Awesome Bug Bounty Tips Awesome
Awesome Bug Bounty Tips 
A curated list of amazingly bug bounty tips from security researchers around the world. Here’s a detailed Awesome Scripting and Automation Tools list designed to focus on bug bounty automation. It's GitHub-ready, beginner-friendly, and curated with actionable scripts and tools for effective automation.
Awesome Bug Bounty Scripting & Automation Tools
A curated list of scripts, tools, and techniques to automate bug bounty and cybersecurity workflows.
Table of Contents
1. Introduction
Bug hunting often involves repetitive tasks like subdomain enumeration, vulnerability scanning, and reporting. Automating these tasks helps to:
Save time and effort.
Focus on manual, high-value targets.
Reduce human errors.
This list focuses on tools and scripts that streamline automation while keeping the process beginner-friendly.
2. Environment Setup
Install Essential Tools
Install core tools for scripting and automation:
sudo apt update && sudo apt install -y git curl jq python3 python3-pip golangDirectory Structure
Organize your workspace:
mkdir -p ~/bugbounty/{scripts,tools,results,reports}Install Common Tools
# Subdomain Enumeration
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# HTTP Probing
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# Vulnerability Scanning
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest3. Automation Tools
Recon Tools
Vulnerability Scanning Tools
Content Discovery
4. Essential Scripts
Template for a Recon Script
#!/bin/bash
# Recon Automation Script
target=$1
output_dir="results/$target"
mkdir -p $output_dir
echo "[+] Enumerating subdomains for $target"
subfinder -d $target -silent | anew $output_dir/subdomains.txt
echo "[+] Probing live subdomains"
cat $output_dir/subdomains.txt | httpx -silent | anew $output_dir/live_subdomains.txt
echo "[+] Scanning for vulnerabilities"
nuclei -l $output_dir/live_subdomains.txt -t vulnerabilities/ -o $output_dir/vulnerabilities.txtGit Sync Automation
#!/bin/bash
# Auto-sync a GitHub repository
repo_dir="/path/to/repo"
cd $repo_dir
echo "[+] Pulling latest changes..."
git pull origin main
echo "[+] Running automation scripts..."
./scripts/automate.sh
echo "[+] Pushing updates..."
git add .
git commit -m "Automated updates"
git push origin mainHealth Check Script
#!/bin/bash
# Server Health Check
hosts=("host1.com" "host2.com" "host3.com")
for host in "${hosts[@]}"; do
if ping -c 1 $host &> /dev/null; then
echo "[+] $host is reachable"
else
echo "[-] $host is unreachable"
fi
done5. Automated Recon
Full Recon Pipeline
#!/bin/bash
# Full Recon Automation Script
target=$1
output_dir="recon_results/$target"
mkdir -p $output_dir
echo "[+] Enumerating subdomains"
subfinder -d $target -silent | anew $output_dir/subdomains.txt
amass enum -passive -d $target | anew $output_dir/subdomains.txt
echo "[+] Probing live subdomains"
cat $output_dir/subdomains.txt | httpx -silent | anew $output_dir/live_hosts.txt
echo "[+] Fuzzing directories"
ffuf -w wordlist.txt -u https://FUZZ -t 50 -o $output_dir/fuzzing.txt
echo "[+] Scanning for vulnerabilities"
nuclei -l $output_dir/live_hosts.txt -t vulnerabilities/ -o $output_dir/vulnerabilities.txt6. Reporting Automation
Generate Markdown Report
#!/bin/bash
# Markdown Report Generator
target=$1
output_file="reports/$target.md"
echo "# Vulnerability Report for $target" > $output_file
echo "## Reconnaissance" >> $output_file
echo "- Subdomains: $(wc -l recon_results/$target/subdomains.txt)" >> $output_file
echo "- Live Hosts: $(wc -l recon_results/$target/live_hosts.txt)" >> $output_file
echo "## Vulnerabilities" >> $output_file
cat recon_results/$target/vulnerabilities.txt >> $output_file7. Learning Resources
Documentation
Practice Labs
Contribute
Feel free to fork this repo, add your custom scripts, and submit pull requests!
This Awesome Scripting and Automation Tools list is designed to grow and adapt. Suggestions and contributions are always welcome! 🚀
Why?
It is hard to look for Bug Bounty Tips from different social media websites. This repo helps to keep all these scattered tips at one place.
