Opensource Tools
1. 403bypasser
403bypasser automates the techniques used to circumvent access control restrictions on target pages.
Source: https://github.com/yunemse48/403bypasser
Usage: python 403bypasser.py -u https://example.com -d /secret
2. byp4xx
Python script for bypassing 40X responses. Methods from #bugbountytips, headers, verb tampering and user agents.
Source: https://github.com/lobuhi/byp4xx
Usage: python3 byp4xx.py https://www.google.es/test
3. 4-ZERO-3
Tool to bypass 403/401. This script contains all the known techniques for doing so.
Source: https://github.com/Dheerajmadhukar/4-ZERO-3
Usage: bash 403-bypass.sh https://target.com/secret
4. GrapX
GrapX will iterate through the URLs and grep the endpoints with all possible extensions.
Source: https://github.com/kabilan1290/grapX
Usage: cat domains.txt | waybackurls > urls | grapX urls output_filename
5. Subjs
Subjs fetches JavaScript files from a list of URLs or subdomains. Analyzing JavaScript files can help you find undocumented endpoints, secrets, and more.
It’s recommended to pair this with gau and then https://github.com/GerbenJavado/LinkFinder
Source: https://github.com/lc/subjs
Usage: $ cat urls.txt | subjs
$ subjs -i urls.txt
$ cat hosts.txt | gau | subjs
6. JSA
JavaScript Security Analysis (JSA) is a program for JavaScript analysis during web application security assessments.
Source: https://github.com/w9w/JSA
Usage: echo "https://host.com/file.js" | python3 jsa.py
echo "https://subdomain.host.com" | subjs | python3 jsa.py
7. ParamSpider
It mines parameters from web archives (without interacting with the target host).
Source: https://github.com/devanshbatham/ParamSpider
Usage: python3 paramspider.py --domain hackerone.com --exclude php,jpg --output hackerone.txt
8. Relative-url-extractor
A small tool that extracts relative URLs (endpoints) from a file
Source: https://github.com/jobertabma/relative-url-extractor
Usage: cat demo-file.js | ./extract.rb
curl -s https://hackerone.com/hacktivity | ./extract.rb
9. Subdomain Takeover Scanner
ItsOver is a simple program written in python3 to quickly check whether a subdomain is vulnerable to takeover
Source: https://github.com/SaadAhmedx/Subdomain-Takeover
Usage: python ItsOver.py -l Takeover.txt
10. DumpsterDiver
DumpsterDiver is a tool which can analyze big volumes of data in search of hardcoded secrets such as keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions.
Source: https://github.com/securing/DumpsterDiver
Usage: python3 DumpsterDiver.py -p [PATH_TO_FOLDER] --min-key 40 --max-key 40 --entropy 4.3
11. LinkFinder
LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files.
Source: https://github.com/GerbenJavado/LinkFinder
Usage: python3 linkfinder.py -i https://example.com -d -o cli
12. Takeover
Sub-Domain TakeOver Vulnerability Scanner
Source: https://github.com/m4ll0k/takeover
Usage: python3 takeover.py -l all.txt -v
13. EarlyBird
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more. It can be used to scan remote git repositories, local files or directories or as a pre-commit step.
Source: https://github.com/americanexpress/earlybird
Usage: go-earlybird --path=/path/to/directory
14. GF Patterns
GF patterns for grepping parameters associated with SSRF, RCE, LFI, SQLi, SSTI, IDOR, URL redirection, debug_logic and interesting subdomains.
