June 23, 2026
BUG Framework v5.0: The All-in-One Bug Bounty Recon Suite That Actually Works
A deep dive into one of the most comprehensive open-source security frameworks — and how it stacks up against Recon-ng, OWASP ZAP, Burp Suite, and Nuclei

By cyber security
If you've spent any time doing bug bounty hunting, you already know the pain. You've got subfinder in one terminal, katana spinning in another, a nuclei scan running somewhere in the background, dalfox waiting for its input, and you're stitching together outputs with grep and awk while simultaneously trying not to lose track of which domains you've actually tested. You're running twelve tools to do the job of one pipeline.
That's the problem BUG Framework was built to solve.
What Is BUG Framework?
BUG Framework v5.0 is a professional-grade bash script — a single file — that orchestrates 20+ security tools into a coherent, automated pipeline covering the entire bug bounty recon lifecycle. From passive subdomain enumeration to authenticated IDOR testing to a polished HTML report with a manual testing guide, it handles the full chain.
It is explicitly designed for authorized, in-scope targets only. Every run requires you to confirm you have written permission before a single packet is sent. This isn't just legal boilerplate — it's baked into the tool's execution flow.
The Full Pipeline, Module by Module
The tool runs in sequential modules, each building on the last. Here's what actually happens under the hood when you run bug -d target.com:
Subdomain Enumeration pulls from subfinder, crt.sh, assetfinder, amass, alterx permutation expansion, urlscan.io, HackerTarget, RapidDNS, and ThreatCrowd. It merges and deduplicates everything, runs DNS resolution via dnsx, checks for wildcard DNS, and flags takeover candidates against known cloud patterns (GitHub Pages, Heroku, AWS, Netlify, etc.).
Live Host Probing sends every resolved subdomain through httpx, checking ports 80, 443, 8080, 8443, 8888, 3000, 4000, 5000, 9000, and 9443 simultaneously. It returns status codes, page titles, web server versions, tech stack fingerprints, CDN detection, and IP resolution — all in parallel.
URL Collection is where it gets aggressive. It runs waybackurls, gau (AlienVault + URLScan + Wayback), waymore, urlscan.io direct API, katana in three modes (standard, list-crawl across all live hosts, and headless for JavaScript-heavy apps), and hakrawler. The raw output gets deduplicated with uro, then filtered through GF patterns for XSS, SQLi, SSRF, LFI, redirect, RCE, and IDOR candidates.
JavaScript Analysis extracts JS URLs, downloads target-domain files, runs LinkFinder and SecretFinder, then does its own regex mining for AWS keys (AKIA...), GCP API keys (AIza...), JWTs (eyJ...), hardcoded secrets, DOM XSS sinks (innerHTML, document.write, eval, etc.), postMessage usage, S3 bucket references, and API base URLs. Any secrets found get flagged immediately.
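The regex-mining step described above, as an added example that is not BUG Framework's own code: it runs over one downloaded JS file, and the patterns, class names and the constructed sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not BUG Framework's own code: the regex mining step of the
# JavaScript Analysis module, run over one downloaded JS file. The patterns
# and class names are this example's own assumptions, chosen to cover the
# indicator families the article lists.

# Print one "CLASS value" line per indicator found in the file named by $1.
mine_js() {
    f="$1"
    # AWS access key ids: AKIA plus 16 uppercase alphanumerics.
    grep -oE 'AKIA[0-9A-Z]{16}' "$f" | sed 's/^/AWS_KEY /'
    # Google API keys: AIza plus 35 characters.
    grep -oE 'AIza[0-9A-Za-z_-]{35}' "$f" | sed 's/^/GCP_KEY /'
    # JWTs: three base64url segments, the header segment starting with eyJ.
    grep -oE 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' "$f" | sed 's/^/JWT /'
    # DOM XSS sinks, reported by sink name. "eval(" is coarse and also hits
    # identifiers that merely end in eval; the line still needs a human look.
    grep -oE '\.(innerHTML|outerHTML)[[:space:]]*=|document\.write(ln)?\(|eval\(' "$f" \
        | sed 's/^\.//; s/[[:space:]]*=$//; s/($//; s/^/DOM_SINK /'
    # postMessage senders and "message" listeners (the . matches the quote).
    grep -oE '\.postMessage\(' "$f" | sed 's/.*/POSTMESSAGE send/'
    grep -oE 'addEventListener\([[:space:]]*.message' "$f" | sed 's/.*/POSTMESSAGE listener/'
    # S3 bucket references in virtual-host or s3:// form, then API base URLs.
    grep -oE '[a-z0-9.-]+\.s3[a-z0-9.-]*\.amazonaws\.com|s3://[a-z0-9.-]+' "$f" | sed 's/^/S3_BUCKET /'
    grep -oE 'https?://[A-Za-z0-9.-]+/api[A-Za-z0-9/._-]*' "$f" | sed 's/^/API_BASE /'
}

# Count the credential-shaped hits, the ones the module flags immediately.
credential_count() {
    mine_js "$1" | awk '/^(AWS_KEY|GCP_KEY|JWT) /{n++} END{print n+0}'
}

# Constructed sample (not from any real target) so the block runs offline;
# the AWS key is the placeholder value from the AWS documentation.
write_sample_js() {
    cat > "$1" <<'EOF'
var cfg = {region: "us-east-1", key: "AKIAIOSFODNN7EXAMPLE"};
var maps = "AIzaSyDabcdefghijklmnopqrstuvwxyz012345";
var API = "https://api.example.com/api/v2";
var cdn = "https://assets-prod.s3.amazonaws.com/app.js";
localStorage.setItem("t", "eyJhbGciOiJub25lIn0.eyJzdWIiOiIxIn0.abc");
window.addEventListener("message", function (e) { el.innerHTML = e.data; });
frames[0].postMessage(JSON.stringify(cfg), "*");
document.write(location.hash.slice(1));
EOF
}

# Usage: write_sample_js /tmp/app.js && mine_js /tmp/app.js
```

Every hit is a lead for a human to read in context; a sink name tells you where to look, not that the input reaching it is attacker-controlled.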
Path Discovery runs ffuf against the top 20 live hosts with raft-large wordlists, feroxbuster recursively to depth 4, a dedicated API endpoint wordlist pass, and a backup/sensitive file pass. Then it runs 16 different 403 bypass techniques — both path manipulation tricks (/./admin, //admin, %2fadmin, ..;/) and header injection (X-Original-URL, X-Rewrite-URL, X-Forwarded-For: 127.0.0.1, etc.). Arjun handles hidden parameter discovery.
WAF Fingerprinting uses wafw00f for passive detection, header signature matching against Cloudflare, Akamai, AWS WAF, Imperva, F5 BIG-IP, Sucuri, Fastly, and ModSecurity, then sends behavioral probes (XSS, SQLi, LFI, SSTI, command injection payloads) and checks rate-limit thresholds. If a WAF is detected, it auto-generates a bypass payload set.
API Schema Discovery hunts for OpenAPI/Swagger specs across 25+ known paths, probes 9 GraphQL endpoints for introspection, checks for batch query support and missing depth limits, and fuzzes undocumented API versions (/api/v1 through /api/v5, plus beta, alpha, dev, internal) against 30+ resource endpoints.
Nuclei runs four separate passes: a full scan across all severity levels with CVE + misconfig + exposure + takeover tags, a DAST pass on parameterized URLs, a dedicated CVE scan, and a misconfiguration scan. Results are extracted and sorted by severity.
XSS pipes GF-filtered URLs through dalfox with worker threads and discovery mode. It also audits every live host for Content-Security-Policy headers, flagging any missing CSP.
SQLi filters URLs to active targets first (skipping 403s and WAF-blocked responses), then runs sqlmap with tamper scripts (space2comment, between, randomcase), smart detection mode, and a 600-second cap.
SSRF tests GF-filtered URLs with 12 payloads covering AWS metadata (169.254.169.254), GCP metadata, Azure, decimal/hex IP encodings, localhost variants, and file://, dict://, and gopher:// schemes.
LFI tests 11 payloads including standard path traversal, double encoding, null byte, URL encoding variants, and PHP stream wrappers.
CSRF scans live hosts for POST forms without CSRF tokens and audits SameSite cookie settings, then generates ready-to-use HTML PoC files for any finding.
CORS tests 6 origin variants per host — evil.com, attacker subdomain, null, domain.evil.com, evildomain.com, HTTP variant — and flags any misconfigured Access-Control-Allow-Origin with credential detection. A CORS critical finding with credentials: true is one of the highest-value bug classes on most programs.
IDOR/BAC extracts numeric ID parameters, UUID patterns, API object paths, and ownership parameters from all collected URLs. It probes privileged endpoints without authentication and tests HTTP method switching (GET → POST/PUT/DELETE/PATCH) on admin paths.
OAuth Analysis finds OAuth/OIDC endpoints, flags tokens in URL parameters (critical finding), checks for missing state parameters, missing PKCE, tests redirect_uri bypass with evil.com, and analyzes JWT tokens for alg: none and HS256 weaknesses.
Parameter Mutation Fuzzing tests SSTI with 14 payloads across Jinja2, Twig, Freemarker, Velocity, and ERB syntaxes, runs type confusion probes (null, undefined, [], {}, -1, NaN, Infinity), discovers hidden GET/POST parameters with ffuf + burp-parameter-names wordlist, and tests JSON mutation for prototype pollution, constructor pollution, NoSQLi operators, and mass assignment.
Smart Classifier is where BUG Framework genuinely separates itself. It runs regex classification across every URL and endpoint collected, producing prioritized target lists for IDOR, BAC, OAuth, Upload, Export, Payment, Webhook, and Debug endpoints — pre-sorted by the patterns most likely to yield findings.
Report generates both an interactive HTML dashboard and a Markdown report, including OWASP Top 10 coverage mapping, a 10-step manual testing workflow, a full data file index, and tool-by-tool manual testing guidance.
How Does It Compare to Other Tools?
Let's put it in context with the tools most bug bounty hunters are already using.
BUG Framework vs. Recon-ng
Recon-ng is a modular Python framework with a database backend, workspace management, and a marketplace of community modules. It's excellent for structured OSINT and passive recon — particularly for enriching target intelligence with WHOIS, DNS records, social profiles, breach data, and contact information. Its strength is depth on a single domain or organization.
BUG Framework is not an OSINT tool. It doesn't care about LinkedIn profiles or breach databases. Where Recon-ng excels at intelligence gathering, BUG Framework is a vulnerability-finding engine. It picks up where Recon-ng leaves off — taking a target domain and actively hunting for injectable parameters, exposed files, misconfigurations, and access control failures.
The two tools genuinely complement each other. Run Recon-ng first for organizational intelligence and scope mapping. Then feed BUG Framework the confirmed in-scope domains.
Winner for bug bounty: BUG Framework for active testing. Recon-ng for pre-engagement intelligence.
BUG Framework vs. OWASP ZAP
ZAP is the most widely known open-source DAST scanner. It has a GUI, an API, a spider, an active scanner, and a strong ecosystem of add-ons. It's excellent for web application testing where you want to interactively browse an application and let the scanner analyze your traffic.
ZAP's weakness in a bug bounty context is scale. It's designed to test one application at a time, interactively. Running ZAP across 200 subdomains with parameterized URL collection, JS analysis, and IDOR classification is not what it was built for.
BUG Framework handles scale natively. It was designed from the start to work against entire programs with dozens or hundreds of live hosts, collected URLs in the tens of thousands, and automated triage across multiple vulnerability classes simultaneously.
ZAP's GUI is also its advantage for developers and security engineers running targeted tests on their own applications — the visual traffic analysis, break-and-intercept, and report export are excellent for that use case. BUG Framework has no GUI. It's a terminal tool for hunters who know what they're looking for.
Winner for bug bounty at scale: BUG Framework. Winner for developer-focused AppSec testing: OWASP ZAP.
BUG Framework vs. Burp Suite Professional
This is the most important comparison because Burp is the industry standard.
Burp Suite Pro is irreplaceable for manual testing. Its intercept proxy, Repeater, Intruder, Collaborator, and the extension ecosystem (Autorize, Auth Analyzer, Param Miner, InQL, Turbo Intruder) are unmatched for the hands-on validation work that turns a scanner finding into a confirmed, reproducible bug.
What Burp doesn't do well is automated wide-scope recon. Running subdomain enumeration, URL collection, JS analysis, and multi-class vulnerability scanning across an entire program's attack surface is not Burp's job. The built-in spider and scanner are powerful but slow at that scale, and setting up scopes across hundreds of subdomains manually is painful.
BUG Framework is designed to do the reconnaissance and initial triage that feeds into Burp. It explicitly generates Burp-ready output — the classified/burp_imports/ directory contains pre-sorted URL lists for IDOR, BAC, and OAuth targets ready to load into Autorize or Auth Analyzer. The parameter list feeds directly into Param Miner. The CSRF PoC files open in a browser.
The intended workflow is: BUG Framework first, Burp Suite for validation and manual exploitation.
They are not competing tools. Any serious bug bounty hunter should use both.
Verdict: Complementary. BUG Framework for recon and initial triage. Burp Suite for manual testing and exploitation.
BUG Framework vs. Nuclei (standalone)
Nuclei is already a component inside BUG Framework, but it's worth comparing them as scanning philosophies.
Standalone Nuclei is extraordinarily powerful for template-based detection. Its community template library now covers thousands of CVEs, misconfigurations, exposure patterns, and technology-specific checks. If you know what you're looking for and have a list of URLs, Nuclei is the fastest way to check them.
The gap is everything before and after the Nuclei scan. You need to build the URL list, filter it, run DAST on parameterized URLs, extract secrets from JS, classify findings by vulnerability class, and produce a report. Nuclei doesn't do any of that. It's a scanner, not a pipeline.
BUG Framework wraps Nuclei with a complete pipeline. It runs four separate Nuclei passes (full, DAST on params, CVE-targeted, and misconfig), then combines the findings with results from every other module for a unified report.
If you're only running Nuclei standalone, you're likely missing a significant portion of your attack surface — particularly IDOR, BAC, OAuth flows, and custom parameter injection that templates don't cover.
Winner: Both, used together — which BUG Framework handles automatically.
Feature Comparison Matrix
Where BUG Framework Genuinely Shines
The Smart Classifier is underrated. Most automated tools give you a flat list of findings. BUG Framework classifies every URL it collects into typed buckets — numeric IDOR candidates, UUID-based IDOR, BAC admin paths, user management endpoints, API list-all endpoints, OAuth flows, upload endpoints, payment flows, webhook handlers, and debug pages. This is the kind of triage that normally takes hours of manual URL review. The classifier does it in seconds and produces IDOR_PRIORITY.txt and BAC_PRIORITY.txt files that you can drop directly into Burp.
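An added example, not the project's own classifier, of the kind of bucket classification the Smart Classifier (described here and in the module walkthrough above) performs: the bucket names, regexes and the constructed sample URL list are this example's own assumptions, and bucket_urls produces what a priority file such as IDOR_PRIORITY.txt holds.

```shell
# Added example, not BUG Framework's own code: a regex classifier in the
# spirit of the Smart Classifier, sorting collected URLs into typed buckets.
# Bucket names and patterns are assumptions and deliberately coarse.

# True when URL $1 matches the extended, case-insensitive regex $2.
m() { printf '%s\n' "$1" | grep -qiE "$2"; }

# Print every bucket that applies to URL $1, one per line (none if nothing fits).
classify_url() {
    u="$1"
    # Numeric id in a query value, or a bare numeric path segment.
    m "$u" '[?&][a-z_]*(id|user|account|order|invoice|doc)[a-z_]*=[0-9]+|/[0-9]+(/|$|\?)' && echo IDOR_NUMERIC
    m "$u" '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' && echo IDOR_UUID
    m "$u" '/(admin|administrator|manage|management|internal|dashboard)(/|$|\?)' && echo BAC_ADMIN
    m "$u" '/(users?|accounts?|members?|profiles?)(/|$|\?)' && echo USER_MGMT
    # A plural collection under /api with no object id after it: a list-all candidate.
    m "$u" '/api/(v[0-9]+/)?[a-z_-]+s(/?$|\?)' && echo API_LIST
    m "$u" 'oauth|openid|/authorize(/|$|\?)|/callback(/|$|\?)|redirect_uri=|client_id=|response_type=' && echo OAUTH
    m "$u" '/(upload|uploads|import|attachments?)(/|$|\?)' && echo UPLOAD
    m "$u" '/(export|download|reports?|backup)(/|$|\?)|[?&]format=(csv|pdf|xlsx?)' && echo EXPORT
    m "$u" '/(checkout|payments?|billing|invoices?|cart|subscriptions?)(/|$|\?)|[?&](amount|price|total|coupon)=' && echo PAYMENT
    m "$u" 'webhook|/hooks?(/|$|\?)|/notify(/|$|\?)|/ipn(/|$|\?)' && echo WEBHOOK
    m "$u" '/(debug|trace|phpinfo|_profiler|actuator|graphiql)(/|$|\?|\.)|[?&](debug|trace)=' && echo DEBUG
    return 0
}

# Print the URLs in file $2 that land in bucket $1: the contents of a
# priority list such as IDOR_PRIORITY.txt.
bucket_urls() {
    while IFS= read -r line; do
        if [ -n "$line" ] && classify_url "$line" | grep -qx "$1"; then
            printf '%s\n' "$line"
        fi
    done < "$2"
}

# Constructed sample URL list (example.com hosts, not a real target).
write_sample_urls() {
    cat > "$1" <<'EOF'
https://app.example.com/api/v2/orders/10421
https://app.example.com/admin/users/7?tab=billing
https://id.example.com/oauth/authorize?client_id=abc&redirect_uri=https://app.example.com/cb&response_type=code
https://app.example.com/export?format=csv&report_id=f47ac10b-58cc-4372-a567-0e02b2c3d479
https://app.example.com/api/v1/users?page=1
https://app.example.com/actuator/env
https://app.example.com/health
EOF
}
```

Feed it the deduplicated list from the URL Collection stage (for example `bucket_urls IDOR_NUMERIC urls.txt > IDOR_PRIORITY.txt`); a bucket is a review queue for the manual phase, not a finding, and a URL can land in several buckets at once.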
The Burp integration story is well thought through. Rather than being a standalone tool that competes with Burp, BUG Framework explicitly feeds into it. The classified/burp_imports/ directory, the parameter list that feeds into Param Miner, the CSRF PoC HTML files — these are artifacts designed for the manual testing phase, not replacements for it.
The HTML report is production-quality. The generated report is an interactive dashboard with collapsible sections, severity-coded findings, OWASP Top 10 coverage mapping, a full data file index with counts, and a 12-row manual testing guide covering each vulnerability class. It's genuinely presentable.
The resume capability matters. Long scans get interrupted. --resume lets you pick up from the last completed module checkpoint, which is a quality-of-life feature that most similar tools lack.
Honest Limitations
No tool is perfect. Here's what to know going in:
It's bash. That means it's Linux/macOS only, dependencies can be finicky across different distros, and error handling — while present — is not as robust as a purpose-built Python or Go application. The || true pattern throughout means most errors are silently swallowed to keep the scan running.
Tool availability assumptions. The full scan assumes all dependencies are installed. If dalfox isn't in your PATH, the XSS module silently produces empty output. Running bug --install first is not optional.
Scan time. A full deep scan against a large program can take several hours. The --quick flag helps significantly, but comprehensive coverage takes time by nature.
False positives exist. Automated scanners produce false positives. The dalfox XSS results, the SSRF hits, and the JSON mutation findings all require manual validation before reporting. The tool is explicit about this in its generated report — it tells you to open dalfox results in a browser to confirm.
No GUI, no interactive proxy. BUG Framework is a fire-and-report tool. If you need to intercept and modify individual requests, that's Burp's domain.
Getting Started
# 1. Install all dependencies
git clone https://github.com/tanvirahmedcs/Bug-Framework.git
cd Bug-Framework
bug --install
# 2. Run a quick scan to see the output structure
bug -d example.com --quick
# 3. Run a full authenticated scan
bug -d example.com --cookie "session=your_token_here"
# 4. Open the report
xdg-open ~/bug-bounty/example.com/reports/report.html
After your first scan, spend ten minutes with the output directory. The classified target lists, the parameter buckets, the WAF bypass payloads — understanding what got generated and why is what separates hunters who use automated tools as a crutch from hunters who use them as a force multiplier.
Final Verdict
BUG Framework v5.0 is the most complete single-file bug bounty automation tool available. It does not replace Burp Suite for manual testing or Recon-ng for OSINT intelligence gathering. What it does is compress what would normally be six to eight hours of setup, enumeration, and triage into a single command — and produce structured, prioritized output that makes the manual testing phase significantly more efficient.
For bug bounty hunters who are already comfortable with the individual tools (subfinder, nuclei, dalfox, sqlmap), BUG Framework is the missing orchestration layer. For hunters who are still running each tool individually and stitching outputs together by hand, it's a significant upgrade.
The tool reflects a mature understanding of how bug bounty engagements actually work — recon feeds detection, detection feeds classification, classification feeds manual testing, and manual testing feeds the report. Every module in the pipeline was built with that flow in mind.
Run it on your authorized targets. Read what it finds. Then open Burp.
⚡ BUG Framework v5.0 is for authorized security testing on in-scope targets only. Always obtain written permission before testing any system you do not own.