1. Subdomain Enumeration

  • Amass (amass enum -active -d domain.com -o amass-subdomain-result.txt)
  • Assetfinder (assetfinder -subs-only domain.com | anew assetfinder-subdomain-result.txt)
  • Subfinder (subfinder -d domain.com -o subfinder-subdomain-result.txt)
  • Findomain (findomain -t domain.com -u findomain-subdomain-result.txt)
  • amass (amass enum -brute -d domain.com…

Subdomain enumeration tools

  • assetfinder
  • subfinder
  • amass
  • sublist3r
  • Findomain

Check for live hosts

  • httpx

Web fuzzer / Content Discovery

  • ffuf (parameter fuzzing, content discovery, etc.)
  • gobuster

Probe for working HTTP and HTTPS servers

  • httprobe

Linked Discovery

  • GoSpider
  • Hakrawler

Vulnerability Scanner

Other Tools:

  • EyeWitness
  • S3 Scanner
  • wfuzz
  • Arjun (find hidden parameters)
  • waybackurls (cat subdomains | waybackurls > urls)
  • wpscan
  • wafw00f

Wordlists:

  • SecLists
  • Assetnote
  • all.txt (Jason Haddix)

Tools for Blind XSS:

  • XSSHunter
  • ezXSS (has 2FA, email reports, and a report-sharing feature)
  • bXSS (has a Slack/SMS notification feature)
  • KNOXSS (has an email feature)

Burp extensions (BApp Store):

  • Flow
  • Active Scan++
  • JS Link Finder
  • Retire.js
  • Hunt Scanner
  • Burp Bounty, Scan Check Builder
  • Software Vulnerability Scanner
  • Additional Scanner Checks
  • Autorize