Source: https://github.com/1ndianl33t/Gf-Patterns
Usage: cat subdomains.txt | waybackurls | sort -u | tee -a waybackdata | gf ssrf | tee -a ssrfparams.txt
cat waybackdata | gf redirect | tee -a redirect.txt
15. Massdns
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
Source: https://github.com/blechschmidt/massdns
Usage: bin/massdns -r ~/tools/massdns/lists/resolvers.txt -q -t A -o S -w massdns.raw subdomain.txt
16. Masscan
TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes
Source: https://github.com/robertdavidgraham/masscan
Usage: masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
for i in $(cat Ips.txt); do masscan $i -p80,8080; done
17. SecretFinder
SecretFinder is a python script for finding sensitive data (API keys, access tokens, JWTs, ...) and searching for anything in JavaScript files
Source: https://github.com/m4ll0k/SecretFinder
Usage: python3 SecretFinder.py -i https://example.com/1.js -o results.html
18. Corsy
Corsy is a lightweight python program that scans for all known misconfigurations in CORS implementations
Source: https://github.com/s0md3v/Corsy/
Usage: python3 corsy.py -u https://example.com
19. Gmapsapiscanner
Google Maps API Scanner Used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.
Source: https://github.com/ozguralp/gmapsapiscanner
Usage: python maps_api_scanner.py --api-key API_KEY
20. JSFinder
JSFinder is a tool for quickly extracting URLs and subdomains from JS files on a website.
Source: https://github.com/Threezh1/JSFinder
Usage: python3 JSFinder.py -u https://www.jd.com/
python JSFinder.py -u http://www.mi.com -os mi_subdomain.txt
21. Smuggler
Smuggler – An HTTP Request Smuggling / Desync testing tool written in Python 3
Source: https://github.com/defparam/smuggler
Usage: python3 smuggler.py -u <URL>
cat list_of_hosts.txt | python3 smuggler.py
22. Arjun
HTTP parameter discovery suite. Arjun can find query parameters for URL endpoints.
Source: https://github.com/s0md3v/Arjun
Usage: arjun -u https://api.example.com/endpoint
23. Interlace
Easily turn single threaded command line applications into a fast, multi-threaded application with CIDR and glob support.
Source: https://github.com/codingo/Interlace
Usage: interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_ > ./_target_-nikto.txt" -v
24. Anew
A tool for adding new lines to files, skipping duplicates.
Source: https://github.com/tomnomnom/anew
Usage: cat newthings.txt | anew things.txt > added-lines.txt
25. Assetfinder
Find domains and subdomains related to a given domain
Source: https://github.com/tomnomnom/assetfinder
Usage: assetfinder [--subs-only] <domain>
26. Chaos
Go client to communicate with Chaos DNS API.
Source: https://github.com/projectdiscovery/chaos-client
Usage: chaos -d uber.com -silent
27. Concurl
Make concurrent requests with the curl command-line tool
Source: https://github.com/tomnomnom/concurl
Usage: cat all.txt | concurl -c 5
28. DalFox
DalFox is a fast, powerful parameter analysis and XSS scanner, based on a golang/DOM parser.
Source: https://github.com/hahwul/dalfox
Usage: dalfox url https://google.com/search?q=demo
cat subdomains.txt | Gxss -p FUZZ | dalfox pipe --mining-dict /home/kali/Arjun/arjun/db/params.txt --skip-bav
29. FFUF
Fast web fuzzer written in Go
Source: https://github.com/ffuf/ffuf
Usage: ffuf -w /path/to/wordlist -u https://target/FUZZ
30. GAU
Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
Source: https://github.com/lc/gau
Usage: cat domains.txt | gau -t 5 -b png,jpg,gif -o urls.txt
31. GF
A wrapper around grep, to help you grep for things.
Source: https://github.com/tomnomnom/gf
Usage: cat testphp.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss1.txt
32. Gron
Make JSON greppable! Gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it.
Source: https://github.com/tomnomnom/gron
Usage: gron "https://api.github.com/repos/tomnomnom/gron/commits?per_page=1" | fgrep "commit.author"
33. Gxss
A tool to check a bunch of URLs for reflected parameters.
Source: https://github.com/KathanP19/Gxss
Usage: echo "https://target.com/some.php?first=hello&last=world" | Gxss -c 100
Use Case: echo "testphp.vulnweb.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | sort -u | dalfox pipe
34. Gospider
Gospider is a fast web spider written in Go
Source: https://github.com/jaeles-project/gospider
Usage: gospider -q -s "https://google.com/"
35. Hakcheckurl
Takes a list of URLs and returns their HTTP response codes. This tool was written to be chained with hakrawler to easily check the response codes of discovered URLs.
