Three purpose-built tools for bug bounty reconnaissance and vulnerability discovery. Designed to be fast, async, and easy to integrate into your hunting workflow.
📡 recon.sh — Automated Recon Pipeline
Full reconnaissance pipeline in a single command.
./scripts/recon.sh target.comWhat it does:
- Subdomain Enumeration — crt.sh + DNS brute-force (150+ common subdomains)
- DNS Resolution — Resolve all subdomains to IPs
- Port Scanning — Top 100 ports via nmap
- URL Discovery — robots.txt + sitemap.xml extraction
- Technology Detection — Server headers, X-Powered-By
- Quick Vuln Checks — .env, .git, phpinfo, admin panels, debug pages
Output:
recon_target.com_20240101/
├── subdomains/
│ ├── crtsh.txt # crt.sh results
│ ├── bruteforce.txt # DNS brute-force
│ ├── all.txt # Merged + deduped
│ └── resolved.txt # With IPs
├── ports/
│ └── open_ports.txt # Open ports per host
├── urls/
│ ├── robots.txt # From robots.txt
│ ├── sitemap.txt # From sitemap.xml
│ └── all.txt # All URLs
├── tech/
│ └── headers.txt # Server/X-Powered-By
└── vulns/
└── interesting_paths.txt # Exposed paths
🔍 api-fuzzer.py — REST API Security Fuzzer
Automated API security testing for common vulnerability classes.
python scripts/api-fuzzer.py -u https://api.target.com/v1Modules:
| Module | What it tests |
|---|---|
| IDOR | Sequential IDs, UUID manipulation, path-based IDs |
| Auth Bypass | X-Forwarded-Host, X-Original-URL, header injection |
| Method Override | X-HTTP-Method-Override, X-HTTP-Method |
| Mass Assignment | Extra fields (role, is_admin, verified, price) |
| Rate Limiting | Missing 429 on auth endpoints |
| Error Messages | Verbose errors, stack traces, SQL errors |
Output:
📊 Results: 5 findings
🔴 CRITICAL: 1
🟠 HIGH: 2
🟡 MEDIUM: 2
Type Severity Title
----------------------------------------------------------------------
IDOR HIGH Potential IDOR in /api/users?id
AUTH_BYPASS CRITICAL Auth bypass via X-Forwarded-Host
RATE_LIMITING MEDIUM Missing rate limiting: /login
🏴 subdomain-takeover.py — Subdomain Takeover Checker
Check for dangling CNAME records vulnerable to takeover.
python scripts/subdomain-takeover.py -d target.com
python scripts/subdomain-takeover.py -f subdomains.txtSupported Services (15+):
| Service | CNAME Pattern | Bounty Range |
|---|---|---|
| GitHub Pages | *.github.io |
$50-$500 |
| Heroku | *.herokuapp.com |
$100-$500 |
| Shopify | *.myshopify.com |
$500-$2,000 |
| AWS S3 | *.s3.amazonaws.com |
$100-$500 |
| Azure | *.azurewebsites.net |
$200-$1,000 |
| CloudFront | *.cloudfront.net |
$100-$500 |
| Vercel | *.vercel.app |
$50-$200 |
| Netlify | *.netlify.com |
$50-$200 |
| Fly.io | *.fly.dev |
$100-$500 |
| Ghost | *.ghost.io |
$50-$200 |
| Tumblr | *.domains.tumblr.com |
$50-$200 |
| Pantheon | *.pantheonsite.io |
$100-$500 |
| Fastly | *.fastly.net |
$100-$500 |
| Surge.sh | *.surge.sh |
$50-$200 |
| Google Cloud | *.storage.googleapis.com |
$100-$500 |
git clone https://github.com/0xvenatio/security-toolkit.git
cd security-toolkit
pip install aiohttp
chmod +x scripts/recon.shrecon.sh:
curl,jq,nmap,dig(standard Linux tools)
api-fuzzer.py:
aiohttp(Python async HTTP)
subdomain-takeover.py:
aiohttp(Python async HTTP)
Automated security scanning on every push:
- ✅ Dependency vulnerability check (pip-audit, safety)
- ✅ Static analysis (Bandit, Semgrep)
- ✅ Secret detection (TruffleHog)
- ✅ Container scanning (Trivy)
- ✅ License compliance
For authorized security testing only. Always obtain permission before testing.
Built by @0xvenatio