Important tools I used for bug bounty hunting
WPScan - scans WordPress website content
JoomScan - scans Joomla website content
whatcms.org - detects the CMS used by the website and its version
CMSmap
Scrapy - finds and crawls websites from search engines
BuiltWith - finds the technology the website is based on
Wappalyzer - finds the website's technologies
Cookie Editor - extension for performing cookie authentication, etc.
nmap - finds open ports, services, version numbers; content discovery
DirBuster - brute-forces directory and file names on a web application server or a misconfigured server, including ones not meant to be publicly exposed.
Knockpy - subdomain enumeration using a wordlist
Sublist3r - subdomain enumeration using search engines
Wfuzz - preinstalled on Kali; a fuzzing and discovery tool for discovering web content using a wordlist.
Striker - finds vulnerabilities and collects offensive information
Burp Suite - proxy Swiss Army knife for hunting
Massdns
Dnsenum
Masscan
Sn1per
XSStrike - finds XSS vulnerabilities in a website
sqlmap - finds SQL injection vulnerabilities
wafw00f
https://gchq.github.io/CyberChef/ - tool for performing encoding and decoding algorithms.
google dork -
OWASP ZAP
-------------------Vulnerabilities exploitation--------------------
LFISuite - finds LFI with a command-line tool (Kali only).
sqlmap - finds SQL injection vulnerabilities