software-security r&d; bashturbation
apkleaks. Scanning APK file for URIs, endpoints & secrets.
6.2kawesome-oneliner-bugbounty. A collection of awesome one-liner scripts especially for bug bounty tips.
3.2kcrlfuzz. A fast tool to scan CRLF vulnerability written in Go
1.6kgo-dork. The fastest dork scanner written in Go.
1.3kfindom-xss. A fast DOM based XSS vulnerability scanner with simplicity.
863ppfuzz. A fast tool to scan client-side prototype pollution vulnerability written in Rust. 🦀
669galer. A fast tool to fetch URLs from HTML attributes by crawl-in.
263gf-secrets. Secret and/or credential patterns used for gf.
245cf-check. CloudFlare Checker written in Go
238go-stare. A fast & light web screenshot without headless browser but Chrome DevTools Protocol!
184proxylogscan. A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).
164unew. A tool for append URLs, skipping duplicates/paths & combine parameters.
129slackcat. A simple way of sending messages from the CLI output to your Slack with webhook.
117ngocok. ngrok Collaborator Link — yet another Burp Collaborator alternative for free with ngrok.
116tlder. TLDs finder — check domain name availability across all valid top-level domains.
108unch. Hides message with invisible Unicode characters
99noizy. A drop-in replacement to Apple Hearing - Background Sounds with over 30+ available sounds.
98wadl-dumper. Dump all available paths and/or endpoints on WADL file.
97chatgptui. ChatGPT 🤖 with Textual User Interface (TUI) mode written in Go.
94ipfuscator. A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go.
93hinject. Host Header Injection Checker
84stargather. A fast GitHub stargazers information gathering tool
70CVE-2025-49844. CVE-2025-49844 – Redis Lua Parser Use-After-Free
66gfx. A wrapper around grep, to help you grep for things! - Improved version of gf by @tomnomnom.
62bounty-targets-alert. It's an watcher for new scopes added to bounty-targets-data and send you alert to Slack.
60nuclei-templates-dir. Nuclei Templates Directory
58continuous-nuclei. Running nuclei Continuously
57cve-2023-50164-poc. Proof of Concept for Path Traversal in Apache Struts ("CVE-2023-50164")
57look4jar. Looking for JAR files that are vulnerable to Log4j RCE (CVE‐2021‐44228)?
44secpat2gf. convert secret patterns to gf compatible.
38cekBin. Free source to check, verify & validate BIN (Bank Identification Number), credit, debit, charge or a prepaid card.
36discat. A simple way of sending messages from the CLI output to your Discord channel with webhook.
36nodep. A tool for check available dependency packages across npmjs, PyPI or RubyGems registry.
30leakz-passive-workflow. Caido's passive workflow to find potential leaked secrets, PII, and sensitive fields.
28gD0rk. Google Hack Database dork automatic tool.
27WiFiID. @wifi.id Account Extractor & Checker
24BitslerBOT. Automatically Betting for Bitsler.com
23delve-mcp. MCP server for Delve debugger integration
21osscope. A curated GitHub repository that's in-scope and eligible for bounty.
21Faucet-DOGE-Bot. Get faucet DOGE coin every minutes
17huntr-hacktivity. huntr.dev public disclosures/hacktivity watcher
17gollina. Follina MS-MSDT 0-day MS Office RCE (CVE-2022-30190) PoC in Go
17advisory. My advisories (backlog)
7ghostify-crack. A crack 💥 version of Ghostify, that helps you view Instagram stories without a trace (the story owner won't know you saw their story!)
7CVE-2020-24148. CVE-2020-24148 Proof-of-Concept
5xss-cheatsheet-data. This repository contains all the XSS cheatsheet data to allow contributions from the community.
5offsectools_www. A vast collection of security tools.
5CVE-2018-7600. PoC for CVE-2018-7600 Drupal SA-CORE-2018-002 (Drupalgeddon 2).
4awesome-search-queries. Community curated list of search queries for various products across multiple search engines.
4ovaa. Oversecured Vulnerable Android App
4