awesome-bugbounty-tools
A curated list of various bug bounty tools
https://github.com/vavkamil/awesome-bugbounty-tools
Exploitation
Command Injection
- commix - Automated All-in-One OS command injection and exploitation tool.
CORS Misconfiguration
- Corsy - CORS Misconfiguration Scanner
- CORStest - A simple CORS misconfiguration scanner
- cors-scanner - A multi-threaded scanner that helps identify CORS flaws/misconfigurations
- CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner
- Corser - Corser is a Golang CLI Application for Advanced CORS Misconfiguration Detection.
CRLF Injection
- crlfuzz - A fast tool to scan CRLF vulnerability written in Go
- CRLF-Injection-Scanner - Command line tool for testing CRLF injection on a list of domains.
- CRLFsuite - A fast tool specially designed to scan CRLF injection
CSRF Injection
- XSRFProbe - The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Directory Traversal
- dotdotpwn - DotDotPwn - The Directory Traversal Fuzzer
- FDsploit - File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
- off-by-slash - Burp extension to detect alias traversal via NGINX misconfiguration at scale.
- liffier - Tired of manually adding dot-dot-slash to your possible path traversal? This short snippet will increment ../ on the URL.
File Inclusion
- liffy - Local file inclusion exploitation tool
- Burp-LFI-tests - Fuzzing for LFI using Burpsuite
- LFI-Enum - Scripts to execute enumeration via LFI
- LFISuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
- LFI-files - Wordlist to bruteforce for LFI
GraphQL Injection
- inql - InQL - A Burp Extension for GraphQL Security Testing
- GraphQLmap - GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
- shapeshifter - GraphQL security testing tool
- graphql_beautifier - Burp Suite extension to help make Graphql request more readable
- clairvoyance - Obtain GraphQL API schema despite disabled introspection!
Header Injection
- headi - Customisable and automated HTTP header injection.
Insecure Deserialization
- ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
- GadgetProbe - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
- ysoserial.net - Deserialization payload generator for a variety of .NET formatters
- phpggc - PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
Insecure Direct Object References
- Autorize - Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily
Open Redirect
- Oralyzer - Open Redirection Analyzer
- dom-red - Small script to check a list of domains against open redirect vulnerability
- OpenRedireX - A Fuzzer for OpenRedirect issues
- Injectus - CRLF and open redirect fuzzer
Race Condition
- razzer - A Kernel fuzzer focusing on race bugs
- racepwn - Race Condition framework
- requests-racer - Small Python library that makes it easy to exploit race conditions in web apps with Requests.
- turbo-intruder - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
- race-the-web - Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
Request Smuggling
- http-request-smuggling - HTTP Request Smuggling Detection Tool
- smuggler - Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
- h2csmuggler - HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
- tiscripts - These scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks.
Server Side Request Forgery
- SSRFmap - Automatic SSRF fuzzer and exploitation tool
- Gopherus - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
- httprebind - Automatic tool for DNS rebinding-based SSRF attacks
- ssrf-sheriff - A simple SSRF-testing sheriff written in Go
- extended-ssrf-search - Smart ssrf scanner using different methods like parameter brute forcing in post and get...
- gaussrf - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl and Filter Urls With OpenRedirection or SSRF Parameters.
- ssrfDetector - Server-side request forgery detector
- grafana-ssrf - Authenticated SSRF in Grafana
- sentrySSRF - Tool to searching sentry config on page or in javascript files and check blind SSRF
- lorsrf - Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods
- singularity - A DNS rebinding attack framework.
- whonow - A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
- dns-rebind-toolkit - A front-end JavaScript toolkit for creating DNS rebinding attacks.
- dref - DNS Rebinding Exploitation Framework
- rbndr - Simple DNS Rebinding Service
- dnsFookup - DNS rebinding toolkit
- surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments. `surf` allows you to filter a list of hosts, returning a list of viable SSRF candidates.
- SSRFire - An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
SQL Injection
- sqlmap - Automatic SQL injection and database takeover tool
- NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
- SQLiScanner - Automatic SQL injection with Charles and sqlmap api
- SleuthQL - Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
- mssqlproxy - mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
- sqli-hunter - SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
- waybackSqliScanner - Gather urls from wayback machine then test each GET parameter for sql injection.
- ESC - Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
- mssqli-duet - SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
- burp-to-sqlmap - Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap
- BurpSQLTruncSanner - Messy BurpSuite plugin for SQL Truncation vulnerabilities.
- andor - Blind SQL Injection Tool with Golang
- Blinder - A python library to automate time-based blind SQL injection
- sqliv - massive SQL injection vulnerability scanner
- nosqli - NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.
- ghauri - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
SSTI Injection
- tplmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool
Waf Evasion
- nowafpls - Burp Plugin to Bypass WAFs through the insertion of Junk Data.
Web-Cache-Poisoning
- toxicache - Go scanner to find web cache poisoning vulnerabilities in a list of URLs .
XSS Injection
- XSStrike - Most advanced XSS scanner.
- xssor2 - XSS'OR - Hack with JavaScript.
- xsscrapy - XSS spider - 66/66 wavsep XSS detected
- sleepy-puppy - Sleepy Puppy XSS Payload Management Framework
- ezXSS - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
- xsshunter - The XSS Hunter service - a portable version of XSSHunter.com
- dalfox - DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
- xsser - Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
- XSpear - Powerful XSS Scanning and Parameter analysis tool&gem
- weaponised-XSS-payloads - XSS payloads designed to turn alert(1) into P1
- tracy - A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
- JSShell - An interactive multi-user web JS shell
- bXSS - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
- XSS-Radar - XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
- BruteXSS - BruteXSS is a tool written in Python simply to find XSS vulnerabilities in web applications.
- findom-xss - A fast DOM based XSS vulnerability scanner with simplicity.
- domdig - DOM XSS scanner for Single Page Applications
- femida - Automated blind-xss search for Burp Suite
- domxssscanner - DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
- xsshunter_client - Correlated injection proxy tool for XSS Hunter
- extended-xss-search - A better version of my xssfinder tool - scans for different types of xss on a list of urls.
- xssmap - XSSMap is a tool developed in Python3 for detecting XSS vulnerabilities
- XSSCon - XSSCon: Simple XSS Scanner tool
- BitBlinder - BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities
- XSSOauthPersistence - Maintaining account persistence via XSS and Oauth
- shadow-workers - Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
- rexsser - This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.
- Xss-Sql-Fuzz - Burp Suite plugin that automatically adds XSS and SQL payloads to all GET/POST parameters (filtering out special parameters) with one click and fuzzes them
- vaya-ciego-nen - Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
- dom-based-xss-finder - Chrome extension that finds DOM based XSS vulnerabilities
- xss2png - PNG IDAT chunks XSS payload generator
- XSSwagger - A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks
- xssValidator - This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
- xss-flare - XSS hunter on cloudflare serverless workers.
- XSSTerminal - Develop your own XSS Payload using interactive typing
XXE Injection
- ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
- B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
- docem - Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)
- dtd-finder - List DTDs and generate XXE payloads using those local DTDs.
- xxeserv - A mini webserver with FTP support for XXE payloads
- xxexploiter - Tool to help exploit XXE vulnerabilities
- XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
- oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes
- metahttp - A bash script that automates the scanning of a target network for HTTP resources through XXE
Miscellaneous
AI Agents
- shannon - Fully autonomous AI hacker to find actual exploits in your web apps.
- PentestGPT - AI-powered penetration testing assistant that helps automate security testing workflows and vulnerability discovery.
Buckets
- S3Scanner - Scan for open AWS S3 buckets and dump the contents
- AWSBucketDump - Security Tool to Look For Interesting Files in S3 Buckets
- CloudScraper - CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
- s3viewer - Publicly Open Amazon AWS S3 Bucket Viewer
- festin - FestIn - S3 Bucket Weakness Discovery
- s3reverse - Converts the various S3 bucket formats into one format, for bug bounty and security testing.
- mass-s3-bucket-tester - This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable
- S3BucketList - Firefox plugin that lists Amazon S3 Buckets found in requests
- dirlstr - Finds Directory Listings or open S3 buckets from a list of URLs
- Burp-AnonymousCloud - Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities
- kicks3 - S3 bucket finder from html,js and bucket misconfiguration testing tool
- 2tearsinabucket - Enumerate s3 buckets for a specific target.
- s3_objects_check - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
- s3tk - A security toolkit for Amazon S3
- CloudBrute - Awesome cloud enumerator
- s3cario - This tool will get the CNAME first if it's a valid Amazon s3 bucket and if it's not, it will try to check if the domain is a bucket name.
- S3Cruze - All-in-one AWS S3 bucket tool for pentesters.
- s3dns - Passive DNS-based discovery of S3 (and other cloud) buckets by resolving CNAMEs and IPs during recon—ideal for stealthy and early identification of cloud storage exposures
CMS
- wpscan - WPScan is a free, for non-commercial use, black box WordPress security scanner
- WPSpider - A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.
- CMSmap - CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
- joomscan - OWASP Joomla Vulnerability Scanner Project
- pyfiscan - Free web-application vulnerability and version scanner
- aemhacker - Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
- aemscan - Adobe Experience Manager Vulnerability Scanner
- wprecon - Wordpress Recon
- Temodar Agent - AI-powered WordPress plugin/theme security analysis platform with Semgrep-based static analysis and agent-assisted investigation workflows
Forbidden Bypass
- NoMore403 - Advanced tool for security researchers to bypass 403/40X restrictions through smart techniques and adaptive request manipulation.
- Forbidden Buster - A tool designed to automate various techniques in order to bypass HTTP 401 and 403 response codes and gain access to unauthorized areas in the system.
Git
- GitTools - A repository with 3 tools for pwn'ing websites with .git repositories available
- gitjacker - Leak git repositories from misconfigured websites
- git-dumper - A tool to dump a git repository from a website
- GitHunter - A tool for searching a Git repository for interesting content
- dvcs-ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG...
- Gato (Github Attack TOolkit) - GitHub Self-Hosted Runner Enumeration and Attack Tool
- zizmor - Static analysis tool for GitHub Actions
JSON Web Token
- jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
- c-jwt-cracker - JWT brute force cracker written in C
- jwt-heartbreaker - Burp extension to check JWTs (JSON Web Tokens) for use of keys known from public sources
- jwtear - Modular command-line tool to parse, create and manipulate JWT tokens for hackers
- jwt-key-id-injector - Simple python script to check against hypothetical JWT vulnerability.
- jwt-hack - jwt-hack is a tool for hacking / security testing of JWTs.
- jwt-cracker - Simple HS256 JWT token brute force cracker
Origin IP
- CloudRip - A tool that helps you find the real IP addresses hiding behind Cloudflare by checking subdomains.
- hakoriginfinder - Tool for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies.
Passwords
- thc-hydra - Hydra is a parallelized login cracker which supports numerous protocols to attack.
- DefaultCreds-cheat-sheet - One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password
- changeme - A default credential scanner.
- BruteX - Automatically brute force all services running on a target.
- patator - Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Permutation
- alterx - Fast and customizable subdomain wordlist generator using DSL. alterx takes patterns as input and generates subdomain permutation wordlist based on that pattern.
- gotator - Gotator is a tool to generate DNS wordlists through permutations.
- ripgen - Rust-based high performance domain permutation generator.
- dnsgen - DNSGen is a powerful and flexible DNS name permutation tool designed for security researchers and penetration testers. It generates intelligent domain name variations to assist in subdomain discovery and security assessments.
- goaltdns - A permutation generation tool written in golang.
postMessage
- postMessage-tracker - A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon
- PostMessage_Fuzz_Tool - #BugBounty #BugBounty Tools #WebDeveloper Tool
Secrets
- git-secrets - Prevents you from committing secrets and credentials into git repositories
- gitGraber - gitGraber: monitor GitHub to search and find sensitive data in real time for different online services
- talisman - By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious - such as authorization tokens and private keys.
- GitGot - Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
- git-all-secrets - A tool to capture all the git secrets by leveraging multiple open source git searching tools
- github-search - Tools to perform basic search on GitHub.
- git-vuln-finder - Finding potential software vulnerabilities from git commit messages
- gitrob - Reconnaissance tool for GitHub organizations
- repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
- GitMiner - Tool for advanced mining for content on Github
- shhgit - Ah shhgit! Find GitHub secrets in real time
- detect-secrets - An enterprise friendly way of detecting and preventing secrets in code.
- rusty-hog - A suite of secret scanners built in Rust for performance. Based on TruffleHog
- whispers - Identify hardcoded secrets and dangerous behaviours