Here you can find links to a bunch of useful tools for Bug Bounty Hunting.

Name | Description |
---|---|
Burp Suite | A Proxy to intercept and manipulate Web Traffic (free & paid version). |
Caido | A lightweight web security auditing toolkit. |
OWASP Zap Proxy | A Proxy to intercept and manipulate Web Traffic (free). |
Wireshark | Wireshark is a network protocol analyzer that lets you capture and read network packets. |

Name | Description |
---|---|
Crobat | A rapid API for the Project Sonar dataset |
Chaos Client | Go client to communicate with Chaos DB API. |
MassDNS | A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) |
Amass | Uses a variety of different techniques to gather subdomains and can build a network map of the target. Very good export options. |
Metabigor | Wrapper for running rustscan, masscan and nmap more efficiently on IP/CIDR. |
Knock | Knockpy is a portable and modular python3 tool designed to quickly enumerate subdomains on a target domain through passive reconnaissance and dictionary scan. |
Sublist3r | Fast subdomains enumeration tool for penetration testers. |
Turbolist3r | Subdomain enumeration tool with analysis features for discovered domains |
subfinder | subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well. |
SubBrute | A DNS meta-query spider that enumerates DNS records, and subdomains. |
BruteX | Automatically brute force all services running on a target. |
dnsgen | Generates a combination of domain names from the provided input. |
Altdns | Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as a list of subdomains that you know of. |
shuffleDNS | shuffleDNS is a wrapper around massdns, written in go, that allows you to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support. |
dnsx | dnsx is a fast and multi-purpose DNS toolkit that allows you to run multiple DNS queries of your choice with a list of user-supplied resolvers. |

Name | Description |
---|---|
SubOver | A Powerful Subdomain Takeover Tool |
Sub404 | Sub404 is a tool written in Python that checks for possible subdomain takeover vulnerabilities; it is fast because it is asynchronous. |
subjack | Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives. |

Name | Description |
---|---|
FFuF | A very fast Fuzzing Tool to brute force directories or other parameters. Highly configurable. |
dirsearch | dirsearch is a simple command-line tool designed to brute force directories and files in websites |
Kiterunner | Contextual Content Discovery Tool |
IIS Short Name Scanner | Latest version of the scanners for the IIS short filename (8.3) disclosure vulnerability. |
dirb | Dirb is a web fuzzer created by Ramon Pinuaga; this repo is a fork of the SourceForge project. |
FeroxBuster | A simple, fast, recursive content discovery tool written in Rust |
ParamSpider | Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing |
Wfuzz | Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. |

Name | Description |
---|---|
katana | A next-generation crawling and spidering framework. |
GoSpider | GoSpider - Fast web spider written in Go |
hakrawler | Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application |
LinkFinder | A Python script that finds endpoints in JavaScript files |
Robofinder | Robofinder retrieves historical robots.txt files from Archive.org, allowing you to uncover previously disallowed directories and paths for any domain, which is essential for deepening your OSINT and recon process. |

Name | Description |
---|---|
EyeWitness | EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if known. |
gowitness | 🔍 gowitness - a golang, web screenshot utility using Chrome Headless |
webscreenshot | A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script. |

Name | Description |
---|---|
assetfinder | Find domains and subdomains related to a given domain. |
httpx | A fast and multi-purpose HTTP toolkit that allows running multiple probes. |
httprobe | Take a list of domains and probe for working HTTP and HTTPS servers. |
gau | Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. |
Gobuster | Directory/File, DNS and VHost busting tool written in Go. |
gf | A wrapper around grep to avoid typing common patterns. |
waybackurls | Fetch all the URLs that the Wayback Machine knows about for a domain |
DirDar | DirDar is a tool that searches for (403-Forbidden) directories to break them and get directory listings on them. |
Arjun | HTTP parameter discovery suite. |
x8 | Hidden parameters discovery suite |
xnLinkFinder | A Python tool used to discover endpoints, potential parameters, and a target-specific wordlist for a given target |

Name | Description |
---|---|
sn1per | Discover hidden assets and vulnerabilities in your environment. |
Raccoon | A high performance offensive security tool for reconnaissance and vulnerability scanning |
LazyRecon | An automated approach to performing recon for bug bounty hunting and penetration testing. |
Recon-ng | Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly. |

Name | Description |
---|---|
chaos | A live, continuously updated API providing comprehensive internet data, including real-time DNS entries across the entire web. |
hunter.io | Email Enumeration for big corps |
intelx.io | Swiss army Knife of OSINT |
Shodan | Search engine that lets you find systems connected to the internet with a variety of filters |
Censys | "Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet." |
crt.sh | SSL certificate search tool |
Virus Total | WHOIS, DNS, and subdomain recon |
ZoomEye | Search engine for specific network components |
NerdyData | Search Engine for Source Code |
Crunchbase | For finding Information about Businesses and their acquisitions |
Searchcode | Helping you find real-world examples of functions, APIs and libraries in over 90 languages across multiple sources |

Name | Description |
---|---|
sqlmap | sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. |
NoSQLMap | Automated NoSQL database enumeration and web application exploitation tool. |
Nuclei | "Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use." |
Nikto | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. |
XSStrike | XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler. |
Dalfox | 🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation. |
Bxss | Blind XSS Scanner is a tool that can be used to scan for blind XSS vulnerabilities in web applications. |
Gxss | A tool to check a bunch of URLs that contain reflecting params. |
X-Recon | A utility for detecting webpage inputs and conducting XSS scans. |
CORScanner | Fast CORS misconfiguration vulnerabilities scanner. |
WPScan | WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. |

Name | Description |
---|---|
Nmap | A well-known and powerful tool for port scanning. Nmap provides the possibility to use scripts to further customize its functionality. |
Masscan | This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine. |
ScanCannon | External attack surface discovery, enumeration and reconnaissance for massive networks |
Naabu | A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests. |
Aquatone | Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. |
RustScan | The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported). |

Name | Description |
---|---|
Notion | "Write, plan, collaborate, and get organized — all in one tool." |
Xmind | XMind is a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, and bring productivity to a remote WFH team. |
Obsidian | Obsidian is the private and flexible writing app that adapts to the way you think. |
Draw.io | draw.io is free online diagram software for making flowcharts, process diagrams, org charts, UML, ER and network diagrams. |

Name | Description |
---|---|
SecLists | A huge collection of word lists for hacking. |
AssetNote's Wordlists | Collection of wordlists created by AssetNote. |
fuzzdb | It's the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses. |
samlists | Free, libre, effective, and data-driven wordlists for all! |
Jason Haddix | Jason Haddix Wordlists |

Name | Description |
---|---|
Deduplicate | Remove duplicate URLs from input |
Anew | A tool for adding new lines to files, skipping duplicates |
unfurl | Pull out bits of URLs provided on stdin |
WhatWeb | Next generation web scanner |
JWT Tool | A toolkit for testing, tweaking and cracking JSON Web Tokens |
HostHunter | HostHunter is a recon tool for discovering hostnames using OSINT techniques. |