Top Bug Bounty Tools

The Top Bug Bounty Tools for Finding Vulnerabilities

Table of Contents:

  1. Wordlists
  2. Google Cloud Storage
  3. Digital Ocean
  4. Command Injection
  5. XSS
  6. API
  7. AWS S3 Bucket
  8. Inspecting JS Files
  9. Code Audit
  10. Frameworks
  11. Subdomain Enumeration
  12. Port Scanning
  13. Screenshots
  14. Technologies
  15. Content Discovery
  16. Links
  17. Parameters
  18. Fuzzing
  19. CORS Misconfiguration
  20. CRLF Injection
  21. CSRF Injection
  22. Directory Traversal
  23. File Inclusion
  24. GraphQL Injection
  25. Header Injection
  26. Insecure Deserialization
  27. Insecure Direct Object References
  28. Open Redirect
  29. Race Condition
  30. Request Smuggling
  31. Server Side Request Forgery
  32. SQL Injection
  33. XSS Injection
  34. XXE Injection
  35. Password List
  36. Secrets
  37. Git
  38. Buckets
  39. CMS
  40. JSON Web Token
  41. PostMessage
  42. Subdomain Takeover
  43. Vulnerability Scanners

Introduction

In the world of cybersecurity, bug bounty programs have become an increasingly popular way for organizations to identify and address vulnerabilities in their software and systems. These programs incentivize ethical hackers to identify and report potential security flaws in exchange for rewards such as cash or recognition. However, finding and exploiting vulnerabilities can be a challenging and time-consuming process, which is where bug bounty tools come in. In this collection of articles, we explore the top bug bounty tools available to ethical hackers, their features and capabilities, and how they can help you improve your bug hunting skills and ultimately secure your organization’s digital assets.

Vulnerability Scanners

Nuclei

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

Link :- https://github.com/projectdiscovery/nuclei

It also offers a community repository of Nuclei templates.

Link :- https://github.com/projectdiscovery/nuclei-templates

Sn1per

Automated pentest framework for offensive security experts

Link :- https://github.com/1N3/Sn1per

Metasploit-framework

The world’s most used penetration testing framework

Link :- https://www.metasploit.com/

Nikto

Nikto web server scanner

Link :- https://github.com/sullo/nikto

Arachni

Web Application Security Scanner Framework

Link :- https://github.com/Arachni/arachni

Jaeles

The Swiss Army knife for automated Web Application Testing

Link :- https://github.com/jaeles-project/jaeles

Retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities.

Link :- https://github.com/retirejs/retire.js/

Osmedeus

Fully automated offensive security framework for reconnaissance and vulnerability scanning.

Link :- https://github.com/uranassystems/Osmedeus

Getsploit

Command line utility for searching and downloading exploits

Link :- https://github.com/vulnersCom/getsploit

Flan

A pretty sweet vulnerability scanner

Link :- https://github.com/cloudflare/flan

Findsploit

Find exploits in local and online databases instantly

Link :- https://github.com/1N3/Findsploit

BlackWidow

A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.

Link :- https://github.com/1N3/BlackWidow

Backslash-powered-scanner

Finds unknown classes of injection vulnerabilities.

Link :- https://github.com/PortSwigger/backslash-powered-scanner

Eagle

Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities.

Link :- https://github.com/BitTheByte/Eagle

OWASP ZAP

The world’s most popular free web security tool, actively maintained by a dedicated international team of volunteers.

Link :- https://owasp.org/www-project-zap/

Wordlists

Cewl

CeWL (Custom Word List generator) is a Ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used with password crackers such as John the Ripper.

Link :- https://github.com/digininja/CeWL

CUPP

CUPP is an automated script written in Python that interactively asks the user some fundamental questions about the victim, such as name, company name, partner’s name, etc.

Link :- https://github.com/Mebus/cupp

Crunch

Crunch is a wordlist generator where you can specify a standard character set or any set of characters to be used in generating the wordlists.

Link :- https://github.com/jim3ma/crunch

Pydictor

A powerful and useful hacker dictionary builder for a brute-force attack.

Link :- https://github.com/LandGrey/pydictor

Rsmangler

RSMangler takes a wordlist and performs various manipulations on it, similar to those done by John the Ripper. The main difference is that it first takes the input words and generates all permutations and the acronym of the words (in the order they appear in the file) before it applies the rest of the mangles.

Link :- https://github.com/digininja/RSMangler

Rockyou.txt

Kali Linux provides this dictionary file as part of its standard installation.

Seclists

SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

Link :- https://github.com/danielmiessler/SecLists

Assetnote Wordlists

Link :- https://wordlists.assetnote.io

Digital Ocean

Spaces-finder

A tool to hunt for publicly accessible DigitalOcean Spaces.

Link :- https://github.com/appsecco/spaces-finder

Command Injection

Commix

Automated All-in-One OS command injection and exploitation tool.

Link :- https://github.com/commixproject/commix

SQLi

Sqlmap

Automatic SQL injection and database takeover tool (http://sqlmap.org).

Link :- https://github.com/sqlmapproject/sqlmap

Sqliv

Massive SQL injection vulnerability scanner.

Link :- https://github.com/the-robot/sqliv

Sqlmate

A friend of SQLmap which will do what you always expected from SQLmap.

Link :- https://github.com/s0md3v/sqlmate

XSS

XSStrike

Most advanced XSS scanner.

Link :- https://github.com/s0md3v/XSStrike

XSS-keylogger

A keystroke logger to exploit XSS vulnerabilities in a site.

Link :- https://github.com/chentetran/xss-keylogger

API

Secretx

Extracts API keys and secrets by requesting each URL in your list.

Link :- https://github.com/harry1080/secretx

AWS S3 Bucket

s3brute

S3 brute force tool.

Link :- https://github.com/ghostlulzhacks/s3brute

S3-bucket-finder

Find AWS S3 buckets and extract data.

Link :- https://github.com/gwen001/s3-buckets-finder

Bucket-stream

Find interesting Amazon S3 buckets by watching certificate transparency logs.

Link :- https://github.com/eth0izzle/bucket-stream

Slurp

Enumerate S3 buckets via certstream, domain, or keywords.

Link :- https://github.com/0xbharath/slurp

lazys3

A Ruby script to brute-force AWS S3 bucket names using different permutations.

Link :- https://github.com/nahamsec/lazys3

Cred scanner

A simple file-based scanner to look for potential AWS access and secret keys in files.

Link :- https://github.com/disruptops/cred_scanner

DumpsterDiver

A tool used to analyze big volumes of various file types in search of hardcoded secrets like keys (AWS Access Key, Azure Share Key or SSH keys) or passwords.

Link :- https://github.com/securing/DumpsterDiver

S3Scanner

Scan for open AWS S3 buckets and dump the contents.

Link :- https://github.com/sa7mon/S3Scanner

Inspecting JS Files

JSParser

A Python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files.

Link :- https://github.com/nahamsec/JSParser

Relative-url-extractor

A small tool that extracts relative URLs from a file.

Link :- https://github.com/jobertabma/relative-url-extractor

Sub.js

A tool to get JavaScript files from a list of URLs or subdomains.

Link :- https://github.com/lc/subjs

LinkFinder

A Python script that finds endpoints in JavaScript files.

Link :- https://github.com/GerbenJavado/LinkFinder

URL Finders

Crawler

Crawl a website and extract its links.

Link :- https://github.com/spatie/crawler

WaybackMachine

Use Wayback Machine data to pull a list of paths.

Link :- https://github.com/tomnomnom/waybackurls

Meg

Fetch many paths for many hosts without killing the hosts.

Link :- https://github.com/tomnomnom/meg

Hakrawler

Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.

Link :- https://github.com/hakluke/hakrawler

Igoturls

Combines WaybackURLs, OtxURLs and CommonCrawl as URL sources.

Link :- https://github.com/shahid1996/igoturls

Frameworks

Sn1per

Automated pentest framework for offensive security experts.

Link :- https://github.com/1N3/Sn1per

XRay

XRay is a tool for recon, mapping and OSINT gathering from public networks.

Link :- https://github.com/XTLS/Xray-core

Datasploit

An OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.

Link :- https://github.com/DataSploit/datasploit

Osmedeus

Fully automated offensive security framework for reconnaissance and vulnerability scanning.

Link :- https://github.com/j3ssie/osmedeus

TIDoS-Framework

The Offensive Manual Web Application Penetration Testing Framework.

Link :- https://github.com/0xInfection/TIDoS-Framework

Discover

Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit.

Link :- https://github.com/leebaird/discover

Lazyrecon

This script is intended to automate your reconnaissance process in an organized fashion.

Link :- https://github.com/nahamsec/lazyrecon

003Recon

Some tools to automate recon, by 003random.

Link :- https://github.com/003random/003Recon

Vulmap

Vulmap is a web vulnerability scanning and verification tool: it scans web apps for vulnerabilities and can verify the findings.

Link :- https://github.com/vulmon/Vulmap

Subdomain Enumeration

Findomain

The fastest cross-platform subdomain enumerator; do not waste your time.

Link :- https://github.com/Findomain/Findomain

Chaos-client

Go client to communicate with Chaos DNS API.

Link :- https://chaos.projectdiscovery.io/

Domained

Multi Tool Subdomain Enumeration.

Link :- https://github.com/TypeError/domained

Bugcrowd-levelup-subdomain-enumeration

This repository contains all the material from the talk “Esoteric subdomain enumeration techniques” given at the Bugcrowd LevelUp 2017 virtual conference.

