github blacklanternsecurity/bbot v3.0.0
3.0.0

latest release: v3.0.0.6rc
5 hours ago

BBOT 3.0.0

Warning

Upgrading from 2.x is not drop-in. The CLI, flags, preset syntax, event API, config keys, and module set all changed in backwards-incompatible ways. Read the 2.x to 3.0 migration guide before upgrading. The changes most likely to bite:

  • -s now means --seeds, not --silent (silent moved to -S). A script passing -s for quiet output will now add a seed instead, with no error.
  • --whitelist was retired: -t/--targets now defines scope, and -s/--seeds drives the scan.
  • --allow-deadly was removed, and several flags were renamed (e.g. noisy to loud).
  • Module options are now pydantic-validated; the legacy options dict hard-fails.
  • Some event types, event attributes, and config keys were renamed or removed.

Highlights

  • New HTTP engine (blasthttp): in-process, rate-limited HTTP replacing the httpx subprocess (#2992, #3021)
  • New DNS engine (BlastDNS) (#3042)
  • Pydantic config + preset validation: typos and type errors are caught before a scan starts (#2486, #3058)
  • Scope rework: clean split between target (scope) and seeds (drivers); --whitelist retired (#2789)
  • Findings and Vulnerabilities unified, with Severity and Confidence (#2436, #2740)
  • asndb: faster ASN enrichment, plus ASNs usable as scan targets (#2957, #2741)
  • Lightfuzz overhaul: new SSRF and ESI submodules, far fewer false positives (#2967)
  • Major performance work: memory and CPU optimizations, bounded DNS caches, HTTP body stripping, string interning (#2953, #3085, #3088)
  • Preset naming / tag standardization across flags, presets, and event tags (#2986)
  • New modules: MongoDB / Elastic / Kafka / RabbitMQ / ZeroMQ / NATS outputs, legba, trajan, virtualhost, waf_bypass, dnsspf, Hetzner bucket
  • Modules removed: wappalyzer, smuggler, digitorus, sitedossier, passivetotal, wpscan

Core & Packaging

  • Packaging moved from Poetry to uv + hatchling, and supported Python is now 3.10 - 3.14 (#2900, #2731).
  • Config values and presets are validated with pydantic before a scan runs, so typos and wrong types fail fast instead of silently doing nothing. The legacy per-module options dict is no longer accepted (#2486, #3058, #3119).
  • Malformed YAML in a config or preset now produces a readable error instead of a stack trace (#3159).
  • New --reset-config / --reset-secrets to regenerate stale config files (#3240).

Scope & Targeting

  • Scope was reworked around a target/seeds split: -t/--targets defines scope, -s/--seeds supplies the starting events, --whitelist is gone, and --strict-scope now means "this exact host only" (#2789).
  • ASNs can be used directly as scan targets (#2741).
  • Files can be passed as targets, seeds, or blacklist entries inside presets, and target lists may contain comments (#2996, #3031).

HTTP & Web

  • All web traffic now runs in-process through one shared, rate-limited client (blasthttp) instead of a separate httpx subprocess (#2992, #3021).
  • HTTP wildcard/catch-all host detection cuts false positives on servers that answer every request (#3164).
  • 429 Too Many Requests responses are now honored for rate limiting (#3145).
  • HTTP timeout settings were consolidated into one place (#3222).
  • SSL verification was split so BBOT verifies its own infrastructure calls by default while still not verifying untrusted target traffic (#3186).

DNS

  • New DNS resolution engine, BlastDNS (#3042).
  • Fixed the DNS brute-force canary check, which was silently non-functional (#3005).
  • SPF records now yield the IPs and CIDRs they authorize (#3144).
  • Better graph fidelity for shared infrastructure, and noisy PTR floods are collapsed / filtered by default (#3141, #3115, #3039).

Findings & Output

  • Findings and Vulnerabilities are now a single event type carrying Severity and Confidence (#2436, #2740).
  • Human-readable stdout for every event type, improved URL display, and a finding-severity breakdown in the status line (#3035, #3023, #3024).
  • Output modules are additive: enabling one keeps the defaults, with a new exclude_output_modules to opt out (#3221).
  • Findings are de-duplicated in output, and --no-color is supported (#3074).

Modules

New:

  • Output modules: MongoDB, Elastic, Kafka, RabbitMQ, ZeroMQ, and NATS.
  • legba - credential brute-forcing across many services.
  • trajan - scans GitHub, GitLab, Azure DevOps, Jenkins, and JFrog for misconfigurations.
  • virtualhost - virtual-host fuzzing.
  • waf_bypass - WAF-bypass detection.
  • shodan_enterprise - Shodan Enterprise API integration.
  • Hetzner object-storage bucket enumeration.

Removed: wappalyzer, smuggler, digitorus, sitedossier, passivetotal, wpscan.

Notable improvements:

  • Lightfuzz overhaul: new SSRF and ESI submodules, "try POST as GET," a default WAF filter, and a large false-positive reduction across padding-oracle, deserialization, and SQLi detection (#2967, #2950, #2784).
  • webbrute reworked around HttpCompare baselines; paramminer dedup and wordlist cleanup; gowitness reliability fixes; concurrent probing in aspnet_bin_exposure (#3166, #3067, #3180).
  • shodan_idb now enriches CVE findings with severity and CVSS (#3082).
  • Bundled scanners and signatures updated (nuclei, trufflehog, baddns, badsecrets).

Performance

  • Broad memory and CPU pass: bounded (LRU) DNS caches, HTTP response bodies stripped after processing, repeated strings interned, and reduced event-loop saturation and allocation pressure - meaningfully lower memory footprint on large scans (#2953, #3085, #3088, #3003, #3002).

Security

  • Hardened pickle handling in webbrute_shortnames plus additional input-validation patches (#3200, #3196, #3201).

Documentation

  • New 2.x to 3.0 migration guide and a full documentation refresh (#3128).

Don't miss a new bbot release

NewReleases is sending notifications on new releases.