seclists
SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
Link :- https://github.com/danielmiessler/SecLists
Assetnote Wordlists
Link :- https://wordlists.assetnote.io
Digital Ocean
Spaces-finder
A tool to hunt for publicly accessible DigitalOcean Spaces.
Command Injection
Commix
Automated All-in-One OS command injection and exploitation tool.
Link :- https://github.com/commixproject/commix
Sqlmap
Automatic SQL injection and database takeover tool http://sqlmap.org
Link :- https://github.com/sqlmapproject/sqlmap
Sqliv
Massive SQL injection vulnerability scanner.
Link :- https://github.com/the-robot/sqliv
Sqlmate
A friend of SQLmap which will do what you always expected from SQLmap.
XSS
XSStrike
Most advanced XSS scanner.
Link :- https://github.com/s0md3v/XSStrike
XSS-keylogger
A keystroke logger to exploit XSS vulnerabilities in a site.
API
Secretx
Extracting API keys and secrets by requesting each URL in your list.
AWS S3 Bucket
s3brute
S3 brute-force tool.
Link :- https://github.com/ghostlulzhacks/s3brute
S3-bucket-finder
Find AWS S3 buckets and extract data.
Link :- https://github.com/gwen001/s3-buckets-finder
Bucket-stream
Find interesting Amazon S3 buckets by watching certificate
Link :- https://github.com/eth0izzle/bucket-stream
Slurp
Enumerate S3 buckets via certstream, domain, or keywords.
Link :- https://github.com/0xbharath/slurp
lazys3
A Ruby script to brute-force AWS S3 buckets using different permutations.
Link :- https://github.com/nahamsec/lazys3
Cred scanner
A simple file-based scanner to look for potential AWS access and secret keys in files.
Link :- https://github.com/disruptops/cred_scanner
DumpsterDiver
A tool used to analyze big volumes of various file types in search of hardcoded secrets like keys (AWS Access Key, Azure Share Key or SSH keys) or passwords.
Link :- https://github.com/securing/DumpsterDiver
S3Scanner
Scan for open AWS S3 buckets and dump the contents.
Inspecting JS Files
JSParser
A Python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files.
Link :- https://github.com/nahamsec/JSParser
Relative-url-extractor
A small tool that extracts relative URLs from a file.
Link :- https://github.com/jobertabma/relative-url-extractor
Sub.js
A tool to get JavaScript files from a list of URLs or subdomains.
Link :- https://github.com/lc/subjs
LinkFinder
A Python script that finds endpoints in JavaScript files.
URL Finders
Crawler
Crawl website extract links
Link :- https://github.com/spatie/crawler
WaybackMachine
Use wayback Machine data to pull a list of paths
Link :- https://github.com/tomnomnom/waybackurls
Meg
Fetch many paths for many hosts – without killing the hosts
Link :- https://github.com/tomnomnom/meg
Hakrawler
Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
Link :- https://github.com/hakluke/hakrawler
Igoturls
WaybackURLS + OtxURLS + CommonCrawl
Frameworks
Sniper
Automated pentest framework for offensive security experts.
Link :- https://github.com/1N3/Sn1per
XRay
XRay is a tool for recon, mapping and OSINT gathering from public networks.
Link :- https://github.com/XTLS/Xray-core
Datasploit
An OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
Link :- https://github.com/DataSploit/datasploit
Osmedeus
Fully automated offensive security framework for reconnaissance and vulnerability scanning.
Link :- https://github.com/j3ssie/osmedeus
TIDoS-Framework
The Offensive Manual Web Application Penetration Testing Framework.
Link :- https://github.com/0xInfection/TIDoS-Framework
Discover
Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit.
Link :- https://github.com/leebaird/discover
Lazyrecon
This script is intended to automate your reconnaissance process in an organized fashion.
Link :- https://github.com/nahamsec/lazyrecon
003Recon
Some tools to automate recon – 003random
Link :- https://github.com/003random/003Recon
Vulmap
Vulmap is a web vulnerability scanning and verification tool that can scan webapps for vulnerabilities and has a vulnerability verification function.
Link :- https://github.com/vulmon/Vulmap
Subdomain Enumeration
Findomain
The fastest and cross-platform subdomain enumerator, do not waste your time.
Link :- https://github.com/Findomain/Findomain
Chaos-client
Go client to communicate with Chaos DNS API.
Link :- https://chaos.projectdiscovery.io/
Domained
Multi Tool Subdomain Enumeration.
Link :- https://github.com/TypeError/domained
Bugcrowd-levelup-subdomain-enumeration
This repository contains all the material from the talk “Esoteric subdomain enumeration techniques” given at Bugcrowd LevelUp 2017 virtual conference.
Link :- https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration
Shuffledns
ShuffleDNS is a wrapper around massdns, written in Go, that allows you to enumerate valid subdomains using active brute force as well as resolve subdomains with wildcard handling and easy input/output.
Link :- https://github.com/projectdiscovery/shuffledns
Censys-subdomain-finder
Perform subdomain enumeration using the certificate transparency logs from Censys.
Link :- https://github.com/christophetd/censys-subdomain-finder
Turbolist3r
Subdomain enumeration tool with analysis features for discovered domains.
Link :- https://github.com/fleetcaptain/Turbolist3r
Censys-enumeration
A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys.
Link :- https://github.com/0xbharath/censys-enumeration
Tugarecon
Fast subdomains enumeration tool for penetration testers.
Link :- https://github.com/skynet0x01/tugarecon
As3nt
Another Subdomain Enumeration Tool.
Link :- https://github.com/cinerieus/as3nt
Subra
A Web-UI for subdomain enumeration (subfinder).
Link :- https://github.com/si9int/Subra
Substr3am
Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued.
Link :- https://github.com/nexxai/Substr3am
Altdns
Generates permutations, alterations and mutations of subdomains and then resolves them.
Link :- https://github.com/infosec-au/altdns
Brutesubs
An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose.
Link :- https://github.com/anshumanbh/brutesubs
Dns-parallel-prober
Perform subdomain enumeration using the certificate transparency logs from Censys.
Link :- https://github.com/lorenzog/dns-parallel-prober
Dnscan
Dnscan is a Python wordlist-based DNS subdomain scanner.
Link :- https://github.com/rbsec/dnscan
Hakrevdns
Small, fast tool for performing reverse DNS lookups.
Link :- https://github.com/hakluke/hakrevdns
Dnsx
Dnsx is a fast and multi-purpose DNS toolkit that allows running multiple DNS queries of your choice with a list of user-supplied resolvers.
Link :- https://github.com/projectdiscovery/dnsx
Crtndstry
Yet another subdomain finder.
Link :- https://github.com/nahamsec/crtndstry
VHostScan
A virtual host scanner that performs reverse lookups.
Link :- https://github.com/codingo/VHostScan
Scilla
Information Gathering tool – DNS / Subdomains / Ports / Directories enumeration.
Link :- https://github.com/edoardottt/scilla
Sub3suite
A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping.
Link :- https://github.com/3nock/sub3suite
Aquatone
A Tool for Domain Flyovers.
Link :- https://github.com/michenriksen/aquatone
Knockpy
Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist.
Link :- https://github.com/guelfoweb/knock
Subbrute
A DNS meta-query spider that enumerates DNS records, and subdomains.
Link :- https://github.com/TheRook/subbrute
Assetfinder
Find domains and subdomains related to a given domain.
Link :- https://github.com/tomnomnom/assetfinder
Rsdl
Subdomain Scan with the Ping Method.
Link :- https://github.com/tismayil/rsdl
Massdns
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration).
Link :- https://github.com/blechschmidt/massdns
Subfinder
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration).
Link :- https://github.com/projectdiscovery/subfinder
Amass
A virtual host scanner that performs reverse lookups.
Link :- https://github.com/owasp-amass/amass
Sub.sh
Online Subdomain Detect Script.
