BugHunter Arsenal is a comprehensive, unified security scanning platform designed for bug bounty hunters and security researchers. It provides a single interface to run multiple specialized security tools simultaneously, making vulnerability discovery more efficient and organized.
Unlike standalone security tools, BugHunter Arsenal orchestrates multiple scanners through a unified web dashboard and command-line interface, allowing you to discover vulnerabilities across different attack vectors in parallel.
BugHunter Arsenal currently includes four specialized security scanning tools:
API Key Detection & Validation - Scans domains, subdomains, and URLs for exposed API keys and secrets from 50+ providers with real-time validation. Automatically categorizes findings as Valid ✓, Invalid ✗, or Manual Review ?.
Reflected Cross-Site Scripting (XSS) Vulnerability Scanner - Detects XSS vulnerabilities in URL parameters by testing all GET parameters simultaneously with 911+ customizable payloads. Checks for payload reflection in response content.
🔄 ORHunter
Open Redirect Vulnerability Scanner - Identifies open redirect vulnerabilities in web applications by testing URL parameters for redirect behavior. Useful for SSRF chains and social engineering attacks.
Subdomain Takeover Detection Scanner - Detects vulnerable subdomains that can be taken over using fingerprinting from can-i-take-over-xyz. Checks CNAME records, NXDOMAIN responses, and service fingerprints.
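The three checks named for the takeover scanner (CNAME target, NXDOMAIN response, service fingerprint) can be combined into one verdict per host. The sketch below is an added example, not BugHunter Arsenal's own code, and it triages already-collected DNS and HTTP observations offline. The fingerprint entries, their key names and every hostname are constructed assumptions, not data from can-i-take-over-xyz.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed fingerprints: key names are an assumed layout, services are fictional.
FINGERPRINTS = [
    {"service": "ExampleHost", "cname": ["pages.examplehost.invalid"],
     "fingerprint": "No such site here", "nxdomain": False, "vulnerable": True},
    {"service": "ExampleBucket", "cname": ["bucket.examplecloud.invalid"],
     "fingerprint": "", "nxdomain": True, "vulnerable": True},
    {"service": "ExampleCDN", "cname": ["edge.examplecdn.invalid"],
     "fingerprint": "Unknown domain", "nxdomain": False, "vulnerable": False},
]

@dataclass
class Observation:
    host: str
    cname: Optional[str]       # CNAME target, None when the host has no CNAME
    target_nxdomain: bool      # True when the CNAME target does not resolve
    body: str = ""             # HTTP response body, empty when nothing answered

def match_service(cname):
    """Return the fingerprint whose CNAME suffix matches on a label boundary."""
    name = cname.rstrip(".").lower()
    for fp in FINGERPRINTS:
        if any(name == s or name.endswith("." + s) for s in fp["cname"]):
            return fp
    return None

def classify(obs):
    """Return 'ok', 'review' (unknown provider, dead target) or 'dangling'."""
    fp = match_service(obs.cname) if obs.cname else None
    if fp is None:
        return "review" if obs.cname and obs.target_nxdomain else "ok"
    if not fp["vulnerable"]:
        return "ok"            # fingerprint marks this service as not claimable
    if fp["nxdomain"]:
        return "dangling" if obs.target_nxdomain else "ok"
    return "dangling" if fp["fingerprint"] and fp["fingerprint"] in obs.body else "ok"

INVENTORY = [  # constructed sample records
    Observation("blog.example.com", "acme.pages.examplehost.invalid.", False, "No such site here"),
    Observation("assets.example.com", "old.bucket.examplecloud.invalid", True),
    Observation("www.example.com", None, False),
]

def triage(inventory=INVENTORY):
    """Return {host: verdict} for every record that is not 'ok'."""
    verdicts = ((o.host, classify(o)) for o in inventory)
    return {h: v for h, v in verdicts if v != "ok"}
```

Matching the CNAME on a label boundary keeps a lookalike such as notpages.examplehost.invalid from being attributed to the fingerprinted service.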
- Interactive GUI: Manage all scans from a single web interface
- Real-time Monitoring: Live scan output streaming with Server-Sent Events (SSE)
- Findings Management: Full CRUD operations for organizing vulnerabilities
- Multi-Tool Support: Run multiple tools simultaneously on the same targets
- Rescan Capabilities: Reuse collected URLs with new parameters (rescan, recrawl, rediscover)
- SQLite Database: All scan results stored in organized databases
- Per-Domain Databases: Separate database files for each target (optional)
- Findings Tracking: Severity levels, verification status, false positive flagging
- Scan History: Complete audit trail of all scanning activities
- Checkpoint System: Resume interrupted scans from the last checkpoint
- Database-Backed Configs: Manage API patterns, excluded extensions, and payloads through the web UI
- Settings Management: Add, edit, delete, and restore configuration items
- YAML Sync: Automatic synchronization from YAML config files to database
- Soft Deletes: Preserve user customizations when syncing from YAML
- Custom Patterns: Easy addition of new detection patterns and payloads
- Resume Support: Automatically resumes incomplete scans by default
- Force Restart: Option to start fresh scans when needed
- URL Reuse: Reuse collected URLs for different tool scans without re-crawling
- Subdomain Enumeration: Optional subdomain discovery using subfinder
- Multiple Input Formats: Scan domains, files of domains, or direct URL lists
- Cookie Support: Authenticate with protected endpoints
- Custom Headers: Add X-Request-For and other custom headers for bug bounty programs
- Random User-Agents: Automatically rotates user agents to avoid detection
- Python 3.7+
- Go (for installing external tools)
- External tools: subfinder, waybackurls, katana, httpx
- Clone the Repository:
git clone https://github.com/bigzooooz/BugHunterArsenal.git
cd BugHunterArsenal
- Install Python Dependencies:
pip install -r requirements.txt
- Install External Tools:
Option A: Automatic Installation (recommended, requires sudo):
sudo python3 BugHunterArsenal.py --install
Option B: Manual Installation:
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/katana/cmd/katana@latest
Make sure the Go binaries are in your PATH.
- Verify Installation:
python3 BugHunterArsenal.py --version
Scan a single domain with KeyHunter (default tool):
python3 BugHunterArsenal.py -d example.com
Scan with a specific tool:
python3 BugHunterArsenal.py -d example.com --tool xsshunter
Scan multiple domains from a file:
python3 BugHunterArsenal.py -f domains.txt --tool keyhunter
Scan URLs directly (skip subdomain enumeration):
python3 BugHunterArsenal.py -l urls.txt --tool xsshunter
Run multiple tools simultaneously:
python3 BugHunterArsenal.py -d example.com --tool keyhunter,xsshunter,orhunter
Disable subdomain enumeration:
python3 BugHunterArsenal.py -d example.com --no-subs --tool keyhunter
Use custom output directory:
python3 BugHunterArsenal.py -d example.com -o my_results --tool xsshunter
Add authentication cookie:
python3 BugHunterArsenal.py -d example.com --cookie "session=abc123" --tool keyhunter
Add custom header (for bug bounty programs):
python3 BugHunterArsenal.py -d example.com --x-request-for "HackerOne" --tool xsshunter
Force restart (delete existing scan and start fresh):
python3 BugHunterArsenal.py -d example.com --restart --tool keyhunter
Enable verbose output:
python3 BugHunterArsenal.py -d example.com -v --tool keyhunter
Start the web dashboard:
python3 BugHunterArsenal.py --gui
Then open http://127.0.0.1:5000 in your browser.
- Target Management: Add, view, and manage scanning targets
- Scan Wizard: Interactive interface for configuring and starting scans
- Live Monitoring: Real-time output from running scans
- Findings Management: View, edit, verify, and organize discovered vulnerabilities
- Settings Page: Manage API patterns, excluded extensions, and XSS payloads
- Statistics Dashboard: Overview of scans, findings, and subdomains
- Export Functionality: Export findings in various formats
From the target details page, you can:
- 🔍 Re-scan URLs: Reuse existing URLs with new tool parameters (skip subdomain enum and URL collection)
- 🕷️ Re-crawl URLs: Keep subdomains, re-collect URLs from existing subdomains
- 🌐 Re-discover: Fresh start with same parameters (re-enumerate subdomains and crawl)
Detailed documentation for each tool is available in the docs/ directory:
- KeyHunter Documentation - API key detection and validation guide
- XSSHunter Documentation - XSS vulnerability scanning guide
- ORHunter Documentation - Open redirect scanning guide
- DTOHunter Documentation - Subdomain takeover detection guide
For tool-specific features, usage examples, configuration options, and best practices, see the individual tool documentation files.
- --tool TOOL_NAME - Specify tool(s) to run (comma-separated). Options: keyhunter, xsshunter, xss, orhunter, openredirect, redirect, dtohunter, takeover. Default: keyhunter
- -d, --domain DOMAIN - Target domain to scan
- -f, --file FILE - File containing list of domains to scan
- -l, --urls-file FILE - File containing list of URLs to scan directly (skips subdomain enumeration)
- -ns, --no-subs - Disable subdomain enumeration
- -o, --output DIR - Custom output directory name (default: output)
- --cookie COOKIE - Cookie string for authenticated requests
- --x-request-for HEADER - Custom X-Request-For header value
- --restart - Force restart: delete existing scan and start fresh (default: resumes from checkpoint)
- -v, --verbose - Enable verbose output
- --gui - Start the web dashboard GUI server
- --install, --setup - Install missing dependencies automatically (requires sudo)
- --update - Update BugHunter Arsenal to the latest version
- --version - Display version information
Access the Settings page from the dashboard to manage:
- API Patterns: Add, edit, or delete API key detection patterns
- Excluded Extensions: Manage file extensions to exclude from scanning
- XSS Payloads: Manage XSS payloads, set default payload, add custom payloads
All configurations are stored in the database and automatically synced from YAML files on startup.
Configuration files in config/ are automatically synced to the database:
- config/api_patterns.yaml: API key detection patterns
- config/excluded_extensions.yaml: File extensions to exclude
- config/xss_payloads.yaml: XSS payloads (911+ payloads included)
Results are stored in SQLite databases:
- Main Database: output/bughunter.db (default)
- Per-Domain Databases: output/bughunter_{domain}.db (optional, for large targets)
Database Tables:
- scans - Scan metadata and checkpoints
- subdomains - Discovered subdomains
- urls - Collected URLs with status codes
- api_keys - API key findings (KeyHunter)
- xss_findings - XSS vulnerability findings (XSSHunter)
- redirect_findings - Open redirect findings (ORHunter)
- takeover_findings - Subdomain takeover findings (DTOHunter)
- config_api_patterns - API pattern configurations
- config_excluded_extensions - Excluded extension configurations
- config_xss_payloads - XSS payload configurations
BugHunterArsenal/
├── BugHunterArsenal.py # Main entry point
├── requirements.txt # Python dependencies
├── version.txt # Version information
│
├── tools/ # Security scanning tools
│ ├── keyhunter/ # API key detection tool
│ ├── xsshunter/ # XSS vulnerability scanner
│ ├── orhunter/ # Open redirect scanner
│ └── dtohunter/ # Subdomain takeover scanner
│
├── bughunter/ # Core platform modules
│ ├── server.py # Flask web server
│ ├── database.py # Database operations
│ ├── config_migration.py # Config sync to database
│ ├── recon.py # Reconnaissance utilities
│ └── http_client.py # HTTP client utilities
│
├── web/ # Web dashboard
│ ├── dashboard.html # Main dashboard UI
│ └── logo.png # Logo image
│
├── config/ # Configuration files
│ ├── api_patterns.yaml
│ ├── excluded_extensions.yaml
│ ├── xss_payloads.yaml
│ └── takeover_fingerprints.json
│
├── output/ # Scan results (databases)
├── docs/ # Documentation
│ ├── CHANGELOG.md # Version history
│ ├── KEYHUNTER.md # KeyHunter detailed guide
│ ├── XSSHUNTER.md # XSSHunter detailed guide
│ ├── ORHUNTER.md # ORHunter detailed guide
│ └── DTOHUNTER.md # DTOHunter detailed guide
└── README.md # This file
# Scan a domain with KeyHunter (default tool)
python3 BugHunterArsenal.py -d example.com
# Run multiple tools simultaneously
python3 BugHunterArsenal.py -d example.com --tool keyhunter,xsshunter,orhunter,dtohunter
# Test specific URLs (skip subdomain enumeration)
python3 BugHunterArsenal.py -l urls.txt --tool xsshunter --no-subs
# Scan with authentication
python3 BugHunterArsenal.py -d example.com \
  --cookie "session=abc123" \
  --x-request-for "YourName" \
  --tool keyhunter,xsshunter
- Navigate to http://127.0.0.1:5000
- View findings in the "Findings Management" section
- Filter by tool, severity, verification status, or domain
- Export findings as JSON, CSV, or text
sqlite3 output/bughunter.db
# View findings by type
SELECT * FROM api_keys WHERE provider = 'aws';
SELECT * FROM xss_findings;
SELECT * FROM redirect_findings;
SELECT * FROM takeover_findings;
# Install missing tools
sudo python3 BugHunterArsenal.py --install
# Or manually add Go binaries to PATH
export PATH=$PATH:$(go env GOPATH)/bin
- Ensure no other instances are accessing the database
- Close the web dashboard if accessing via SQLite directly
- Wait for current scan operations to complete
- Check if checkpoint exists in the database
- Use the --restart flag to force a fresh start if needed
Contributions are welcome! Whether it's:
- Adding new security scanning tools
- Improving existing tools
- Enhancing the web dashboard
- Adding new detection patterns
- Improving documentation
- Bug fixes and optimizations
Please feel free to submit issues or pull requests!
This project is licensed under the MIT License. See the LICENSE file for details.
If you find BugHunter Arsenal useful, consider:
- ⭐ Starring the repository on GitHub
- ☕ Buying me a coffee on Ko-fi
- 💸 Supporting via PayPal at paypal.me/b4zb0z
- 📢 Sharing with other bug bounty hunters and security researchers
- 💡 Providing feedback and feature requests
This tool is intended for educational and authorized security testing purposes only.
- Only use on systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The authors are not responsible for any misuse or damage caused by this tool
- Always comply with applicable laws and regulations
- Respect bug bounty program rules and scope limitations
Good luck finding bugs! 🐛
Stay ethical, stay legal, and happy hunting! 🎯
