MCPcopy Index your code
hub / github.com/BountySecurity/gbounty

github.com/BountySecurity/gbounty @v3.1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v3.1.0 ↗ · + Follow
1,223 symbols 4,108 edges 182 files 554 documented · 45% updated 10mo agov3.1.0 · 2025-01-24★ 1659 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

GBounty

Fast, reliable, and highly customizable website vulnerability scanner.

InstallDocumentation


Downloads Contributors

Multi-step website vulnerability scanner designed to help pentesters and bug hunters identify potential vulnerabilities in web applications.

We have a dedicated repository that houses various type of web vulnerability profiles contributed by security researchers and engineers.

[!WARNING]
This project is in active development. Expect breaking changes with releases. Review the release changelog before updating.

[!CAUTION]
This project was primarily built to be used as a standalone CLI tool. Running gbounty as a service may pose security risks. It's recommended to use with caution and additional security measures.

Getting started

Install GBounty

To start using GBounty, you can either install it using Go, or download one of the pre-compiled binaries from GitHub Releases.

Installation with Go

GBounty requires Go v1.21 to install successfully. Run the following command to install the latest version under development:

go install -v github.com/bountysecurity/gbounty/cmd/gbounty@main

Installation with GitHub Releases

Navigate to the GitHub Releases page and download the pre-compiled binary of the latest version (or any other) for the operating system (Linux, macOS, or Windows) and architecture (amd64, arm64, 386...) of your preference.

Other installation mechanism

Unfortunately, currently we don't have support for other installation mechanisms, like Homebrew, Snap, Choco or Docker, but contributions are welcome! See #1, for instance.

Usage

gbounty -h

This will display help for the tool.

 INFO  GBounty is a multi-step web scanner that uses web vulnerability profiles
 INFO  GBounty profiles can be found at: https://github.com/BountySecurity/gbounty-profiles



Usage:
  gbounty [flags]
​
Flags:
  -h, --help
        Show help
  --update
        Update the binary and profiles to the latest version
  --update-app
        Update the binary to the latest version
  --update-profiles
        Update profiles to the latest version
  --force-update-profiles
        Re-download the latest version of profiles
  --check-updates
        Check for available updates forcefully
    By default, available updates are checked only once a day
​
TARGET INPUT:
  -u, --url value
        If specified, it will be used as a target url
    Can be used more than once: -u url1 -u url2
  -uf, --urls-file string
        If specified, each line present on the file will be used as a target urls
  -rf, --requests-file string
        If specified, each file present on the compressed file will be used as a target url and request template
    Only zipped (.zip) requests files are supported
  -rr, --raw-request value
        If specified, contents on given path will be used as a target url and request template
    Can be used more than once: --raw-request path/requests/req1.txt --raw-request path/requests/req2.txt
    The host address must be in the first line before the raw request. Otherwise, the 'Host' header will be used
  -pf, --params-file string
        If specified, each line present on the file will be used as a request parameter
    Used in combination with --params-split
  -ps, --params-split int
        Determines the amount of parameters (-pf/--params-file) included into each group (default: 10)
    Use one (1) to scan every param individually
  -pm, --params-method string
        Determines the HTTP method the params (-pf/--params-file) will be included into (default: "GET")
    Supported methods are: "GET" (url) and "POST" (www/url-encoded, body)
  -pe, --params-encoding string
        Determines the encoding the params (-pf/--params-file) will be included into (default: "url")
    Supported encodings are: "url" (application/x-www-form-urlencoded) and "json" (application/json)
    Only used when --params-method/-pm is set to "POST"
  -h2, --http2
        Forces HTTP/2. If enabled, the proto from the request template, if present, will be ignored
​
Options for --url (-u) and --urls-file:
  -X, --method string
        If specified, it will be used as the HTTP method for request templates
  -H, --header value
        If specified, it will be used as the HTTP header(s) for request templates
    Can be used more than once: -H "Accept: application/json" -H "Content-Type: application/json"
  -d, --data value
        If specified, it will be used as the HTTP body data for request templates
​
PROFILE OPTIONS:
  -p, --profiles value
        Determines the path where profile file(s) will be read from (default: "./profiles/")
    It can also be used with the path to a specific profile file
    Can be used more than once: -p profiles/XSS.bb2 -p profiles/SQLi.bb2
  -t, --tag value
        If specified, only profiles tagged with provided tags will be used
    Can be used more than once: -t tag1 -t tag2
  -active, --only-active
        If specified, only active profiles will be analyzed during the scan
  -passive, --only-passive
        If specified, only passive profiles will be analyzed during the scan
  -psreq, --only-passive-req
        If specified, only passive request profiles will be analyzed during the scan
  -psres, --only-passive-res
        If specified, only passive response profiles will be analyzed during the scan
  -tags, --print-tags
        Print available profile tags
    Used in combination with --tag
  -poc, --only-poc
        If specified, only matched requests will be printed, nothing else.
​
RUNTIME OPTIONS:
  -c, --concurrency int
        Determines how many target URL(s) will be scanned concurrently (default: 10)
  -r, --rps int
        Determines the limit of requests per second (per URL) (default: 10)
  -safm, --stop-at-first-match
        If specified, the scan will stop at the first match found for each combination of
    (a) profile, (b) step and (c) entrypoint
    Enabled by default, can be disabled with --stop-at-first-match=false or -safm=false
  -s, --silent
        If specified, no results will be printed to stdout
  -bh, --blind-host string
        If specified, the blind host will be injected into {BH} labels
  -email, --email-address string
        If specified, the email address will be injected into {EMAIL} labels
  --proxy-address string
        If specified, requests are proxied to the given address
    To specify host and port use 'host:port'
  --proxy-auth string
        If specified, proxied requests will include authentication details
  -m, --in-memory
        Use memory (only) as storage for intermediate scan results.
    Otherwise, it will use the filesystem (default)
  -sos, --save-on-stop
        Save the scan's status, when manually interrupted
    The scan's identifier will be printed, to be used in combination with --from
  -f, --from string
        Scan's identifier to be used to continue from
​
OUTPUT OPTIONS:
  -o, --output string
        Determine the path where the output file will be stored to
    By default, the output file is formatted as plain text
  -j, --json
        If specified, the output file will be JSON-formatted
    By default, the output file is formatted as plain text
  -md, --markdown
        If specified, the output file will be Markdown-formatted
    By default, the output file is formatted as plain text
  -a, --all
        If specified, results will include all requests and responses
    By default, only those requests that caused a match are included in results
    As it causes a noisy output, must be used in combination with -o/--output flag
  -areq, --all-requests
        If specified, results will include all requests
    By default, only those requests that caused a match are included in results
    As it causes a noisy output, must be used in combination with -o/--output flag
  -ares, --all-responses
        If specified, results will include all responses
    By default, only those requests that caused a match, and no response, are included in results
    As it causes a noisy output, must be used in combination with -o/--output flag
  -se, --show-errors
        If specified, failed requests are included in results
  -sr, --show-responses
        If specified, those requests that caused a match are printed with the corresponding response
  -ste, --stream-errors
        If specified, failed requests are printed to stdout during the scan (live)
    By default, they are only printed at the end, only when the -se/--show-errors flag is provided
  -stm, --stream-matches
        If specified, those requests that caused a match are printed to stdout during the scan (live)
    Enabled by default, can be disabled with --stream-matches=false or -stm=false
​
DEBUG OPTIONS:
  -v, --verbose
        If specified, the internal logger will write warning and error log messages
  -vv, --verbose-extra
        If specified, the internal logger will write info, warning and error log messages
  -vvv, --verbose-all
        If specified, the internal logger will write debug, info, warning and error log messages
  -vout, --verbose-output string
        If specified, the internal logger will write the log messages to a file
    By default, those are printed to stdout
​
EXAMPLES:
gbounty -u https://example.org -X POST -d "param1=value1&param2=value2" -t XSS -r 20 -a -o /tmp/results.json --json
gbounty --urls-file domains.txt -c 200 -r 10 -p /tmp/gbounty-profiles --silent --markdown -o /tmp/results.md
gbounty --raw-request 1.txt --raw-request 2.txt --blind-host yourblindhost.net
gbounty --requests-file requests.zip -r 150 --proxy-address=127.0.0.1:8080 -o /tmp/results.txt --all

Credits

Please, consider exploring the following comparable open-source projects that might also be beneficial for you:

FFuF, Jaeles, Nuclei, Qsfuzz, Inception, Snallygaster, Gofingerprint, Sn1per, Google tsunami, and ChopChop.

License

GBounty is distributed under MIT License

Extension points exported contracts — how you extend this code

Modifier (Interface)
Modifier defines the behavior of a request modifier, which is a component capable of modifying the given request based o [8 …
internal/interfaces.go
Finder (Interface)
Finder defines the behavior of an entrypoints finder, which is a component capable of finding entrypoints in a request. [10 …
internal/entrypoint/entrypoint.go
Profile (Interface)
Profile represents the behavior expected from a scan profile. It can be a passive or active profile (e.g. Active). [3 …
internal/profile/profile.go
WithProofOfConcept (Interface)
WithProofOfConcept is an interface that defines the expected behavior for [scan.Writer] implementations on this package [2 …
internal/platform/writer/option.go
FileSystem (Interface)
FileSystem defines the behavior expected from a [scan] file system, used to store and retrieve [Match], [Error], and [Ta [1 …
internal/interfaces_fs.go
WaitGroup (Interface)
WaitGroup defines the behavior of a `Wait`-able object. [1 implementers]
kit/syncutil/syncutil.go
RequesterBuilder (FuncType)
RequesterBuilder is a function that returns a [Requester] instance.
internal/types.go
CfgOption (FuncType)
CfgOption is a function that modifies a [Config] instance. See [WithRPS] and [WithConcurrency] as examples.
internal/config.go

Core symbols most depended-on inside this repo

For
called by 173
kit/logger/logger.go
Errorf
called by 150
kit/logger/logger.go
Run
called by 137
kit/pool/pool.go
Error
called by 62
kit/logger/logger.go
Bytes
called by 46
internal/request/request.go
Plain
called by 45
kit/console/printer/printer.go
Alias
called by 45
kit/getopt/getopt.go
InjectPayload
called by 41
internal/entrypoint/entrypoint.go

Shape

Method 543
Function 536
Struct 87
TypeAlias 24
Interface 20
FuncType 13

Languages

Go100%

Modules by API surface

internal/profile/grep.go48 symbols
internal/platform/cli/config.go31 symbols
kit/getopt/getopt.go28 symbols
internal/runner_opts.go26 symbols
internal/platform/filesystem/filesystem_test.go26 symbols
internal/request/request.go23 symbols
internal/profile/step.go23 symbols
internal/platform/filesystem/filesystem.go22 symbols
internal/interfaces_fs.go22 symbols
kit/logger/logger.go21 symbols
internal/interfaces.go18 symbols
cmd/gbounty/bootstrap/bootstrap.go18 symbols

For agents

$ claude mcp add gbounty \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact