BountySecurity / gbounty

GBounty is a multi-step website vulnerability scanner developed in Golang designed to help companies, pentesters, and bug hunters identify potential vulnerabilities in web applications.
https://gbounty.bountysecurity.ai
MIT License
52 stars 9 forks source link


GBounty

Fast, reliable, and highly customizable website vulnerability scanner.

InstallDocumentation


Downloads Contributors

Multi-step website vulnerability scanner designed to help pentesters and bug hunters identify potential vulnerabilities in web applications.

We have a dedicated repository that houses various type of web vulnerability profiles contributed by security researchers and engineers.

[!WARNING]
This project is in active development. Expect breaking changes with releases. Review the release changelog before updating.

[!CAUTION]
This project was primarily built to be used as a standalone CLI tool. Running gbounty as a service may pose security risks. It's recommended to use with caution and additional security measures.

Getting started

Install GBounty

To start using GBounty, you can either install it using Go, or download one of the pre-compiled binaries from GitHub Releases.

Installation with Go

GBounty requires Go v1.21 to install successfully. Run the following command to install the latest version under development:

go install -v github.com/bountysecurity/gbounty/cmd/gbounty@main

Installation with GitHub Releases

Navigate to the GitHub Releases page and download the pre-compiled binary of the latest version (or any other) for the operating system (Linux, macOS, or Windows) and architecture (amd64, arm64, 386...) of your preference.

Other installation mechanism

Unfortunately, currently we don't have support for other installation mechanisms, like Homebrew, Snap, Choco or Docker, but contributions are welcome! See #1, for instance.

Usage

gbounty -h

This will display help for the tool.

 INFO  GBounty is a multi-step web scanner that uses web vulnerability profiles
 INFO  GBounty profiles can be found at: https://github.com/BountySecurity/gbounty-profiles

Usage:
  gbounty [flags]

Flags:
  -h, --help
        Show help
  --update
        Update app and profiles
  --update-app
        Update app
  --update-profiles
        Update profiles
  --force-update-profiles
        Update profiles forcefully

TARGET INPUT:
  -u, --url value
        If specified, it will be used as the target url
    Can be used more than once: -u url1 -u url2
  -uf, --urls-file string
        If specified, each line present on the file will be used as the target urls
  -rf, --requests-file string
        If specified, each file present on the requests file will be used as the target url and request template
    Only zipped (.zip) requests files are supported
  -rr, --raw-request value
        If specified, contents on given path will be used as the target url and request template
    Can be used more than once: --raw-request path/requests/req1.txt --raw-request path/requests/req2.txt
  -pf, --params-file string
        If specified, each line present on the file will be used as a request parameter
    Used in combination with --params-split
  -ps, --params-split int
        Determines the amount of parameters (-pf/--params-file) included into each group (default: 10)
    Use one (1) to scan every param individually
  -pm, --params-method string
        Determines the HTTP method the params (-pf/--params-file) will be included into (default: "GET")
    Supported methods are: "GET" (url) and "POST" (www/url-encoded, body)
  -pe, --params-encoding string
        Determines the encoding the params (-pf/--params-file) will be included into (default: "url")
    Supported encodings are: "url" (application/x-www-form-urlencoded) and "json" (application/json)
    Only used when --params-method/-pm is set to "POST"

Options for --url (-u) and --urls-file:
  -X, --method string
        If specified, it will be used as default HTTP method for request templates
  -H, --header value
        If specified, they will be used as the default HTTP header(s) for request templates
    Can be used more than once: -H "Accept: application/json" -H "Content-Type: application/json"
  -d, --data value
        If specified, it will be used as the default HTTP body data for request templates

