GBounty: Large-Scale Scans with Dynamic Parameters

GBounty: Large-Scale Scans with Dynamic Parameters

 

Today, we want to showcase one of the most powerful and interesting features in GBounty, an open-source tool for detecting vulnerabilities in web applications and APIs. This feature makes it easy to combine multiple URLs with lists of parameters to perform large-scale security assessments, leveraging GBounty’s pre-built or custom profiles.

What Is GBounty?

GBounty is a vulnerability scanner that tests URLs, predefined requests, or zipped request files for common flaws such as XSS, SQL injection, and unauthorized direct access. It also lets you customize each test using profiles and parameters, adapting it to the specific needs of each security audit.

Scanning with Parameter Files

Sometimes, you need to test hundreds or thousands of different parameters to find vulnerabilities on a website, whether via GET or POST. Doing that manually can be slow and tedious. GBounty offers a few flags to streamline this task:

  • -pf, --params-file
    Lets you specify a file containing a list of parameters, one per line. The scanner injects each value into the request.
  • -ps, --params-split
    Tells GBounty how many parameters to include in each request. The default (10) groups 10 parameters at a time to speed up scans. If you want to test each parameter individually, set this to 1.
  • -pm, --params-method
    Sets the HTTP method used to inject parameters. The default is GET, but you can switch to POST (-pm POST) so GBounty sends values in the request body.
  • -pe, --params-encoding
    Controls how parameters are encoded when sent via POST. Use url for application/x-www-form-urlencoded or json for application/json.

These flags work together to give you the flexibility to configure how and how many parameters are injected into each combination of URL and attack profile.

Practical Use Case

Imagine you have a file of URLs (targets.txt) and a parameter list (params_list.txt) you want to test. You’d like to send 10 parameters at a time via POST with URL-encoded data. Your GBounty command might look like this:

gbounty -uf targets.txt -pf params_list.txt -ps 10 -pm POST -pe url -o results.json --json

Here’s what’s happening:

  1. -uf targets.txt reads all the target URLs from targets.txt.
  2. -pf params_list.txt specifies the file containing parameters to inject.
  3. -ps 10 groups 10 parameters per request for faster scanning.
  4. -pm POST sends parameters in the HTTP POST body.
  5. -pe url encodes parameters as application/x-www-form-urlencoded.
  6. Results are written to results.json in JSON format (--json).

Example of targets.txt

Here’s a more detailed illustration of what targets.txt might look like:

https://example.com
https://app.bountysecurity.ai/login
https://test.bountysecurity.ai/path/page
https://shop.bountysecurity.ai/cart
https://api.bountysecurity.ai/v1/users
http://old-legacy-server.local/admin

Each line represents a separate endpoint that GBounty will scan. 

Example of params_list.txt

Below is an example of parameters you might place in params_list.txt. Note that here, we only provide the parameter name for fuzzing purposes; GBounty will inject various payloads or transform them as defined in your profiles:

username
password
search
q
debug
id
page
token
session
input
api_key

Each line corresponds to a single parameter name that GBounty will inject. By using -ps 10, these parameters are batched in groups of 10 per request (or fewer if the list is shorter).

Speed Up Your Scans and Customize Your Tests

If you need to test more aggressively, you can increase concurrency (-c) or the number of requests per second (-r). You can also route traffic through a proxy (--proxy-address) to observe every request in tools like Burp Suite or Zap Proxy.

For instance:

gbounty -uf targets.txt -pf params_list.txt -ps 10 -pm POST -pe url -c 20 -r 50 --proxy-address 127.0.0.1:8080 -o results.json --json

This command groups 10 parameters per request, sends them via POST as application/x-www-form-urlencoded, and ups concurrency and RPS for a faster overall scan.

Publish Your Findings and Contribute

After your testing completes, review the output file and share insights in your vulnerability management platform or final security reports. If you see ways to enhance GBounty’s features or profiles, feel free to open a Pull Request or an Issue in the official GBounty repository .

Conclusion

GBounty adapts to various testing scenarios, enabling broad, sophisticated scans with a single command. Its ability to handle parameter files (-pf) and divide them into groups (-ps) boosts the efficiency of fuzzing and vulnerability discovery. Leverage these options to elevate your security assessments, whether you’re conducting a pentest, participating in CTFs, or running regular internal security checks.

For more details, check out the complete GBounty documentation . If you find this functionality helpful, don’t hesitate to share this article on LinkedIn or Twitter so other security teams can learn about the advantages of this powerful tool. Happy bug hunting!

Back to Posts