BugBounty — Mastering the Basics (along with Resources)[Part-3]
Bug Bounty Hunting is a career that is known for the heavy use of security tools. These tools help to find vulnerabilities in software, web, and mobile applications and are an integral part of bounty hunting. Below is a list of security tools which should be leveraged by bug bounty hunters.
Bug Bounty Tools & Scripts: Your Arsenal for Successful Hunting
Tools you should definitely know about:
- BurpSuite: Burp Suite is a software security application used for penetration testing of web applications.
- ZAP: OWASP ZAP is an open-source web application security scanner.
- Caido: A lightweight web security auditing toolkit.
Below is an awesome list to know more about the Bug Bounty Tools.
Recon
Subdomain Enumeration
- Sublist3r
Fast subdomains enumeration tool for penetration testers
- Amass
In-depth Attack Surface Mapping and Asset Discovery
- Massdns
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
- Findomain
The fastest and cross-platform subdomain enumerator, do not waste your time.
- Sudomy
Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting.
- Chaos client
Go client to communicate with Chaos DNS API.
- Domained
Multi Tool Subdomain Enumeration
- Bugcrowd levelup subdomain enumeration
This repository contains all the material from the talk “Esoteric sub-domain enumeration techniques” given at Bugcrowd LevelUp 2017 virtual conference
- Shuffledns
shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
- Censys subdomain finder
Perform subdomain enumeration using the certificate transparency logs from Censys.
- Turbolist3r
Subdomain enumeration tool with analysis features for discovered domains
- Censys enumeration
A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
- Tugarecon
Fast subdomains enumeration tool for penetration testers.
- As3nt
Another Subdomain Enumeration Tool
- Subra
A Web-UI for subdomain enumeration (subfinder)
- Substr3am
Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
- Domain
enumall.py Setup script for Regon-ng
- Altdns
Generates permutations, alterations and mutations of subdomains and then resolves them
- Brutesubs
An automation framework for running multiple open-sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
- DNS parallel prober
This is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible.
- Dnscan
Dnscan is a python wordlist-based DNS subdomain scanner.
- Knock
Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
- Hakrevdns
Small, fast tool for performing reverse DNS lookups en masse.
- Dnsx
Dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
- Subfinder
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
- Assetfinder
Find domains and subdomains related to a given domain
- Crtndstry
Yet another subdomain finder
- VHostScan
A virtual host scanner that performs reverse lookups
- Scilla
Information Gathering tool — DNS / Subdomains / Ports / Directories enumeration
- sub3suite
A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping.
- Cero
Scrape domain names from SSL certificates of arbitrary hosts
Port Scanning
- Masscan
TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
- RustScan
The Modern Port Scanner
- Naabu
A fast port scanner written in go with focus on reliability and simplicity.
- Nmap
The Network Mapper. Github mirror of official SVN repository.
- Sandmap
Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.
- ScanCannon
Combines the speed of masscan with the reliability and detailed enumeration of nmap.
Screenshots
- EyeWitness
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
- Screenshoteer
Make website screenshots and mobile emulations from the command line.
- Gowitness
A golang, web screenshot utility using Chrome Headless
- WitnessMe
Web Inventory tool takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
- Eyeballer
Convolutional neural network for analyzing pentest screenshots
- Scrying
A tool for collecting RDP, web and VNC screenshots all in one place
- Depix
Recovers passwords from pixelized screenshots
- httpscreenshot
HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.
Technologies
- Wappalyzer
Identify technology on websites.
- Webanalyze
Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
- python-builtwith
BuiltWith API client
- Whatweb
Next-generation web scanner
- Retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities
- Httpx
Httpx is a fast and multi-purpose HTTP toolkit that allows to run multiple probers using a retryable http library, it is designed to maintain the result reliability with increased threads.
- Fingerprintx
Fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools.
Content Discovery
- Gobuster
Directory/File, DNS and VHost busting tool written in Go
- Recursebuster
Rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments
- Feroxbuster
A fast, simple, recursive content discovery tool written in Rust.
- Dirsearch
Web path scanner
- Dirsearch
A Go implementation of dirsearch.
- Filebuster
An extremely fast and flexible web fuzzer
- Dirstalk
Modern alternative to dirbuster/dirb
- Dirbuster-ng
Dirbuster-ng is C CLI implementation of the Java dirbuster tool
- Gospider
Gospider — Fast web spider written in Go
- Hakrawler
Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
- Crawley
Fast, feature-rich unix-way web scraper/crawler written in Golang.
