Bug Bounty tools for hunters by YesWeHack

Logo YesWeBurp


YesWeBurp is a Burp Suite extension that gives you access to all your YesWeHack Bug Bounty Programs from within Burp. Configure Burp according to the public and private programs you are participating in by adding scopes and defining User-Agents.

Pwn Fox Bug hunting tool by YesWeHack


PwnFox is a Firefox/Burp extension that has been described as “an IDOR Hunter’s best friend”. PwnFox allows you to containerize up to eight sessions within one Firefox browser, while all proxied traffic is colour-coded. Features include single-click BurpProxy, Containers Profiles, PostMessage Logger, Toolbox Injection and Security Header Remover.

PP finder tool by YesWeHack

PP Finder

A powerful tool for tackling prototype pollution bugs, a dangerous vulnerability class that can lead to remote code execution. PP Finder simplifies the search for prototype pollution gadgets and the detection of vulnerabilities within JavaScript codebases. All JavaScript files present in a targeted directory are analysed and an instrumented version is generated that highlights potentially vulnerable code.

Pwning Machine

The Pwning Machine helps hunters navigate complex modern web services in the privacy-preserving way demanded by some Bug Bounty Programs. This customizable, extensible suite of tools provides an ideal environment for testing complex exploits in a world of containers and microservices. A Docker-based environment can be set up on a dedicated server in less than 10 minutes.

VDP Finder

VDP Finder

The VDP Finder plugin tells you whether a website you visit has a Vulnerability Disclosure Program (VDP). Available on Chrome and Firefox, the extension saves you from wasting time trawling a website for evidence of a VDP. VDP Finder removes friction from the vulnerability reporting process by displaying available security.txt and checking domains against FireBounty databases.

XSS tools by YesWeHack


XSStools is a cross-site scripting (XSS) development framework that simplifies the crafting of XSS payloads. Generate powerful payloads quickly with the payload generator, and use one of many available wrappers without the need for encoding. You also need only supply the targeted element to write clickjacking code – a usually tiresome task. A collection of exfiltrators is included.


Read our “PimpMyBurp” series of articles to learn how to use Burp Suite extensions effectively. These tutorials will help you harness these tools to adeptly identify vulnerabilities such as Insecure Direct Object Reference (IDOR), Improper Access Control, Business Logic and Privilege Escalation bugs.


Watch interviews with our top-performing hunters. Hear about the secrets of their success, technical tips and tricks, and their experiences disclosing vulnerabilities and earning bounties through YesWeHack.


Join the pro-hunter service run by hackers for hackers