## https://sploitus.com/exploit?id=3C05B801-8687-5076-995A-55DFAC5DBCAC
# Unified BB Suite: Combined Workflow
**Two workflows merged into one · 33 tools · 30 Python scripts · 3 enhanced core tools**
**Zero CGO · Termux-native · Async · Proxy pool · Platform import · Secret validation**
---
## What's Inside
```
unified_bb_suite/
│
├── pipelines/
│   └── chain_orchestrator.py        Master driver: 29 stages, 4 modes
│
├── core/                            Infrastructure (run first)
│   ├── scope_enforcer.py            MERGED: H1/BC/Intigriti/YesWeHack import
│   │                                + Unix socket API + httpx middleware
│   ├── rate_budget_manager.py       MERGED: token bucket + SQLite proxy pool
│   │                                + WAF-triggered proxy rotation
│   ├── waf_profiler.py              WAF fingerprint + bypass header exporter
│   └── termux_utils.py              Shared OOM watchdog, client factory
│
├── connectors/                      Gap bridges
│   ├── deep_recon_adapter.py        deep_recon.sh → Python pipeline JSON
│   ├── js_to_omega.py               jsreaper → bb_omega_scan connector
│   └── fingerprint_to_vertical.py   tech stack → bb_scan --only mapper
│
├── finding_pipeline/                Detection → quality → reporting
│   ├── secret_rotator.py            FROM bw-suite: live AWS/Stripe/GitHub/Slack validation
│   ├── triage_engine.py             FROM bw-suite: exploitability scoring + FP suppression
│   ├── vuln_kb.py                   FROM bw-suite: cross-engagement knowledge base
│   ├── vuln_deduplicator.py         Cross-tool dedup (URL-normalized + IDOR path merge)
│   ├── finding_correlator.py        10 exploit chain detectors + PoC narrative generator
│   └── template_fabricator.py       Confirmed finding → nuclei-go YAML template
│
├── attack_surface/                  New bug classes (all from bb_toolkit)
│   ├── sqlprobe.py                  SQLi: error + boolean + time-based blind
│   ├── lfiprobe.py                  LFI: 7 bypass layers + PHP wrappers
│   ├── graphql_depth_probe.py       GraphQL: 7 checks incl. APQ, batch abuse
│   ├── jwt_forge.py                 JWT: 10 attacks incl. JWK injection
│   ├── android_apk_recon.py         APK: DEX string pool + manifest (pure Python)
│   ├── depconscan.py                Dependency confusion: 7 ecosystems
│   ├── prototype_polluter.py        Server-side PP: canary + gadget confirmation
│   └── cors_chain_exploiter.py      CORS: bypass testing + HTML PoC generator
│
├── reporting/                       Output + alerting (all from bw-suite)
│   ├── report_templater.py          H1 / Bugcrowd / Intigriti / YesWeHack format
│   ├── chatops_bot.py               Slack + Discord + Telegram notifications
│   └── payload_gen.py               Tech-adaptive payloads (PHP/Java/Node/.NET/Python)
│
├── monitoring/                      Continuous (merged)
│   ├── subdomain_monitor_alert.py   CT log watcher + real-time differential alert
│   ├── continuous_monitor.py        Differential re-scan + regression detection
│   └── diff_scanner.py              FROM bw-suite: semantic HTTP response diff
│
├── fixed_scripts/                   Security-patched versions of existing tools
│   ├── gitdump.py                   Fix: path traversal in tree object filenames
│   ├── recon_pipeline_v4.py         Fix: YAML template injection (3 sites)
│   ├── nuclei-harvest.py            Added: --pipeline-v4 + parse_recon_pipeline_v4()
│   ├── apifuzz.py                   Added: BB_WAF_BYPASS_HEADERS env injection
│   ├── ssrfprobe.py                 Added: BB_WAF_BYPASS_HEADERS env injection
│   ├── paramfuzz.py                 Added: BB_WAF_BYPASS_HEADERS env injection
│   └── oauthprobe.py                Added: BB_WAF_BYPASS_HEADERS env injection
│
└── docs/
    ├── Workflow_Comparison.md       Full analysis: both suites compared (12 dimensions)
    ├── IMPLEMENTATION_SUMMARY.md    Per-tool reference + execution sequences
    └── BB_Workflow_DeepResearch.md  Original integration gap analysis
```
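The `fixed_scripts/gitdump.py` entry above patches a path traversal in tree object filenames. As an added illustration (not the suite's own code), this shows the vulnerable join pattern beside a hardened one: a filename read from an untrusted git tree object must stay inside the dump directory. `unsafe_join`, `safe_join` and `is_safe` are hypothetical names; the dump directory and entry names are constructed.

```python
from pathlib import Path, PurePosixPath


def unsafe_join(dump_dir: str, tree_name: str) -> str:
    # Vulnerable pattern: the name recorded in the tree object is trusted,
    # so an entry like "../../.ssh/authorized_keys" walks out of dump_dir.
    return str(Path(dump_dir) / tree_name)


def safe_join(dump_dir: str, tree_name: str) -> str:
    """Destination for one tree entry, or ValueError if the name is not a
    plain relative path that stays inside dump_dir."""
    if not tree_name or "\x00" in tree_name or "\\" in tree_name:
        raise ValueError("empty, NUL or backslash in tree entry name")
    rel = PurePosixPath(tree_name)  # git tree names are POSIX-style
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"traversal in tree entry name: {tree_name!r}")
    base = Path(dump_dir).resolve()
    # resolve() also follows symlinks already written into dump_dir, so a
    # link planted by an earlier entry cannot redirect this write outside.
    dest = (base / rel).resolve()
    if dest != base and base not in dest.parents:
        raise ValueError(f"escapes dump dir: {tree_name!r}")
    return str(dest)


def is_safe(dump_dir: str, tree_name: str) -> bool:
    """True when safe_join would accept the name (hypothetical helper)."""
    try:
        safe_join(dump_dir, tree_name)
        return True
    except ValueError:
        return False
```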
---
## Quick Start (3-Step Setup)
### Step 1: Replace patched scripts
```bash
cp fixed_scripts/*.py /path/to/SubTakeover/scripts/
cp fixed_scripts/recon_pipeline_v4.py /path/to/recon_pipeline/
```
### Step 2: Place unified tools
```bash
TOOLS_DIR=~/bb-pipeline
cp core/*.py $TOOLS_DIR/
cp connectors/*.py $TOOLS_DIR/
cp finding_pipeline/*.py $TOOLS_DIR/
cp attack_surface/*.py $TOOLS_DIR/
cp reporting/*.py $TOOLS_DIR/
cp monitoring/*.py $TOOLS_DIR/
cp pipelines/*.py $TOOLS_DIR/
```
### Step 3: Session setup
```bash
cd ~/bb-pipeline
# Option A: Manual scope
python3 scope_enforcer.py init --domain target.com
# Option B: Import from HackerOne JSON export (one command)
python3 scope_enforcer.py import --platform h1 --file h1_scope.json
python3 scope_enforcer.py import --platform bugcrowd --file bc_scope.json
python3 scope_enforcer.py import --platform auto --file program.json # auto-detect
export BB_SCOPE_FILE=$(pwd)/scope.json
# WAF profile: injects bypass headers into ALL fuzzers automatically
python3 waf_profiler.py --domain target.com --output waf_profile.json
eval $(python3 waf_profiler.py --domain target.com --export-env)
```
---
## Full Pipeline Run
```bash
# Standard full run
python3 chain_orchestrator.py \
-d target.com \
--mode full \
--oob yourserver.oastify.com \
--rules ~/bb-framework/rules/ \
--platform hackerone
# With proxy pool (for IP rotation on aggressive scans)
python3 chain_orchestrator.py \
-d target.com --mode full \
--proxies ~/proxies.txt \
--oob yourserver.oastify.com
# With ChatOps alerts (Slack/Discord/Telegram)
python3 chain_orchestrator.py \
-d target.com --mode full \
--chatops slack \
--webhook https://hooks.slack.com/services/XXX/YYY/ZZZ
# Fast path (skip deep recon + SAST, run all exploitation tools)
python3 chain_orchestrator.py -d target.com --mode fast
# Passive only (no active fuzzing, safe for sensitive targets)
python3 chain_orchestrator.py -d target.com --mode passive
# Resume after failure
python3 chain_orchestrator.py -d target.com --resume
# Skip to specific stage
python3 chain_orchestrator.py -d target.com --from-stage 6_secret_rotator
# Dry run (preview all commands without executing)
python3 chain_orchestrator.py -d target.com --mode full --dry-run
# List all 29 stages with modes
python3 chain_orchestrator.py --list-stages
```
---
## What's New vs Each Individual Workflow
### New vs bb_toolkit (from bb-workflow-suite)
| Tool | What it adds |
|---|---|
| `secret_rotator.py` | Validates found secrets against live APIs (AWS STS, Stripe, GitHub, Slack, Firebase, SendGrid). Turns "secret in JS" → "confirmed valid AWS key". Highest payout multiplier of any single tool. |
| `triage_engine.py` | Exploitability scoring (`EXPLOITABLE > FALSE_POSITIVE`), false-positive pattern suppression, live HTTP re-validation. Cuts manual review time significantly. |
| `vuln_kb.py` | SQLite knowledge base that persists across engagements. `--suggest` returns what has historically worked. Compounds in value over time. |
| `report_templater.py` | Generates submission-ready reports per platform (H1/BC/Intigriti) with CVSS vectors + curl PoC. Removes the formatting step from the workflow. |
| `chatops_bot.py` | Real-time Slack/Discord/Telegram alerts. Interactive commands (`/findings`, `/top-critical`). Batch mode for non-critical findings. |
| `payload_gen.py` | Technology-specific payloads for PHP/Java/Node/.NET/Python with WAF bypass encoding. Feeds directly into `sqlprobe.py` + `lfiprobe.py` payload lists. |
| `diff_scanner.py` | Semantic HTTP response diffing (SECURITY_RELEVANT vs NON_SECURITY classification). Catches CSP relaxations and new admin paths without a full tool re-run. |
| `scope_enforcer.py` v2 | Platform JSON import (H1/BC/Intigriti/YesWeHack), Unix socket API for non-Python tools, SQLite violation log. |
| `rate_budget_manager.py` v2 | SQLite proxy pool + proxy liveness testing + WAF-triggered rotation. IP ban recovery without manual intervention. |
### New vs bb-workflow-suite (from bb_toolkit)
| Tool | What it adds |
|---|---|
| `sqlprobe.py` | Detects SQLi dynamically (error + boolean + time-based). Previously only `payload_gen.py` wordlists, no prober. |
| `lfiprobe.py` | 7-layer LFI confirmation including PHP wrapper source disclosure and `expect://` RCE. |
| `graphql_depth_probe.py` | 7 GraphQL checks: APQ injection, subscription exposure, mutation CSRF, schema sensitive field scan. |
| `jwt_forge.py` | 10 JWT attacks including JWK injection, kid path traversal, kid SQL injection, alg confusion. |
| `android_apk_recon.py` | Pure-Python DEX string pool extraction + AXML manifest parser. No jadx required. |
| `depconscan.py` | Dependency confusion across npm/pip/Go/Ruby/Maven/Composer with optional registry verification. |
| `prototype_polluter.py` | Dynamic server-side PP confirmation with gadget testing (pug RCE, Express header injection). |
| `cors_chain_exploiter.py` | 8 CORS bypass origin patterns + self-contained HTML PoC page generator. |
| `subdomain_monitor_alert.py` | Real-time CT log polling (crt.sh + certspotter). Detects new subdomains in seconds vs hours. |
| Security fixes | YAML injection + path traversal in existing scripts; not fixed in bw-suite's `apply_fixes.py`. |
| `BB_WAF_BYPASS_HEADERS` env | WAF bypass headers propagated to ALL fuzzers automatically. Fixes silent false negatives. |
---
## Pipeline Stage Flow (full mode, 29 stages)
```
Stage 0: scope_enforcer (scope.json)
Stage 1: deep_recon + subtakeover + recon_pipeline                        [parallel]
Stage 2: adapter + reconharvest + fingerprint + payload_gen + gitdump     [parallel]
Stage 3: WAF profile → jsreaper → JS→Omega → SAST                         [sequential with inner parallel]
Stage 4: headeraudit + cloudexpose + bypass + apifuzz + paramfuzz +       [all parallel]
         ssrfprobe + oauthprobe + sqlprobe + lfiprobe + graphql +
         jwt_forge + prototype_polluter + depconscan + cors_chain
Stage 5: nuclei-go scan + cors_chain_exploiter
Stage 6: secret_rotator (validates every discovered credential)
Stage 7: vuln_deduplicator → triage_engine                               [exploitability + FP filter]
Stage 8: finding_correlator (10 chains) + template_fabricator + vuln_kb
Stage 9: nuclei-harvest → report_templater → chatops_bot
```
---
## Environment Variables Reference
| Variable | Set By | Read By | Effect |
|---|---|---|---|
| `BB_SCOPE_FILE` | `scope_enforcer.py init/import` | All tools | Block out-of-scope requests |
| `BB_WAF_BYPASS_HEADERS` | `waf_profiler.py --export-env` | apifuzz, ssrfprobe, paramfuzz, oauthprobe, all new tools | WAF bypass on every request |
| `BB_RATE_DELAY_MS` | `waf_profiler.py --export-env` | `rate_budget_manager.py`, all tools | Inter-request delay |
| `BB_CONCURRENCY` | Operator | `termux_utils.adaptive_concurrency()` | Worker count override |
---
## Dependencies
```bash
# Required
pip install httpx --break-system-packages
# Strongly recommended
pip install pyyaml --break-system-packages # template_fabricator.py
pip install rich --break-system-packages # chatops UI + progress bars (optional)
# Optional
pip install ijson --break-system-packages # faster JSON streaming (large scans)
pip install cryptography --break-system-packages # jwt_forge.py JWK injection
pip install requests --break-system-packages # secret_rotator.py (or httpx works)
```
---
## Scope Import Examples
```bash
# HackerOne: download program scope as JSON from H1 API or UI export
python3 scope_enforcer.py import --platform h1 --file ~/h1_program.json --scope scope.json
# Bugcrowd
python3 scope_enforcer.py import --platform bugcrowd --file ~/bc_program.json
# Intigriti
python3 scope_enforcer.py import --platform intigriti --file ~/inti_scope.json
# Auto-detect platform from JSON structure
python3 scope_enforcer.py import --platform auto --file ~/program.json
# Start Unix socket server (for bash/Go tools to query scope without Python)
python3 scope_enforcer.py serve --socket /tmp/scope.sock &
echo "CHECK api.target.com /v1/users" | nc -U /tmp/scope.sock
# View scope violations log (who probed what out-of-scope)
python3 scope_enforcer.py violations
```
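The socket API above answers `CHECK <host> <path>` queries so non-Python tools can refuse out-of-scope requests. As an added example (not the suite's `scope_enforcer.py`), the class below implements that decision over a constructed scope document; the JSON layout, the `ALLOW`/`DENY`/`ERROR` replies and the `ScopeChecker` name are assumptions, since the page documents none of them.

```python
import fnmatch
import json

# Constructed scope document. Its layout (in_scope / out_of_scope host
# patterns plus per-host excluded path prefixes) is an assumption made
# here, not the format scope_enforcer.py actually writes.
SCOPE_JSON = json.dumps({
    "in_scope": ["target.com", "*.target.com"],
    "out_of_scope": ["legacy.target.com", "*.corp.target.com"],
    "excluded_paths": {"api.target.com": ["/v1/admin"]},
})


class ScopeChecker:
    """Answers CHECK <host> <path> queries the way a socket server would."""

    def __init__(self, scope_json: str) -> None:
        scope = json.loads(scope_json)
        self.allow = [p.lower() for p in scope.get("in_scope", [])]
        self.deny = [p.lower() for p in scope.get("out_of_scope", [])]
        self.excluded = {h.lower(): v
                         for h, v in scope.get("excluded_paths", {}).items()}

    @staticmethod
    def _matches(host: str, patterns: list) -> bool:
        # "*.target.com" does not cover the apex, so list "target.com" too.
        return any(fnmatch.fnmatchcase(host, p) for p in patterns)

    def in_scope(self, host: str, path: str = "/") -> bool:
        host = host.lower().rstrip(".").split(":", 1)[0]  # case, dot, port
        if self._matches(host, self.deny):        # exclusions beat wildcards
            return False
        if not self._matches(host, self.allow):   # default deny
            return False
        for prefix in self.excluded.get(host, []):
            # Match on a path-segment boundary so /v1/adminx is not caught.
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                return False
        return True

    def handle(self, request: str) -> str:
        """One line of the socket protocol; reply words are assumed."""
        parts = request.strip().split()
        if len(parts) < 2 or parts[0].upper() != "CHECK":
            return "ERROR malformed request"
        path = parts[2] if len(parts) > 2 else "/"
        return "ALLOW" if self.in_scope(parts[1], path) else "DENY"
```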
---
## Knowledge Base Usage
```bash
# After each engagement, findings are auto-imported at Stage 8c
# Manual import
python3 vuln_kb.py --import-findings ./bb_target/triaged.json --domain target.com
# Query KB before next engagement with similar stack
python3 vuln_kb.py --suggest "Shopify"
python3 vuln_kb.py --suggest "Spring Boot"
python3 vuln_kb.py --stats # what works most often
```
---
## nuclei-go: The Scan Engine
nuclei-go (`nuclei-go/`) is the Termux-native Go scanner that runs as Stage 5 of the pipeline.
38 Go files, 9,442 lines, CGO_ENABLED=0, full nuclei template compatibility.
### Install on Termux (one command)
```bash
bash nuclei-go/install.sh
```
### Manual build
```bash
cd nuclei-go/
make build # ARM64 Termux binary
make build-amd64 # x86-64 for desktop testing
make test-unit # fast unit tests, no network
```
### What makes it Termux-native
- **ResourceGovernor**: OOM watchdog that pauses workers and forces GC when the heap exceeds 500MB. Prevents Android's LMKD from killing 3-hour scans mid-run.
- **Battery throttle**: drops to 25% workers below 10% battery
- **Wake lock**: `termux-wake-lock` prevents screen-off suspension
- **Checkpoint/resume**: atomic state file survives SIGTERM, OOM kill, screen lock. Resume with `nuclei-go resume -state ~/.nuclei-go/scans/scan-*.state`
- **termux-notification**: fires on CRITICAL/HIGH findings even with screen off
- **CGO-free**: pure static binary, no NDK, no root required
### How it fits in the pipeline
```
Stage 5_nuclei (chain_orchestrator.py):
  nuclei-go scan \
    -l {workdir}/recon-report-v2.json \      ← from reconharvest
    -t ~/.nuclei-go/templates/ \             ← official templates
    -s critical,high,medium \
    -o {workdir}/nuclei-raw.json             ← read by nuclei-harvest.py

Stage 8b_templates (template_fabricator.py):
  → generates {workdir}/fabricated-templates/*.yaml from confirmed findings

Re-scan with fabricated templates:
  nuclei-go scan -l targets.txt \
    -t {workdir}/fabricated-templates/ \     ← your custom detectors
    -s critical,high
```
### Output wiring
`nuclei-raw.json` is NDJSON format. `nuclei-harvest.py` reads it via
`--nuclei-output nuclei-raw.json` at Stage 9. Template compatibility matrix
and full integration notes: `nuclei-go/INTEGRATION.md`.
---
*For authorized penetration testing and bug bounty research only.*
*Replace fixed_scripts before use: they contain security fixes for existing pipeline tools.*