Learn Cybersecurity
Bug Bounty Automation with Rust (2026 Guide)
Build Rust automation for bug bounty recon: dir busting, screenshots, and fast port sweeps—plus how platforms detect abuse.
bug bounty automation rust recon rate limiting
Use Rust to automate recon without breaking program rules. This step-by-step lab builds a small, rate-aware directory brute-forcer against a safe local target, with validation, safety gates, and cleanup.
Architecture (ASCII)
┌────────────────────┐
│ wordlist.txt │
└─────────┬──────────┘
│
┌─────────▼──────────┐
│ dirbuster-rs (Rust)│
│ concurrency + delay│
└─────────┬──────────┘
│ HTTP GETs
┌─────────▼──────────┐
│ Mock Target (Py) │
└─────────┬──────────┘
│ Responses
┌─────────▼──────────┐
│ results.csv │
└────────────────────┘What You’ll Build
- A local mock target served by Python.
- A Rust async dir-buster with concurrency limits, custom User-Agent, and CSV logging.
- Validation checks after each phase plus quick defenses to avoid bans.
Prerequisites
- macOS or Linux with Rust 1.80+ (
rustc --versionto confirm). - Python 3.10+ for the mock target.
- Cargo, Git, and 200 MB free disk.
- Run only against assets you own or have written permission to test.
Safety and Legal
- Stay inside authorized scopes. Do not aim scanners at third-party hosts without written approval.
- Keep concurrency conservative; stop on HTTP 429/403 storms.
- Tag your traffic (User-Agent + contact email) for transparency.
Step 1) Set up a safe mock target
Click to view commands
python3 --version
mkdir -p mock_target/{admin,reports,uploads}
echo "ok" > mock_target/index.html
echo "secret" > mock_target/admin/panel.html
echo "report list" > mock_target/reports/list.html
python3 -m http.server 8000 --directory mock_target > mock_target/server.log 2>&1 &Common fix: If the server fails to start, ensure port 8000 is free or change to 8001 in both server and scanner configs.
Step 2) Scaffold the Rust project
Click to view commands
rustc --version
cargo new dirbuster-rs
cd dirbuster-rsStep 3) Add dependencies and wordlist
Cargo.toml (replace contents):
Click to view toml code
[package]
name = "dirbuster-rs"
version = "0.1.0"
edition = "2021"
[dependencies]
tokio = { version = "1.40", features = ["full"] }
reqwest = { version = "0.12", features = ["json", "gzip", "brotli", "stream", "rustls-tls"] }
futures = "0.3"
clap = { version = "4.5", features = ["derive"] }
csv = "1.3"
indicatif = "0.17"
anyhow = "1.0"Add a minimal wordlist:
Click to view commands
cat > wordlist.txt <<'LIST'
/
/admin
/admin/panel.html
/reports
/reports/list.html
/uploads
/doesnotexist
LISTStep 4) Implement the scanner
Replace src/main.rs with:
Click to view Rust code
use clap::Parser;
use futures::stream::{self, StreamExt};
use indicatif::{ProgressBar, ProgressStyle};
use reqwest::{Client, StatusCode};
use std::{fs::File, time::Duration};
#[derive(Parser, Debug)]
#[command(author, version, about)]
struct Args {
/// Base URL (e.g., http://127.0.0.1:8000)
#[arg(long)]
base: String,
/// Wordlist file
#[arg(long, default_value = "wordlist.txt")]
wordlist: String,
/// Max concurrent requests
#[arg(long, default_value_t = 5)]
concurrency: usize,
/// Delay in ms between batches
#[arg(long, default_value_t = 50)]
delay_ms: u64,
/// Output CSV
#[arg(long, default_value = "results.csv")]
out: String,
}
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let args = Args::parse();
let paths = std::fs::read_to_string(&args.wordlist)?;
let targets: Vec<String> = paths
.lines()
.filter(|l| !l.trim().is_empty())
.map(|p| format!("{}{}", args.base.trim_end_matches('/'), p))
.collect();
let client = Client::builder()
.user_agent("dirbuster-rs (+you@example.com)")
.timeout(Duration::from_secs(10))
.build()?;
let pb = ProgressBar::new(targets.len() as u64);
pb.set_style(
ProgressStyle::with_template(
"{spinner:.green} [{elapsed_precise}] [{wide_bar}] {pos}/{len} ({per_sec})",
)?
.progress_chars("#>-"),
);
let file = File::create(&args.out)?;
let mut wtr = csv::Writer::from_writer(file);
wtr.write_record(["url", "status", "len_bytes"])?;
stream::iter(targets)
.map(|url| {
let client = client.clone();
async move {
let resp = client.get(&url).send().await;
match resp {
Ok(r) => {
let status = r.status();
let len = r.content_length().unwrap_or(0);
// Enhanced: Check for rate limiting
if status == StatusCode::TOO_MANY_REQUESTS {
eprintln!("Rate limited: {}", url);
}
Some((url, status, len))
}
Err(e) => {
// Enhanced: Log errors for debugging
eprintln!("Error fetching {}: {}", url, e);
None
}
}
}
})
.buffer_unordered(args.concurrency)
.for_each(|res| {
pb.inc(1);
if let Some((url, status, len)) = res {
// treat 200/301/302 as interesting
if matches!(status, StatusCode::OK | StatusCode::MOVED_PERMANENTLY | StatusCode::FOUND)
{
println!("{status} {len:>6} {url}");
}
// write all responses for audit
let _ = wtr.write_record([url, status.as_str().to_string(), len.to_string()]);
}
tokio::time::sleep(Duration::from_millis(args.delay_ms)).await;
futures::future::ready(())
})
.await;
wtr.flush()?;
pb.finish_with_message("done");
Ok(())
}Common fixes:
- TLS errors: use
http://127.0.0.1:8000(our mock is HTTP). If you must use HTTPS, ensure certs are valid or adddanger_accept_invalid_certsonly in local tests. - Linker errors on macOS: install Xcode Command Line Tools (
xcode-select --install).
Understanding Why Bug Bounty Automation Matters
Why Automation is Essential
Scale: Bug bounty programs test thousands of endpoints. Manual testing can’t scale to this volume.
Efficiency: Automation finds common vulnerabilities quickly, allowing researchers to focus on complex issues.
Coverage: Automated tools ensure comprehensive coverage of all endpoints and parameters.
Why Rust for Bug Bounty Tools
Performance: Rust’s performance enables fast scanning of large target sets.
Reliability: Rust’s memory safety prevents crashes that could disrupt testing.
Stealth: Rust tools can be configured for stealth, avoiding detection during authorized testing.
Step 5) Run the scanner against the mock target
Click to view commands
cargo run --release -- --base http://127.0.0.1:8000 --concurrency 4 --delay-ms 25Click to view code code
200 3 http://127.0.0.1:8000/
200 6 http://127.0.0.1:8000/admin/panel.html
200 12 http://127.0.0.1:8000/reports/list.htmlStep 6) Add safety controls for real targets
- Real-world safe defaults:
--concurrency 3-6,--delay-ms 50-200, random jitter ±25%, auto-stop after 15 consecutive 429s, and per-domain scope validation. - Default to low concurrency (
--concurrency 3-5) and add jitter (--delay-ms 25-100). - Stop if you see many 429/403 responses; back off or email the program’s abuse contact.
- Include contact info in User-Agent; keep CSV logs for disclosure reports.
- Respect scope: load your allowed domains into the tool and refuse out-of-scope hosts.
- Warning: do NOT add recursive enumeration against real targets without explicit permission—runaway recursion is a top cause of bans.
How Platforms Detect Automated Abuse
- Sustained spikes from the same IP or token.
- High-concurrency scans with no delay or jitter.
- Repeated 404/403 storms and failed probes.
- User-Agents matching known scanners or missing contact info.
- Requests outside declared scope or to many unrelated hosts.
- Correlated activity patterns across multiple researchers.
HTTP Status Quick Reference
| Status | Meaning | Log? | Action |
|---|---|---|---|
| 200 | Page exists | Yes | Human review |
| 301/302 | Redirect | Yes | Follow manually |
| 403 | Forbidden | Yes | Stop if too many |
| 404 | Not found | No | Normal noise |
| 429 | Rate limited | Critical | Back off immediately |
Advanced Scenarios
Scenario 1: Basic Bug Bounty Automation
Objective: Automate basic bug bounty reconnaissance. Steps: Set up automation, implement rate limiting, test against authorized targets. Expected: Basic automation operational.
Scenario 2: Intermediate Advanced Automation
Objective: Implement advanced bug bounty automation. Steps: Multi-tool automation + rate limiting + result aggregation + reporting. Expected: Advanced automation operational.
Scenario 3: Advanced Comprehensive Bug Bounty Program
Objective: Complete bug bounty automation program. Steps: All automation + monitoring + reporting + optimization + compliance. Expected: Comprehensive bug bounty program.
Theory and “Why” Bug Bounty Automation Works
Why Automation Improves Efficiency
- Faster reconnaissance
- Consistent execution
- Scales efforts
- Comprehensive coverage
Why Rate Limiting is Critical
- Respects target resources
- Prevents bans
- Maintains access
- Ethical practice
Comprehensive Troubleshooting
Issue: Rate Limiting Triggers
Diagnosis: Check request rate, review delay settings, analyze rate limit responses. Solutions: Reduce concurrency, increase delays, implement backoff.
Issue: Automation Detected
Diagnosis: Review User-Agent, check request patterns, analyze detection methods. Solutions: Use realistic User-Agents, randomize patterns, implement human-like behavior.
Issue: False Positives
Diagnosis: Review results, verify findings, check validation logic. Solutions: Improve validation, verify findings manually, refine automation.
Troubleshooting Guide
Problem: Rate Limiting Issues
Symptoms: HTTP 429 errors, IP blocked, requests throttled
Solutions:
- Reduce concurrency: Lower
--concurrencyparameter (try 2-3) - Increase delays: Add more delay between requests (
--delay-ms 200-500) - Implement exponential backoff: Retry with increasing delays
- Use proxies: Rotate through multiple IP addresses
- Respect rate limit headers: Parse
Retry-Afterheaders
Problem: Automation Detected
Symptoms: Requests blocked, CAPTCHA challenges, 403 errors
Solutions:
- Use realistic User-Agent strings: Mimic real browsers
- Randomize request patterns: Vary timing and order
- Add request headers: Include Accept, Accept-Language, etc.
- Implement jitter: Random delays (±25%)
- Use session cookies: Maintain sessions across requests
Problem: False Positives
Symptoms: Many results that aren’t actual vulnerabilities
Solutions:
- Improve validation logic: Better heuristics for detection
- Verify findings manually: Review suspicious results
- Tune detection thresholds: Adjust sensitivity
- Filter known false positives: Maintain blacklist
- Cross-reference with other tools: Validate with multiple sources
Problem: High Memory Usage
Symptoms: Process using excessive memory, system slowdown
Solutions:
- Limit concurrent tasks: Reduce parallelism
- Stream results: Don’t store all results in memory
- Use efficient data structures: Optimize wordlist handling
- Process in batches: Process smaller chunks
Problem: Slow Performance
Symptoms: Scanning takes too long, low throughput
Solutions:
- Increase concurrency carefully: Balance with rate limits
- Optimize network code: Use async I/O efficiently
- Profile the code: Identify bottlenecks
- Use connection pooling: Reuse connections
- Parallelize where safe: Concurrent scanning when allowed
Code Review Checklist for Bug Bounty Automation
Rate Limiting & Ethics
- Rate limiting implemented and configurable
- Respects target server rate limits
- Exponential backoff on errors
- Only scans authorized targets
Input Validation
- URLs validated before scanning
- Wordlist validated and sanitized
- Port numbers validated
- Configuration parameters validated
Error Handling
- Network errors handled gracefully
- Rate limit errors detected and handled
- Timeout errors don’t crash the tool
- Proper logging of errors
Security
- No sensitive data in logs
- Results stored securely
- Credentials managed securely
- User-Agent configured appropriately
Testing
- Unit tests for core logic
- Integration tests with mock servers
- Test rate limiting behavior
- Test error conditions
Cleanup
Click to view commands
cd ..
pkill -f "http.server 8000" || true
rm -rf dirbuster-rs mock_targetQuick Reference
- Always get written scope approval before scanning.
- Keep concurrency low; stop on rate-limit signals.
- Log everything (CSV) to prove responsible testing.
- Tag traffic with contact info to reduce blocks and ease triage.
Next Steps
- Add HTML size heuristics to flag likely login pages.
- Add screenshot automation (e.g., chromiumoxide) for visual diffs.
- Implement retry/backoff logic and random jitter.
- Export results to JSON + a simple HTML dashboard.
- Add proxy support (Burp/TLS interception) for manual follow-up.
- Integrate CSV with HackerOne/Jira report templates.