## https://sploitus.com/exploit?id=3C05B801-8687-5076-995A-55DFAC5DBCAC
# Unified BB Suite - Combined Workflow

**Two workflows merged into one · 33 tools · 30 Python scripts · 3 enhanced core tools**
**Zero CGO · Termux-native · Async · Proxy pool · Platform import · Secret validation**

---

## What's Inside

```
unified_bb_suite/
│
├── pipelines/
│   └── chain_orchestrator.py      ★ Master driver - 29 stages, 4 modes
│
├── core/                          ← Infrastructure (run first)
│   ├── scope_enforcer.py          ★ MERGED: H1/BC/Intigriti/YesWeHack import
│   │                                        + Unix socket API + httpx middleware
│   ├── rate_budget_manager.py     ★ MERGED: token bucket + SQLite proxy pool
│   │                                        + WAF-triggered proxy rotation
│   ├── waf_profiler.py            WAF fingerprint + bypass header exporter
│   └── termux_utils.py            Shared OOM watchdog, client factory
│
├── connectors/                    ← Gap bridges
│   ├── deep_recon_adapter.py      deep_recon.sh → Python pipeline JSON
│   ├── js_to_omega.py             jsreaper → bb_omega_scan connector
│   └── fingerprint_to_vertical.py tech stack → bb_scan --only mapper
│
├── finding_pipeline/              ← Detection → quality → reporting
│   ├── secret_rotator.py          ★ FROM bw-suite: live AWS/Stripe/GitHub/Slack validation
│   ├── triage_engine.py           ★ FROM bw-suite: exploitability scoring + FP suppression
│   ├── vuln_kb.py                 ★ FROM bw-suite: cross-engagement knowledge base
│   ├── vuln_deduplicator.py       Cross-tool dedup (URL-normalized + IDOR path merge)
│   ├── finding_correlator.py      10 exploit chain detectors + PoC narrative generator
│   └── template_fabricator.py     Confirmed finding → nuclei-go YAML template
│
├── attack_surface/                ← New bug classes (all from bb_toolkit)
│   ├── sqlprobe.py                SQLi: error + boolean + time-based blind
│   ├── lfiprobe.py                LFI: 7 bypass layers + PHP wrappers
│   ├── graphql_depth_probe.py     GraphQL: 7 checks incl. APQ, batch abuse
│   ├── jwt_forge.py               JWT: 10 attacks incl. JWK injection
│   ├── android_apk_recon.py       APK: DEX string pool + manifest (pure Python)
│   ├── depconscan.py              Dependency confusion: 7 ecosystems
│   ├── prototype_polluter.py      Server-side PP: canary + gadget confirmation
│   └── cors_chain_exploiter.py    CORS: bypass testing + HTML PoC generator
│
├── reporting/                     ← Output + alerting (all from bw-suite)
│   ├── report_templater.py        H1 / Bugcrowd / Intigriti / YesWeHack format
│   ├── chatops_bot.py             Slack + Discord + Telegram notifications
│   └── payload_gen.py             Tech-adaptive payloads (PHP/Java/Node/.NET/Python)
│
├── monitoring/                    ← Continuous (merged)
│   ├── subdomain_monitor_alert.py  CT log watcher + real-time differential alert
│   ├── continuous_monitor.py       Differential re-scan + regression detection
│   └── diff_scanner.py             ★ FROM bw-suite: semantic HTTP response diff
│
├── fixed_scripts/                 ← Security-patched versions of existing tools
│   ├── gitdump.py                 Fix: path traversal in tree object filenames
│   ├── recon_pipeline_v4.py       Fix: YAML template injection (3 sites)
│   ├── nuclei-harvest.py          Added: --pipeline-v4 + parse_recon_pipeline_v4()
│   ├── apifuzz.py                 Added: BB_WAF_BYPASS_HEADERS env injection
│   ├── ssrfprobe.py               Added: BB_WAF_BYPASS_HEADERS env injection
│   ├── paramfuzz.py               Added: BB_WAF_BYPASS_HEADERS env injection
│   └── oauthprobe.py              Added: BB_WAF_BYPASS_HEADERS env injection
│
└── docs/
    ├── Workflow_Comparison.md     Full analysis: both suites compared (12 dimensions)
    ├── IMPLEMENTATION_SUMMARY.md  Per-tool reference + execution sequences
    └── BB_Workflow_DeepResearch.md Original integration gap analysis
```

---

## Quick Start (3-Step Setup)

### Step 1 - Replace patched scripts
```bash
cp fixed_scripts/*.py /path/to/SubTakeover/scripts/
cp fixed_scripts/recon_pipeline_v4.py /path/to/recon_pipeline/
```

### Step 2 - Place unified tools
```bash
TOOLS_DIR=~/bb-pipeline
cp core/*.py           $TOOLS_DIR/
cp connectors/*.py     $TOOLS_DIR/
cp finding_pipeline/*.py $TOOLS_DIR/
cp attack_surface/*.py $TOOLS_DIR/
cp reporting/*.py      $TOOLS_DIR/
cp monitoring/*.py     $TOOLS_DIR/
cp pipelines/*.py      $TOOLS_DIR/
```

### Step 3 - Session setup
```bash
cd ~/bb-pipeline

# Option A - Manual scope
python3 scope_enforcer.py init --domain target.com

# Option B - Import from HackerOne JSON export (one command)
python3 scope_enforcer.py import --platform h1 --file h1_scope.json
python3 scope_enforcer.py import --platform bugcrowd --file bc_scope.json
python3 scope_enforcer.py import --platform auto --file program.json  # auto-detect

export BB_SCOPE_FILE=$(pwd)/scope.json

# WAF profile → injects bypass headers into ALL fuzzers automatically
python3 waf_profiler.py --domain target.com --output waf_profile.json
eval $(python3 waf_profiler.py --domain target.com --export-env)
```

---

## Full Pipeline Run

```bash
# Standard full run
python3 chain_orchestrator.py \
        -d target.com \
        --mode full \
        --oob yourserver.oastify.com \
        --rules ~/bb-framework/rules/ \
        --platform hackerone

# With proxy pool (for IP rotation on aggressive scans)
python3 chain_orchestrator.py \
        -d target.com --mode full \
        --proxies ~/proxies.txt \
        --oob yourserver.oastify.com

# With ChatOps alerts (Slack/Discord/Telegram)
python3 chain_orchestrator.py \
        -d target.com --mode full \
        --chatops slack \
        --webhook https://hooks.slack.com/services/XXX/YYY/ZZZ

# Fast path (skip deep recon + SAST, run all exploitation tools)
python3 chain_orchestrator.py -d target.com --mode fast

# Passive only (no active fuzzing, safe for sensitive targets)
python3 chain_orchestrator.py -d target.com --mode passive

# Resume after failure
python3 chain_orchestrator.py -d target.com --resume

# Skip to specific stage
python3 chain_orchestrator.py -d target.com --from-stage 6_secret_rotator

# Dry run (preview all commands without executing)
python3 chain_orchestrator.py -d target.com --mode full --dry-run

# List all 29 stages with modes
python3 chain_orchestrator.py --list-stages
```

---

## What's New vs Each Individual Workflow

### New vs bb_toolkit (from bb-workflow-suite)

| Tool | What it adds |
|---|---|
| `secret_rotator.py` | Validates found secrets against live APIs (AWS STS, Stripe, GitHub, Slack, Firebase, SendGrid). Turns "secret in JS" → "confirmed valid AWS key". Highest payout multiplier of any single tool. |
| `triage_engine.py` | Exploitability scoring (`EXPLOITABLE > FALSE_POSITIVE`), false-positive pattern suppression, live HTTP re-validation. Cuts manual review time significantly. |
| `vuln_kb.py` | SQLite knowledge base that persists across engagements. `--suggest ` returns what has historically worked. Compounds in value over time. |
| `report_templater.py` | Generates submission-ready reports per platform (H1/BC/Intigriti) with CVSS vectors + curl PoC. Removes the formatting step from the workflow. |
| `chatops_bot.py` | Real-time Slack/Discord/Telegram alerts. Interactive commands (`/findings`, `/top-critical`). Batch mode for non-critical findings. |
| `payload_gen.py` | Technology-specific payloads for PHP/Java/Node/.NET/Python with WAF bypass encoding. Feeds directly into `sqlprobe.py` + `lfiprobe.py` payload lists. |
| `diff_scanner.py` | Semantic HTTP response diffing (SECURITY_RELEVANT vs NON_SECURITY classification). Catches CSP relaxations and new admin paths without a full tool re-run. |
| `scope_enforcer.py` v2 | Platform JSON import (H1/BC/Intigriti/YesWeHack), Unix socket API for non-Python tools, SQLite violation log. |
| `rate_budget_manager.py` v2 | SQLite proxy pool + proxy liveness testing + WAF-triggered rotation. IP ban recovery without manual intervention. |

### New vs bb-workflow-suite (from bb_toolkit)

| Tool | What it adds |
|---|---|
| `sqlprobe.py` | Detects SQLi dynamically (error + boolean + time-based). Previously only `payload_gen.py` wordlists, no prober. |
| `lfiprobe.py` | 7-layer LFI confirmation including PHP wrapper source disclosure and `expect://` RCE. |
| `graphql_depth_probe.py` | 7 GraphQL checks: APQ injection, subscription exposure, mutation CSRF, schema sensitive field scan. |
| `jwt_forge.py` | 10 JWT attacks including JWK injection, kid path traversal, kid SQL injection, alg confusion. |
| `android_apk_recon.py` | Pure-Python DEX string pool extraction + AXML manifest parser. No jadx required. |
| `depconscan.py` | Dependency confusion across npm/pip/Go/Ruby/Maven/Composer with optional registry verification. |
| `prototype_polluter.py` | Dynamic server-side PP confirmation with gadget testing (pug RCE, Express header injection). |
| `cors_chain_exploiter.py` | 8 CORS bypass origin patterns + self-contained HTML PoC page generator. |
| `subdomain_monitor_alert.py` | Real-time CT log polling (crt.sh + certspotter). Detects new subdomains in seconds vs hours. |
| Security fixes | YAML injection + path traversal in existing scripts, not fixed in bw-suite's `apply_fixes.py`. |
| `BB_WAF_BYPASS_HEADERS` env | WAF bypass headers propagated to ALL fuzzers automatically. Fixes silent false negatives. |

---

## Pipeline Stage Flow (full mode - 29 stages)

```
Stage 0:  scope_enforcer          (scope.json)
Stage 1:  deep_recon + subtakeover + recon_pipeline  [parallel]
Stage 2:  adapter + reconharvest + fingerprint + payload_gen + gitdump  [parallel]
Stage 3:  WAF profile → jsreaper → JS→Omega → SAST  [sequential with inner parallel]
Stage 4:  headeraudit + cloudexpose + bypass + apifuzz + paramfuzz +    [all parallel]
          ssrfprobe + oauthprobe + sqlprobe + lfiprobe + graphql +
          jwt_forge + prototype_polluter + depconscan + cors_chain
Stage 5:  nuclei-go scan + cors_chain_exploiter
Stage 6:  secret_rotator   ← validates every discovered credential
Stage 7:  vuln_deduplicator → triage_engine  [exploitability + FP filter]
Stage 8:  finding_correlator (10 chains) + template_fabricator + vuln_kb
Stage 9:  nuclei-harvest → report_templater → chatops_bot
```

---

## Environment Variables Reference

| Variable | Set By | Read By | Effect |
|---|---|---|---|
| `BB_SCOPE_FILE` | `scope_enforcer.py init/import` | All tools | Block out-of-scope requests |
| `BB_WAF_BYPASS_HEADERS` | `waf_profiler.py --export-env` | apifuzz, ssrfprobe, paramfuzz, oauthprobe, all new tools | WAF bypass on every request |
| `BB_RATE_DELAY_MS` | `waf_profiler.py --export-env` | `rate_budget_manager.py`, all tools | Inter-request delay |
| `BB_CONCURRENCY` | Operator | `termux_utils.adaptive_concurrency()` | Worker count override |

---

## Dependencies

```bash
# Required
pip install httpx --break-system-packages

# Strongly recommended
pip install pyyaml --break-system-packages      # template_fabricator.py
pip install rich   --break-system-packages      # chatops UI + progress bars (optional)

# Optional
pip install ijson         --break-system-packages  # faster JSON streaming (large scans)
pip install cryptography  --break-system-packages  # jwt_forge.py JWK injection
pip install requests      --break-system-packages  # secret_rotator.py (or httpx works)
```

---

## Scope Import Examples

```bash
# HackerOne - download program scope as JSON from H1 API or UI export
python3 scope_enforcer.py import --platform h1 --file ~/h1_program.json --scope scope.json

# Bugcrowd
python3 scope_enforcer.py import --platform bugcrowd --file ~/bc_program.json

# Intigriti
python3 scope_enforcer.py import --platform intigriti --file ~/inti_scope.json

# Auto-detect platform from JSON structure
python3 scope_enforcer.py import --platform auto --file ~/program.json

# Start Unix socket server (for bash/Go tools to query scope without Python)
python3 scope_enforcer.py serve --socket /tmp/scope.sock &
echo "CHECK api.target.com /v1/users" | nc -U /tmp/scope.sock

# View scope violations log (who probed what out-of-scope)
python3 scope_enforcer.py violations
```
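An added example (not code from the suite) of the scope-check logic behind the `CHECK host path` socket request shown above. The scope.json layout (in_scope / out_of_scope host patterns with an optional path prefix) and the ALLOW/DENY reply format are assumptions; the page shows only the request line.

```python
"""Scope check in the style of scope_enforcer.py's socket API (added
illustration). The scope.json layout and the ALLOW/DENY reply text are
assumptions; only the "CHECK host path" request line comes from the page."""
import fnmatch
import json

# Constructed sample scope of the kind `scope_enforcer.py init/import` might write.
SAMPLE_SCOPE = json.loads("""
{
  "domain": "target.com",
  "in_scope":  ["*.target.com", "api.target.com"],
  "out_of_scope": ["legacy.target.com", "api.target.com/v1/billing*"]
}
""")


def _entry_matches(entry: str, host: str, path: str) -> bool:
    """Match one scope entry. 'host/pathprefix*' entries also constrain the
    path; bare host entries match any path. Hosts use shell-style wildcards."""
    host_pat, _, path_pat = entry.partition("/")
    if not fnmatch.fnmatchcase(host.lower(), host_pat.lower()):
        return False
    return not path_pat or fnmatch.fnmatchcase(path, "/" + path_pat)


def is_in_scope(host: str, path: str, scope: dict = SAMPLE_SCOPE) -> bool:
    """Deny overrides allow, and anything not explicitly listed is denied."""
    if any(_entry_matches(e, host, path) for e in scope.get("out_of_scope", [])):
        return False
    return any(_entry_matches(e, host, path) for e in scope.get("in_scope", []))


def handle_check_line(line: str, scope: dict = SAMPLE_SCOPE) -> str:
    """Handle one request line as sent via `nc -U /tmp/scope.sock`.
    Malformed requests are denied rather than guessed at (fail closed)."""
    parts = line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CHECK":
        return "DENY malformed request"
    _, host, path = parts
    if not path.startswith("/"):
        return "DENY path must be absolute"
    verdict = "ALLOW" if is_in_scope(host, path, scope) else "DENY"
    return f"{verdict} {host}{path}"
```

The out-of-scope list is evaluated first so a path-level exclusion on an otherwise in-scope host still blocks the request.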

---

## Knowledge Base Usage

```bash
# After each engagement, findings are auto-imported at Stage 8c
# Manual import
python3 vuln_kb.py --import-findings ./bb_target/triaged.json --domain target.com

# Query KB before next engagement with similar stack
python3 vuln_kb.py --suggest "Shopify"
python3 vuln_kb.py --suggest "Spring Boot"
python3 vuln_kb.py --stats   # what works most often
```

---

## nuclei-go - The Scan Engine

nuclei-go (`nuclei-go/`) is your Termux-native Go scanner, Stage 5 of the pipeline.
38 Go files, 9,442 lines, CGO_ENABLED=0, full nuclei template compatibility.

### Install on Termux (one command)
```bash
bash nuclei-go/install.sh
```

### Manual build
```bash
cd nuclei-go/
make build              # ARM64 Termux binary
make build-amd64        # x86-64 for desktop testing
make test-unit          # fast unit tests, no network
```

### What makes it Termux-native
- **ResourceGovernor** - OOM watchdog, pauses workers + forces GC when heap > 500MB.
  Prevents Android's LMKD from killing 3-hour scans mid-run.
- **Battery throttle** - drops to 25% workers below 10% battery
- **Wake lock** - `termux-wake-lock` prevents screen-off suspension
- **Checkpoint/resume** - atomic state file survives SIGTERM, OOM kill, screen lock.
  `nuclei-go resume -state ~/.nuclei-go/scans/scan-*.state`
- **termux-notification** - fires on CRITICAL/HIGH findings even with screen off
- **CGO-free** - pure static binary, no NDK, no root required

### How it fits in the pipeline
```
Stage 5_nuclei (chain_orchestrator.py):
  nuclei-go scan \
      -l {workdir}/recon-report-v2.json \   ← from reconharvest
      -t ~/.nuclei-go/templates/ \           ← official templates
      -s critical,high,medium \
      -o {workdir}/nuclei-raw.json           ← read by nuclei-harvest.py

Stage 8b_templates (template_fabricator.py):
  → generates {workdir}/fabricated-templates/*.yaml from confirmed findings

Re-scan with fabricated templates:
  nuclei-go scan -l targets.txt \
      -t {workdir}/fabricated-templates/ \   ← your custom detectors
      -s critical,high
```

### Output wiring
`nuclei-raw.json` is in NDJSON (newline-delimited JSON) format: one finding per line. `nuclei-harvest.py` reads it via
`--nuclei-output nuclei-raw.json` at Stage 9. The template compatibility matrix
and full integration notes are in `nuclei-go/INTEGRATION.md`.
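An added example (not `nuclei-harvest.py` itself) of consuming that NDJSON output robustly: it deduplicates findings, applies the same severity floor as the `-s critical,high,medium` scan flag, and skips a truncated last line of the kind an OOM-killed scan leaves behind. Record field names (`template-id`, `info.severity`, `host`, `matched-at`) follow upstream nuclei's JSONL output; nuclei-go's exact schema is not stated on the page.

```python
"""Reader for the NDJSON written by `nuclei-go scan -o nuclei-raw.json`
(added illustration, not the suite's own harvester). Field names follow
upstream nuclei's JSONL output and are an assumption for nuclei-go."""
import json
from collections import Counter

# Constructed sample: two distinct findings, one duplicate, one info-level
# record, and a truncated final line (scanner killed mid-write).
SAMPLE_NDJSON = (
    '{"template-id":"exposed-env","info":{"severity":"high"},'
    '"host":"https://a.target.com","matched-at":"https://a.target.com/.env"}\n'
    '{"template-id":"cors-misconfig","info":{"severity":"medium"},'
    '"host":"https://api.target.com","matched-at":"https://api.target.com/v1"}\n'
    '{"template-id":"exposed-env","info":{"severity":"high"},'
    '"host":"https://a.target.com","matched-at":"https://a.target.com/.env"}\n'
    '{"template-id":"tech-detect","info":{"severity":"info"},'
    '"host":"https://a.target.com","matched-at":"https://a.target.com/"}\n'
    '{"template-id":"sqli-error","info":{"severity":"crit'
)

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def read_findings(text: str, min_severity: str = "medium"):
    """Parse NDJSON into a deduplicated finding list.
    Returns (findings, stats); stats counts kept/dropped records by reason."""
    seen, findings, stats = set(), [], Counter()
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            stats["skipped_malformed"] += 1   # e.g. partial last line
            continue
        sev = str(rec.get("info", {}).get("severity", "info")).lower()
        if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[min_severity]:
            stats["filtered_low"] += 1
            continue
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key in seen:                        # same template hit same URL
            stats["duplicates"] += 1
            continue
        seen.add(key)
        findings.append({"id": key[0], "severity": sev, "url": key[1], "line": lineno})
        stats[sev] += 1
    return findings, dict(stats)
```

A non-zero `skipped_malformed` count is the signal to re-run with `nuclei-go resume` rather than trust the partial file as complete.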

---

*For authorized penetration testing and bug bounty research only.*
*Replace fixed_scripts before use β€” they contain security fixes for existing pipeline tools.*