Contents
Website
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel (/users/sign_in), navigate to
/explore. Once you get in, use the search function to find passwords, keys, etc. - @EdOverflow
If you have found an authenticated stored XSS vulnerability that requires specific permissions to exploit — say administrator-level access — always check to see if the POST request that transmitts the payload is vulnerable to CSRF or an IDOR. This will increase the impact, since as an attacker you no longer need an account with certain permissions to exploit the issue. - @EdOverflow
If you are in heroku, try calling /app/Procfile to get the installation instructions that a dev had when deploying to heroku. If that loads and you know what stack it uses, you should be able to find the source code of the app in /app directory. For example if it is rails, you can pull routes.rb by calling /app/config/routes.rb. The app folder is the main directory where all deployed code is stored. - @uraniumhacker
most java web apps allow bypassing common LFI filtering rules by doing the following: http://domain.tld/page.jsp?include=..;/..;/sensitive.txt - @zer0pwn
If you find jsp page with no parameters. You can actually add path parameters using semicolon. Like this example.com/test.jsp;');alert(1)// & perform XSS. Apache tomcat support this. - @akshukatkar
When you have a SSRF vulnerability on a Google Cloud server, the fastest way to grab all internal metadata is this "All in one" payload: http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true - @adrien_jeanneau
Always do printenv to see if your inside a container when you have a RCE you can escalate it further if you break outside the container. - @Random_Robbie
Mobile
Struggling with SSL Pinning or root detection on Android or iOS? Use [Objection] (https://github.com/sensepost/objection) to easily bypass them. - @skeltavik
Dont just statically analyze apps. Dynamic analysis is where I find 90% of my mobile bugs. Look at old and new versions of apps. Sometimes you can derive API keys from the older apps that still work! - @nullenc0de
Tools
Use commoncrawl for finding subdomains and endpoints. Sometimes you find endpoints that can't directly be visited from the UI but has been indexed from other sites. curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq -r .url | sort -u - @streaak
Add to scope all your target subdomains on @Burp_Suite "Target" tab >> "Scope" >> "Use advanced scope control" checkbox >> "Add" button >> Set Protocol: Any - Host/IP range: .*.domain.com$ >> Enjoy! - @_gonzacabrera
Threatcrowd is able to list domains registered by a specific email address: https://www.threatcrowd.org/email.php?email=domain@teslamotors.com Very handy for open-scope. - MrTuxracer
Need to bypass a firewall? Use securitytrails.com to find the originating server IP. (https://github.com/vincentcox/bypass-firewalls-by-DNS-history) - @vincentcox_be
You can enumerate directories in some buckets with Wfuzz. Rule for Wfuzz: http(s):///FUZZ/ Successful: 200 Status code without content - @Wh11teW0lf
Want to find some internal code of companies or some sample codes of new features? Checkout with: site:repl.it intext:. In companydomain, if you know the internal domain it is even better. @uraniumhacker
To find vulnerable domains and subdomains that is currently pointed to GitHub due to misconfiguration. Try searching the following syntax on publicwww. "There isn't a Github Pages site here". It will return thousands of pages containing domains and subdomains that could be vulnerable to Subdomain Takeover. - [@ajdumanhug](
Others
Look for hackathon-related assets. Companies sometimes run hackathons and give attendees special access to certain API endpoints or temporary credentials. I have found GIT repositories that were set up for hackathons full of sensitive information. - @EdOverflow
If you submit a report and want the triage team to quickly triage your report, include your test credenetials in the report. This is especially useful if user permissions and roles are involved. - @EdOverflow
Do not just inspect source code, check GIT logs for information too. Here are some simple tricks that you can add to your reconnaissance workflow: https://gist.github.com/EdOverflow/a9aad69a690d97a8da20cd4194ca6596 - @EdOverflow
Look for hackathon-related assets. Companies sometimes run hackathons and give attendees special access to certain API endpoints or temporary credentials. I have found GIT repositories that were set up for hackathons full of sensitive information. - @EdOverflow
As a hacker you will come across many different pieces of software that you haven’t used before. It often pays off to take the time to install / use it to 1) create a sandbox to test particular scenarios and 2) understand the software better to find more vulns faster. - @jobertabma
Always check an e-mail's headers and body. They often contain valuable information and endpoints! - @honoki
If a bounty target offers premium features, buy them and test the new endpoints. Most of the times, it's worth the investment! - @vdeschutter
Follow the marketing guys (e.g., Director or Manager) of the product you're targeting for #BugBounty. These guys are awesome in telling you all the new features that are in pipeline or just released. You will be the first to get your hands dirty. - @soaj1664ashar
Did you know that the character '_' acts like the regex character '.' in SQL queries. https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php - @gwendallecoguic
If a website does not verify email, try signing up with @domain.com (the company email). Sometimes this gives you higher privilege like deleting/viewing any other user's profiles etc. @uraniumhacker
Last updated