Skip to content

shuvonsec/vuln-scanner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 
vuln_scanner.sh
vuln_scanner.sh
 
 

Repository files navigation

Vuln Scanner — Automated Vulnerability Scanner for Bug Bounty Recon Pipelines

8-category vulnerability scanner that runs against your recon directory and produces organized, actionable findings.

Shell License: MIT nuclei

Vuln Scanner is an open-source automated vulnerability scanner for bug bounty hunters. It takes a structured recon directory as input and runs 8 targeted checks — from XSS and SSRF to subdomain takeover and IDOR — using industry-standard tools like Nuclei, Dalfox, and Subjack. All findings are neatly organized by category for rapid triage.

Table of Contents

Checks

# Category Tools Used
1 XSS dalfox, nuclei (-tags xss)
2 Subdomain Takeover subjack, nuclei (-tags takeover)
3 Misconfigurations nuclei (CORS, headers, misconfig templates)
4 Sensitive Data Exposure nuclei (exposed files, panels, default creds) + curl verification
5 SSRF nuclei (-tags ssrf) + parameter flagging for manual testing
6 Known CVEs nuclei (-tags cve, medium+ severity)
7 Open Redirects nuclei (-tags redirect) + redirect parameter flagging
8 IDOR / Auth Bypass Parameter grep, sequential ID detection, unauthenticated API probing, HTTP method tampering

Prerequisites

Installation

git clone https://github.com/shuvonsec/vuln-scanner.git
cd vuln-scanner
chmod +x vuln_scanner.sh

Usage

# Full scan
./vuln_scanner.sh /path/to/recon/target

# Quick mode (faster, reduced coverage)
./vuln_scanner.sh /path/to/recon/target --quick

Recon Directory Structure

The scanner expects a recon directory with the following layout:

recon/target/
  live/urls.txt            # Live URLs (required)
  live/httpx_full.txt      # Alternative: httpx output
  urls/with_params.txt     # URLs with query parameters
  urls/all.txt             # All discovered URLs
  urls/api_endpoints.txt   # API endpoints
  urls/sensitive_paths.txt # Sensitive file paths
  subdomains/all.txt       # Subdomains list
  params/interesting_params.txt  # Interesting parameters

Output Structure

Findings are saved to findings/<target>/ organized by vulnerability category:

findings/target/
  xss/          # XSS results
  takeover/     # Subdomain takeover results
  misconfig/    # CORS, headers, general misconfigs
  exposure/     # Exposed files, panels, default creds
  ssrf/         # SSRF findings + manual test candidates
  cves/         # Known CVE detections
  redirects/    # Open redirect findings
  idor/         # IDOR candidate URLs
  auth_bypass/  # Unauthenticated access, method tampering
  summary.txt   # Consolidated summary of all findings

License

MIT — built for the bug bounty community.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

5 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages