Skip to content

Vligai/bobabot

Repository files navigation

BobaBot

Bug bounty hunting automation CLI tool.

Features

  • Recon Automation - Subdomain enumeration, HTTP probing, asset tracking
  • Vulnerability Scanning - Nuclei integration, content discovery, custom checks
  • Authenticated Scanning - Bearer tokens, cookies, basic auth, custom headers
  • AI Analysis - LLM-powered triage, reporting assistance, natural language queries
  • Reporting - Template-based report generation for HackerOne, Bugcrowd, Intigriti
  • Platform Integration - Sync scopes, submit reports, track submissions
  • Notifications - Discord, Slack, and desktop alerts

Installation

cd bobabot
pip install .

Quick Start

# Configure scope
boba scope add "*.example.com"

# Run recon
boba recon run example.com

# List discovered assets
boba assets list --domain example.com

# Export results
boba assets export results.json --domain example.com

Interactive Shell

boba shell opens a persistent msfconsole-style REPL. Set a target and auth credentials once, then run any command without re-typing flags on every invocation.

boba shell
boba [default]> set target example.com
boba (example.com)[default]> set bearer eyJhbGciOiJSUzI1NiJ9...
boba (example.com)[default]> set profile conservative
boba (example.com)[conservative]> scope add *.example.com
boba (example.com)[conservative]> recon
boba (example.com)[conservative]> scan nuclei https://app.example.com
boba (example.com)[conservative]> findings list --severity critical,high
boba (example.com)[conservative]> exit

State commands: set target/bearer/cookie/basic/header/profile, unset, status

Scope: scope list (indexed), scope add, scope remove <index|pattern>, scope clear, scope check

Scanning: recon, hunt, scan nuclei/discover/checks/ports — all use the active auth from set bearer/cookie/...

Results: assets list/show, findings list

Shell: Tab-completion, persistent history (~/.boba/shell_history), Ctrl-C to cancel input, Ctrl-D to exit.

See docs/cli.md for the full command reference.


Recon Commands

Running Recon

# Full recon pipeline
boba recon run example.com

# Use conservative rate limiting
boba recon run example.com --profile conservative

# Custom ports
boba recon run example.com --ports 80,443,8080,8443

# Resume interrupted scan
boba recon run example.com --resume <session-id>

# Stop at enumeration stage
boba recon run example.com --stop-at enumerate

# Export results to JSON
boba recon run example.com --output results.json

Scope Management

# Add scope rules
boba scope add "*.example.com"
boba scope add "api.example.com"
boba scope add "192.168.1.0/24"

# List all rules (shows index numbers)
boba scope list

# Remove scope rules — by pattern or by index number
boba scope remove "*.example.com"
boba scope remove 1

# Clear all rules
boba scope clear --force

# Check if target is in scope
boba scope check sub.example.com

Asset Management

# List all assets
boba assets list

# Filter by domain
boba assets list --domain example.com

# Filter by status (alive, dead, unknown)
boba assets list --status alive

# Show asset details
boba assets show api.example.com

# Export to JSON
boba assets export results.json

Scanning

Basic Scanning

# Run Nuclei vulnerability scan
boba scan nuclei https://app.example.com

# Content discovery
boba scan discover https://app.example.com

# Custom security checks
boba scan checks https://app.example.com

# Port scan
boba scan ports app.example.com

Authenticated Scanning

All scan commands and boba hunt accept auth flags:

# Bearer token
boba scan nuclei https://app.example.com --bearer "eyJhbG..."
boba scan checks https://app.example.com --bearer "eyJhbG..."

# Session cookie
boba scan discover https://app.example.com --cookie "session=abc123; csrf=xyz"

# Basic auth
boba scan discover https://app.example.com --basic-auth "admin:secret"

# Custom header (repeatable, -H shorthand)
boba scan nuclei https://app.example.com -H "X-API-Key: key123"
boba scan checks https://app.example.com -H "X-API-Key: k" -H "X-Tenant: acme"

# Full hunt with auth
boba hunt example.com --bearer "token" --cookie "session=abc"

Auth can also be set persistently in ~/.boba/config.yaml:

auth:
  bearer: "mytoken"
  cookie: "session=abc"
  basic_user: ""
  basic_password: ""
  headers:
    X-API-Key: "apikey123"

CLI flags override config-file auth. Bearer takes priority over basic auth when both are set.

Credentials

API keys for LLM providers and bug bounty platforms are stored in an encrypted local file (~/.boba/credentials.enc) or your system keyring if available. They are never sent to scan targets.

Cookie vs credential store--cookie / set cookie is HTTP session auth forwarded to the target web app on every request. The credential store holds keys that boba itself uses (Anthropic, HackerOne, etc.) and never leaves your machine.

LLM providers

# Interactive setup (picks Anthropic, OpenAI, or platforms from a menu)
boba config credentials

# Direct — Anthropic
boba config credentials --service anthropic

# Direct — OpenAI
boba config credentials --service openai

Alternatively, set an environment variable (not persisted):

export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."

The AI commands prefer a stored key over the env var, and prefer Anthropic over OpenAI.

Bug bounty platforms

boba config credentials --service hackerone    # prompts username + token
boba config credentials --service bugcrowd
boba config credentials --service intigriti

Arbitrary key-value storage

Store any secret under a <service>/<key> path in the same encrypted store:

# Write
boba config set myapp token abc123
boba config set myapp webhook_url https://hooks.example.com/xyz

# Read
boba config get myapp token

# Delete
boba config delete myapp token

# List all services with stored credentials
boba config list-credentials

Configuration

# Create config directory and copy the example config
mkdir -p ~/.boba
cp config.example.yaml ~/.boba/config.yaml

Requirements

  • Python 3.11+
  • Optional: nuclei, httpx, subfinder, nmap, ffuf

Development

# Clone and install in development mode
git clone https://github.com/bobabot/bobabot.git
cd bobabot
pip install -e ".[dev]"

# Set up pre-commit hooks
pre-commit install

# Run linters manually
black boba/ tests/         # Format code
ruff check boba/ tests/    # Lint code
mypy boba/                 # Type check

# Run tests
pytest tests/ -v

See CLAUDE.md for development context and openspec/ for specifications.

License

MIT

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages