## https://sploitus.com/exploit?id=FD8D8072-37FD-514C-B3E2-2E00FA1B6985
# hunter-max
A bug-bounty research framework. Two pieces:
1. **Deep Read** โ a recon module that fetches the JavaScript bundles of a single-page app (including webpack Module Federation chunks the rest of the SPA loads at runtime), extracts the API surface from the minified code, and ranks the discovered endpoints by attack potential using an LLM.
2. **Hunter pipeline** โ a multi-tier scanning pipeline that watches public bug-bounty programs for newly-launched scope, runs nuclei templates and JS analysis against live hosts, escalates interesting findings through tiered LLM review (cheap triage โ Sonnet investigation โ Opus verdict), and posts to Discord.
> โ ๏ธ **For authorized security research only.** Read [the disclaimer](#disclaimer) before using.
---
## What makes Deep Read different
Most SPA recon tools fetch the two or three entry bundles a browser loads on the first page hit. Modern apps use webpack Module Federation: the entry bundle contains a `__webpack_require__.u` chunk-name map that points at dozens or hundreds of additional bundles, lazily loaded as the user clicks around. Deep Read parses that map and probes the federated micro-frontend hosts, expanding the visible surface from ~3 bundles to 100+.
The expanded surface gets parsed for endpoints (`fetch`, `axios`, `XMLHttpRequest`, `helper(METHOD, PATH, โฆ)` wrappers, OpenAPI / Swagger specs, GraphQL operations). Endpoints are then deduplicated, scored, and sent to an LLM that writes ranked attack hypotheses with reasoning.
The output is a markdown report โ endpoints, hypotheses, supporting evidence โ that a human operator manually verifies before submitting.
---
## Quickstart โ Deep Read only
```bash
git clone https://github.com/clutchitggs/hunter-max.git
cd hunter-max
python -m venv .venv && source .venv/bin/activate # Windows: .venv\Scripts\activate
pip install -r requirements.txt
export ANTHROPIC_API_KEY=sk-ant-... # or set OPENAI_API_KEY for the OpenAI path
# 1. Log into the target in Chrome (handle WAF / 2FA / SSO manually)
# 2. DevTools โ Network โ copy the Cookie header from any XHR
# 3. Run:
python -m src.deep_read app.example.com \
--cookie "session=...; csrf=..." \
--header "Authorization: Bearer eyJ..."
```
Output lands in `reports/deep_read/_.md`.
## Quickstart โ full pipeline
Requires more setup (Discord webhook, Hetzner / DO VPS recommended for the long-running modes):
```bash
cp config.example.json config.json
# Edit config.json โ set anthropic_balance_usd, daily_budget_usd, Discord webhook
python -m src.infinite_hunter
```
The pipeline runs forever, polling new-program feeds, scope changes, CVE feeds, M&A news, and rotating through registered targets.
---
## Architecture (one screenful)
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ infinite_hunter โ top-level scheduler โ
โ โโโ program_scanner new-program polling โ
โ โโโ scope_checker scope-diff detection โ
โ โโโ cve_monitor CVE โ affected-target lookup โ
โ โโโ ma_recon M&A news โ newly-acquired targets โ
โ โโโ orchestrator pulls targets, drives the pipeline โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ recon โ vuln_scanner โ evidence_enricher โ AI tiers โ
โ โ
โ recon: subfinder, dns_checker, wayback, s3_enum, โ
โ nuclei_runner, js_analyzer, deep_read โ
โ โ
โ AI tiers (cost-controlled, daily budget per tier): โ
โ T1: GPT-4o-mini triage โ
โ T2: Claude Sonnet investigate โ
โ T3: Claude Sonnet challenge T2 reject โ
โ T4: Claude Opus final verdict โ
โ T5: Claude Opus challenge T4 reject โ
โ โ
โ approved findings โ report_drafter โ Discord notification โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
Each tier has its own daily budget cap. When all caps are hit the system stops new analysis until the next day or until the operator tops up.
---
## Repository layout
```
src/
โโโ deep_read/ SPA recon: bundle fetch, JS parsing, LLM ranking
โ โโโ cli.py entry point: python -m src.deep_read
โ โโโ fetcher.py SPA-aware, S3-safe HTTP fetcher
โ โโโ webpack_chunks.py Module Federation chunk-map expansion
โ โโโ js_parser.py endpoint extraction from minified JS
โ โโโ spec_finder.py OpenAPI / Swagger / GraphQL probing
โ โโโ analyzer.py LLM hypothesis ranking + kill-rules
โ โโโ report.py markdown report writer
โ
โโโ infinite_hunter.py top-level scheduler
โโโ orchestrator.py per-target pipeline driver
โโโ ai_analyzer.py tiered LLM review
โโโ llm_client.py unified Anthropic / OpenAI client
โโโ nuclei_runner.py nuclei integration
โโโ js_analyzer.py JS-bundle secret/endpoint extraction
โโโ program_scanner.py bug-bounty platform polling
โโโ scope_checker.py scope-diff detection
โโโ scope_importer.py scope import from various platforms
โโโ cve_monitor.py CVE โ affected-target lookup
โโโ ma_recon.py M&A news โ newly-acquired-asset recon
โโโ target_scorer.py target prioritisation
โโโ notifier_discord.py Discord webhook notifier
โโโ dashboard.py local Flask status dashboard
โโโ โฆ
data/
โโโ wordlist.txt small built-in wordlist
requirements.txt
config.example.json
```
---
## Configuration
Copy `config.example.json` to `config.json` and edit. Important fields:
| Field | Meaning |
|--------------------------------------|------------------------------------------------------|
| `llm.provider` | `"anthropic"` or `"openai"` |
| `llm.api_key_env` | name of the env var holding the API key |
| `llm.anthropic_balance_usd` | your current balance โ system stops at the floor |
| `llm.stop_at_remaining_usd` | floor below which AI calls halt |
| `tiers.tier1.daily_budget_usd` | per-tier daily cap |
| `signals.*_interval_*` | how often each scheduled signal fires |
The config is a plain JSON file; structure is stable across versions.
---
## Disclaimer
This software is intended **only** for authorized security research:
- Bug-bounty programs whose scope explicitly authorizes automated scanning.
- Penetration-testing engagements with written authorization.
- Targets you own.
- CTF / lab environments.
Running this against systems you do not have written permission to test is illegal under most computer-misuse laws (Israel: Computer Law 1995 ยง2/ยง4; US: CFAA 18 USC ยง1030; UK: Computer Misuse Act 1990; EU: NIS2 / national equivalents).
Configure scope checks before pointing the pipeline at anything. **The author assumes no liability for misuse.**
---
## License
MIT โ see [LICENSE](LICENSE).