AI-Powered Autonomous Vulnerability Scanner for Bug Bounty Hunters
BugBountyAI is an autonomous vulnerability scanner designed for bug bounty hunters and security researchers. It uses AI-powered detection techniques to identify critical security flaws in web applications, helping you find real bugs and earn bounties faster.
| Feature | Benefit |
|---|---|
| AI-Powered | Intelligent payload generation and context-aware detection |
| Fast Execution | Complete scans in 2-20 seconds |
| High Accuracy | 90%+ detection rate with low false positives |
| Bug Bounty Ready | Find real vulnerabilities on real targets |
| Free LLM Support | Works with Ollama, Groq, or rule-based fallback |
Screenshots (images not reproduced here):
- Clean, modern UI for initiating security assessments
- Vulnerability findings with CVSS scores and CWE references
- Prioritized remediation guidance for bug bounty submissions
Tested against Acunetix Vulnerable Test Application (authorized testing environment):
Target: testphp.vulnweb.com/listproducts.php?cat=1
Duration: 2 seconds
| Finding | Severity | CVSS | CWE |
|---|---|---|---|
| Error-Based SQL Injection: cat | CRITICAL | 9.8 | CWE-89 |
| IDOR Vulnerability: cat | HIGH | 7.5 | CWE-639 |
| Reflected XSS: cat | MEDIUM | 6.1 | CWE-79 |
Target: testphp.vulnweb.com/artists.php?artist=1
Duration: 5 seconds
| Finding | Severity | CVSS | CWE |
|---|---|---|---|
| Error-Based SQL Injection: artist | CRITICAL | 9.8 | CWE-89 |
| IDOR Vulnerability: artist | HIGH | 7.5 | CWE-639 |
Target: testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg
Duration: 19 seconds
| Finding | Severity | CVSS | CWE |
|---|---|---|---|
| SSRF: Internal Network Access | HIGH | 8.6 | CWE-918 |
| IDOR via Enumeration: file | HIGH | 7.5 | CWE-639 |
| Reflected XSS: file | MEDIUM | 6.1 | CWE-79 |
```text
┌──────────────────────────────────────────────┐
│           BUGBOUNTYAI SCAN SUMMARY           │
├──────────────────────────────────────────────┤
│ Total Endpoints Tested: 3                    │
│ Total Vulnerabilities:  8                    │
│ Critical: 2  ████████████                    │
│ High:     4  ████████████████████████        │
│ Medium:   2  ████████████                    │
│ Average Scan Time: 8.7 seconds               │
└──────────────────────────────────────────────┘
```
SQL Injection:
- Error-based detection for MySQL, PostgreSQL, MSSQL, Oracle, SQLite
- Boolean-based blind injection with response differential analysis
- Time-based blind injection with configurable delays
- 40+ payloads with automatic database fingerprinting

XSS:
- Context-aware detection: HTML, attribute, JavaScript, URL contexts
- Filter bypass techniques: encoding, case manipulation, tag nesting
- Polyglot payloads for multi-context exploitation
- DOM-based XSS detection patterns

IDOR:
- Sequential ID enumeration with differential analysis
- UUID manipulation and prediction
- Sensitive data detection in unauthorized responses
- Horizontal privilege escalation patterns

SSRF:
- Internal network access: 127.0.0.1, 10.x, 172.x, 192.168.x
- Cloud metadata endpoints: AWS, GCP, Azure, DigitalOcean, Kubernetes
- Protocol handlers: file://, gopher://, dict://
- Bypass techniques: IP encoding, DNS rebinding, URL parsing
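The SSRF destinations and bypass techniques listed above are exactly what a server-side fetch has to refuse. The guard below is an added example, not BugBountyAI code: `check_outbound_url()`, `resolve_host()` and `parse_ipv4_literal()` are hypothetical helpers that allow HTTP(S) only, decode the lenient decimal/octal/hex IP literal forms before checking them, resolve a name once, reject anything that is not a public address, and return the resolved addresses so the caller connects to those rather than resolving again (the DNS-rebinding window).

```python
# Added illustration, not BugBountyAI code: a hypothetical fetch guard for the SSRF targets listed above.
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}   # rejects file://, gopher://, dict:// and friends

def parse_ipv4_literal(text):
    """Decode lenient inet_aton forms (1-4 dotted parts, decimal/octal/hex); None if not one."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if len(p) > 1
                and p[0] == "0" else int(p, 10) for p in parts]
    except ValueError:
        return None
    value = 0
    for n in nums[:-1]:                   # leading parts are single bytes
        if not 0 <= n <= 255:
            return None
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(nums))       # last part fills the remaining bytes
    if not 0 <= nums[-1] < 1 << tail_bits:
        return None
    return ipaddress.IPv4Address(value << tail_bits | nums[-1])

def resolve_host(host):
    """Addresses a literal or hostname maps to; DNS is consulted only for real names."""
    literal = parse_ipv4_literal(host)
    try:
        return [literal if literal is not None else ipaddress.ip_address(host)]
    except ValueError:                    # not a literal at all: resolve it
        infos = socket.getaddrinfo(host, None)
        return sorted({ipaddress.ip_address(i[4][0]) for i in infos}, key=str)

def check_outbound_url(url):
    """Return (allowed, reason, pinned_ips). Connect to pinned_ips directly and re-run
    this check on every redirect target; re-resolving at fetch time is the DNS-rebinding window."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
            return False, "scheme not allowed or host missing", []
        ips = resolve_host(parts.hostname)
    except (ValueError, socket.gaierror) as exc:
        return False, f"rejected: {exc}", []
    # is_global is False for loopback, RFC 1918, 100.64/10, link-local (169.254.169.254!) and reserved space
    blocked = [ip for ip in ips if not ip.is_global]
    if blocked:
        return False, f"{parts.hostname} resolves to non-public {blocked[0]}", []
    return True, "ok", ips
```

A guard like this still has to be applied again to every HTTP redirect the fetch follows, since a public host can 302 to an internal address.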
Prerequisites:
- Python 3.10+
- Node.js 18+ (for frontend)

```bash
# Clone repository
git clone https://github.com/waqarazim/bugbountyai.git
cd bugbountyai

# Install Python dependencies
pip install -r requirements.txt

# Install frontend dependencies
cd frontend && npm install && cd ..

# Initialize database
python -c "from src.database.init_db import init_database; init_database()"
```

Backend API:

```bash
python -m uvicorn src.main:app --port 8000
```

Frontend Dashboard:

```bash
cd frontend && npm run dev
```

Access:
- Dashboard: http://localhost:3000
- API Documentation: http://localhost:8000/docs
- Navigate to http://localhost:3000
- Enter a target URL with parameters (e.g., `https://target.com/page?id=1`)
- Select vulnerability types (SQL Injection, XSS, IDOR, SSRF)
- Click "Start Scan"
- View findings in the Results tab
- Generate a report for bug bounty submission
```bash
# Start a scan
curl -X POST http://localhost:8000/api/v1/scans \
  -H "Content-Type: application/json" \
  -d '{"target_url": "https://target.com/api?id=1"}'

# Get scan status
curl http://localhost:8000/api/v1/scans/{scan_id}

# Get vulnerabilities
curl http://localhost:8000/api/v1/scans/{scan_id}/vulnerabilities

# Get assessment report
curl http://localhost:8000/api/v1/scans/{scan_id}/report
```

Python API:

```python
import asyncio
from src.agents.orchestrator import ScanOrchestrator


async def hunt_bugs():
    scanner = ScanOrchestrator()
    # Run the selected scanner modules against one parameterised URL
    result = await scanner.execute(
        'https://target.com/page?id=1',
        scan_types=['sql_injection', 'xss', 'idor', 'ssrf']
    )
    print(f"Bugs Found: {result['vulnerabilities_found']}")
    print(f"Critical: {result['statistics']['critical']}")
    print(f"High: {result['statistics']['high']}")
    # Each finding carries severity, CVSS score, CWE id and the payload that triggered it
    for vuln in result['vulnerabilities']:
        print(f"[{vuln['severity'].upper()}] {vuln['title']}")
        print(f"  CVSS: {vuln['cvss_score']}, CWE: {vuln['cwe_id']}")
        print(f"  Payload: {vuln['payload']}")


asyncio.run(hunt_bugs())
```

Project layout:

```text
bugbountyai/
├── src/
│   ├── scanners/               # Vulnerability Detection
│   │   ├── base_scanner.py     # Abstract base with common logic
│   │   ├── sql_injection.py    # SQLi (40+ payloads, 5 databases)
│   │   ├── xss.py              # XSS (context-aware, filter bypass)
│   │   ├── idor.py             # Access control testing
│   │   └── ssrf.py             # Server-side request forgery
│   │
│   ├── agents/                 # AI Orchestration
│   │   ├── orchestrator.py     # Scan coordination & workflow
│   │   └── report_generator.py # Bug bounty report generation
│   │
│   ├── models/                 # AI/LLM Integration
│   │   └── llm_interface.py    # Ollama, Groq, rule-based
│   │
│   ├── api/                    # REST API
│   │   └── routes.py           # FastAPI endpoints
│   │
│   ├── database/               # Persistence
│   │   ├── models.py           # SQLAlchemy ORM models
│   │   └── repositories.py     # Data access layer
│   │
│   └── utils/                  # Utilities
│       ├── http_client.py      # Async HTTP with retry logic
│       └── rate_limiter.py     # Request throttling
│
├── frontend/                   # React Dashboard
│   ├── src/App.jsx             # Main application component
│   └── src/index.css           # Vercel-inspired dark theme
│
├── docs/screenshots/           # Documentation assets
├── docker-compose.yml          # Container deployment
├── requirements.txt            # Python dependencies
└── LICENSE                     # MIT License
```
| Layer | Technology | Purpose |
|---|---|---|
| Backend | Python 3.10+, FastAPI | Async API server |
| Frontend | React 18, Vite | Dashboard UI |
| AI/LLM | Ollama, Groq | Intelligent analysis |
| Database | SQLite/PostgreSQL | Scan data persistence |
| HTTP Client | aiohttp, httpx | Async requests with retry |
| Parsing | BeautifulSoup, lxml | HTML/XML analysis |
BugBountyAI works with free AI models:

| Provider | Setup | Cost |
|---|---|---|
| Ollama | `ollama run llama3.2` | Free (local) |
| Groq | Set `GROQ_API_KEY` | Free tier available |
| Rule-based | Default fallback | No API needed |
- Always get authorization before testing
- Read the program scope carefully
- Document everything with screenshots
- Use the report generator for submissions
- Chain vulnerabilities for higher impact
- Test edge cases and unusual inputs
Sample API response:

```json
{
  "scan_id": 1,
  "status": "completed",
  "duration_seconds": 2,
  "vulnerabilities_found": 3,
  "statistics": {
    "critical": 1,
    "high": 1,
    "medium": 1,
    "low": 0
  },
  "vulnerabilities": [
    {
      "title": "Error-Based SQL Injection: cat",
      "type": "sql_injection",
      "severity": "critical",
      "cvss_score": 9.8,
      "cwe_id": "CWE-89",
      "parameter": "cat",
      "payload": "'",
      "description": "Database errors (mysql) exposed in responses...",
      "remediation": "Use parameterized queries or prepared statements."
    }
  ]
}
```

Roadmap:
- Browser automation for JavaScript-rendered pages
- Authentication/session support
- Additional vulnerabilities (XXE, CSRF, Command Injection)
- PDF report generation for bug bounty submissions
- Integration with HackerOne and Bugcrowd APIs
- Nuclei template support
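Before a scan response in the shape shown above goes into a submission, it is worth checking that the scanner's own numbers agree with each other: severity labels against the CVSS v3.x qualitative bands, the `statistics` block and `vulnerabilities_found` against the findings list, and a stable highest-first ordering for the report. The following is an added example, not project code: `triage()` and `severity_from_cvss()` are hypothetical helpers and `SAMPLE_RESPONSE` is a constructed payload that mirrors the first test target's findings.

```python
# Added illustration, not BugBountyAI code: sanity-checks a scan response of the documented shape.
CVSS_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))

def severity_from_cvss(score):
    """CVSS v3.x qualitative rating for a base score (0.0 is 'none')."""
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "none"

def triage(result):
    """Verify a scan response before it becomes a submission.

    Reports findings whose severity label disagrees with their CVSS score,
    whether the statistics/count fields match the findings list, and the
    submission order (highest CVSS first, then type and parameter for stability).
    """
    findings = result.get("vulnerabilities", [])
    mismatches = [f["title"] for f in findings
                  if f["severity"].lower() != severity_from_cvss(float(f["cvss_score"]))]
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"].lower()] = counts.get(f["severity"].lower(), 0) + 1
    reported = result.get("statistics", {})
    consistent = (result.get("vulnerabilities_found") == len(findings)
                  and all(reported.get(k, 0) == v for k, v in counts.items()))
    ordered = sorted(findings, key=lambda f: (-float(f["cvss_score"]), f["type"], f["parameter"]))
    return {
        "complete": result.get("status") == "completed",
        "label_mismatches": mismatches,
        "statistics_consistent": consistent,
        "order": [f["title"] for f in ordered],
    }

# Constructed sample in the documented response shape (first test target above).
SAMPLE_RESPONSE = {
    "scan_id": 1, "status": "completed", "duration_seconds": 2, "vulnerabilities_found": 3,
    "statistics": {"critical": 1, "high": 1, "medium": 1, "low": 0},
    "vulnerabilities": [
        {"title": "Error-Based SQL Injection: cat", "type": "sql_injection", "severity": "critical",
         "cvss_score": 9.8, "cwe_id": "CWE-89", "parameter": "cat"},
        {"title": "Reflected XSS: cat", "type": "xss", "severity": "medium",
         "cvss_score": 6.1, "cwe_id": "CWE-79", "parameter": "cat"},
        {"title": "IDOR Vulnerability: cat", "type": "idor", "severity": "high",
         "cvss_score": 7.5, "cwe_id": "CWE-639", "parameter": "cat"},
    ],
}

if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
```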
This tool is for authorized security testing only.
- Always obtain written permission before testing
- Respect bug bounty program scope and rules
- Never test systems without explicit authorization
- The author assumes no liability for misuse
MIT License - Copyright (c) 2024 Waqar Azim
See LICENSE for full details.
Built by Waqar Azim
Empowering Bug Bounty Hunters with AI