PROFILE OPTIONS:
  -p, --profiles value
        Determines the path where profile file(s) will be read from (default: "./profiles/")
    It can also be used with the path to a specific profile file
    Can be used more than once: -p profiles/XSS.bb -p profiles/SQLi.bb
  -t, --tag value
        If specified, only profiles tagged with provided tags will be used
    Can be used more than once: -t tag1 -t tag2
  -active, --only-active
        If specified, only active profiles will be analyzed during the scan
  -passive, --only-passive
        If specified, only passive profiles will be analyzed during the scan
  -psreq, --only-passive-req
        If specified, only passive request profiles will be analyzed during the scan
  -psres, --only-passive-res
        If specified, only passive response profiles will be analyzed during the scan
  -tags, --print-tags
        Print available profile tags

RUNTIME OPTIONS:
  -c, --concurrency int
        Determines how many target URL(s) will be scanned concurrently (default: 10)
  -r, --rps int
        Determines the limit of requests per second (per URL) (default: 10)
  -s, --silent
        If specified, no results will be printed to stdout
  -sos, --save-on-stop
        Saves the scan's status when stopped
  -f, --from string
        Scan's identifier to be used to continue
  -m, --in-memory
        Use memory (only) as scan storage
  -ih, --interaction-host string
        (Deprecated) If specified, the interaction host is injected into {IH}, {BH} and {BC} labels
  -bh, --blind-host string
        If specified, the interaction host is injected into {IH}, {BH} and {BC} labels
  -email, --email-address string
        If specified, the email address is injected into {EMAIL} labels
  --proxy-address string
        If specified, requests are proxied to the given address
    To specify host and port use host:port
  --proxy-auth string
        If specified, proxied requests will include authentication details

OUTPUT OPTIONS:
  -o, --output string
        Determines the path where the output file will be stored to
    By default, the output file is formatted as plain text
  -j, --json
        If specified, the output file will be JSON-formatted
    By default, the output file is formatted as plain text
  -md, --markdown
        If specified, the output file will be Markdown-formatted
    By default, the output file is formatted as plain text
  -a, --all
        If specified, results will include all requests and responses
    By default, only those requests that caused a match are included in results
    As it causes a noisy output, must be used in combination with -o/--output flag
  -areq, --all-requests
        If specified, results will include all requests
    By default, only those requests that caused a match are included in results
    As it causes a noisy output, must be used in combination with -o/--output flag
  -ares, --all-responses
        If specified, results will include all responses
    By default, only those requests that caused a match are included in results
    As it causes a noisy output, must be used in combination with -o/--output flag
  -se, --show-errors
        If specified, failed requests are included in results
  -sr, --show-responses
        If specified, those requests that caused a match are printed with the corresponding response
  -ste, --stream-errors
        If specified, failed requests are printed to stdout during the scan (live)
    By default, they are only printed at the end, only when the -se/--show-errors flag is provided
  -stm, --stream-matches
        If specified, those requests that caused a match are printed to stdout during the scan (live)
    Enabled by default, can be disabled with --stream-matches=false or -stm=false

DEBUG OPTIONS:
  -v, --verbose
        If specified, the internal logger will write warning and error log messages
  -vv, --verbose-extra
        If specified, the internal logger will write info, warning and error log messages
  -vvv, --verbose-all
        If specified, the internal logger will write debug, info, warning and error log messages
  -vout, --verbose-output string
        If specified, the internal logger will write the log messages to a file

EXAMPLES:
gbounty -u https://example.org -X POST -d "param1=value1&param2=value2" -t XSS -r 20 -a -o /tmp/results.json --json
gbounty --urls-file urls.txt -c 200 -r 10 -p /tmp/gbounty-profiles --silent --markdown -o /tmp/results.md
gbounty --raw-request raw_1.txt --raw-request raw_2.txt --blind-host yourblindhost.net
gbounty --requests-file requests.zip -r 150 --proxy-address=127.0.0.1:8080 -o /tmp/results.txt --all

Credits

Please, consider exploring the following comparable open-source projects that might also be beneficial for you:

FFuF, Jaeles, Nuclei, Qsfuzz, Inception, Snallygaster, Gofingerprint, Sn1per, Google tsunami, and ChopChop.

License

GBounty is distributed under MIT License