Fully autonomous AI hacker to find actual exploits in your web apps. Shannon has achieved a 96.15% success rate on the hint-free, source-aware XBOW Benchmark.

Burp extension for Recursive Request Exploits (RRE) — DEFCON 2025

A curated list of Claude Skills.

Burp Suite extension that adds built-in MCP tooling, AI-assisted analysis, privacy controls, passive and active scanning and more

Download your Spotify playlists and songs along with album art and metadata (from YouTube if a match is found).

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static a…

Tools to work with android .dex and java .class files

A command-line tool for parsing and filtering FFUF JSON output files. Quickly search, filter, and analyze your web fuzzing results with color-coded output.

Run iOS apps without actually installing them!

Kingfisher is a blazingly fast and highly accurate tool for secret detection and live validation across files, Git repos, GitHub, GitLab, Azure Repos, BitBucket, Gitea, AWS S3, Docker images, Jira,…

World’s single largest Internet domains dataset

Passive JavaScript reconnaissance for penetration testers — bridging Burp Suite traffic into structured, AST-based analysis in VSCode.

Practical setup guides and helpers to connect Burp Suite MCP Server to multiple AI backends (Codex, Gemini, Ollama, ...).

Extract subdomains from CSP headers

Monitor your targets and hunt fresh assets in real time.

Matkap - hunt down malicious Telegram bots

Rust-powered HTTP Request Smuggling Scanner.

Automatically exported from code.google.com/p/domxsswiki

A fancier postMessage tracker with Chrome Manifest version V3 support and a few additional features, inspired by Frans Rosens postmessage tracker.

Collection of scripts and tools used during bug bounty work. This will be the location of my automation scripts created for my own personal use, and occassionally public released

A universal MCP client with proxying feature to interact with MCP Servers which support STDIO transport.

TInjA is a CLI tool for testing web pages for template injection vulnerabilities and supports 44 of the most relevant template engines for eight different programming languages.

"Web-Cache-Deception-Scanner" Extension for BurpSuite

Prompt Injection Primer for Engineers

rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks

bug bounty cheat files