Links
- LinkFinder
A python script that finds endpoints in JavaScript files
- JS-Scan
A js scanner, built in php designed to scrape urls and other info
- LinksDumper
Extract (links/possible endpoints) from responses & filter them via decoding/sorting
- GoLinkFinder
A fast and minimal JS endpoint extractor
- BurpJSLinkFinder
Burp Extension for a passive scanning JS files for endpoint links.
- Urlgrab
A golang utility to spider through a website searching for additional links.
- Waybackurls
Fetch all the URLs that the Wayback Machine knows about for a domain
- Gau
Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
- Linx
Reveals invisible links within JavaScript files
Parameters
- Parameth
This tool can be used to brute discover GET and POST parameters.
- Param-miner
This extension identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities.
- ParamPamPam
This tool for brute discover GET and POST parameters.
- Arjun
HTTP parameter discovery suite.
- ParamSpider
Mining parameters from dark corners of Web Archives.
- x8
Hidden parameters discovery suite written in Rust.
Fuzzing
- Wfuzz
Web application fuzzer
- FFUF
Fast web fuzzer written in Go
- Fuzzdb
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
- IntruderPayloads
A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads, web pentesting methodologies, and checklists.
- fuzz.txt
Potentially dangerous files
- Fuzzilli
A JavaScript Engine Fuzzer
- Fuzzapi
Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
- Qsfuzz
Qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
- VAF
A very advanced (web) fuzzer written in Nim.
Cloud Security Tools
- SkyArk — Privilege Escalation and Data Collection for AWS
- Pacu — AWS Exploitation Framework
- AWS Exploitation Framework — RhinoSecurityLabs
Exploitation
List of tools that will be helpful during exploitation.
Command Injection
- Commix
Automated All-in-One OS command injection and exploitation tool.
CORS Misconfiguration
- Corsy
CORS Misconfiguration Scanner
- CORStest
A simple CORS misconfiguration scanner
- Cors-scanner
A multi-threaded scanner that helps identify CORS flaws/misconfigurations
- CorsMe
Cross-Origin Resource Sharing MisConfiguration Scanner
CRLF Injection
- CRLFsuite
A fast tool specially designed to scan CRLF injection
- crlfuzz
A fast tool to scan CRLF vulnerability written in Go
- CRLF-Injection-Scanner
Command line tool for testing CRLF injection on a list of domains.
- Injectus
CRLF and open redirect fuzzer.
CSRF Injection
- XSRFProbe
The Prime Cross-Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Directory Traversal
- Dotdotpwn
The Directory Traversal Fuzzer
- FDsploit
File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
- off-by-slash
Burp extension to detect alias traversal via NGINX misconfiguration at scale.
- liffier
Tired of manually adding dot-dot-slash to your possible path traversal? this short snippet will increment ../ on the URL.
File Inclusion
- Liffy
Local file inclusion exploitation tool
- Burp-LFI-tests
Fuzzing for LFI using Burpsuite
- LFI-Enum
Scripts to execute enumeration via LFI
- LFISuite
Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
- LFI-files
Wordlist to bruteforce for LFI
GraphQL Injection
- Inql
InQL — A Burp Extension for GraphQL Security Testing
- GraphQLmap
GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes.
- Shapeshifter
GraphQL security testing tool
- Graphql Beautifier
Burp Suite extension to help make Graphql request more readable
- Clairvoyance
Obtain GraphQL API schema despite disabled introspection!
Header Injection
- Headi
Customisable and automated HTTP header injection.
Insecure Deserialization
- Ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
- GadgetProbe
Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
- Ysoserial.net
Deserialization payload generator for a variety of .NET formatters
- Phpggc
PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
Insecure Direct Object References
- Autorize
Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily
Open Redirect
- Oralyzer —
Open Redirection Analyzer
- Injectus
CRLF and open redirect fuzzer
- Dom-red
Small script to check a list of domains against open redirect vulnerability
- OpenRedireX
A Fuzzer for OpenRedirect issues
Race Condition
- Razzer
A Kernel fuzzer focusing on race bugs
- Racepwn
Race Condition framework
- Requests Racer
Small Python library that makes it easy to exploit race conditions in web apps with Requests.
- Turbo-intruder
Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
- Race-the-web
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
Request Smuggling
- Http-request-smuggling
HTTP Request Smuggling Detection Tool
- Smuggler
Smuggler — An HTTP Request Smuggling / Desync testing tool written in Python 3
- H2Csmuggler
HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
- Tiscripts
These scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks.
Server Side Request Forgery
- SSRFmap
Automatic SSRF fuzzer and exploitation tool
- Gopherus
This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
- Ground control
A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
- SSRFire
An automated SSRF finder. Just give the domain name and your server and chill! 😉 Also has options to find XSS and open redirects
- Httprebind
Automatic tool for DNS rebinding-based SSRF attacks
- SSRF sheriff
A simple SSRF-testing sheriff written in Go
- B-XSSRF
Toolkit to detect and keep track on Blind XSS, XXE & SSRF
- Extended-ssrf-search
Smart ssrf scanner using different methods like parameter brute forcing in post and get…
- Gaussrf
Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl and Filter Urls With OpenRedirection or SSRF Parameters.
- SSRFDetector
Server-side request forgery detector
- Grafana-ssrf
Authenticated SSRF in Grafana
- SentrySSRF
Tool to searching sentry config on page or in javascript files and check blind SSRF
- Lorsrf
Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods
- Singularity
A DNS rebinding attack framework.
- Whonow
A “malicious” DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
- DNS rebind toolkit
A front-end JavaScript toolkit for creating DNS rebinding attacks.
- Dref
DNS Rebinding Exploitation Framework
- Rbndr
Simple DNS Rebinding Service
- Httprebind
Automatic tool for DNS rebinding-based SSRF attacks
- DnsFookup
DNS rebinding toolkit
SQL Injection
- SQLmap
Automatic SQL injection and database takeover tool
- NoSQLMap
Automated NoSQL database enumeration and web application exploitation tool.
- SQLiScanner
Automatic SQL injection with Charles and SQLmap API
- SleuthQL
Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
- MySQL proxy
MS SQL proxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
- SQLI hunter
SQLI Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
- waybackSqliScanner
Gather urls from wayback machine then test each GET parameter for sql injection.
- ESC
Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
- mssqli-duet
SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
- BurpSQLTruncSanner
Messy BurpSuite plugin for SQL Truncation vulnerabilities.
- Andor
Blind SQL Injection Tool with Golang
- Blinder
A python library to automate time-based blind SQL injection
- SQLIV
Massive SQL injection vulnerability scanner
- NoSQLI
NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.
XSS Injection
- XSStrike
Most advanced XSS scanner.
- xssor2
XSS’OR — Hack with JavaScript.
- xsscrapy
XSS spider — 66/66 wavsep XSS detected
- sleepy-puppy
Sleepy Puppy XSS Payload Management Framework
- ezXSS
ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
- xsshunter
The XSS Hunter service — a portable version of XSSHunter.com
- Dalfox
DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
- xsser
Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
- XSpear
Powerfull XSS Scanning and Parameter analysis tool&gem
- weaponised-XSS-payloads
XSS payloads designed to turn alert(1) into P1
- Tracy
A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
- ground control
A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
- xssValidator
This burp intruder extender is designed for automation and validation of XSS vulnerabilities.
- JSShell
An interactive multi-user web JS shell
- bXSS
bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
- Docem
Utility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
- XSS-Radar
XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
- BruteXSS
BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.
- findom-xss
A fast DOM based XSS vulnerability scanner with simplicity.
- Domdig
DOM XSS scanner for Single Page Applications
- Femida
Automated blind-xss search for Burp Suite
- B-XSSRF
Toolkit to detect and keep track on Blind XSS, XXE & SSRF
- domxssscanner
DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
- XSShunter client
Correlated injection proxy tool for XSS Hunter
- Extended XSS search
A better version of my xssfinder tool — scans for different types of XSS on a list of URLs.
- XSSCon
XSSCon: Simple XSS Scanner tool
- XSSOauthPersistence
Maintaining account persistence via XSS and Oauth
- Shadow workers
Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
- Rexsser
This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.
- Vaya ciego nen
Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
- Dom based xss finder
Chrome extension that finds DOM based XSS vulnerabilities
- XSS2png
PNG IDAT chunks XSS payload generator
- XSSwagger
A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks
XXE Injection
- Ground control
A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
- dtd-finder
List DTDs and generate XXE payloads using those local DTDs.
- Docem
Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
- xxeserv
A mini webserver with FTP support for XXE payloads
- xxexploiter
Tool to help exploit XXE vulnerabilities
- B-XSSRF
Toolkit to detect and keep track on Blind XSS, XXE & SSRF
- XXEinjector
Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
- Oxml_xxe
A tool for embedding XXE/XML exploits into different filetypes
- Metahttp
A bash script that automates the scanning of a target network for HTTP resources through XXE
Miscellaneous
Passwords
- thc-hydra
Hydra is a parallelized login cracker that supports numerous protocols to attack.
- DefaultCreds-cheat-sheet
One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password
- Changeme
A default credential scanner.
- BruteX
Automatically brute force all services running on a target.
- Patator
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Secrets
- Git secrets
Prevents you from committing secrets and credentials into git repositories
- Gitleaks
Scan git repos (or files) for secrets using regex and entropy
- TruffleHog
Searches through git repositories for high entropy strings and secrets, digging deep into commit history
- GitGraber
Monitor GitHub to search and find sensitive data in real time for different online services
- Talisman
By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for suspicious things — such as authorization tokens and private keys.
- GitGot
Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
- Git all secrets
A tool to capture all the git secrets by leveraging multiple open source git searching tools
- Github search
Tools to perform basic search on GitHub.
- Git vuln finder
Finding potential software vulnerabilities from git commit messages
- Gitrob
Reconnaissance tool for GitHub organizations
- Repo supervisor
Scan your code for security misconfiguration, search for passwords and secrets.
- GitMiner
Tool for advanced mining for content on Github
- Shhgit
Ah shhgit! Find GitHub secrets in real time
- Detect secrets
An enterprise friendly way of detecting and preventing secrets in code.
- Rusty hog
A suite of secret scanners built in Rust for performance. Based on TruffleHog
- Whispers
Identify hardcoded secrets and dangerous behaviours
- Yar
Yar is a tool for plunderin’ organizations, users and/or repositories.
- Dufflebag
Search exposed EBS volumes for secrets
- Secret bridge
Monitors Github for leaked secrets
- Earlybird
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
- Trufflehog Chrome Extension
- Noseyparker
Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Git
- GitTools
A repository with 3 tools for pwning websites with .git repositories available
- Gitjacker
Leak git repositories from misconfigured websites
- Git dumper
A tool to dump a git repository from a website
- GitHunter
A tool for searching a Git repository for interesting content
- Gato (Github Attack TOolkit)
GitHub Self-Hosted Runner Enumeration and Attack Tool
Buckets
- S3Scanner
Scan for open AWS S3 buckets and dump the contents
- AWSBucketDump
Security Tool to Look For Interesting Files in S3 Buckets
- CloudScraper
CloudScraper is a tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
- S3viewer
Publicly Open Amazon AWS S3 Bucket Viewer
- Festin
FestIn is a tool which showcase the S3 Bucket Weakness Discovery
- S3reverse
The format of various s3 buckets is convert in one format for bugbounty and security testing.
- mass s3 bucket tester
This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable
- S3BucketList
Firefox plugin that lists Amazon S3 Buckets found in requests
- Dirlstr
Finds Directory Listings or open S3 buckets from a list of URLs
- Burp Anonymous Cloud
Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities
- kicks3
S3 bucket finder from html,js and bucket misconfiguration testing tool
- 2 tears in a bucket
Enumerate s3 buckets for a specific target.
- S3 objects check
Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
- S3tk
A security toolkit for Amazon S3
- CloudBrute
Awesome cloud enumerator
- S3cario
This tool will get the CNAME first if it’s a valid Amazon s3 bucket and if it’s not, it will try to check if the domain is a bucket name.
- S3Cruze
All-in-one AWS S3 bucket tool for pentesters.
CMS
- Wpscan
WPScan is a free, for non-commercial use, black box WordPress security scanner
- WPSpider
A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.
- Wprecon
WordPress Recon
- CMSmap
CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
- Joomscan
OWASP Joomla Vulnerability Scanner Project
- Pyfiscan
Free web application vulnerability and version scanner
JSON Web Token
- JWT tool
A toolkit for testing, tweaking and cracking JSON Web Tokens
- C JWT cracker
JWT brute force cracker written in C
- Jwt heartbreaker
The Burp extension to check JWT (JSON Web Tokens) for using keys from known from public sources
- Jwtear
Modular command-line tool to parse, create and manipulate JWT tokens for hackers
- jwt key id injector
Simple python script to check against hypothetical JWT vulnerability.
- JWT hack
JWT hack is tool for hacking / security testing to JWT.
- JWT cracker
Simple HS256 JWT token brute force cracker
postMessage
- PostMessage-tracker
A Chrome Extension to track postMessage usage (URL, domain and stack) both by logging using CORS and also visually as an extension icon
- PostMessage_Fuzz_Tool
Subdomain Takeover
- Subjack
Subdomain Takeover tool written in Go
- SubOver
A Powerful Subdomain Takeover Tool
- AutoSubTakeover
A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.
- NSBrute
Python utility to takeover domains vulnerable to AWS NS Takeover
- can-i-take-over-xyz
“Can I take over XYZ?” — a list of services and how to claim (sub)domains with dangling DNS records.
- Cnames
Take a list of resolved subdomains and output any corresponding CNAMES en masse.
- SubHijack
Hijacking forgotten & misconfigured subdomains
- Tko-subs
A tool that can help detect and takeover subdomains with dead DNS records
- HostileSubBruteforcer
This app will bruteforce for exisiting subdomains and provide information if the 3rd party host has been properly setup.
- Second order
Second-order subdomain takeover scanner
- Takeover
A tool for testing subdomain takeover possibilities at a mass scale.
- DnsReaper
DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!
Vulnerability Scanners
- Nuclei
Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
- Sn1per
Automated pentest framework for offensive security experts
- Metasploit framework
Metasploit Framework
- Nikto
Nikto web server scanner
- Arachni
Web Application Security Scanner Framework
- Jaeles
The Swiss Army knife for automated Web Application Testing
- retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities
- Osmedeus
Fully automated offensive security framework for reconnaissance and vulnerability scanning
- Getsploit
Command line utility for searching and downloading exploits
- Flan
A pretty sweet vulnerability scanner
- Findsploit
Find exploits in local and online databases instantly
- BlackWidow
A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
- Backslash powered scanner
Finds unknown classes of injection vulnerabilities
- Eagle
Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
- Cariddi
Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more…
- OWASP ZAP
World’s most popular free web security tools and is actively maintained by a dedicated international team of volunteers
- SSTImap
SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.
Uncategorized
- JSONBee
A ready to use JSONP endpoints/payloads to help bypass the content security policy (CSP) of different websites.
- CyberChef
The Cyber Swiss Army Knife — a web app for encryption, encoding, compression and data analysis
- Bountyplz
Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
- PayloadsAllTheThings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
- Bounty targets data
This repo contains hourly-updated data dumps of bug bounty platform scopes (like HackerOne/Bugcrowd/Intigriti/etc) that are eligible for reports
- Android security awesome
A collection of Android security related resources
- Awesome mobile security
An effort to build a single place for all useful Android and iOS security related stuff.
- Awesome vulnerable apps
Awesome Vulnerable Applications
- XFFenum
X-Forwarded-For [403 forbidden] enumeration
- HTTPX
HTTPX is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
- Csprecon
Discover new target domains using the Content Security Policy
Learning and Practicing Resources:
Capture The Flag (CTF) challenges provide an excellent platform to exercise your abilities by simulating real-world vulnerabilities. Engaging in these challenges exposes you to diverse technologies required to breach applications and systems effectively.
To aid Bug Bounty Hunting journey, here’s a curated list of reputable CTF platforms and learning resources:
- PentesterLab
PentesterLab is an excellent resource for learning about web application security and ways how it can be subverted.
- Hacker101
This platform offers a collection of web security challenges with a focus on practical skills. It covers a wide range of topics, making it suitable for both beginners and seasoned professionals.
- Hack The Box
With a vibrant community, Hack The Box provides a diverse set of realistic challenges that encompass various skill levels. It’s a great platform to enhance your penetration testing skills.
- XSS Game
- OverTheWire Wargames
This platform offers a series of war games designed to teach and test various security concepts. It covers networking, cryptography, and more.
- Pwnable.tw
If you’re interested in binary exploitation and reverse engineering, Pwnable.tw offers challenges that require you to analyze and exploit vulnerable binaries.
- VulnHub
VulnHub provides a collection of vulnerable virtual machines that allow you to practice exploiting real-world scenarios in controlled environments.
This resource offers practical lessons to help you understand how common security vulnerabilities can be exploited and how to prevent them.
- Penetration Testing Practice Labs
Aman Hardikar’s collection of practice labs covers various security concepts and challenges, enabling you to test your skills.
- Bug Bounty Hunter
This platform provides a set of challenges that mimic real-world bug bounty scenarios, helping you refine your skills for actual bug hunting.
- PortSwigger Web Security
PortSwigger offers comprehensive web security training, including hands-on labs and exercises to enhance your web application security skills.
- TryHackMe
TryHackMe offers a variety of virtual rooms and challenges to help you learn and practice penetration testing techniques.
- CTFTime
CTFTime is a platform that provides information about upcoming CTF events, allowing you to participate and challenge yourself against the best.
- Gin and Juice Shop
This is a deliberately vulnerable web application that helps you practice your security testing skills in a realistic setting.
- OWASP Juice Shop
OWASP Juice Shop is another vulnerable web application designed to educate and train security professionals on web security.
Cloud CTFs:
- AWS CTF Challenges — Flaws.Cloud
- Azure CTF Challenges — brokenazure.cloud
- Google Cloud CTF Challanges — thunder-ctf.cloud
- Kubernetes Goat
Kubernetes Goat is a “Vulnerable by Design” Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
- CloudGoat
CloudGoat is Rhino Security Labs’ “Vulnerable by Design” AWS deployment tool
- CdkGoat — Vulnerable AWS CDK Infra
CdkGoat is Bridgecrew’s “Vulnerable by Design” AWS CDK repository.
- Cfngoat — Vulnerable Cloudformation Template
Cfngoat is Bridgecrew’s “Vulnerable by Design” Cloudformation repository.
- TerraGoat — Vulnerable Terraform Infra
TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository.
- Caponeme — Capital One Breach
Repository demonstrating the Capital One breach on your AWS account
- WrongSecrets
WrongSecrets is “Vulnerable by Design” to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).
- AWSGoat
A Damn Vulnerable AWS Infrastructure
- AzureGoat
A Damn Vulnerable Azure Infrastructure
- IAM Vulnerable
Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
- Sadcloud
A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
Mobile CTFs
- Allsafe
Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
- InsecureBankv2
Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.
- Vulnerable Kext
A WIP “Vulnerable by Design” kext for iOS/macOS to play & learn *OS kernel exploitation.
- InjuredAndroid
A vulnerable Android application that shows simple examples of vulnerabilities in a CTF style.
- Damn Vulnerable Bank
Damn Vulnerable Bank is designed to be an intentionally vulnerable android application.
- InsecureShop
An Intentionally designed Vulnerable Android Application built in Kotlin.
- AndroGoat
AndroGoat is purposely developed open source vulnerable/insecure app using Kotlin.
- DIVA Android
Damn Insecure and vulnerable App for Android.
- OVAA
Oversecured Vulnerable Android App.
- Vuldroid
Android Application covering various static and dynamic vulnerabilities.
- Android Security Testing
HPAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.
Certifications: Your Learning Path
While hands-on experience and self-study are vital components of becoming a successful Cybersecurity Researcher & a Bug Bounty Hunter, certifications play a significant role in enhancing the skills and credibility as well as helping to get a better job in the future. Here are a few certifications that you might consider pursuing as a beginner:
- CompTIA Security+
- Google Cybersecurity Certificate
- Certified Ethical Hacker (CEH)
- GIAC Security Essentials Certification (GSEC)
- eLearnSecurity Certified Professional Penetration Tester (eCPPT)
- Offensive Security Certified Professional (OSCP)
- (ISC)² CC — Certified in Cybersecurity
Continual Learning and Practice
Bug bounty hunting requires continual learning and practice. As you progress, you’ll find each bug bounty program has its unique challenges and rewards. Learn from your experiences and always strive to improve your skills. As you start your journey to become a bug bounty hunter, you’ll find that practicing and honing your skills is a crucial step.
Any type of comments are welcome. Thank you for your time :)).
Happy Hacking !!!
If you enjoyed reading the article do clap and follow:
Twitter: https://twitter.com/i_amsphinx
LinkedIn: https://www.linkedin.com/in/pathakabhi24/
GitHub: https://github.com/pathakabhi24
