Share
## https://sploitus.com/exploit?id=EB6C73DA-7DAA-5D3C-B2EF-B41D64951C04
# Bug Bounty Toolkit

Automated reconnaissance-to-triage pipeline for bug bounty hunting. 17 modular scanners driven by a checkpoint-safe orchestrator, from subdomain discovery to interactive finding triage.

```mermaid
graph TD
    subgraph "Layer 0 โ€” Infrastructure"
        SG[scope_guard] --> AP[auth_profiles]
        AP --> PS[pipeline_state]
    end

    subgraph "Layer 1 โ€” Asset Discovery"
        ST[subtakeover10] --> RH[reconharvest]
        RH --> GD[gitdump]
        RH --> JR[jsreaper]
    end

    subgraph "Layer 2 โ€” Content & JS"
        JR --> SR[spa_router]
        JR --> HA[headeraudit]
        JR --> AF[apifuzz]
        JR --> PF[paramfuzz]
        JR --> SS[ssrfprobe]
        JR --> OA[oauthprobe]
    end

    subgraph "Layer 3 โ€” Targeted Testing"
        HA --> NH
        AF --> NH[nuclei-harvest]
        PF --> XS[xss_context]
        ST --> CE[cloudexpose]
        CE --> NH
        OA --> NH
        GD --> NH
    end

    subgraph "Layer 4 โ€” Verification"
        AF --> IC[idor_crosssession]
        PF --> XS
        XS --> NH
        JR --> SV[secret_verify]
        SV --> NH
    end

    subgraph "Layer 5 โ€” Triage"
        NH --> TM[triage_memory]
        TM --> WR[reports/]
    end

    subgraph "Layer 6 โ€” Manual"
        WR --> H1[HackerOne / Bugcrowd]
    end
```

## Pipeline in 3 commands

```bash
cp toolkit/configs/scope.example.yaml scope.yaml   # edit your targets
pip install httpx pyyaml
python orchestrator.py --target example.com --deep --scope scope.yaml
```

Output: `work/example.com//triage_queue.md` โ€” severity-sorted, ready to submit.

## What it does

### Discovery
| Tool | What it finds | Input |
|------|--------------|-------|
| `subtakeover10.py` | Subdomains via CT logs, passive DNS (8 sources), TLS, WHOIS, permutations, CNAME takeover | domain name |
| `reconharvest.py` | Passive enrichment โ€” Wayback URLs, HTTP headers, port scan, IP metadata | subtakeover.json |
| `gitdump.py` | Exposed `.git` repositories โ€” reconstructs source, hunts committed secrets | subtakeover.json |

### Content & JS Analysis
| Tool | What it finds | Input |
|------|--------------|-------|
| `jsreaper.py` | API endpoints, auth tokens, AWS/GCP keys, internal URLs from JS bundles | reconharvest.json |
| `spa_router.py` | Static route-table reconstruction for Next.js/Nuxt/React Router/Vue Router | jsreaper.json |
| `headeraudit.py` | Missing security headers (CSP, HSTS, XFO, COOP, etc.) | reconharvest.json |

### Fuzzing & Probing
| Tool | What it finds | Input |
|------|--------------|-------|
| `4xxbypass.py` | 403/401 bypass via method override, headers, path tricks | reconharvest.json |
| `apifuzz.py` | BOLA/IDOR, mass assignment, JWT `alg: none`, rate-limit gaps | jsreaper.json |
| `paramfuzz.py` | Hidden parameters โ€” debug, privilege, IDOR, pagination | jsreaper.json |
| `ssrfprobe.py` | SSRF via OOB + reflective โ€” metadata endpoints, internal services | jsreaper.json |
| `oauthprobe.py` | OAuth misconfig โ€” redirect URI takeover, state CSRF, token leakage | jsreaper.json |

### Cloud & Infra
| Tool | What it finds | Input |
|------|--------------|-------|
| `cloudexpose.py` | Exposed S3 buckets, Firebase DBs, Azure blobs, GCP storage | subtakeover.json |

### Verification
| Tool | What it finds | Input |
|------|--------------|-------|
| `xss_context.py` | Context-aware reflected XSS verification (payload fires or not) | paramfuzz.json |
| `idor_crosssession.py` | Cross-session BOLA proof โ€” needs 2 auth profiles | apifuzz.json |
| `secret_verify.py` | Provider-side liveness check for harvested secrets | jsreaper.json |

### Aggregation & Triage
| Tool | What it finds | Input |
|------|--------------|-------|
| `nuclei-harvest.py` | Master aggregator โ€” dedup, chain detection, bounty report generation | All stage outputs |
| `triage_memory.py` | Interactive finding triage with H1/Bugcrowd writeup generation | nuclei-harvest.json |

### Additional
| Tool | What it finds |
|------|--------------|
| `graphql_deep.py` | GraphQL schema recovery, introspection, batching/depth abuse |
| `upload_probe.py` | File upload abuse โ€” polyglot, path traversal, MIME bypass |
| `apk_static.py` | Android APK static analysis โ€” exported components, hardcoded secrets |
| `anomaly_baseline.py` | Response-size distribution baseline for anomaly detection |
| `oob_catcher.py` | Self-hosted interact.sh OOB callback server for blind SSRF/XXE |
| `watch_daemon.py` | Continuous monitoring โ€” diffs each scan, alerts on new signal |

## Pipeline modes

| Mode | Stages | Runtime | Use case |
|------|--------|---------|----------|
| `--quick` | 6 | ~5 min | Initial recon, re-scans |
| `--deep` | 20 | 30โ€“90 min | Full attack surface coverage |
| `--resume` | varies | varies | Continue from last checkpoint |
| `--watch` | varies | continuous | Monitor for new assets (cron replacement) |

`python orchestrator.py --target example.com --deep --scope scope.yaml`

On any stage failure, the orchestrator skips to the next non-dependent stage rather than aborting. Use `--resume` to retry only the failed stages.

## Configuration

### scope.yaml (mandatory)
```yaml
program: bug-bounty-toolkit
scope:
  includes:
    - example.com
    - "*.example.com"
  excludes: []
rate_limit:
  max_rps: 10
  max_concurrent: 5
```

Every tool calls `scope_guard.check_scope()` before each request. Out-of-scope targets are logged to `blocked.log` and skipped immediately.

### auth_profiles.yaml (for IDOR verification)
```yaml
profiles:
  user_a: { cookies: { session: "..." }, bearer: "..." }
  user_b: { cookies: { session: "..." }, bearer: "..." }
```

Required by `idor_crosssession.py` for BOLA verification. Optional for all other stages.

## Requirements

- **Python 3.9+** (stdlib + httpx + PyYAML)
- Tested on: Linux (x86_64, ARM64), Termux (Android)
- Optional: `beautifulsoup4`, `rich` for prettier output
- Optional: `interactsh-client` + `espeak` for OOB alerting (`scripts/start_ish.sh`)

## Output format

Every tool writes a `NormalizedFinding`-compatible JSON with this shape:

```json
{
  "domain": "example.com",
  "findings": [{
    "id": "cloudexp_92115",
    "host": "testphp.com",
    "type": "S3_LIST",
    "severity": "HIGH",
    "confidence": "candidate",
    "evidence": "GET ... โ†’ HTTP 200 Body: ...",
    "curl_command": "curl -s https://testphp.com.s3.amazonaws.com/",
    "impact_tier": "P1",
    "payout_range": "$100โ€“$2,000"
  }],
  "host_reports": [...]
}
```

`nuclei-harvest.py` aggregates all stage outputs, deduplicates, detects attack chains, and generates:
- `final.json` โ€” master findings
- `final.html` โ€” interactive dashboard
- `final.csv` โ€” remediation tracker
- `final-reports/` โ€” per-finding bounty writeups

`triage_memory.py` walks through findings interactively, lets you review/submit/reject each, and generates HackerOne-formatted writeups.

## Test suite

```bash
pip install httpx pyyaml pytest
python -m pytest toolkit/tests/ -v
```

139 tests covering unit + integration paths with a mock HTTP server fixture.

## Documentation

- `QUICKSTART.md` โ€” 5-command end-to-end guide
- `WORKFLOW.md` โ€” pipeline architecture, stage details, manual follow-up
- `toolkit/IMPLEMENTATION_NOTES.md` โ€” deviations from original spec with rationale
- Per-tool READMEs in `toolkit//.README.md`

## Project structure

```
โ”œโ”€โ”€ orchestrator.py          # Pipeline driver (quick/deep/resume/watch)
โ”œโ”€โ”€ watch_daemon.py          # Continuous monitoring daemon
โ”œโ”€โ”€ scope.yaml               # Target scope + rate limits
โ”œโ”€โ”€ auth_profiles.yaml       # Test identities
โ”œโ”€โ”€ QUICKSTART.md
โ”œโ”€โ”€ WORKFLOW.md
โ”œโ”€โ”€ scripts/
โ”‚   โ”œโ”€โ”€ subtakeover10.py     # Subdomain takeover scanner
โ”‚   โ”œโ”€โ”€ reconharvest.py      # Passive recon enrichment
โ”‚   โ”œโ”€โ”€ gitdump.py           # .git repository extraction
โ”‚   โ”œโ”€โ”€ jsreaper.py          # JS asset + secret extraction
โ”‚   โ”œโ”€โ”€ headeraudit.py       # Security header audit
โ”‚   โ”œโ”€โ”€ 4xxbypass.py         # 403/401 bypass
โ”‚   โ”œโ”€โ”€ apifuzz.py           # API fuzzing
โ”‚   โ”œโ”€โ”€ paramfuzz.py         # Hidden parameter discovery
โ”‚   โ”œโ”€โ”€ ssrfprobe.py         # SSRF probing
โ”‚   โ”œโ”€โ”€ oauthprobe.py        # OAuth misconfiguration
โ”‚   โ”œโ”€โ”€ cloudexpose.py       # Cloud storage exposure
โ”‚   โ”œโ”€โ”€ nuclei-harvest.py    # Pipeline aggregator
โ”‚   โ””โ”€โ”€ start_ish.sh         # OOB interaction monitor
โ”œโ”€โ”€ toolkit/
โ”‚   โ”œโ”€โ”€ __init__.py
โ”‚   โ”œโ”€โ”€ configs/             # Example YAML configs
โ”‚   โ”œโ”€โ”€ infra/               # Infrastructure (scope, auth, pipeline state, findings)
โ”‚   โ”œโ”€โ”€ infra_ext/           # OOB catcher
โ”‚   โ”œโ”€โ”€ discover/            # SPA router discovery
โ”‚   โ”œโ”€โ”€ testers/             # graphql_deep, upload_probe, apk_static, anomaly_baseline
โ”‚   โ”œโ”€โ”€ verify/              # xss_context, idor_crosssession, secret_verify, triage_memory
โ”‚   โ”œโ”€โ”€ schemas/             # Pydantic models
โ”‚   โ””โ”€โ”€ tests/               # 139 pytest tests
โ””โ”€โ”€ toolkit/
```

## License

For authorized penetration testing and bug bounty research only. Ensure you have written permission before scanning any target.