awesome-bugbounty-tools
A curated list of various bug bounty tools
4k stars
90 watching
646 forks
last commit: 13 days ago
Linked from 1 awesome list
awesomeawesome-listbugbountysecurity-toolstoolsweb-security
Awesome Bug Bounty Tools / Recon / Subdomain Enumeration | |||
| Sublist3r | 9,683 | about 2 months ago | Fast subdomains enumeration tool for penetration testers |
| Amass | 11,840 | 4 days ago | In-depth Attack Surface Mapping and Asset Discovery |
| massdns | 3,111 | 7 months ago | A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) |
| Findomain | 3,270 | 7 months ago | The fastest and cross-platform subdomain enumerator, do not waste your time |
| Sudomy | 1,964 | 3 months ago | Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting |
| chaos-client | 622 | 12 days ago | Go client to communicate with Chaos DNS API |
| domained | 722 | over 3 years ago | Multi Tool Subdomain Enumeration |
| bugcrowd-levelup-subdomain-enumeration | 631 | over 5 years ago | This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference |
| shuffledns | 1,295 | 12 days ago | shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output… |
| puredns | 1,667 | 25 days ago | Fast domain resolver and subdomain bruteforcing with accurate wildcard filtering with wilcard(*) |
| censys-subdomain-finder | 727 | over 1 year ago | Perform subdomain enumeration using the certificate transparency logs from Censys |
| Turbolist3r | 367 | 7 months ago | Subdomain enumeration tool with analysis features for discovered domains |
| censys-enumeration | 152 | almost 2 years ago | A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys |
| tugarecon | 150 | 5 months ago | Fast subdomains enumeration tool for penetration testers |
| as3nt | 10 | almost 2 years ago | Another Subdomain ENumeration Tool |
| Subra | 53 | over 4 years ago | A Web-UI for subdomain enumeration (subfinder) |
| Substr3am | 66 | almost 2 years ago | Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued |
| domain | 915 | almost 4 years ago | enumall.py Setup script for Regon-ng |
| altdns | 2,301 | 5 months ago | Generates permutations, alterations and mutations of subdomains and then resolves them |
| brutesubs | 257 | about 3 years ago | An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose |
| dns-parallel-prober | 107 | almost 2 years ago | his is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible |
| dnscan | 1,114 | about 2 years ago | dnscan is a python wordlist-based DNS subdomain scanner |
| knock | 3,840 | about 2 months ago | Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist |
| hakrevdns | 1,419 | about 2 months ago | Small, fast tool for performing reverse DNS lookups en masse |
| dnsx | 2,146 | 12 days ago | Dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers |
| subfinder | 10,000 | 5 days ago | Subfinder is a subdomain discovery tool that discovers valid subdomains for websites |
| assetfinder | 2,974 | 4 months ago | Find domains and subdomains related to a given domain |
| crtndstry | 196 | over 4 years ago | Yet another subdomain finder |
| VHostScan | 1,188 | 10 months ago | A virtual host scanner that performs reverse lookups |
| scilla | 917 | 16 days ago | Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration |
| sub3suite | 514 | about 1 year ago | A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping |
| cero | 596 | 6 months ago | Scrape domain names from SSL certificates of arbitrary hosts |
| shosubgo | 337 | 3 months ago | Small tool to Grab subdomains using Shodan api |
| haktrails | 529 | about 1 year ago | Golang client for querying SecurityTrails API data |
| bbot | 4,463 | 11 days ago | A recursive internet scanner for hackers |
| Merklemap | Subdomain enumeration through CT logs | ||
Awesome Bug Bounty Tools / Recon / Port Scanning | |||
| masscan | 23,325 | about 2 months ago | TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes |
| RustScan | 14,235 | 7 days ago | The Modern Port Scanner |
| naabu | 4,620 | 12 days ago | A fast port scanner written in go with focus on reliability and simplicity |
| nmap | 9,924 | 15 days ago | Nmap - the Network Mapper. Github mirror of official SVN repository |
| sandmap | 1,565 | over 1 year ago | Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles |
| ScanCannon | 429 | 5 months ago | Combines the speed of masscan with the reliability and detailed enumeration of nmap |
Awesome Bug Bounty Tools / Recon / Screenshots | |||
| EyeWitness | 4,912 | about 2 months ago | EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible |
| aquatone | 5,605 | over 2 years ago | Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface |
| screenshoteer | 1,673 | about 3 years ago | Make website screenshots and mobile emulations from the command line |
| gowitness | 2,894 | 10 days ago | gowitness - a golang, web screenshot utility using Chrome Headless |
| WitnessMe | 729 | 5 days ago | Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier |
| eyeballer | 1,022 | 7 months ago | Convolutional neural network for analyzing pentest screenshots |
| scrying | 447 | over 1 year ago | A tool for collecting RDP, web and VNC screenshots all in one place |
| Depix | 25,845 | about 1 month ago | Recovers passwords from pixelized screenshots |
| httpscreenshot | 630 | over 2 years ago | HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites |
Awesome Bug Bounty Tools / Recon / Technologies | |||
| wappalyzer | Identify technology on websites | ||
| webanalyze | 949 | 10 months ago | Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning |
| python-builtwith | 35 | over 4 years ago | BuiltWith API client |
| whatweb | 5,450 | 2 months ago | Next generation web scanner |
| retire.js | 3,663 | 1 day ago | scanner detecting the use of JavaScript libraries with known vulnerabilities |
| httpx | 7,485 | 11 days ago | httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads |
| fingerprintx | 559 | about 2 months ago | fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools |
Awesome Bug Bounty Tools / Recon / Content Discovery | |||
| gobuster | 9,605 | 5 days ago | Directory/File, DNS and VHost busting tool written in Go |
| recursebuster | 242 | almost 5 years ago | rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments |
| feroxbuster | 5,799 | 13 days ago | A fast, simple, recursive content discovery tool written in Rust |
| dirsearch | 11,900 | 10 days ago | Web path scanner |
| dirsearch | 266 | about 3 years ago | A Go implementation of dirsearch |
| filebuster | 212 | over 1 year ago | An extremely fast and flexible web fuzzer |
| dirstalk | 371 | 9 months ago | Modern alternative to dirbuster/dirb |
| dirbuster-ng | 340 | about 4 years ago | dirbuster-ng is C CLI implementation of the Java dirbuster tool |
| gospider | 2,531 | 5 months ago | Gospider - Fast web spider written in Go |
| hakrawler | 4,428 | 8 months ago | Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application |
| crawley | 252 | 20 days ago | fast, feature-rich unix-way web scraper/crawler written in Golang |
| katana | 10,860 | 10 days ago | A next-generation crawling and spidering framework |
Awesome Bug Bounty Tools / Recon / Links | |||
| LinkFinder | 3,647 | 6 months ago | A python script that finds endpoints in JavaScript files |
| JS-Scan | 203 | about 7 years ago | a .js scanner, built in php. designed to scrape urls and other info |
| LinksDumper | 84 | about 5 years ago | Extract (links/possible endpoints) from responses & filter them via decoding/sorting |
| GoLinkFinder | 303 | 9 months ago | A fast and minimal JS endpoint extractor |
| BurpJSLinkFinder | 728 | 6 months ago | Burp Extension for a passive scanning JS files for endpoint links |
| urlgrab | 327 | almost 4 years ago | A golang utility to spider through a website searching for additional links |
| waybackurls | 3,440 | 5 months ago | Fetch all the URLs that the Wayback Machine knows about for a domain |
| gau | 3,877 | about 1 month ago | Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl |
| getJS | 677 | about 2 months ago | A tool to fastly get all javascript sources/files |
| linx | 202 | over 2 years ago | Reveals invisible links within JavaScript files |
| waymore | 1,650 | 3 months ago | Find way more from the Wayback Machine! |
| xnLinkFinder | 1,180 | 3 months ago | A python tool used to discover endpoints, potential parameters, and a target specific wordlist for a given target |
Awesome Bug Bounty Tools / Recon / Parameters | |||
| parameth | 1,339 | about 5 years ago | This tool can be used to brute discover GET and POST parameters |
| param-miner | 1,204 | 10 days ago | This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities |
| ParamPamPam | 268 | over 2 years ago | This tool for brute discover GET and POST parameters |
| Arjun | 5,126 | 2 months ago | HTTP parameter discovery suite |
| ParamSpider | 2,461 | 3 months ago | Mining parameters from dark corners of Web Archives |
| x8 | 1,648 | 20 days ago | Hidden parameters discovery suite written in Rust |
Awesome Bug Bounty Tools / Recon / Fuzzing | |||
| wfuzz | 5,879 | about 1 month ago | Web application fuzzer |
| ffuf | 12,278 | 3 months ago | Fast web fuzzer written in Go |
| fuzzdb | 8,160 | 11 months ago | Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery |
| IntruderPayloads | 3,636 | about 3 years ago | A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists |
| fuzz.txt | 2,853 | about 1 month ago | Potentially dangerous files |
| fuzzilli | 1,859 | 17 days ago | A JavaScript Engine Fuzzer |
| fuzzapi | 630 | over 3 years ago | Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem |
| qsfuzz | 295 | over 1 year ago | qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities |
| vaf | 312 | over 2 years ago | very advanced (web) fuzzer written in Nim |
Awesome Bug Bounty Tools / Exploitation / Command Injection | |||
| commix | 4,515 | 11 days ago | Automated All-in-One OS command injection and exploitation tool |
Awesome Bug Bounty Tools / Exploitation / CORS Misconfiguration | |||
| Corsy | 1,342 | about 2 years ago | CORS Misconfiguration Scanner |
| CORStest | 399 | about 4 years ago | A simple CORS misconfiguration scanner |
| cors-scanner | 18 | almost 5 years ago | A multi-threaded scanner that helps identify CORS flaws/misconfigurations |
| CorsMe | 168 | almost 3 years ago | Cross Origin Resource Sharing MisConfiguration Scanner |
Awesome Bug Bounty Tools / Exploitation / CRLF Injection | |||
| CRLFsuite | 543 | 12 months ago | A fast tool specially designed to scan CRLF injection |
| crlfuzz | 1,307 | 12 days ago | A fast tool to scan CRLF vulnerability written in Go |
| CRLF-Injection-Scanner | 150 | 6 months ago | Command line tool for testing CRLF injection on a list of domains |
| Injectus | 108 | about 3 years ago | CRLF and open redirect fuzzer |
Awesome Bug Bounty Tools / Exploitation / CSRF Injection | |||
| XSRFProbe | 1,089 | 5 months ago | -The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit |
Awesome Bug Bounty Tools / Exploitation / Directory Traversal | |||
| dotdotpwn | 973 | about 2 years ago | DotDotPwn - The Directory Traversal Fuzzer |
| FDsploit | 264 | over 3 years ago | File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool |
| off-by-slash | 251 | almost 3 years ago | Burp extension to detect alias traversal via NGINX misconfiguration at scale |
| liffier | 8 | about 5 years ago | tired of manually add dot-dot-slash to your possible path traversal? this short snippet will increment ../ on the URL |
Awesome Bug Bounty Tools / Exploitation / File Inclusion | |||
| liffy | 767 | about 1 year ago | Local file inclusion exploitation tool |
| Burp-LFI-tests | 58 | almost 8 years ago | Fuzzing for LFI using Burpsuite |
| LFI-Enum | 87 | over 5 years ago | Scripts to execute enumeration via LFI |
| LFISuite | 1,667 | over 2 years ago | Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner |
| LFI-files | 118 | almost 5 years ago | Wordlist to bruteforce for LFI |
Awesome Bug Bounty Tools / Exploitation / GraphQL Injection | |||
| inql | 1,522 | 3 months ago | InQL - A Burp Extension for GraphQL Security Testing |
| GraphQLmap | 1,364 | 7 months ago | GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes |
| shapeshifter | 115 | over 2 years ago | GraphQL security testing tool |
| graphql_beautifier | 29 | almost 7 years ago | Burp Suite extension to help make Graphql request more readable |
| clairvoyance | 1,009 | 18 days ago | Obtain GraphQL API schema despite disabled introspection! |
Awesome Bug Bounty Tools / Exploitation / Header Injection | |||
| headi | 225 | 3 months ago | Customisable and automated HTTP header injection |
Awesome Bug Bounty Tools / Exploitation / Insecure Deserialization | |||
| ysoserial | 7,648 | 6 months ago | A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization |
| GadgetProbe | 581 | over 3 years ago | Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths |
| ysoserial.net | 3,167 | 3 months ago | Deserialization payload generator for a variety of .NET formatters |
| phpggc | 3,192 | about 1 month ago | PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically |
Awesome Bug Bounty Tools / Exploitation / Insecure Direct Object References | |||
| Autorize | 926 | 15 days ago | Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily |
Awesome Bug Bounty Tools / Exploitation / Open Redirect | |||
| Oralyzer | 733 | over 1 year ago | Open Redirection Analyzer |
| Injectus | 108 | about 3 years ago | CRLF and open redirect fuzzer |
| dom-red | 22 | over 2 years ago | Small script to check a list of domains against open redirect vulnerability |
| OpenRedireX | 694 | 3 months ago | A Fuzzer for OpenRedirect issues |
Awesome Bug Bounty Tools / Exploitation / Race Condition | |||
| razzer | 356 | about 5 years ago | A Kernel fuzzer focusing on race bugs |
| racepwn | 262 | almost 2 years ago | Race Condition framework |
| requests-racer | 151 | over 1 year ago | Small Python library that makes it easy to exploit race conditions in web apps with Requests |
| turbo-intruder | 1,460 | 12 days ago | Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results |
| race-the-web | 585 | over 2 years ago | Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline |
Awesome Bug Bounty Tools / Exploitation / Request Smuggling | |||
| http-request-smuggling | 465 | 9 months ago | HTTP Request Smuggling Detection Tool |
| smuggler | 1,787 | 9 months ago | Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3 |
| h2csmuggler | 637 | over 2 years ago | HTTP Request Smuggling over HTTP/2 Cleartext (h2c) |
| tiscripts | 214 | over 4 years ago | These scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks |
Awesome Bug Bounty Tools / Exploitation / Server Side Request Forgery | |||
| SSRFmap | 2,942 | 4 months ago | Automatic SSRF fuzzer and exploitation tool |
| Gopherus | 2,811 | over 1 year ago | This tool generates gopher link for exploiting SSRF and gaining RCE in various servers |
| ground-control | 528 | over 7 years ago | A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities |
| SSRFire | 937 | almost 3 years ago | An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects |
| httprebind | 292 | about 4 years ago | Automatic tool for DNS rebinding-based SSRF attacks |
| ssrf-sheriff | 310 | 6 months ago | A simple SSRF-testing sheriff written in Go |
| B-XSSRF | 294 | about 5 years ago | Toolkit to detect and keep track on Blind XSS, XXE & SSRF |
| extended-ssrf-search | 275 | over 3 years ago | Smart ssrf scanner using different methods like parameter brute forcing in post and get |
| gaussrf | 166 | almost 4 years ago | Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl and Filter Urls With OpenRedirection or SSRF Parameters |
| ssrfDetector | 146 | over 7 years ago | Server-side request forgery detector |
| grafana-ssrf | 76 | 3 months ago | Authenticated SSRF in Grafana |
| sentrySSRF | 67 | 4 months ago | Tool to searching sentry config on page or in javascript files and check blind SSRF |
| lorsrf | 287 | over 1 year ago | Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods |
| singularity | 1,025 | 3 months ago | A DNS rebinding attack framework |
| whonow | 620 | almost 3 years ago | A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53) |
| dns-rebind-toolkit | 482 | almost 3 years ago | A front-end JavaScript toolkit for creating DNS rebinding attacks |
| dref | 479 | over 3 years ago | DNS Rebinding Exploitation Framework |
| rbndr | 613 | over 4 years ago | Simple DNS Rebinding Service |
| httprebind | 292 | about 4 years ago | Automatic tool for DNS rebinding-based SSRF attacks |
| dnsFookup | 250 | over 1 year ago | DNS rebinding toolkit |
| surf | 524 | 9 months ago | Escalate your SSRF vulnerabilities on Modern Cloud Environments. allows you to filter a list of hosts, returning a list of viable SSRF candidates |
Awesome Bug Bounty Tools / Exploitation / SQL Injection | |||
| sqlmap | 31,961 | 18 days ago | Automatic SQL injection and database takeover tool |
| NoSQLMap | 2,868 | 2 months ago | Automated NoSQL database enumeration and web application exploitation tool |
| SQLiScanner | 794 | over 6 years ago | Automatic SQL injection with Charles and sqlmap api |
| SleuthQL | 464 | almost 5 years ago | Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap |
| mssqlproxy | 718 | over 3 years ago | mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse |
| sqli-hunter | 424 | 5 months ago | SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy |
| waybackSqliScanner | 184 | over 5 years ago | Gather urls from wayback machine then test each GET parameter for sql injection |
| ESC | 277 | over 1 year ago | Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features |
| mssqli-duet | 91 | over 4 years ago | SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing |
| burp-to-sqlmap | Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap | ||
| BurpSQLTruncSanner | 61 | over 4 years ago | Messy BurpSuite plugin for SQL Truncation vulnerabilities |
| andor | 74 | over 2 years ago | Blind SQL Injection Tool with Golang |
| Blinder | 49 | about 5 years ago | A python library to automate time-based blind SQL injection |
| sqliv | 1,152 | about 6 years ago | massive SQL injection vulnerability scanner |
| nosqli | 351 | almost 3 years ago | NoSql Injection CLI tool, for finding vulnerable websites using MongoDB |
| ghauri | 2,949 | about 1 month ago | An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws |
Awesome Bug Bounty Tools / Exploitation / XSS Injection | |||
| XSStrike | 13,162 | about 2 months ago | Most advanced XSS scanner |
| xssor2 | 2,122 | almost 3 years ago | XSS'OR - Hack with JavaScript |
| xsscrapy | 1,642 | 4 months ago | XSS spider - 66/66 wavsep XSS detected |
| sleepy-puppy | 1,029 | about 6 years ago | Sleepy Puppy XSS Payload Management Framework |
| ezXSS | 1,869 | 15 days ago | ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting |
| xsshunter | 1,474 | almost 2 years ago | The XSS Hunter service - a portable version of XSSHunter.com |
| dalfox | 3,604 | 23 days ago | DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang |
| xsser | 1,158 | 11 days ago | Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications |
| XSpear | 1,171 | about 2 years ago | Powerfull XSS Scanning and Parameter analysis tool&gem |
| weaponised-XSS-payloads | 1,315 | about 1 year ago | XSS payloads designed to turn alert(1) into P1 |
| tracy | 552 | over 1 year ago | A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner |
| ground-control | 528 | over 7 years ago | A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities |
| xssValidator | 409 | over 2 years ago | This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities |
| JSShell | 358 | about 2 years ago | An interactive multi-user web JS shell |
| bXSS | 501 | over 1 year ago | bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting |
| docem | 502 | 8 months ago | Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids) |
| XSS-Radar | 317 | over 6 years ago | XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities |
| BruteXSS | 489 | over 3 years ago | BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application |
| findom-xss | 749 | almost 2 years ago | A fast DOM based XSS vulnerability scanner with simplicity |
| domdig | 394 | 2 months ago | DOM XSS scanner for Single Page Applications |
| femida | 276 | almost 5 years ago | Automated blind-xss search for Burp Suite |
| B-XSSRF | 294 | about 5 years ago | Toolkit to detect and keep track on Blind XSS, XXE & SSRF |
| domxssscanner | 190 | over 5 years ago | DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities |
| xsshunter_client | 248 | almost 2 years ago | Correlated injection proxy tool for XSS Hunter |
| extended-xss-search | 182 | about 5 years ago | A better version of my xssfinder tool - scans for different types of xss on a list of urls |
| xssmap | 258 | about 4 years ago | XSSMap 是一款基于 Python3 开发用于检测 XSS 漏洞的工具 |
| XSSCon | 209 | about 5 years ago | XSSCon: Simple XSS Scanner tool |
| BitBlinder | 106 | over 1 year ago | BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities |
| XSSOauthPersistence | 74 | over 5 years ago | Maintaining account persistence via XSS and Oauth |
| shadow-workers | 220 | 12 months ago | Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW) |
| rexsser | 75 | almost 4 years ago | This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope |
| xss-flare | XSS hunter on cloudflare serverless workers | ||
| Xss-Sql-Fuzz | 60 | almost 6 years ago | burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz |
| vaya-ciego-nen | 39 | over 1 year ago | Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities |
| dom-based-xss-finder | 70 | over 1 year ago | Chrome extension that finds DOM based XSS vulnerabilities |
| XSSTerminal | Develop your own XSS Payload using interactive typing | ||
| xss2png | 165 | almost 2 years ago | PNG IDAT chunks XSS payload generator |
| XSSwagger | 53 | about 5 years ago | A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks |
Awesome Bug Bounty Tools / Exploitation / XXE Injection | |||
| ground-control | 528 | over 7 years ago | A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities |
| dtd-finder | 601 | 7 months ago | List DTDs and generate XXE payloads using those local DTDs |
| docem | 502 | 8 months ago | Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids) |
| xxeserv | 326 | 9 months ago | A mini webserver with FTP support for XXE payloads |
| xxexploiter | 535 | over 1 year ago | Tool to help exploit XXE vulnerabilities |
| B-XSSRF | 294 | about 5 years ago | Toolkit to detect and keep track on Blind XSS, XXE & SSRF |
| XXEinjector | 1,509 | about 4 years ago | Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods |
| oxml_xxe | 1,030 | 3 months ago | A tool for embedding XXE/XML exploits into different filetypes |
| metahttp | 37 | almost 4 years ago | A bash script that automates the scanning of a target network for HTTP resources through XXE |
Awesome Bug Bounty Tools / Exploitation / SSTI Injection | |||
| tplmap | 3,746 | 5 months ago | Server-Side Template Injection and Code Injection Detection and Exploitation Tool |
| SSTImap | 765 | about 1 month ago | Automatic SSTI detection tool with interactive interface |
Awesome Bug Bounty Tools / Miscellaneous / Passwords | |||
| thc-hydra | 9,528 | about 2 months ago | Hydra is a parallelized login cracker which supports numerous protocols to attack |
| DefaultCreds-cheat-sheet | 5,545 | 10 days ago | One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password |
| changeme | 1,430 | almost 3 years ago | A default credential scanner |
| BruteX | 1,918 | about 1 month ago | Automatically brute force all services running on a target |
| patator | 3,541 | 9 months ago | Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage |
Awesome Bug Bounty Tools / Miscellaneous / Secrets | |||
| git-secrets | 12,310 | 6 months ago | Prevents you from committing secrets and credentials into git repositories |
| gitleaks | 17,494 | 2 days ago | Scan git repos (or files) for secrets using regex and entropy |
| truffleHog | 15,664 | 10 days ago | Searches through git repositories for high entropy strings and secrets, digging deep into commit history |
| gitGraber | 2,007 | 2 months ago | gitGraber: monitor GitHub to search and find sensitive data in real time for different online services |
| talisman | 1,890 | 2 months ago | By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious - such as authorization tokens and private keys |
| GitGot | 1,431 | 7 months ago | Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets |
| git-all-secrets | 1,103 | over 5 years ago | A tool to capture all the git secrets by leveraging multiple open source git searching tools |
| github-search | 1,323 | over 1 year ago | Tools to perform basic search on GitHub |
| git-vuln-finder | 390 | 12 months ago | Finding potential software vulnerabilities from git commit messages |
| commit-stream | #OSINT tool for finding Github repositories by extracting commit logs in real time from the Github event API | ||
| gitrob | 5,902 | about 2 years ago | Reconnaissance tool for GitHub organizations |
| repo-supervisor | 633 | over 1 year ago | Scan your code for security misconfiguration, search for passwords and secrets |
| GitMiner | 2,086 | about 4 years ago | Tool for advanced mining for content on Github |
| shhgit | 3,821 | about 1 year ago | Ah shhgit! Find GitHub secrets in real time |
| detect-secrets | 3,758 | 11 days ago | An enterprise friendly way of detecting and preventing secrets in code |
| rusty-hog | 445 | 25 days ago | A suite of secret scanners built in Rust for performance. Based on TruffleHog |
| whispers | 480 | 12 months ago | Identify hardcoded secrets and dangerous behaviours |
| yar | 231 | over 3 years ago | Yar is a tool for plunderin' organizations, users and/or repositories |
| dufflebag | 278 | over 1 year ago | Search exposed EBS volumes for secrets |
| secret-bridge | 188 | about 1 month ago | Monitors Github for leaked secrets |
| earlybird | 703 | 30 days ago | EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more |
| Trufflehog-Chrome-Extension | 363 | almost 3 years ago | Trufflehog-Chrome-Extension |
| noseyparker | 1,643 | 15 days ago | Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history |
Awesome Bug Bounty Tools / Miscellaneous / Git | |||
| GitTools | 3,821 | over 1 year ago | A repository with 3 tools for pwn'ing websites with .git repositories available |
| gitjacker | 1,540 | almost 2 years ago | Leak git repositories from misconfigured websites |
| git-dumper | 1,775 | 6 months ago | A tool to dump a git repository from a website |
| GitHunter | 91 | 9 months ago | A tool for searching a Git repository for interesting content |
| dvcs-ripper | 1,689 | 2 months ago | Rip web accessible (distributed) version control systems: SVN/GIT/HG |
| Gato (Github Attack TOolkit) | 534 | about 2 months ago | GitHub Self-Hosted Runner Enumeration and Attack Tool |
Awesome Bug Bounty Tools / Miscellaneous / Buckets | |||
| S3Scanner | 2,521 | 5 days ago | Scan for open AWS S3 buckets and dump the contents |
| AWSBucketDump | 1,354 | 6 months ago | Security Tool to Look For Interesting Files in S3 Buckets |
| CloudScraper | 493 | over 2 years ago | CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space |
| s3viewer | 430 | 12 months ago | Publicly Open Amazon AWS S3 Bucket Viewer |
| festin | 227 | almost 4 years ago | FestIn - S3 Bucket Weakness Discovery |
| s3reverse | 82 | over 1 year ago | The format of various s3 buckets is convert in one format. for bugbounty and security testing |
| mass-s3-bucket-tester | 51 | 3 months ago | This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable |
| S3BucketList | 74 | over 1 year ago | Firefox plugin that lists Amazon S3 Buckets found in requests |
| dirlstr | 50 | almost 3 years ago | Finds Directory Listings or open S3 buckets from a list of URLs |
| Burp-AnonymousCloud | 41 | over 1 year ago | Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities |
| kicks3 | 33 | over 4 years ago | S3 bucket finder from html,js and bucket misconfiguration testing tool |
| 2tearsinabucket | 6 | over 4 years ago | Enumerate s3 buckets for a specific target |
| s3_objects_check | 74 | over 2 years ago | Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files |
| s3tk | 451 | 2 months ago | A security toolkit for Amazon S3 |
| CloudBrute | 855 | about 2 months ago | Awesome cloud enumerator |
| s3cario | 15 | over 3 years ago | This tool will get the CNAME first if it's a valid Amazon s3 bucket and if it's not, it will try to check if the domain is a bucket name |
| S3Cruze | 70 | over 5 years ago | All-in-one AWS S3 bucket tool for pentesters |
Awesome Bug Bounty Tools / Miscellaneous / CMS | |||
| wpscan | 8,520 | 19 days ago | WPScan is a free, for non-commercial use, black box WordPress security scanner |
| WPSpider | 75 | over 4 years ago | A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility |
| wprecon | 13 | almost 2 years ago | Wordpress Recon |
| CMSmap | 1,021 | almost 3 years ago | CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs |
| joomscan | 1,058 | 17 days ago | OWASP Joomla Vulnerability Scanner Project |
| pyfiscan | 556 | about 1 month ago | Free web-application vulnerability and version scanner |
| aemhacker | 741 | 2 months ago | Tools to identify vulnerable Adobe Experience Manager (AEM) webapps |
| aemscan | 180 | over 1 year ago | Adobe Experience Manager Vulnerability Scanner |
Awesome Bug Bounty Tools / Miscellaneous / JSON Web Token | |||
| jwt_tool | 5,292 | about 2 months ago | A toolkit for testing, tweaking and cracking JSON Web Tokens |
| c-jwt-cracker | 2,368 | over 1 year ago | JWT brute force cracker written in C |
| jwt-heartbreaker | 121 | about 4 years ago | The Burp extension to check JWT (JSON Web Tokens) for using keys from known from public sources |
| jwtear | 99 | over 1 year ago | Modular command-line tool to parse, create and manipulate JWT tokens for hackers |
| jwt-key-id-injector | 50 | almost 4 years ago | Simple python script to check against hypothetical JWT vulnerability |
| jwt-hack | 753 | 4 months ago | jwt-hack is tool for hacking / security testing to JWT |
| jwt-cracker | 1,001 | 3 months ago | Simple HS256 JWT token brute force cracker |
Awesome Bug Bounty Tools / Miscellaneous / postMessage | |||
| postMessage-tracker | 1,032 | 8 months ago | A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon |
| PostMessage_Fuzz_Tool | 33 | almost 5 years ago | #BugBounty #BugBounty Tools #WebDeveloper Tool |
Awesome Bug Bounty Tools / Miscellaneous / Subdomain Takeover | |||
| subjack | 1,892 | about 1 year ago | Subdomain Takeover tool written in Go |
| SubOver | 919 | 12 months ago | A Powerful Subdomain Takeover Tool |
| autoSubTakeover | 130 | about 1 year ago | A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible |
| NSBrute | 82 | over 1 year ago | Python utility to takeover domains vulnerable to AWS NS Takeover |
| can-i-take-over-xyz | 4,758 | 21 days ago | "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records |
| cnames | 14 | over 1 year ago | take a list of resolved subdomains and output any corresponding CNAMES en masse |
| subHijack | 8 | about 5 years ago | Hijacking forgotten & misconfigured subdomains |
| tko-subs | 741 | over 3 years ago | A tool that can help detect and takeover subdomains with dead DNS records |
| HostileSubBruteforcer | 449 | over 3 years ago | This app will bruteforce for exisiting subdomains and provide information if the 3rd party host has been properly setup |
| second-order | 374 | over 1 year ago | Second-order subdomain takeover scanner |
| takeover | 46 | over 3 years ago | A tool for testing subdomain takeover possibilities at a mass scale |
| dnsReaper | 1,978 | 18 days ago | DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal! |
Awesome Bug Bounty Tools / Miscellaneous / Vulnerability Scanners | |||
| nuclei | 20,069 | about 15 hours ago | Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use |
| Sn1per | 7,940 | about 2 months ago | Automated pentest framework for offensive security experts |
| metasploit-framework | 33,778 | 11 days ago | Metasploit Framework |
| nikto | 8,343 | 20 days ago | Nikto web server scanner |
| arachni | 3,753 | over 1 year ago | Web Application Security Scanner Framework |
| jaeles | 2,143 | 5 months ago | The Swiss Army knife for automated Web Application Testing |
| retire.js | 3,663 | 1 day ago | scanner detecting the use of JavaScript libraries with known vulnerabilities |
| Osmedeus | 5,272 | 4 months ago | Fully automated offensive security framework for reconnaissance and vulnerability scanning |
| getsploit | 1,712 | 4 months ago | Command line utility for searching and downloading exploits |
| flan | 4,052 | 7 months ago | A pretty sweet vulnerability scanner |
| Findsploit | 1,612 | about 3 years ago | Find exploits in local and online databases instantly |
| BlackWidow | 1,502 | over 1 year ago | A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website |
| backslash-powered-scanner | 626 | 12 months ago | Finds unknown classes of injection vulnerabilities |
| Eagle | 106 | over 1 year ago | Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities |
| cariddi | 1,490 | about 1 month ago | Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more |
| OWASP ZAP | 12,506 | 11 days ago | World’s most popular free web security tools and is actively maintained by a dedicated international team of volunteers |
| SSTImap | 765 | about 1 month ago | SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself |
Awesome Bug Bounty Tools / Miscellaneous / Useful | |||
| anew | 1,354 | 9 months ago | A tool for adding new lines to files, skipping duplicates |
| gf | 1,779 | 4 months ago | A wrapper around grep, to help you grep for things |
| uro | 1,116 | 4 months ago | declutters url lists for crawling/pentesting |
| unfurl | 1,057 | about 1 year ago | Pull out bits of URLs provided on stdin |
| qsreplace | 747 | almost 2 years ago | Accept URLs on stdin, replace all query string values with a user-supplied value |
Awesome Bug Bounty Tools / Miscellaneous / Uncategorized | |||
| JSONBee | 658 | 5 months ago | A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP) of different websites |
| CyberChef | 28,546 | about 1 month ago | The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis |
| - | |||
| bountyplz | 439 | over 5 years ago | Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported) |
| PayloadsAllTheThings | 59,992 | 13 days ago | A list of useful payloads and bypass for Web Application Security and Pentest/CTF |
| bounty-targets-data | 3,115 | 10 days ago | This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports |
| android-security-awesome | 8,035 | 26 days ago | A collection of android security related resources |
| awesome-mobile-security | 2,947 | 7 months ago | An effort to build a single place for all useful android and iOS security related stuff |
| awesome-vulnerable-apps | 966 | about 2 months ago | Awesome Vulnerable Applications |
| XFFenum | 86 | 5 months ago | X-Forwarded-For [403 forbidden] enumeration |
| httpx | 7,485 | 11 days ago | httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads |
| csprecon | 360 | 13 days ago | Discover new target domains using Content Security Policy |
bytesnipers/awesome-pentest-cheat-sheets