Link :- https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration

Shuffledns

ShuffleDNS is a wrapper around massdns, written in Go, that allows you to enumerate valid subdomains using active brute force as well as resolve subdomains with wildcard handling and easy input/output.

Link :- https://github.com/projectdiscovery/shuffledns

Censys-subdomain-finder

Perform subdomain enumeration using the certificate transparency logs from Censys.

Link :- https://github.com/christophetd/censys-subdomain-finder

Turbolist3r

Subdomain enumeration tool with analysis features for discovered domains.

Link :- https://github.com/fleetcaptain/Turbolist3r

Censys-enumeration

A script to extract subdomains/emails for a given domain using the SSL/TLS certificate dataset on Censys.

Link :- https://github.com/0xbharath/censys-enumeration

Tugarecon

Fast subdomain enumeration tool for penetration testers.

Link :- https://github.com/skynet0x01/tugarecon

As3nt

Another Subdomain Enumeration Tool.

Link :- https://github.com/cinerieus/as3nt

Subra

A Web-UI for subdomain enumeration (subfinder).

Link :- https://github.com/si9int/Subra

Substr3am

Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued.

Link :- https://github.com/nexxai/Substr3am

Altdns

Generates permutations, alterations and mutations of subdomains and then resolves them.

Link :- https://github.com/infosec-au/altdns

Brutesubs

An automation framework for running multiple open-source subdomain brute-forcing tools (in parallel) using your own wordlists via Docker Compose.

Link :- https://github.com/anshumanbh/brutesubs

Dns-parallel-prober

A parallelised domain name prober to find as many subdomains of a given domain as possible.

Link :- https://github.com/lorenzog/dns-parallel-prober

Dnscan

Dnscan is a Python wordlist-based DNS subdomain scanner.

Link :- https://github.com/rbsec/dnscan

Hakrevdns

Small, fast tool for performing reverse DNS lookups.

Link :- https://github.com/hakluke/hakrevdns

Dnsx

Dnsx is a fast and multi-purpose DNS toolkit that allows you to run multiple DNS queries of your choice with a list of user-supplied resolvers.

Link :- https://github.com/projectdiscovery/dnsx

Crtndstry

Yet another subdomain finder.

Link :- https://github.com/nahamsec/crtndstry

VHostScan

A virtual host scanner that performs reverse lookups.

Link :- https://github.com/codingo/VHostScan

Scilla

Information gathering tool for DNS, subdomain, port and directory enumeration.

Link :- https://github.com/edoardottt/scilla

Sub3suite

A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping.

Link :- https://github.com/3nock/sub3suite

Aquatone

A Tool for Domain Flyovers.

Link :- https://github.com/michenriksen/aquatone

Knockpy

Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist.

Link :- https://github.com/guelfoweb/knock

Subbrute

A DNS meta-query spider that enumerates DNS records, and subdomains.

Link :- https://github.com/TheRook/subbrute

Assetfinder

Find domains and subdomains related to a given domain.

Link :- https://github.com/tomnomnom/assetfinder

Rsdl

Subdomain Scan with the Ping Method.

Link :- https://github.com/tismayil/rsdl

Massdns

A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration).

Link :- https://github.com/blechschmidt/massdns

Subfinder

A subdomain discovery tool that returns valid subdomains for websites using passive online sources.

Link :- https://github.com/projectdiscovery/subfinder

Amass

In-depth attack surface mapping and asset discovery.

Link :- https://github.com/owasp-amass/amass

Sub.sh

Online Subdomain Detect Script.

Link :- https://github.com/cihanmehmet/sub.sh

Sublist3r

Fast subdomain enumeration tool for penetration testers.

Link :- https://github.com/aboul3la/Sublist3r

Sudomy

Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting.

Link :- https://github.com/screetsec/Sudomy

Dnsenum

Multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.

Link :- https://github.com/fwaeytens/dnsenum

Port Scanning

Masscan

TCP port scanner that spews SYN packets asynchronously, scanning the entire Internet in under 5 minutes.

Link :- https://github.com/robertdavidgraham/masscan

RustScan

The modern port scanner.

Link :- https://github.com/RustScan/RustScan

Naabu

A fast port scanner written in Go with a focus on reliability and simplicity.

Link :- https://github.com/projectdiscovery/naabu

Nmap

Nmap, the Network Mapper. GitHub mirror of the official SVN repository.

Link :- https://github.com/nmap/nmap

Sandmap

Combines the speed of masscan with the reliability and detailed enumeration of nmap.

Link :- https://github.com/trimstray/sandmap

Screenshots

EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Link :- https://github.com/FortyNorthSecurity/EyeWitness

Aquatone

Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

Link :- https://github.com/michenriksen/aquatone

Screenshoteer

Make website screenshots and mobile emulations from the command line.