Source: https://github.com/hakluke/hakcheckurl
Use Case: assetfinder google.com | hakrawler -plain | hakcheckurl | grep -v 404
36. Hakrawler
Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
Source: https://github.com/hakluke/hakrawler
Usage: echo https://google.com | hakrawler
Use Case: echo google.com | haktrails subdomains | httpx | hakrawler
Get all subdomains of google, find the ones that respond to http(s), crawl them all.
37. Haktrails
Haktrails is a Golang client for querying SecurityTrails API data.
Source: https://github.com/hakluke/haktrails
Usage: cat domains.txt | haktrails subdomains
38. Hakrevdns
Small, fast, simple tool for performing reverse DNS lookups. You feed it IP addresses, it returns hostnames. This can be a useful way of finding domains and subdomains belonging to a company from their IP addresses.
Source: https://github.com/hakluke/hakrevdns
Usage: echo "173.0.84.110" | hakrevdns -d
39. Httprobe
Take a list of domains and probe for working HTTP and HTTPS servers
Source: https://github.com/tomnomnom/httprobe
Usage: cat recon/example/domains.txt | httprobe
40. Httpx
Httpx is a fast, multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; it is designed to keep results reliable as the thread count increases.
Source: https://github.com/projectdiscovery/httpx
Usage: httpx -list hosts.txt -silent -probe
Use Case: subfinder -d hackerone.com -silent | httpx -title -tech-detect -status-code
41. Kxss
This is an adaptation of tomnomnom’s kxss tool with a different output format. I didn’t want to fork his whole Hacks repository, so I created my own 😉
Source: https://github.com/Emoe/kxss
Usage: echo "https://www.**********.***/event_register.php?event=177" | kxss
42. Meg
Meg is a tool for fetching lots of URLs but still being ‘nice’ to servers. It can be used to fetch many paths for many hosts; fetching one path for all hosts before moving on to the next path and repeating.
You get lots of results quickly, but none of the individual hosts get flooded with traffic.
Source: https://github.com/tomnomnom/meg
Usage: meg --verbose paths hosts
43. Naabu
Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.
Source: https://github.com/projectdiscovery/naabu
Usage: naabu -host hackerone.com
44. Nuclei
Nuclei is used to send requests across targets based on a template leading to zero false positives and providing fast scanning on large number of hosts. Nuclei offers scanning for a variety of protocols including TCP, DNS, HTTP, File, etc. With powerful and flexible templating, all kinds of security checks can be modelled with Nuclei.
Source: https://github.com/projectdiscovery/nuclei
Usage: nuclei -u https://example.com
45. Puredns
Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
Source: https://github.com/d3mondev/puredns
Usage: puredns resolve domains.txt
Use Case: cat domains.txt | puredns resolve -q | httprobe
46. Qsreplace
Qsreplace accepts URLs on stdin, replaces all query string values with a user-supplied value, and outputs each combination of query string parameters only once per host and path.
Source: https://github.com/tomnomnom/qsreplace
Usage: cat urls.txt | qsreplace newval
47. Subjack
Subdomain Takeover tool written in Go
Source: https://github.com/haccer/subjack
Usage: subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
48. Subjs
Subjs fetches JavaScript files from a list of URLS or subdomains. Analyzing JavaScript files can help you find undocumented endpoints, secrets, and more.
Source: https://github.com/lc/subjs
Usage: cat urls.txt | subjs
subjs -i urls.txt
Use Case: cat hosts.txt | gau | subjs
49. Subzy
Subdomain takeover vulnerability checker
Source: https://github.com/LukaSikic/subzy
Usage: subzy -targets list.txt
50. Takeover
Sub-Domain TakeOver Vulnerability Scanner
Source: https://github.com/m4ll0k/takeover
Usage: python3 takeover.py -d http://www.domain.com -v