• Find Amazon s3 buckets:
    s3-buckets-bruteforce /opt/SecLists/mine/s3-buckets.txt <project>-
    if found: s3-buckets-extractor <bucket>
  • Explore GitHub account:
    github-search -o <project> -r 1000 -s password
    gitrob analyze quizlet --no-color --no-server

Here is a non exhausted list of vulnerabilities that I use as a reminder with links for reference. It’s based on many different resources available on the Internet.


Actarus is a custom tool that can perform automatic recon and store all datas in a database. Afterwards you could consult/search keywords in it to find vulnerabilities or at least entry points.

After some months of inactivity, I finally decided to publicly release the source code of Actarus. I started this project to learn Symfony, now I hate it. Maybe someone will give him another chance to grow up.


One quick and easy way to make cash in bug bounty job is subdomain takeover. The goal is to steal a forgetted/unused subdomain of your target and put a PoC in place. If you are able to do that, that means that instead of a plain text file, an attacker could replicate the true site of the victim and perform phishing. This way he could trick users and even the employees of the company to grab useful data like credentials, this can also have really huge impact on the companies reputation.

First of all you have to find a list of subdomains of your target. To perform that task, you can use a single tool like TheHarvester or DNSRecon.


We all know the famous quote “Think out of the box”. Technical knowledge is important but creativity is also. In bug bounty, to get nice rewards, sometimes you don’t need to be a crazy coder or great network engineer, you simply need to try what other didn’t.

This year, Slack get in trouble because many developers leave their credentials in their public repository. Last year Uber had to deal with a major security issue: database keys were stored in GitHub (this leads to a sweet bounty for the finder).

I found an interesting project, on GitHub itself, to parse the search engine results: vcsmap from Melvinsh. Unfortunately the scrapper seems to have trouble with search that required authentication. Since I don’t understand Ruby, I wrote my own tool with PHP.