Skip to content

TerminalsandCoffee/salvo-cli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
cmd
cmd
 
 
internal
internal
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
salvo.yaml.example
salvo.yaml.example
 
 
wordlist.txt
wordlist.txt
 
 

Repository files navigation

Salvo

Bug bounty CLI — recon, repeater, and fuzzer in one tool.

Salvo chains subdomain enumeration, HTTP probing, and vulnerability scanning into a single pipeline. It also includes a Burp-style repeater and an Intruder-style fuzzer, so you can go from recon to exploitation without switching tools.

Install

go build -o salvo .

Requires Go 1.24+. For recon, you also need subfinder and httpx on your PATH.

Quick Start

# Recon — enumerate subdomains and probe live hosts
salvo recon -d hackerone.com

# Repeater — send a single crafted request
salvo repeater -X POST -u https://api.example.com/v1/users \
  -H "Authorization: Bearer <token>" \
  -d '{"name": "test"}'

# Fuzz — replace FUZZ keyword with each line from a wordlist
salvo fuzz -u https://example.com/FUZZ -w wordlist.txt --mc 200,301,403

Commands

Command Description
recon Subdomain enumeration + HTTP probing + optional nuclei scan
repeater Send a single HTTP request (Burp Repeater style)
fuzz Intruder-style fuzzing with FUZZ keyword substitution
version Print version

Key Flags

recon

-d, --domain        Target domain (repeatable for multiple)
    --domain-list   File with target domains
    --scope         File with in-scope patterns
    --skip-subfinder  Skip subdomain enumeration
    --skip-httpx      Skip HTTP probing
    --rate-limit    Requests per second for httpx
    --threads       Concurrent workers per tool
    --output-dir    Output directory (default: output)
    --output-format json | jsonl | markdown
    --dry-run       Print commands without executing
    --resume        Resume from previous state

repeater

-X, --method    HTTP method (default: GET)
-u, --url       Target URL (required)
-H, --header    HTTP header, repeatable (format: "Key: Value")
-d, --data      Request body
-r, --raw       Path to raw HTTP request file
    --timeout   Request timeout in seconds (default: 10)

fuzz

-X, --method    HTTP method (default: GET)
-u, --url       Target URL with FUZZ marker (required)
-w, --wordlist  Path to wordlist file (required)
-H, --header    HTTP header with optional FUZZ marker
-d, --data      Request body with optional FUZZ marker
    --threads   Concurrent workers (default: 10)
    --mc        Match status codes (default: 200,204,301,302,307,401,403,405,500)

Global

    --config    Config file path (default: ./salvo.yaml)
-v, --verbose   Verbose output

Config

Salvo reads from ./salvo.yaml or $HOME/.config/salvo/salvo.yaml. See salvo.yaml.example for all options. CLI flags override config values. Environment variables with SALVO_ prefix are also supported.

Built by [Sigilo] a branch of Terminals and Coffee.

About

Bug bounty CLI — recon, repeater, and fuzzer in one tool.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages