Essential Tools for Bug Hunting

Many websites, organizations, and software developers provide bug bounty programs as a way for people to be recognized and paid for reporting bugs, particularly those that relate to security exploits and vulnerabilities.

Burp Suite

For many researchers, Burp Suite is the golden standard proxy program. Burp Suite allows you to intercept, modify, and repeat requests on the fly, as well as install custom plugins to make things easier. Professional Edition just makes the process easier by allowing you to add more plugins and using the burp collaborator client.

Discovering Subdomains & Content - AMASS (

It is overall the most thorough tool for discovering subdomains, as it uses the most sources for discovery with a mixture of passive, and active and will even do alterations to discovered subdomains. Command - amass enum -brute -active -d -o amass-output.txt.


To find working HTTP and HTTPS servers with HTTPROBE by TomNomNom ( You can probe extra ports by setting the -p flag: cat amass-output.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 50 | tee online-domains.txt


To find new domains. If you already have a list of domains and want to see if there are new ones, anew by TomNomNom ( also plays nicely as the new domains go straight to stdout, for example, cat new-output.txt | anew old-output.txt  | httprobe

DNSGEN - Low-hanging fruits

To find some gems, dnsgen by Patrik Hudak ( works brilliantly: cat amass-output.txt | dnsgen - | httprobe


It is a good idea to do a visual inspection. Aquatone (
is indeed a great tool, but most people don't realize it takes endpoints and files as well as domains, so it can sometimes be worth looking for everything and then giving it all into aquatone.


To discover files and directories. FFuF ( is by far the fastest and most customizable, it’s worth reading all the documentation, however for basic usage ffuf -ac -v -u https://domain/FUZZ -w wordlist.txt.


Daniel Miessler has provided us with “SecLists” ( which contains wordlists for every type of scanning you want to do. Grab a list and start scanning to
see what you can find.

JS endpoint discovery

ParamScanner – A custom tool to scrape each endpoint discovered and search for input names, ids, and javascript parameters. The script will look for <input> and scrape the name & ID and then try it as a parameter. As well as this it will also search for var {name} = “” and try to determine parameters referenced in javascript.


It ( works in the same way as other web crawlers. Basically, the tool accepts line-delimited domains on stdin, fetches known URLs from the Wayback Machine for *.domain, and outputs them on stdout.


Dirsearch is a frequently used free and open-source application for brute-forcing directories and files on websites. Multithreaded, Keep alive connections, numerous extensions, exporting reports in both plain text and JSON, HTTP proxy support, User-agent randomization, and many other features are included in this program. You can also brute-force files and directories using a custom wordlist like SecList. This utility is user-friendly and simple to operate, and it works with three major operating systems (Windows, MacOSX, and GNU/Linux). Command - python -u -e html,php,jpeg


Gitrob tool is widely popular to find sensitive files on public Github repositories this tool will clone user or organizations public repositories and in-depth iterate all the commit history and it matches with the potentially sensitive files such as api_key, access_token, password, database_name, etc. To install this tool you need to have Golang set up on your local machine. GitHub repo —

Google Dork

Google Dork ( is also known as "Google Hacking," and it is a technique for using Google search to uncover security weaknesses in a website. It's quite useful for security researchers, and you can obtain information such as usernames, passwords, and sensitive information by employing Google's web crawling.


Shodan is a search engine that hackers and security researchers use to locate insecure Internet of Things devices. By querying the engine, they can obtain information such as the device's IP address, web server data, banner, ISP, SSH, FTP, TELNET, and more.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment