Web OSINT Toolbox
Recon is the unsexy part of bug bounty hunting and it's where most of the easy wins live. Before you start poking at endpoints, you want a clear picture of what the target looks like from the outside: who owns the IPs, what tech stack is running, what's exposed, and whether anyone has already flagged something worth a closer look.
Every tool below does some of that work for free, using data that's already public. If you got here from a target's lookup page, every card pre-fills with that target's domain, so each one is a single click away from a real result.
The toolbox
- Hudson Rock: Identify infostealer infection data related to domains and emails
- SSL Labs Test: Analyzes the SSL configuration of a server and grades it
- VirusTotal: Checks a URL against multiple antivirus engines
- Shodan: Search engine for Internet-connected devices
- Archive: View previous versions of a site via the Internet Archive
- URLScan: Scans a URL and provides information about the page
- Sucuri SiteCheck: Checks a URL against blacklists and known threats
- Domain Tools: Run a WHOIS lookup on a domain
- NS Lookup: View DNS records for a domain
- DNS Checker: Check global DNS propagation across multiple servers
- Censys: Look up hosts associated with a domain
- PageSpeed Insights: Checks the performance, accessibility and SEO of a page on mobile and desktop
- BuiltWith: View the tech stack of a website
- DNS Dumpster: DNS recon tool to map out a domain from its DNS records
- BGP Tools: View real-time BGP data for any ASN, prefix or DNS
- SimilarWeb: View approximate traffic and engagement stats for a website
- Blacklist Checker: Check if a domain, IP or email is present on the top blacklists
- Cloudflare Radar: View traffic source locations for a domain through Cloudflare
- Mozilla HTTP Observatory: Assesses website security posture by analyzing various security headers and practices
- AbuseIPDB: Community-sourced database of IPs and domains reported for abuse
- IBM X-Force Exchange: View shared human and machine generated threat intelligence
- URLVoid: Checks a website across 30+ blocklist engines and website reputation services
- URLhaus: Checks if the site is in URLhaus's malware URL exchange
- ANY.RUN: An interactive malware and web sandbox
A note on scope
Everything here is passive recon. You aren't poking the target's servers, you're asking other companies what they've already collected about it. That makes these tools safe to run against almost anything without prior permission.
It does not give you a free pass to wander outside scope. If a program tells you to focus on api.example.com, don't paste example.com into Shodan and start chasing leads from the parent org. Use these to confirm what you're looking at, surface forgotten infrastructure that's actually in scope, and build a clean mental model before you touch a real request.
What each category is good for
- Certificates and security headers. SSL Labs and Mozilla HTTP Observatory grade the TLS configuration and security headers. This is often the first place a real misconfiguration shows up.
- DNS and infrastructure. NS Lookup, DNS Checker, DNS Dumpster, BGP Tools, and Censys map out related hostnames, sibling domains, BGP prefixes, and other hosts on the same network. Forgotten subdomains live here.
- Threat intelligence. VirusTotal, URLScan, URLhaus, URLVoid, Sucuri, AbuseIPDB, IBM X-Force, and Hudson Rock show you what other people have already noticed about a target: blocklists, malware sightings, infostealer logs.
- History and traffic. Internet Archive shows what the site used to look like, often with old endpoints that still work. SimilarWeb and Cloudflare Radar give you a rough sense of how much traffic it sees and where it comes from.
- Tech stack. BuiltWith identifies frameworks and libraries, sometimes down to versions you can check against CVE feeds. PageSpeed Insights is technically a performance tool but the underlying audit data leaks useful info too.
- Sandboxing. ANY.RUN lets you detonate suspicious payloads or URLs in an isolated VM so you don't have to run them on your own machine.