Your Bug Bounty ToolKit

We have hand picked some tools below which we believe will be useful for your hunt. All of the them together should be enough to help you gather large amounts of data, enough to hopefully find at least one bug! New tools come out all the time and we will do our best to keep updating this list. Be sure to check each creator out on GitHub & show your support!

Burp Suite

Burp Suite by PortSwigger is used for monitoring requests from your computer & websites. PortSwigger offer a free community edition and also a PRO edition, which also gives you access to extensions. The community edition works fine for those just starting out in bug bounties however the extensions that come with PRO definitely do make your life a lot easier. If you can upgrade, it's recommended. This is the most used tool when conducting website security testing.

An alternative to Burp Suite is Fiddler by Telerik. Fiddler does everything Burp can do and even has extensions.

GetJS by 003random

GetJS will take a list of domains and extract any .js files found on each domain. This is useful if you want to sort through lots of .js files for new urls/endpoints on a mass scale.

GoLinkFinder by 0xsha

GoLinkFinder will extract URLs and endpoints from JS files from a list of urls you provide.

WayBackUrls by mhmdiaa

WayBackUrls will extract urls archived by WayBackMachine for the domain you input. An alternative in GO is TomNomNom's WayBackUrls

WayBackRobots by mhmdiaa

WayBackRobots — Lots of companies list endpoints in /robots.txt and this changes overtime. Who's got it all archived? WayBackMachine! WayBackRobots will extract as much robots.txt information as possible from years ago for your chosen domain. Very useful for finding old endpoints which may still work!

MassDNS by blechschmidt

MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

Alternative subdomain scanners

There are a lot of alternative subdomain scanners such as:

Subdomain Discovery Services

There are a variety of services available to provide you with recon data. Some of the data is free and some require a membership, although if you follow them each on twitter they often post free trials to test their services!


Fuzz Faster U Fool! Let the GitHub repo do the talking: FFuF. An alternative to FFuF is wfuzz - WFUZZ

codingo has a great video on How to master FFUF for Bug bounties and Pen testing and InsiderPHD also has a video titled, How to use ffuf - Hacker toolbox. Be sure to check both out so you can learn how to use FFuF to it's true potential (because trust me, you want to!).


Other helpful tools / scripts

Have we missed a tool? Want to add yours? Email us - [email protected]