40 curated tools across 7 categories. 12 work right here in your browser — no sign-up. The rest live in your free dashboard with scan history and projects.
Map your target's attack surface — domains, ports, ownership, tech.
Aggregate subdomains from 11 passive sources (crt.sh, OTX, CertSpotter, Anubis, SubdomainCenter, RapidDNS, Wayback, urlscan.io, HackerTarget, Shodan and more) into one ranked list. Batch up to 3 domains, detect wildcard DNS, optionally resolve DNS or probe HTTP alive. Highlights interesting subdomain patterns and exports with handoff to ProbeMaster, DNS Recon Pro, Takeover Scan and Vuln Scanner.
RDAP and port-43 WHOIS combined into one structured record. Batch up to 3 targets, accepts IDN, follows registrar referrals. Surfaces drop-catch and redemption alerts, groups EPP status codes, names the privacy provider, recognises 50+ DNS hosts and badges key signals (DNSSEC, lock, expiry, age). Harvested emails pivot in one click to ViewDNS, WhoXY, Hunter.io, HIBP and IntelX.
Resolve all common DNS records (A, AAAA, CNAME, MX, NS, TXT, CAA, SOA, SRV) for up to 3 domains at once. Follows CNAME chains with NXDOMAIN takeover detection, fingerprints 45+ services, probes 15 DKIM selectors, parses SPF mechanism by mechanism and DMARC tag by tag, and checks DNSSEC, MTA-STS, TLS-RPT and BIMI. Markdown and JSON export.
Full domain intelligence for up to 3 domains. DoH-based DNS records, DNSSEC, CAA, SRV, MTA-STS, TLS-RPT, BIMI, SPF mechanism breakdown, DMARC tag table, 15 DKIM selectors, TXT vendor classification, CNAME-chain takeover detection, per-IP ASN / ports / CVEs (Shodan + Team Cymru), RDAP registration, AXFR test and CT-log hostnames. Findings ranked by severity.
120+ recon dorks across 10 engines (Google, Bing, DuckDuckGo, Yandex, Brave, GitHub, GitLab, SourceGraph, grep.app, Shodan). Covers files, secrets, employees, SaaS webhooks, exposed services and cloud storage. Includes a custom dork builder with operator dropdown, multi-engine launch, favourites, history, regex filter, keyboard shortcuts and CSV / MD export.
Pull historical URLs from the Internet Archive and AlienVault OTX for up to 3 domains, with date-range filter. Mines parameters with risk tags (open-redirect, SSRF, LFI), groups URLs into endpoint patterns, categorises sensitive files (.env, .bak, .sql), and surfaces a Tokens-in-URLs view (JWT, AWS, Google, Stripe, Slack, GitHub keys). Advanced filters, archive replay, copy-as-ffuf and MD / CSV / TXT export.
Turn a URL list into 4 views: hierarchical host/path tree, sortable flat list, pattern-frequency (collapses /users/1, /users/2 to /users/{id}) and per-host stats. 10 categories (API, Auth, Params, JS, Sensitive paths/files, Backups, Documents, JSON/XML). Advanced filter (regex, exclude, host pattern, depth), saved lists and one-click handoff to ProbeMaster, Takeover and more.
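The pattern-frequency view described above rests on one small idea: normalise each path segment before counting. The following is an added example, not the site's own code, showing that normalisation with per-host stats in Node.js. The placeholder names ({id}, {uuid}, {hash}) and SAMPLE_URLS are my own constructions.

```javascript
// Added example, not the site's code: collapse a URL list into endpoint
// patterns plus per-host stats. Assumptions: Node.js (WHATWG URL);
// placeholder names are my choice; SAMPLE_URLS is constructed input.

const SEGMENT_RULES = [
  [/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, '{uuid}'],
  [/^[0-9a-f]{32,64}$/i, '{hash}'],  // md5 / sha1 / sha256-looking segments
  [/^\d+$/, '{id}'],                  // numeric ids
];

function normaliseSegment(seg) {
  for (const [re, placeholder] of SEGMENT_RULES) {
    if (re.test(seg)) return placeholder;
  }
  return seg;
}

// One URL -> host, normalised path pattern, depth and query parameter names.
function urlToPattern(raw) {
  const u = new URL(raw);
  const segs = u.pathname.split('/').filter(Boolean).map(normaliseSegment);
  return {
    host: u.host,
    pattern: '/' + segs.join('/'),
    depth: segs.length,
    params: [...u.searchParams.keys()],
  };
}

// Whole list -> patterns ranked by frequency, and per-host statistics.
function analyseUrls(urls) {
  const counts = new Map();
  const hosts = new Map();
  for (const raw of urls) {
    let info;
    try { info = urlToPattern(raw.trim()); } catch { continue; } // skip junk lines
    const key = info.host + info.pattern;
    counts.set(key, (counts.get(key) || 0) + 1);
    const h = hosts.get(info.host) ||
      { urls: 0, patterns: new Set(), maxDepth: 0, params: new Set() };
    h.urls += 1;
    h.patterns.add(info.pattern);
    h.maxDepth = Math.max(h.maxDepth, info.depth);
    for (const p of info.params) h.params.add(p);
    hosts.set(info.host, h);
  }
  const ranked = [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
  const hostStats = {};
  for (const [host, h] of hosts) {
    hostStats[host] = {
      urls: h.urls,
      uniquePatterns: h.patterns.size,
      maxDepth: h.maxDepth,
      params: [...h.params].sort(),
    };
  }
  return { ranked, hostStats };
}

// Constructed sample input (example.com is a reserved documentation domain).
const SAMPLE_URLS = [
  'https://app.example.com/users/1',
  'https://app.example.com/users/2',
  'https://app.example.com/users/42?tab=orders',
  'https://app.example.com/api/v1/orders/3fa85f64-5717-4562-b3fc-2c963f66afa6',
  'https://static.example.com/assets/d41d8cd98f00b204e9800998ecf8427e/app.js',
  'not a url',
];

const { ranked, hostStats } = analyseUrls(SAMPLE_URLS);
for (const [pattern, n] of ranked) console.log(String(n).padStart(3), pattern);
console.log(JSON.stringify(hostStats, null, 2));
```

Three /users/N URLs collapse to one app.example.com/users/{id} row with count 3; the rules list is the place to add site-specific token shapes (slugs, base64 ids) once you have seen what the target uses.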
Harvest robots.txt (per user-agent), recurse gzipped sitemap indexes, fetch lastmod-sorted URLs, and pull 14 well-known files (security.txt, Asset Links, AASA, OIDC, OAuth metadata, host-meta, JWKS, NodeInfo) plus ads.txt. Classifies disclosed paths into 13 categories with uniqueness scoring, generates probe variants and validates security.txt against RFC 9116. Batch up to 3 domains.
Map every web asset likely owned by the same entity. Scrapes analytics, AdSense, GTM and Pixel IDs from the homepage, computes the favicon hash, does reverse-IP and ASN, then hands you the reverse-WHOIS, PublicWWW, SpyOnWeb and Shodan pivots.
Mine URLs, JS endpoints, domains and parameters from pasted source code or a fetched remote file. Categorises findings by type and exports the clean set.
Batch-extract EXIF / IPTC / XMP from uploads, URLs or pasted images. Pulls GPS (reverse-geocoded, GPX / KML export), device serials, owner, the embedded thumbnail (which can still show content cropped out of the main image) and edit / tamper signals.
IPv4 and IPv6 subnet math. Expand CIDRs, parse ranges and netmasks, aggregate lists into covering CIDRs, split subnets, classify RFC scope (private, CGNAT, public), and build reverse-DNS and scanner targets.
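The subnet tool above does its work with integer arithmetic on addresses. As an added example, not the site's code, here is the IPv4 half of it in Node.js: expansion, aggregation into covering CIDRs, RFC-scope classification and reverse-DNS names. IPv6 is deliberately left out, and SAMPLE_CIDRS is constructed input.

```javascript
// Added example, not the site's code. Assumptions: IPv4 only; unsigned
// 32-bit arithmetic via >>> 0; SAMPLE_CIDRS is constructed input.

function ipToInt(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(x => !Number.isInteger(x) || x < 0 || x > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// "10.0.0.5/24" -> { start, end, bits }; a bare address is treated as /32.
function parseCidr(cidr) {
  const [ip, bitsStr] = cidr.trim().split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const start = (ipToInt(ip) & mask) >>> 0;
  return { start, end: (start | (~mask >>> 0)) >>> 0, bits };
}

// Expand a block to individual addresses (refuses anything wider than /16).
function expandCidr(cidr) {
  const r = parseCidr(cidr);
  if (r.bits < 16) throw new Error('refusing to expand more than 65536 addresses');
  const out = [];
  for (let n = r.start; n <= r.end; n++) out.push(intToIp(n));
  return out;
}

// Minimal CIDR blocks covering the inclusive range [start, end].
function rangeToCidrs(start, end) {
  const out = [];
  while (start <= end) {
    let bits = 32;
    // widen while the next-wider block is still aligned at start and inside the range
    while (bits > 0) {
      const size = 2 ** (33 - bits);
      if (start % size !== 0 || start + size - 1 > end) break;
      bits -= 1;
    }
    out.push(`${intToIp(start)}/${bits}`);
    start += 2 ** (32 - bits);
  }
  return out;
}

// Merge overlapping / adjacent blocks, then re-split into covering CIDRs.
function aggregateCidrs(cidrs) {
  const ranges = cidrs.map(parseCidr).sort((a, b) => a.start - b.start);
  const merged = [];
  for (const r of ranges) {
    const last = merged[merged.length - 1];
    if (last && r.start <= last.end + 1) last.end = Math.max(last.end, r.end);
    else merged.push({ start: r.start, end: r.end });
  }
  return merged.flatMap(m => rangeToCidrs(m.start, m.end));
}

// Special-use ranges: RFC 1918 private, RFC 6598 CGNAT, RFC 3927 link-local, etc.
const SCOPES = [
  ['0.0.0.0/8', 'this-network'],
  ['10.0.0.0/8', 'private'],
  ['100.64.0.0/10', 'cgnat'],
  ['127.0.0.0/8', 'loopback'],
  ['169.254.0.0/16', 'link-local'],
  ['172.16.0.0/12', 'private'],
  ['192.168.0.0/16', 'private'],
  ['224.0.0.0/4', 'multicast'],
  ['240.0.0.0/4', 'reserved'],
].map(([cidr, scope]) => ({ ...parseCidr(cidr), scope }));

function classifyIp(ip) {
  const n = ipToInt(ip);
  const hit = SCOPES.find(s => n >= s.start && n <= s.end);
  return hit ? hit.scope : 'public';
}

// 10.1.2.3 -> 3.2.1.10.in-addr.arpa
function reverseDnsName(ip) {
  ipToInt(ip); // validate
  return ip.split('.').reverse().join('.') + '.in-addr.arpa';
}

const SAMPLE_CIDRS = ['10.0.0.0/25', '10.0.0.128/25', '10.0.1.0/24', '192.168.1.0/24', '10.0.0.77'];
console.log(aggregateCidrs(SAMPLE_CIDRS)); // [ '10.0.0.0/23', '192.168.1.0/24' ]
```

The two adjacent /25s and the following /24 merge into a single /23; the bare address is absorbed because it already sits inside the first block.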
Passive open-port and CVE exposure lookup (Shodan InternetDB), plus ready-to-run nmap, naabu and rustscan commands you can run from your own machine.
Bulk-probe hosts in parallel for status, redirects, title, tech stack, server, IP and timing. Flags notable findings (directory listing, phpinfo, API docs) with filtering and export.
Fingerprint the stack (server, CMS, frameworks, JS libs, CDN / WAF) with versions, confidence and inline CVE flags. Deep scan reads assets for exact versions, leaked keys and favicon hash. Bulk mode maps a list of hosts.
Find misconfigurations and weaknesses on live web apps.
All-in-one passive and opt-in active scanner. Feed a URL or a raw HTTP request and surface misconfigurations and vulnerabilities, graded by severity.
Grade a URL's security posture across HSTS, CSP, XFO and cookies. Audits cookie flags (Secure, HttpOnly, SameSite), info-disclosure leaks, CORS exposure and redirect chains, with prioritised findings.
Deep Content-Security-Policy analysis with per-directive source classification and real bypass detection (unsafe-inline, unsafe-eval, wildcards, data:, JSONP and AngularJS whitelist bypasses). Includes a graded score and a hardened-policy generator.
Fire a battery of crafted-Origin probes (reflection, null, sub-domain, prefix/suffix and HTTP-downgrade bypasses) plus a pre-flight check, with a credentials-aware verdict and an auto-generated exploit PoC.
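What the CORS checker above sends, and how it turns a response into a verdict, is worth seeing in code. The block below is an added example, not the site's code: it derives the crafted Origins for a target URL and grades a single response's Access-Control-Allow-Origin / Allow-Credentials pair. The attacker domain, the two constructed responder functions and the target hostname are placeholders; nothing is sent over the network.

```javascript
// Added example, not the site's code. Assumptions: 'attacker.example' is a
// placeholder; REFLECTING_SERVER / STRICT_SERVER are constructed responders
// standing in for real HTTP responses; Node.js WHATWG URL.

function originProbes(targetUrl, attacker = 'attacker.example') {
  const u = new URL(targetUrl);
  const scheme = u.protocol; // e.g. "https:"
  return {
    reflect:       `https://${attacker}`,                   // arbitrary origin echoed back
    nullOrigin:    'null',                                  // sandboxed iframe / data: URL
    subdomain:     `${scheme}//evil.${u.hostname}`,         // "*.target" trust
    prefix:        `${scheme}//${u.hostname}.${attacker}`,  // regex anchored at start only
    suffix:        `${scheme}//evil${u.hostname}`,          // endsWith(hostname) check
    httpDowngrade: `http://${u.hostname}`,                  // same host, plaintext scheme
  };
}

// Grade one probe: what the server answered for `sentOrigin`.
function gradeCorsResponse(sentOrigin, headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h['access-control-allow-origin'];
  const creds = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (!acao) return { severity: 'none', reason: 'no Access-Control-Allow-Origin' };
  if (acao === '*') {
    return creds
      ? { severity: 'info', reason: 'wildcard with credentials: browsers reject this combination' }
      : { severity: 'low', reason: 'wildcard without credentials: only unauthenticated data exposed' };
  }
  if (acao !== sentOrigin) return { severity: 'none', reason: 'origin not reflected' };
  if (!creds) return { severity: 'medium', reason: 'origin reflected without credentials' };
  if (sentOrigin === 'null') return { severity: 'high', reason: 'null origin trusted with credentials' };
  if (sentOrigin.startsWith('http://')) {
    return { severity: 'high', reason: 'plaintext origin trusted with credentials (needs network position)' };
  }
  return { severity: 'critical', reason: 'attacker origin reflected with credentials' };
}

// Fire every probe at a responder and collect verdicts keyed by probe name.
function probeAll(targetUrl, responder) {
  const results = {};
  for (const [name, origin] of Object.entries(originProbes(targetUrl))) {
    results[name] = { origin, ...gradeCorsResponse(origin, responder(origin)) };
  }
  return results;
}

// Constructed responder: echoes any Origin and allows credentials (the bad case).
const REFLECTING_SERVER = origin => ({
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
});

// Constructed responder: exact allow-list, Vary: Origin (the good case).
const STRICT_SERVER = origin => (origin === 'https://app.target.example'
  ? { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' }
  : {});

console.log(probeAll('https://api.target.example/v1/me', REFLECTING_SERVER));
console.log(probeAll('https://api.target.example/v1/me', STRICT_SERVER));
```

The severity ladder is the credentials-aware part: the same reflected origin is medium without Allow-Credentials and critical with it, and the null and http:// cases are capped at high because each needs an extra condition (a sandboxed frame, or a network position) to exploit.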
Audit cookie flags (Secure, HttpOnly, SameSite, __Host- / __Secure- prefixes, Domain scope) and JWT attacks (alg=none, alg-confusion, jku/jwk/x5u/kid, expiry, privilege claims). Live JWT editor re-signs (none / HMAC) so you can forge and test. Fully client-side.
Resolve CNAME chains and match against 30+ takeover-prone services (S3, GitHub, Heroku, Azure, Netlify and more). Detects NXDOMAIN dangling, verifies with a live error-fingerprint, and ranks verdicts with the claim method.
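The takeover logic above is: follow the CNAME chain, notice when the tail no longer resolves, and ask whether that tail belongs to a service where anyone can register the name. The block below is an added example, not the site's code, run against a constructed ZONE table instead of live DNS; the SERVICES list is a short illustrative subset of the 30+ the tool covers, and a dangling-claimable verdict is a candidate that still needs the live error-fingerprint check.

```javascript
// Added example, not the site's code. Assumptions: ZONE is a constructed
// stand-in for DNS (no lookups happen); hostnames under example.com and the
// provider-side names are made up; addresses are RFC 5737 TEST-NET.

const SERVICES = [
  { name: 'AWS S3', host: /\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$/i, claim: 'create a bucket with the exact name' },
  { name: 'GitHub Pages', host: /\.github\.io$/i, claim: 'create the repo and add the custom domain' },
  { name: 'Heroku', host: /\.herokuapp\.com$/i, claim: 'create an app with the same name' },
  { name: 'Azure', host: /\.(?:azurewebsites\.net|cloudapp\.azure\.com|trafficmanager\.net)$/i, claim: 'register the matching resource name' },
  { name: 'Netlify', host: /\.netlify\.app$/i, claim: 'claim the site name' },
];

// name -> { CNAME } | { A } | null (NXDOMAIN)
const ZONE = {
  'shop.example.com':           { CNAME: 'example-shop.herokuapp.com' },
  'example-shop.herokuapp.com': null,                           // app deleted: dangling
  'docs.example.com':           { CNAME: 'example-org.github.io' },
  'example-org.github.io':      { A: ['192.0.2.10'] },          // still claimed by someone
  'loop.example.com':           { CNAME: 'loop2.example.com' },
  'loop2.example.com':          { CNAME: 'loop.example.com' },
  'www.example.com':            { A: ['198.51.100.5'] },
};

function resolveChain(name, zone, maxHops = 8) {
  const chain = [name];
  for (let hop = 0; hop < maxHops; hop++) {
    const rec = zone[chain[chain.length - 1]];
    if (rec === null || rec === undefined) return { chain, terminal: 'NXDOMAIN' };
    if (rec.CNAME) {
      if (chain.includes(rec.CNAME)) return { chain, terminal: 'LOOP' };
      chain.push(rec.CNAME);
      continue;
    }
    return { chain, terminal: 'RESOLVED', addresses: rec.A };
  }
  return { chain, terminal: 'TOO_DEEP' };
}

function assessTakeover(name, zone = ZONE) {
  const r = resolveChain(name, zone);
  const last = r.chain[r.chain.length - 1];
  const svc = SERVICES.find(s => s.host.test(last));
  let verdict;
  if (r.terminal === 'LOOP') verdict = 'cname-loop';
  else if (r.terminal === 'NXDOMAIN' && r.chain.length === 1) verdict = 'nxdomain';       // the name itself is gone
  else if (r.terminal === 'NXDOMAIN') verdict = svc ? 'dangling-claimable' : 'dangling-unknown-service';
  else if (svc) verdict = 'service-verify-fingerprint';   // resolves: fetch it and match the error page
  else verdict = 'ok';
  return {
    name, chain: r.chain, terminal: r.terminal, verdict,
    service: svc ? svc.name : null,
    claim: verdict === 'dangling-claimable' ? svc.claim : null,
  };
}

for (const n of ['shop.example.com', 'docs.example.com', 'loop.example.com', 'www.example.com']) {
  console.log(assessTakeover(n));
}
```

Two details matter in practice: the verdict is about the last name in the chain, not the one you started from, and a target that still resolves is not safe by itself; several providers answer with a distinctive "no such app / bucket" page for unclaimed names, which is the fingerprint step the tool performs.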
Automated open-redirect scan (rich bypass payloads, external canary), plus an SSRF toolkit with any-IP encoder (decimal, hex, octal, IPv6), localhost / metadata / protocol-smuggling payloads, curl / ffuf / Burp commands and OOB guidance.
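The any-IP encoder above exists because many address parsers accept far more than dotted-decimal. The block below is an added example, not the site's code: it produces those alternative spellings for an IPv4 address and, for the defensive side, a canonicaliser that folds every one of them back to the dotted quad a blocklist should compare against. It covers IPv4 and the IPv4-mapped IPv6 form only; which spellings a given HTTP client actually honours still has to be tested against that client.

```javascript
// Added example, not the site's code. Assumptions: Node.js; IPv4 and the
// IPv4-mapped IPv6 form only; parser behaviour of any specific client is
// not reproduced here.

function intToDotted(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// The spellings of one IPv4 address that lenient (inet_aton-style) parsers accept.
function encodeIpv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(x => !Number.isInteger(x) || x < 0 || x > 255)) {
    throw new Error(`bad IPv4: ${ip}`);
  }
  const n = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  return {
    dotted: ip,
    decimal: String(n),                                       // 2130706433
    hex: '0x' + n.toString(16).padStart(8, '0'),              // 0x7f000001
    octal: '0' + n.toString(8),                               // 017700000001
    dottedHex: o.map(x => '0x' + x.toString(16)).join('.'),   // 0x7f.0x0.0x0.0x1
    dottedOctal: o.map(x => '0' + x.toString(8)).join('.'),   // 0177.00.00.01
    shortForm: (o[1] === 0 && o[2] === 0) ? `${o[0]}.${o[3]}` : null, // 127.1
    ipv6Mapped: `[::ffff:${ip}]`,
    ipv6MappedHex: `[::ffff:${(n >>> 16).toString(16)}:${(n & 0xffff).toString(16)}]`, // [::ffff:7f00:1]
  };
}

// One dotted part: 0x.. hex, leading-zero octal, otherwise decimal.
function parsePart(p) {
  if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p, 16);
  if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
  if (/^\d+$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Any of the spellings above -> canonical dotted quad, or null if not an IPv4 literal.
function canonicalIpv4(host) {
  let h = host.trim().replace(/^\[|\]$/g, '');
  const mapped = h.match(/^::ffff:(.+)$/i);
  if (mapped) {
    if (mapped[1].includes('.')) {
      h = mapped[1];
    } else {
      const [hi, lo] = mapped[1].split(':').map(x => parseInt(x, 16));
      if (Number.isNaN(hi) || Number.isNaN(lo)) return null;
      return intToDotted(((hi << 16) | lo) >>> 0);
    }
  }
  const parts = h.split('.').map(parsePart);
  if (parts.length < 1 || parts.length > 4 || parts.some(Number.isNaN)) return null;
  if (parts.slice(0, -1).some(x => x > 255)) return null;    // leading parts are single octets
  const last = parts[parts.length - 1];
  if (last >= 2 ** (8 * (5 - parts.length))) return null;    // last part fills the remaining bytes
  let n = 0;
  for (let i = 0; i < parts.length - 1; i++) n = n * 256 + parts[i];
  n = n * 2 ** (8 * (5 - parts.length)) + last;
  return intToDotted(n >>> 0);
}

const forms = encodeIpv4('127.0.0.1');
console.log(forms);
console.log(Object.values(forms).filter(Boolean).every(f => canonicalIpv4(f) === '127.0.0.1')); // true
```

The defensive lesson is in the last line: a filter that compares the raw string against "127.0.0.1" or "169.254.169.254" is bypassed by every other entry in that object, so canonicalise first, then classify, and do it on the address the client will actually connect to (after redirects and DNS), not on the URL as submitted.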
Generate working PoCs, listeners and out-of-band canaries.
Out-of-Band interaction listener (Burp-Collaborator-style canary tokens) for SSRF, blind XSS, XXE, Log4Shell, CSV injection and email-pixel tracking. Generate a unique URL, plant it during testing, then see every inbound hit in real-time with full method, headers, body, IP, UA and referer. 12 ready-to-copy payload templates and cURL reproduction.
Reverse, bind and MSFVenom shells across ~30 languages (Linux / Windows / macOS) with matched listeners, Base64 / URL encoding and a TTY-stabilisation cheat sheet.
Validate leaked API keys across 153 services (AWS, GCP, Stripe, OpenAI, Slack, GitHub, Twilio, MongoDB and many more). Each entry has severity, impact, regex pattern and a one-liner curl validation. Paste-and-scan mode finds known key formats in source code, .env or JS bundles, fully client-side.
Curated payloads and CLI builders for active testing.
15 payload categories: XSS, SQLi, NoSQLi, cmd-injection, LFI, SSTI, XXE, CRLF, LDAP, XPath, SSI, CSV, Host-header, GraphQL and polyglots. Includes WAF-bypass variants, substitution of your own value and OOB host into each payload, and 9 encoders.
Curated payload library: 26 vulnerability classes, 140+ sections, 700+ payloads. Covers XSS, SQLi, NoSQLi, Command-Injection, SSRF, XXE, SSTI, LFI / RFI, JWT, GraphQL, CORS, File-Upload, Auth-Bypass, OAuth, HTTP-Smuggling, Deserialization, Prototype-Pollution, CSV-Injection and WAF-bypass.
Parametrised CLI generator for 30+ pentest tools, grouped by task (subdomain, port, HTTP probe, crawler, fuzzer, vuln scan, exploitation, brute force, hash crack, secrets, TLS), with wordlist presets and a downloadable .sh script.
Hashes, identifiers, test data and tokens.
Generate (MD5, NTLM, SHA) and identify 60+ hash types with ranked candidates. Builds tailored hashcat and John commands (wordlist, rules, mask), with file-extraction helpers and crack-speed guidance. Fully client-side.
Realistic-looking test data across 22 countries: names, emails, phone numbers (fiction-reserved ranges), addresses, postal codes and format-valid sample IDs. Safety-reserved ranges so values look real but never collide with live data. Cards, text, JSON and CSV export.
Custom-charset strings (1-512 chars, up to 5000 at a time), passwords with entropy scoring, preset tokens (UUID v4, ULID, hex, base64, JWT secrets, Stripe / Slack / GitHub / AWS-style API keys, Luhn-valid test cards) and bulk numeric ranges.
Encode, decode, format and convert anything.
4-tab workbench: 20+ encodings (URL, double-URL, percent-all, Base64, Base64URL, HTML, JS \xXX / \uXXXX, CSS, Hex, Binary, Octal, ASCII, ROT-N, Atbash, Morse), all-encodings multi-view, hashes (MD5, SHA family, HMAC), and Unix-timestamp / ISO 8601 conversions.
Convert HTTP requests between 6 formats: Raw HTTP (Burp), curl, fetch(), HAR, JSON spec and form / query string. Auto-detects input, handles full shell quoting, JSON bodies, multi-line curl and HAR entries from DevTools.
Format, validate (with line / col error), minify, sort keys, unescape stringified, convert to YAML / XML / CSV / PHP / JS / JSONL / query, JSONPath query, two-pane diff, extract secrets (URLs / emails / JWTs / AWS / Stripe / private keys), depth and type stats. 100% client-side.
7-tab text workbench: regex find/replace, sort/dedupe/sample, keep-drop line filter, set operations (A−B, ∩, ∪), URL-parts extraction, case conversion (camel, snake, kebab and more), per-line transforms, secret extraction and stats. Per-tab undo (10 steps), drag-drop import.
4-tab diff workbench: true LCS line / word / char diff, side-by-side, Git-style unified, inline word-level, and stats (added, removed, similarity %). Trim, case-insensitive, ignore-blank-lines toggles. Drag-drop file import, live recompare.
Look things up. Write things up. Get paid.
CVE detail and product search with prioritisation signals: CVSS, EPSS exploit-probability, CISA KEV (actively-exploited) status, SSVC, CWE and categorised exploit / patch references.
Browse Bugcrowd's Vulnerability Rating Taxonomy with bug-class definitions, severity priorities and CVSS mappings. Searchable and filterable, useful for triaging finds and writing reports.
Submission-ready bug-bounty and pentest reports. 29 templates with CWE / OWASP / CVSS / VRT pre-mapped, platform-specific output (HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack, Formal Pentest), CVSS 3.1 calculator, live Markdown preview, multi-format export (MD / HTML / JSON) and draft autosave.
Pentest scratchpad with a Markdown editor, live preview, YAML frontmatter tags, pinning, full-text search across all notes, 5 templates (Recon log, Bug write-up, Engagement summary, Quick ref, OWASP checklist), 2-second auto-save, multi-format export (MD, HTML, TXT), keyboard shortcuts (Ctrl+S, Ctrl+N), saved to your account.
Unlock the full toolkit:
12 client-side utilities work right here, no sign-up needed. Encoders, hashes, JSON, diff, password & UUID, CIDR maths.