Link :- https://github.com/cihanmehmet/sub.sh
Sublist3r
Fast subdomains enumeration tool for penetration testers.
Link :- https://github.com/aboul3la/Sublist3r
Sudomy
Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting.
Link :- https://github.com/screetsec/Sudomy
Dnsenum
Multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.
Port Scanning
Masscan
TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
Link :- https://github.com/robertdavidgraham/masscan
RustScan
The Modern Port Scanner
Link :- https://github.com/RustScan/RustScan
Naabu
A fast port scanner written in Go with a focus on reliability and simplicity.
Link :- https://github.com/projectdiscovery/naabu
Nmap
Nmap – The Network Mapper. Github mirror of official SVN repository
Link :- https://github.com/nmap/nmap
Sandmap
Combines the speed of masscan with the reliability and detailed enumeration of nmap.
Link :- https://github.com/trimstray/sandmap
Screenshots
EyeWitness
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Link :- https://github.com/FortyNorthSecurity/EyeWitness
Aquatone
Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
Link :- https://github.com/michenriksen/aquatone
Screenshoteer
Make website screenshots and mobile emulations from the command line.
Link :- https://github.com/vladocar/screenshoteer
Gowitness
A golang, web screenshot utility using Chrome Headless.
Link :- https://github.com/sensepost/gowitness
WitnessMe
Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
Link :- https://github.com/byt3bl33d3r/WitnessMe
Eyeballer
Convolutional neural network for analyzing pentest screenshots.
Link :- https://github.com/BishopFox/eyeballer
Scrying
A tool for collecting RDP, web and VNC screenshots all in one place.
Link :- https://github.com/nccgroup/scrying
Depix
Recovers passwords from pixelized screenshots.
Link :- https://github.com/beurtschipper/Depix
Httpscreenshot
HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.
Technologies
Wappalyzer
Identify technology on websites.
Link :- https://www.wappalyzer.com/
Webanalyze
Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
Link :- https://github.com/rverton/webanalyze
Python-builtwith
BuiltWith API client
Link :- https://github.com/claymation/python-builtwith
Whatweb
Next generation web scanner.
Link :- https://github.com/urbanadventurer/WhatWeb
Retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities.
Link :- https://chrome.google.com/webstore/detail/retirejs/moibopkbhjceeedibkbkbchbjnkadmom?hl=en
Httpx
httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads.
Link :- https://github.com/projectdiscovery/httpx
Fingerprintx
Fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools.
Link :- https://github.com/fingerprintjs/fingerprintjs
Content Discovery
Gobuster
Directory/File, DNS and VHost busting tool written in Go.
Link :- https://github.com/OJ/gobuster
Feroxbuster
A fast, simple, recursive content discovery tool written in Rust.
Link :- https://github.com/epi052/feroxbuster
Ffuf
Fast web fuzzer written in Go.
Link :- https://github.com/ffuf/ffuf
Dirsearch
Web path scanner
Link :- https://github.com/maurosoria/dirsearch
Recursebuster
Web path scanner.
Link :- https://github.com/C-Sto/recursebuster
Filebuster
An extremely fast and flexible web fuzzer.
Link :- https://github.com/henshin/filebuster
Dirstalk
An extremely fast and flexible web fuzzer.
Link :- https://github.com/maurosoria/dirsearch
Dirbuster-ng
An extremely fast and flexible web fuzzer.
Link :- https://github.com/digination/dirbuster-ng
Gospider
Gospider – Fast web spider written in Go.
Link :- https://github.com/jaeles-project/gospider
Hakrawler
Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
Link :- https://github.com/hakluke/hakrawler
Crawley
Fast, feature-rich unix-way web scraper/crawler written in Golang.
Link :- https://github.com/jmg/crawley
Links
LinkFinder
A Python script that finds endpoints in JavaScript files.
Link :- https://github.com/GerbenJavado/LinkFinder
JS-Scan
A .js scanner, built in PHP, designed to scrape URLs and other info.
Link :- https://github.com/zseano/JS-Scan
LinksDumper
Extract (links/possible endpoints) from responses & filter them via decoding/sorting.
Link :- https://github.com/arbazkiraak/LinksDumper
GoLinkFinder
A fast and minimal JS endpoint extractor.
Link :- https://github.com/0xsha/GoLinkFinder
BurpJSLinkFinder
Burp extension for passively scanning JS files for endpoint links.
Link :- https://github.com/InitRoot/BurpJSLinkFinder
Urlgrab
A golang utility to spider through a website searching for additional links.
Link :- https://github.com/IAmStoxe/urlgrab
Waybackurls
Fetch all the URLs that the Wayback Machine knows about for a domain.
Link :- https://github.com/tomnomnom/waybackurls
GetJS
A tool to quickly get all JavaScript sources/files.
Link :- https://github.com/003random/getJS
Parameters
Parameth
This tool can be used to brute discover GET and POST parameters.
Link :- https://github.com/maK-/parameth
Param-miner
This extension identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities.
Link :- https://github.com/PortSwigger/param-miner
ParamPamPam
This tool brute-force discovers GET and POST parameters.
Link :- https://github.com/Bo0oM/ParamPamPam
Arjun
HTTP parameter discovery suite.
Link :- https://github.com/s0md3v/Arjun
ParamSpider
Mining parameters from dark corners of Web Archives.
Link :- https://github.com/devanshbatham/ParamSpider
Fuzzing
Wfuzz
Web application fuzzer.
Link :- https://github.com/xmendez/wfuzz
ffuf
Fast web fuzzer written in Go
Link :- https://github.com/ffuf/ffuf
Fuzzdb
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
Link :- https://github.com/1N3/IntruderPayloads
IntruderPayloads
A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
Link :- https://github.com/1N3/IntruderPayloads
fuzz.txt
Potentially dangerous files
Link :- https://github.com/Bo0oM/fuzz.txt
Fuzzilli
A JavaScript Engine Fuzzer
Link :- https://github.com/googleprojectzero/fuzzilli/blob/main/Docs/HowFuzzilliWorks.md
Fuzzapi
Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem.
Link :- https://github.com/Fuzzapi/fuzzapi
Vaf
Very advanced (web) fuzzer written in Nim.
Link :- https://github.com/d4rckh/vaf
CORS Misconfiguration
Corsy
CORS Misconfiguration Scanner.
Link :- https://github.com/s0md3v/Corsy
CORStest
A simple CORS misconfiguration scanner.
Link :- https://github.com/RUB-NDS/CORStest
Cors-scanner
A multi-threaded scanner that helps identify CORS flaws/misconfigurations.
Link :- https://github.com/chenjj/CORScanner
CorsMe
Cross Origin Resource Sharing MisConfiguration Scanner.
CRLF Injection
CRLFsuite
A fast tool specially designed to scan CRLF injection.
Link :- https://github.com/Nefcore/CRLFsuite
Crlfuzz
A fast tool to scan CRLF vulnerability written in Go.
Link :- https://github.com/dwisiswant0/crlfuzz
CRLF-Injection-Scanner
Command line tool for testing CRLF injection on a list of domains.
Link :- https://github.com/MichaelStott/CRLF-Injection-Scanner
Injectus
CRLF and open redirect fuzzer.
CSRF Injection
XSRFProbe
The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Directory Traversal
Dotdotpwn
The Directory Traversal Fuzzer
Link :- https://github.com/wireghoul/dotdotpwn
FDsploit
File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
Link :- https://github.com/chrispetrou/FDsploit
Off-by-slash
Burp extension to detect alias traversal via NGINX misconfiguration at scale.
Link :- https://github.com/bayotop/off-by-slash
Liffier
Tired of manually adding dot-dot-slash to your possible path traversal? This short snippet will increment ../ in the URL.
Link :- https://github.com/momenbasel/liffier
File Inclusion
Liffy
Local file inclusion exploitation tool
Link :- https://github.com/mzfr/liffy
Burp-LFI-tests
Fuzzing for LFI using Burpsuite
Link :- https://github.com/Team-Firebugs/Burp-LFI-tests
LFI-Enum
Scripts to execute enumeration via LFI
Link :- https://github.com/mthbernardes/LFI-Enum
LFISuite
Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
Link :- https://github.com/D35m0nd142/LFISuite
LFI-files
Wordlist to bruteforce for LFI
Link :- https://github.com/hussein98d/LFI-files/blob/master/list.txt
GraphQL Injection
Inql
A Burp Extension for GraphQL Security Testing
Link :- https://github.com/doyensec/inql
GraphQLmap
GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes.
Link :- https://github.com/swisskyrepo/GraphQLmap
Shapeshifter
GraphQL security testing tool
Link :- https://github.com/alexjlockwood/ShapeShifter
Graphql_beautifier
Burp Suite extension to help make GraphQL requests more readable.
Link :- https://github.com/wyattjoh/graphql-formatter
Clairvoyance
Obtain GraphQL API schema despite disabled introspection!
Link :- https://github.com/nikitastupin/clairvoyance
Header Injection
Insecure Deserialization
Ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Link :- https://github.com/frohoff/ysoserial
GadgetProbe
Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
Link :- https://github.com/BishopFox/GadgetProbe
Ysoserial.net
Deserialization payload generator for a variety of .NET formatters
Link :- https://github.com/pwntester/ysoserial.net
Phpggc
PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
Link :- https://github.com/ambionics/phpggc
Insecure Direct Object References
Autorize
Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily.
Open Redirect
Oralyzer
Open Redirection Analyzer
Link :- https://github.com/r0075h3ll/Oralyzer
Injectus
CRLF and open redirect fuzzer.
Link :- https://github.com/dubs3c/Injectus
Dom-red
Small script to check a list of domains against open redirect vulnerability.
Link :- https://github.com/Naategh/dom-red
OpenRedireX
A Fuzzer for OpenRedirect issues.
Link :- https://github.com/devanshbatham/OpenRedireX
Race Condition
Razzer
A Kernel fuzzer focusing on race bugs.
Link :- https://github.com/compsec-snu/razzer
Racepwn
Race Condition framework.
Link :- https://github.com/racepwn/racepwn
Requests-racer
Small Python library that makes it easy to exploit race conditions in web apps with Requests.
Link :- https://github.com/nccgroup/requests-racer
Turbo-intruder
Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
Link :- https://github.com/PortSwigger/turbo-intruder
Race-the-web
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
Link :- https://github.com/TheHackerDev/race-the-web
Request Smuggling
http-request-smuggling
HTTP Request Smuggling Detection Tool.
Link :- https://github.com/anshumanpattnaik/http-request-smuggling
Smuggler
An HTTP Request Smuggling / Desync testing tool written in Python 3.
Link :- https://github.com/defparam/smuggler
H2csmuggler
HTTP Request Smuggling over HTTP/2 Cleartext (h2c).
Link :- https://github.com/BishopFox/h2csmuggler
Server Side Request Forgery
SSRFmap
Automatic SSRF fuzzer and exploitation tool.
Link :- https://github.com/swisskyrepo/SSRFmap
Gopherus
This tool generates gopher link for exploiting SSRF and gaining RCE in various servers.
Link :- https://github.com/tarunkant/Gopherus
Ground-control
A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
Link :- https://github.com/jobertabma/ground-control
SSRFire
An automated SSRF finder. Just give the domain name and your server and chill! 😉 Also has options to find XSS and open redirects.
Link :- https://github.com/ksharinarayanan/SSRFire
httprebind
Automatic tool for DNS rebinding-based SSRF attacks.
Link :- https://github.com/daeken/httprebind
Ssrf-sheriff
A simple SSRF-testing sheriff written in Go.
Link :- https://github.com/teknogeek/ssrf-sheriff
B-XSSRF
Toolkit to detect and keep track on Blind XSS, XXE & SSRF.
Link :- https://github.com/SpiderMate/B-XSSRF
Extended-ssrf-search
Smart SSRF scanner using different methods like parameter brute forcing in POST and GET.
Link :- https://github.com/Damian89/extended-ssrf-search
Gaussrf
Smart SSRF scanner using different methods like parameter brute forcing in POST and GET.
Link :- https://github.com/KathanP19/gaussrf
SsrfDetector
Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl, and filter URLs with open redirection or SSRF parameters.
Link :- https://github.com/R0X4R/ssrf-tool
Grafana-ssrf
Server-side request forgery detector.
Link :- https://github.com/RandomRobbieBF/grafana-ssrf
SentrySSRF
Tool for searching for Sentry config on a page or in JavaScript files and checking for blind SSRF.
Link :- https://github.com/xawdxawdx/sentrySSRF
Lorsrf
Brute-forcing hidden parameters to find SSRF vulnerabilities using GET and POST methods.
Link :- https://github.com/knassar702/lorsrf
Singularity
A DNS rebinding attack framework.
Link :- https://github.com/sylabs/singularity
Whonow
A “malicious” DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
SQL Injection
Sqlmap
Automatic SQL injection and database takeover tool.
Link :- https://github.com/sqlmapproject/sqlmap
NoSQLMap
Automated NoSQL database enumeration and web application exploitation tool.
Link :- https://github.com/codingo/NoSQLMap
SQLiScanner
Automatic SQL injection with Charles and sqlmap api.
Link :- https://github.com/0xbug/SQLiScanner
SleuthQL
Automatic SQL injection with Charles and sqlmap api.
Link :- https://github.com/RhinoSecurityLabs/SleuthQL
Mssqlproxy
Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap
Link :- https://github.com/blackarrowsec/mssqlproxy
Sqli-hunter
SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
Link :- https://github.com/zt2/sqli-hunter
WaybackSqliScanner
Gather URLs from the Wayback Machine, then test each GET parameter for SQL injection.
Link :- https://github.com/ghostlulzhacks/waybackSqliScanner
ESC
Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
Link :- https://github.com/NetSPI/ESC
Mssqli-duet
SQL injection script for MSSQL that extracts domain users
Link :- https://github.com/Keramas/mssqli-duet
Burp-to-sqlmap
Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap
Link :- https://github.com/Miladkhoshdel/burp-to-sqlmap
XSS Injection
XSStrike
Most advanced XSS scanner.
Link :- https://github.com/s0md3v/XSStrike
Xssor2
Hack with JavaScript.
Link :- https://github.com/evilcos/xssor2
Xsscrapy
66/66 wavsep XSS detected
Link :- https://github.com/DanMcInerney/xsscrapy
Sleepy-puppy
Sleepy Puppy XSS Payload Management Framework
Link :- https://github.com/Netflix-Skunkworks/sleepy-puppy
EzXSS
The XSS Hunter service – a portable version of XSSHunter.com
Link :- https://github.com/ssl/ezXSS
Xsshunter
The XSS Hunter service – a portable version of XSSHunter.com
Link :- https://github.com/mandatoryprogrammer/xsshunter
Dalfox
DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang.
Link :- https://github.com/hahwul/dalfox
Xsser
Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
Link :- https://github.com/epsylon/xsser
XSpear
Powerful XSS scanning and parameter analysis tool & gem.
Link :- https://github.com/hahwul/XSpear
Weaponised-XSS-payloads
XSS payloads designed to turn alert(1) into P1
Link :- https://github.com/hakluke/weaponised-XSS-payloads
XXE Injection
Ground-control
A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
Link :- https://github.com/jobertabma/ground-control
Dtd-finder
List DTDs and generate XXE payloads using those local DTDs.
Link :- https://github.com/GoSecure/dtd-finder
Docem
Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids).
Link :- https://github.com/whitel1st/docem
Xxeserv
A mini webserver with FTP support for XXE payloads
Link :- https://github.com/staaldraad/xxeserv
Xxexploiter
Tool to help exploit XXE vulnerabilities
Link :- https://github.com/luisfontes19/xxexploiter
B-XSSRF
Toolkit to detect and keep track on Blind XSS, XXE & SSRF
Link :- https://github.com/SpiderMate/B-XSSRF
XXEinjector
Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
Link :- https://github.com/enjoiz/XXEinjector
Oxml_xxe
A tool for embedding XXE/XML exploits into different filetypes
Link :- https://github.com/BuffaloWill/oxml_xxe
Passwords
Thc-hydra
Hydra is a parallelized login cracker which supports numerous protocols to attack.
Link :- https://github.com/vanhauser-thc/thc-hydra
DefaultCreds-cheat-sheet
One place for all the default credentials to assist Blue/Red teamers’ activities in finding devices with default passwords.
Link :- https://github.com/ihebski/DefaultCreds-cheat-sheet
Changeme
A default credential scanner.
Link :- https://github.com/ztgrace/changeme
BruteX
Automatically brute force all services running on a target.
Link :- https://github.com/1N3/BruteX
Patator
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Secrets
Git-secrets
Prevents you from committing secrets and credentials into git repositories.
Link :- https://github.com/awslabs/git-secrets
Gitleaks
Scan git repos (or files) for secrets using regex and entropy.
Link :- https://github.com/gitleaks/gitleaks
TruffleHog
Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
Link :- https://github.com/trufflesecurity/trufflehog
GitGraber
gitGraber: monitor GitHub to search and find sensitive data in real time for different online services.
Link :- https://github.com/hisxo/gitGraber
Talisman
By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious – such as authorization tokens and private keys.
Link :- https://github.com/thoughtworks/talisman
GitGot
Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
Link :- https://github.com/BishopFox/GitGot
Git-all-secrets
A tool to capture all the git secrets by leveraging multiple open source git searching tools.
Link :- https://github.com/anshumanbh/git-all-secrets
Github-search
Tools to perform basic search on GitHub.
Link :- https://github.com/gwen001/github-search
Git-vuln-finder
Finding potential software vulnerabilities from git commit messages.
Link :- https://github.com/cve-search/git-vuln-finder
Commit-stream
OSINT tool for finding GitHub repositories by extracting commit logs in real time from the GitHub event API.
Link :- https://github.com/x1sec/commit-stream
Git
GitTools
A repository with 3 tools for pwn’ing websites with .git repositories available.
Link :- https://github.com/internetwache/GitTools
Gitjacker
Leak git repositories from misconfigured websites.
Link :- https://github.com/liamg/gitjacker
Git-dumper
A tool to dump a git repository from a website.
Link :- https://github.com/arthaud/git-dumper
GitHunter
A tool for searching a Git repository for interesting content.
Link :- https://github.com/digininja/GitHunter
Dvcs-ripper
Rip web accessible (distributed) version control systems: SVN/GIT/HG…
Link :- https://github.com/kost/dvcs-ripper
Buckets
S3Scanner
Scan for open AWS S3 buckets and dump the contents.
Link :- https://github.com/sa7mon/S3Scanner
AWSBucketDump
Security Tool to Look For Interesting Files in S3 Buckets.
Link :- https://github.com/jordanpotti/AWSBucketDump
CloudScraper
CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
Link :- https://github.com/VeNoMouS/cloudscraper
S3viewer
Publicly Open Amazon AWS S3 Bucket Viewer.
Link :- https://github.com/SharonBrizinov/s3viewer
Festin
Converts the formats of various S3 buckets into a single format for bug bounty and security testing.
Link :- https://github.com/cr0hn/festin
S3reverse
Tests a list of S3 buckets to see whether they have directory listings enabled or are writable.
Link :- https://github.com/hahwul/s3reverse
Mass-s3-bucket-tester
Firefox plugin that lists Amazon S3 Buckets found in requests.
Link :- https://github.com/random-robbie/mass-s3-bucket-tester
S3BucketList
Finds Directory Listings or open S3 buckets from a list of URLs.
Link :- https://github.com/michenriksen/bucketlist
Burp-AnonymousCloud
Burp extension that performs a passive scan to identify cloud buckets and then tests them for publicly accessible vulnerabilities.
Link :- https://github.com/codewatchorg/Burp-AnonymousCloud
CMS
Wpscan
WPScan is a free (for non-commercial use) black-box WordPress security scanner.
Link :- https://github.com/wpscanteam/wpscan
CMSeek
CMS Detection and Exploitation suite – Scan WordPress, Joomla, Drupal and over 170 other CMSs.
Link :- https://github.com/Tuhinshubhra/CMSeeK
Droopescan
A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
Link :- https://github.com/SamJoan/droopescan
Drupwn
Drupal enumeration & exploitation tool.
Link :- https://github.com/immunIT/drupwn
WPSpider
A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.
Link :- https://github.com/cyc10n3/WPSpider
Wprecon
WordPress Recon.
Link :- https://github.com/blackcrw/wpreconx
CMSmap
CMSmap is a Python open-source CMS scanner that automates the process of detecting security flaws in the most popular CMSs.
Link :- https://github.com/dionach/CMSmap
Joomscan
OWASP Joomla Vulnerability Scanner Project.
Link :- https://github.com/drego85/JoomlaScan
Pyfiscan
Free web-application vulnerability and version scanner.
Link :- https://github.com/fgeek/pyfiscan
JSON Web Token
Jwt_tool
A toolkit for testing, tweaking and cracking JSON Web Tokens.
Link :- https://github.com/ticarpi/jwt_tool
C-jwt-cracker
JWT brute force cracker written in C.
Link :- https://github.com/brendan-rius/c-jwt-cracker
Jwt-heartbreaker
Burp extension to check whether JWTs (JSON Web Tokens) are signed with keys known from public sources.
Link :- https://github.com/wallarm/jwt-heartbreaker
Jwtear
Modular command-line tool to parse, create and manipulate JWT tokens for hackers.
Link :- https://github.com/KINGSABRI/jwtear
Jwt-key-id-injector
Simple Python script to check for a hypothetical JWT vulnerability.
Link :- https://github.com/ticarpi/jwt_tool
Jwt-hack
jwt-hack is a tool for hacking / security testing of JWTs.
Link :- https://github.com/hahwul/jwt-hack
Jwt-cracker
Simple HS256 JWT token brute-force cracker.
Link :- https://github.com/brendan-rius/c-jwt-cracker
postMessage
PostMessage-tracker
A Chrome extension to track postMessage usage (URL, domain and stack), both by logging via CORS and visually through the extension icon.
Link :- https://github.com/fransr/postMessage-tracker
PostMessage_Fuzz_Tool
WebDeveloper Tool.
Subdomain Takeover
Subjack
Subdomain Takeover tool written in Go.
Link :- https://github.com/haccer/subjack
Sub0ver
A Powerful Subdomain Takeover Tool.
Link :- https://github.com/Ice3man543/SubOver
AutoSubTakeover
A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.
Link :- https://github.com/JordyZomer/autoSubTakeover
NSBrute
Python utility to take over domains vulnerable to AWS NS takeover.
Link :- https://github.com/shivsahni/NSBrute
Can-i-take-over-xyz
A list of services and how to claim (sub)domains with dangling DNS records.
Link :- https://github.com/EdOverflow/can-i-take-over-xyz
SubHijack
Hijacking forgotten & misconfigured subdomains.
Link :- https://github.com/johnjohnsp1/subHijack
Tko-subs
A tool that can help detect and take over subdomains with dead DNS records.
Link :- https://github.com/anshumanbh/tko-subs
HostileSubBruteforcer
This app will brute-force existing subdomains and report whether the third-party host has been properly set up.
Link :- https://github.com/nahamsec/HostileSubBruteforcer