YesWeBurp
YesWeBurp is a Burp Suite extension that gives you access to all your YesWeHack Bug Bounty Programs from within Burp. It configures Burp for the public and private programs you are participating in by adding each program's scope and defining the User-Agent the program requires.
PwnFox
PwnFox is a Firefox/Burp extension that has been described as "an IDOR Hunter's best friend". PwnFox lets you containerize up to eight sessions within one Firefox browser, and all proxied traffic is colour-coded by container, so requests made as different users can be told apart in Burp. Features include single-click BurpProxy, Container Profiles, a PostMessage Logger, Toolbox Injection and a Security Header Remover.
Dom Explorer
Dom-Explorer is a web-based tool for testing how various HTML parsers and sanitisers handle the same input, exposing the parser differentials that can lead to mutation XSS. Supported sanitisers include Ammonia, Angular, DOMPurify, js-xss and SafeValues; parsers include DomParser, Parse5, srcdocParser and TemplateParser. Pipelines chain multiple parsers so you can visualise, step by step, how the HTML is transformed. Pipelines can be shared, embedded into websites, saved for reuse, and synchronised across multiple browser tabs in real time.
PP Finder
PP Finder is a tool for tackling prototype pollution, a vulnerability class that, given a suitable gadget, can lead to remote code execution. PP Finder simplifies both the search for prototype pollution gadgets and the detection of pollution sources within JavaScript codebases. All JavaScript files in a targeted directory are analysed and an instrumented version is generated that highlights potentially vulnerable code.
Pwning Machine
The Pwning Machine helps hunters navigate complex modern web services in the privacy-preserving way demanded by some Bug Bounty Programs. This customizable, extensible suite of tools provides an ideal environment for testing complex exploits in a world of containers and microservices. A Docker-based environment can be set up on a dedicated server in less than 10 minutes.
VDP Finder
The VDP Finder plugin tells you whether a website you visit has a Vulnerability Disclosure Program (VDP). Available on Chrome and Firefox, the extension saves you from wasting time trawling a website for evidence of a VDP. VDP Finder removes friction from the vulnerability reporting process by displaying the site's security.txt, where one is published, and by checking the domain against the FireBounty database.
XSStools
XSStools is a cross-site scripting (XSS) development framework that simplifies the crafting of XSS payloads. Generate powerful payloads quickly with the payload generator, and apply one of the many available wrappers without having to encode the payload by hand. Writing clickjacking code, usually a tiresome task, requires only the targeted element. A collection of exfiltrators is also included.
PIMP MY BURP
Read our “PimpMyBurp” series of articles to learn how to use Burp Suite extensions effectively. These tutorials will help you harness these tools to adeptly identify vulnerabilities such as Insecure Direct Object Reference (IDOR), Improper Access Control, Business Logic and Privilege Escalation bugs.
MEET OUR HUNTERS
Watch interviews with our top-performing hunters. Hear about the secrets of their success, technical tips and tricks, and their experiences disclosing vulnerabilities and earning bounties through YesWeHack.
BUG BOUNTY BLOG
Check out our latest articles and videos for bughunting news, inspiration, practical advice and technical tips.