Link :- https://github.com/vladocar/screenshoteer

Gowitness

A Golang web screenshot utility using Chrome Headless.

Link :- https://github.com/sensepost/gowitness

WitnessMe

Web inventory tool that takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.

Link :- https://github.com/byt3bl33d3r/WitnessMe

Eyeballer

Convolutional neural network for analyzing pentest screenshots.

Link :- https://github.com/BishopFox/eyeballer

Scrying

A tool for collecting RDP, web and VNC screenshots all in one place.

Link :- https://github.com/nccgroup/scrying

Depix

Recovers passwords from pixelized screenshots.

Link :- https://github.com/beurtschipper/Depix

Httpscreenshot

HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.

Link :- https://github.com/breenmachine/httpscreenshot

Technologies

Wappalyzer

Identify technologies used on websites.

Link :- https://www.wappalyzer.com/

Webanalyze

Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.

Link :- https://github.com/rverton/webanalyze

Python-builtwith

BuiltWith API client.

Link :- https://github.com/claymation/python-builtwith

Whatweb

Next generation web scanner.

Link :- https://github.com/urbanadventurer/WhatWeb

Retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities.

Link :- https://chrome.google.com/webstore/detail/retirejs/moibopkbhjceeedibkbkbchbjnkadmom?hl=en

Httpx

httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads.

Link :- https://github.com/projectdiscovery/httpx

Fingerprintx

Fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools.

Link :- https://github.com/fingerprintjs/fingerprintjs

Content Discovery

Gobuster

Directory/File, DNS and VHost busting tool written in Go.

Link :- https://github.com/OJ/gobuster

Feroxbuster

A fast, simple, recursive content discovery tool written in Rust.

Link :- https://github.com/epi052/feroxbuster

Ffuf

Fast web fuzzer written in Go.

Link :- https://github.com/ffuf/ffuf

Dirsearch

Web path scanner.

Link :- https://github.com/maurosoria/dirsearch

Recursebuster

Web path scanner.

Link :- https://github.com/C-Sto/recursebuster

Filebuster

An extremely fast and flexible web fuzzer.

Link :- https://github.com/henshin/filebuster

Dirstalk

Modern alternative to dirbuster/dirb.

Link :- https://github.com/maurosoria/dirsearch

Dirbuster-ng

C CLI implementation of the Java dirbuster tool.

Link :- https://github.com/digination/dirbuster-ng

Gospider

Fast web spider written in Go.

Link :- https://github.com/jaeles-project/gospider

Hakrawler

Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.

Link :- https://github.com/hakluke/hakrawler

Crawley

Fast, feature-rich, Unix-way web scraper/crawler written in Golang.

Link :- https://github.com/jmg/crawley

Links

LinkFinder

A python script that finds endpoints in JavaScript files.

Link :- https://github.com/GerbenJavado/LinkFinder

JS-Scan

A .js scanner built in PHP, designed to scrape URLs and other info.

Link :- https://github.com/zseano/JS-Scan

LinksDumper

Extract (links/possible endpoints) from responses & filter them via decoding/sorting.

Link :- https://github.com/arbazkiraak/LinksDumper

GoLinkFinder

A fast and minimal JS endpoint extractor.

Link :- https://github.com/0xsha/GoLinkFinder

BurpJSLinkFinder

Burp extension for passively scanning JS files for endpoint links.

Link :- https://github.com/InitRoot/BurpJSLinkFinder

Urlgrab

A Golang utility to spider through a website searching for additional links.

Link :- https://github.com/IAmStoxe/urlgrab

Waybackurls

Fetch all the URLs that the Wayback Machine knows about for a domain.

Link :- https://github.com/tomnomnom/waybackurls

GetJS

A tool to quickly get all JavaScript sources/files.

Link :- https://github.com/003random/getJS

Parameters

Parameth

This tool can be used to brute-force the discovery of GET and POST parameters.

Link :- https://github.com/maK-/parameth

Param-miner

This extension identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities.

Link :- https://github.com/PortSwigger/param-miner

ParamPamPam

This tool brute-forces the discovery of GET and POST parameters.

Link :- https://github.com/Bo0oM/ParamPamPam

Arjun

HTTP parameter discovery suite.

Link :- https://github.com/s0md3v/Arjun

ParamSpider

Mining parameters from dark corners of Web Archives.

Link :- https://github.com/devanshbatham/ParamSpider

Fuzzing

Wfuzz

Web application fuzzer.

Link :- https://github.com/xmendez/wfuzz

ffuf

Fast web fuzzer written in Go.

Link :- https://github.com/ffuf/ffuf

Fuzzdb

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

Link :- https://github.com/1N3/IntruderPayloads

IntruderPayloads

A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.

Link :- https://github.com/1N3/IntruderPayloads

fuzz.txt

Wordlist of potentially dangerous files.

Link :- https://github.com/Bo0oM/fuzz.txt

Fuzzilli

A JavaScript engine fuzzer.

Link :- https://github.com/googleprojectzero/fuzzilli/blob/main/Docs/HowFuzzilliWorks.md

Fuzzapi

Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem.

Link :- https://github.com/Fuzzapi/fuzzapi

Vaf

Very advanced (web) fuzzer written in Nim.

Link :- https://github.com/d4rckh/vaf

CORS Misconfiguration

Corsy

CORS Misconfiguration Scanner.

Link :- https://github.com/s0md3v/Corsy

CORStest

A simple CORS misconfiguration scanner.

Link :- https://github.com/RUB-NDS/CORStest

Cors-scanner

A multi-threaded scanner that helps identify CORS flaws/misconfigurations.

Link :- https://github.com/chenjj/CORScanner

CorsMe

Cross-Origin Resource Sharing misconfiguration scanner.

Link :- https://github.com/Shivangx01b/CorsMe

CRLF Injection

CRLFsuite

A fast tool specially designed to scan for CRLF injection.

Link :- https://github.com/Nefcore/CRLFsuite

Crlfuzz

A fast tool to scan for CRLF vulnerabilities, written in Go.

Link :- https://github.com/dwisiswant0/crlfuzz

CRLF-Injection-Scanner

Command line tool for testing CRLF injection on a list of domains.

Link :- https://github.com/MichaelStott/CRLF-Injection-Scanner

Injectus

CRLF and open redirect fuzzer.

Link :- https://github.com/dubs3c/Injectus

CSRF Injection

XSRFProbe

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

Link :- https://github.com/0xInfection/XSRFProbe

Directory Traversal

Dotdotpwn

The directory traversal fuzzer.

Link :- https://github.com/wireghoul/dotdotpwn

FDsploit

File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.

Link :- https://github.com/chrispetrou/FDsploit

Off-by-slash

Burp extension to detect alias traversal via NGINX misconfiguration at scale.

Link :- https://github.com/bayotop/off-by-slash

Liffier

Tired of manually adding dot-dot-slash to your possible path traversal? This short snippet will increment ../ on the URL.

Link :- https://github.com/momenbasel/liffier

File Inclusion

Liffy

Local file inclusion exploitation tool.

Link :- https://github.com/mzfr/liffy

Burp-LFI-tests

Fuzzing for LFI using Burp Suite.

Link :- https://github.com/Team-Firebugs/Burp-LFI-tests

LFI-Enum

Scripts to execute enumeration via LFI.

Link :- https://github.com/mthbernardes/LFI-Enum

LFISuite

Totally automatic LFI exploiter (+ reverse shell) and scanner.

Link :- https://github.com/D35m0nd142/LFISuite

LFI-files

Wordlist to brute-force for LFI.

Link :- https://github.com/hussein98d/LFI-files/blob/master/list.txt

GraphQL Injection

Inql

A Burp extension for GraphQL security testing.

Link :- https://github.com/doyensec/inql

GraphQLmap

GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes.

Link :- https://github.com/swisskyrepo/GraphQLmap

Shapeshifter

GraphQL security testing tool.

Link :- https://github.com/alexjlockwood/ShapeShifter

Graphql_beautifier

Burp Suite extension to help make GraphQL requests more readable.

Link :- https://github.com/wyattjoh/graphql-formatter

Clairvoyance

Obtain GraphQL API schema despite disabled introspection!

Link :- https://github.com/nikitastupin/clairvoyance

Header Injection

Headi

Customizable and automated HTTP header injection.

Link :- https://github.com/mlcsec/headi

Insecure Deserialization

Ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

Link :- https://github.com/frohoff/ysoserial

GadgetProbe

Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Link :- https://github.com/BishopFox/GadgetProbe

Ysoserial.net

Deserialization payload generator for a variety of .NET formatters.

Link :- https://github.com/pwntester/ysoserial.net

Phpggc

PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.

Link :- https://github.com/ambionics/phpggc

Insecure Direct Object References

Autorize

Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily.

Link :- https://github.com/Quitten/Autorize

Open Redirect

Oralyzer

Open redirection analyzer.

Link :- https://github.com/r0075h3ll/Oralyzer

Injectus

CRLF and open redirect fuzzer.

Link :- https://github.com/dubs3c/Injectus

Dom-red

Small script to check a list of domains for open redirect vulnerabilities.

Link :- https://github.com/Naategh/dom-red

OpenRedireX

A fuzzer for open redirect issues.

Link :- https://github.com/devanshbatham/OpenRedireX

Race Condition

Razzer

A kernel fuzzer focusing on race bugs.

Link :- https://github.com/compsec-snu/razzer

Racepwn

Race condition framework.

Link :- https://github.com/racepwn/racepwn

Requests-racer

Small Python library that makes it easy to exploit race conditions in web apps with Requests.

Link :- https://github.com/nccgroup/requests-racer

Turbo-intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.

Link :- https://github.com/PortSwigger/turbo-intruder

Race-the-web

Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

Link :- https://github.com/TheHackerDev/race-the-web

Request Smuggling

http-request-smuggling

HTTP Request Smuggling Detection Tool.

Link :- https://github.com/anshumanpattnaik/http-request-smuggling

Smuggler

An HTTP Request Smuggling / Desync testing tool written in Python 3.

Link :- https://github.com/defparam/smuggler

H2csmuggler

HTTP Request Smuggling over HTTP/2 Cleartext (h2c).

Link :- https://github.com/BishopFox/h2csmuggler

Server Side Request Forgery

SSRFmap

Automatic SSRF fuzzer and exploitation tool.

Link :- https://github.com/swisskyrepo/SSRFmap

Gopherus

This tool generates gopher links for exploiting SSRF and gaining RCE in various servers.

Link :- https://github.com/tarunkant/Gopherus

Ground-control

A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.

Link :- https://github.com/jobertabma/ground-control

SSRFire

An automated SSRF finder. Just give the domain name and your server and chill! 😉 Also has options to find XSS and open redirects.

Link :- https://github.com/ksharinarayanan/SSRFire

httprebind

Automatic tool for DNS rebinding-based SSRF attacks.

Link :- https://github.com/daeken/httprebind

Ssrf-sheriff

A simple SSRF-testing sheriff written in Go.

Link :- https://github.com/teknogeek/ssrf-sheriff

B-XSSRF

Toolkit to detect and keep track on Blind XSS, XXE & SSRF.

Link :- https://github.com/SpiderMate/B-XSSRF

Extended-ssrf-search

Smart SSRF scanner using different methods, like parameter brute-forcing in POST and GET.

Link :- https://github.com/Damian89/extended-ssrf-search

Gaussrf

Smart SSRF scanner using different methods, like parameter brute-forcing in POST and GET.

Link :- https://github.com/KathanP19/gaussrf

SsrfDetector

Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl, and filter URLs with open redirection or SSRF parameters.

Link :- https://github.com/R0X4R/ssrf-tool

Grafana-ssrf

Server-side request forgery detector.

Link :- https://github.com/RandomRobbieBF/grafana-ssrf

SentrySSRF

Tool for searching for Sentry configuration on a page or in JavaScript files and checking for blind SSRF.

Link :- https://github.com/xawdxawdx/sentrySSRF

Lorsrf

Brute-forcing hidden parameters to find SSRF vulnerabilities using GET and POST methods.

Link :- https://github.com/knassar702/lorsrf

Singularity

A DNS rebinding attack framework.

Link :- https://github.com/sylabs/singularity

Whonow

A “malicious” DNS server for executing DNS rebinding attacks on the fly (public instance running on rebind.network:53).

Link :- https://github.com/brannondorsey/whonow

SQL Injection

Sqlmap

Automatic SQL injection and database takeover tool.

Link :- https://github.com/sqlmapproject/sqlmap

NoSQLMap

Automated NoSQL database enumeration and web application exploitation tool.

Link :- https://github.com/codingo/NoSQLMap

SQLiScanner

Automatic SQL injection with Charles and sqlmap api.

Link :- https://github.com/0xbug/SQLiScanner

SleuthQL

Python3 Burp history parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.

Link :- https://github.com/RhinoSecurityLabs/SleuthQL

Mssqlproxy

Toolkit aimed at performing lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse.

Link :- https://github.com/blackarrowsec/mssqlproxy

Sqli-hunter

SQLi-Hunter is a simple HTTP/HTTPS proxy server and a sqlmap API wrapper that makes digging for SQLi easy.

Link :- https://github.com/zt2/sqli-hunter

WaybackSqliScanner

Gather URLs from the Wayback Machine, then test each GET parameter for SQL injection.

Link :- https://github.com/ghostlulzhacks/waybackSqliScanner

ESC

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.

Link :- https://github.com/NetSPI/ESC

Mssqli-duet

SQL injection script for MSSQL that extracts domain users.

Link :- https://github.com/Keramas/mssqli-duet

Burp-to-sqlmap

Performing SQL injection tests on Burp Suite bulk requests using SQLMap.

Link :- https://github.com/Miladkhoshdel/burp-to-sqlmap

XSS Injection

XSStrike

Most advanced XSS scanner.

Link :- https://github.com/s0md3v/XSStrike

Xssor2

Hack with JavaScript.

Link :- https://github.com/evilcos/xssor2

Xsscrapy

66/66 WAVSEP XSS test cases detected.

Link :- https://github.com/DanMcInerney/xsscrapy

Sleepy-puppy

Sleepy Puppy XSS payload management framework.

Link :- https://github.com/Netflix-Skunkworks/sleepy-puppy

EzXSS

An easy way for penetration testers and bug bounty hunters to test for (blind) cross-site scripting.

Link :- https://github.com/ssl/ezXSS

Xsshunter

The XSS Hunter service, a portable version of XSSHunter.com.

Link :- https://github.com/mandatoryprogrammer/xsshunter

Dalfox

DalFox (Finder Of XSS): parameter analysis and XSS scanning tool based on Golang.

Link :- https://github.com/hahwul/dalfox

Xsser

Cross Site “Scripter” (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

Link :- https://github.com/epsylon/xsser

XSpear

Powerful XSS scanning and parameter analysis tool & gem.

Link :- https://github.com/hahwul/XSpear

Weaponised-XSS-payloads

XSS payloads designed to turn alert(1) into a P1.

Link :- https://github.com/hakluke/weaponised-XSS-payloads

XXE Injection

Ground-control

A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.

Link :- https://github.com/jobertabma/ground-control

Dtd-finder

List DTDs and generate XXE payloads using those local DTDs.

Link :- https://github.com/GoSecure/dtd-finder

Docem

Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XXE on steroids).

Link :- https://github.com/whitel1st/docem

Xxeserv

A mini web server with FTP support for XXE payloads.

Link :- https://github.com/staaldraad/xxeserv

Xxexploiter

Tool to help exploit XXE vulnerabilities.

Link :- https://github.com/luisfontes19/xxexploiter

B-XSSRF

Toolkit to detect and keep track of blind XSS, XXE and SSRF.

Link :- https://github.com/SpiderMate/B-XSSRF

XXEinjector

Tool for automatic exploitation of XXE vulnerabilities using direct and various out-of-band methods.

Link :- https://github.com/enjoiz/XXEinjector

Oxml_xxe

A tool for embedding XXE/XML exploits into different file types.

Link :- https://github.com/BuffaloWill/oxml_xxe

Passwords

Thc-hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack.

Link :- https://github.com/vanhauser-thc/thc-hydra

DefaultCreds-cheat-sheet

One place for all the default credentials, to assist blue/red team activities in finding devices with default passwords.

Link :- https://github.com/ihebski/DefaultCreds-cheat-sheet

Changeme

A default credential scanner.

Link :- https://github.com/ztgrace/changeme

BruteX

Automatically brute force all services running on a target.

Link :- https://github.com/1N3/BruteX

Patator

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Link :- https://github.com/lanjelot/patator

Secrets

Git-secrets

Prevents you from committing secrets and credentials into git repositories.

Link :- https://github.com/awslabs/git-secrets

Gitleaks

Scan git repos (or files) for secrets using regex and entropy.

Link :- https://github.com/gitleaks/gitleaks

TruffleHog

Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

Link :- https://github.com/trufflesecurity/trufflehog

GitGraber

gitGraber: monitor GitHub to search and find sensitive data in real time for different online services.

Link :- https://github.com/hisxo/gitGraber

Talisman

By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious – such as authorization tokens and private keys.

Link :- https://github.com/thoughtworks/talisman

GitGot

Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.

Link :- https://github.com/BishopFox/GitGot

Git-all-secrets

A tool to capture all the git secrets by leveraging multiple open source git searching tools.

Link :- https://github.com/anshumanbh/git-all-secrets

Github-search

Tools to perform basic search on GitHub.

Link :- https://github.com/gwen001/github-search

Git-vuln-finder

Finding potential software vulnerabilities from git commit messages.

Link :- https://github.com/cve-search/git-vuln-finder

Commit-stream

OSINT tool for finding GitHub repositories by extracting commit logs in real time from the GitHub event API.

Link :- https://github.com/x1sec/commit-stream

Git

GitTools

A repository with 3 tools for pwn’ing websites with .git repositories available.

Link :- https://github.com/internetwache/GitTools

Gitjacker

Leak git repositories from misconfigured websites.

Link :- https://github.com/liamg/gitjacker

Git-dumper

A tool to dump a git repository from a website.

Link :- https://github.com/arthaud/git-dumper

GitHunter

A tool for searching a Git repository for interesting content.

Link :- https://github.com/digininja/GitHunter

Dvcs-ripper

Rips web-accessible (distributed) version control systems: SVN/GIT/HG…

Link :- https://github.com/kost/dvcs-ripper

Buckets

S3Scanner

Scan for open AWS S3 buckets and dump the contents.

Link :- https://github.com/sa7mon/S3Scanner

AWSBucketDump

Security Tool to Look For Interesting Files in S3 Buckets.

Link :- https://github.com/jordanpotti/AWSBucketDump

CloudScraper

CloudScraper: tool to enumerate targets in search of cloud resources (S3 buckets, Azure Blobs, DigitalOcean Spaces).

Link :- https://github.com/VeNoMouS/cloudscraper

S3viewer

Publicly Open Amazon AWS S3 Bucket Viewer.

Link :- https://github.com/SharonBrizinov/s3viewer

Festin

Converts the various S3 bucket formats into one format for bug bounty and security testing.

Link :- https://github.com/cr0hn/festin

S3reverse

Tests a list of S3 buckets to see if they have directory listings enabled or if they are uploadable.

Link :- https://github.com/hahwul/s3reverse

Mass-s3-bucket-tester

Firefox plugin that lists Amazon S3 buckets found in requests.

Link :- https://github.com/random-robbie/mass-s3-bucket-tester

S3BucketList

Finds directory listings or open S3 buckets from a list of URLs.

Link :- https://github.com/michenriksen/bucketlist

Burp-AnonymousCloud

Burp extension that performs a passive scan to identify cloud buckets and then tests them for public accessibility.

Link :- https://github.com/codewatchorg/Burp-AnonymousCloud

CMS

Wpscan

WPScan is a free (for non-commercial use) black-box WordPress security scanner.

Link :- https://github.com/wpscanteam/wpscan

CMSeek

CMS Detection and Exploitation suite – Scan WordPress, Joomla, Drupal and over 170 other CMSs.

Link :- https://github.com/Tuhinshubhra/CMSeeK

Droopescan

A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.

Link :- https://github.com/SamJoan/droopescan

Drupwn

Drupal enumeration & exploitation tool.

Link :- https://github.com/immunIT/drupwn

WPSpider

A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.

Link :- https://github.com/cyc10n3/WPSpider

Wprecon

WordPress Recon.

Link :- https://github.com/blackcrw/wpreconx

CMSmap

CMSmap is an open-source Python CMS scanner that automates the process of detecting security flaws in the most popular CMSs.

Link :- https://github.com/dionach/CMSmap

Joomscan

OWASP Joomla Vulnerability Scanner Project.

Link :- https://github.com/drego85/JoomlaScan

Pyfiscan

Free web-application vulnerability and version scanner.

Link :- https://github.com/fgeek/pyfiscan

JSON Web Token

Jwt_tool

A toolkit for testing, tweaking and cracking JSON Web Tokens.

Link :- https://github.com/ticarpi/jwt_tool

C-jwt-cracker

JWT brute force cracker written in C.

Link :- https://github.com/brendan-rius/c-jwt-cracker

Jwt-heartbreaker

Burp extension that checks whether JWTs (JSON Web Tokens) are signed with keys known from public sources.

Link :- https://github.com/wallarm/jwt-heartbreaker

Jwtear

Modular command-line tool to parse, create and manipulate JWT tokens for hackers.

Link :- https://github.com/KINGSABRI/jwtear

Jwt-key-id-injector

Simple python script to check against hypothetical JWT vulnerability.

Link :- https://github.com/ticarpi/jwt_tool

Jwt-hack

jwt-hack is a tool for hacking / security testing of JWTs.

Link :- https://github.com/hahwul/jwt-hack

Jwt-cracker

Simple HS256 JWT token brute-force cracker.

Link :- https://github.com/brendan-rius/c-jwt-cracker

postMessage

PostMessage-tracker

A Chrome extension to track postMessage usage (URL, domain and stack), both by logging via CORS and visually as an extension icon.

Link :- https://github.com/fransr/postMessage-tracker

PostMessage_Fuzz_Tool

WebDeveloper Tool.

Link :- https://github.com/rbhitchcock/postmessagefuzzer

Subdomain Takeover

Subjack

Subdomain Takeover tool written in Go.

Link :- https://github.com/haccer/subjack

Sub0ver

A Powerful Subdomain Takeover Tool.

Link :- https://github.com/Ice3man543/SubOver

AutoSubTakeover

A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.

Link :- https://github.com/JordyZomer/autoSubTakeover

NSBrute

Python utility to takeover domains vulnerable to AWS NS Takeover.

Link :- https://github.com/shivsahni/NSBrute

Can-i-take-over-xyz

A list of services and how to claim (sub)domains with dangling DNS records.

Link :- https://github.com/EdOverflow/can-i-take-over-xyz

SubHijack

Hijacking forgotten & misconfigured subdomains.

Link :- https://github.com/johnjohnsp1/subHijack

Tko-subs

A tool that can help detect and take over subdomains with dead DNS records.

Link :- https://github.com/anshumanbh/tko-subs

HostileSubBruteforcer

This app will brute-force existing subdomains and report whether the third-party host has been properly set up.

Link :- https://github.com/nahamsec/HostileSubBruteforcer

www.thecyberblogs.com