PayloadsAllTheThings - https://lnkd.in/gjTPbtz
cujanovic - https://lnkd.in/gSTJQN4
Payload Box (cmdi , sqli , xss , lfi , rfi etc) - https://lnkd.in/g6B28dU
SecLists - https://lnkd.in/g6ucAZQ
import poe, sys | |
client = poe.Client("<POE_API_KEY_HERE>") | |
title=sys.argv[1] | |
path=sys.argv[2] | |
more="" | |
if len(sys.argv) > 3: | |
more="\" and here is more information: "+sys.argv[3] | |
message="""generate a bug bounty report for me (hackerone.com), the title of the bug is """+title+""" and the vulnerability path is \""""+path+more+""" |
PayloadsAllTheThings - https://lnkd.in/gjTPbtz
cujanovic - https://lnkd.in/gSTJQN4
Payload Box (cmdi , sqli , xss , lfi , rfi etc) - https://lnkd.in/g6B28dU
SecLists - https://lnkd.in/g6ucAZQ
Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk
I have included my script in another file (main.sh), which I used in discovering this vulnerability.
I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.
I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.
# Copyright 2017-2020 Jeff Foley. All rights reserved. | |
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. | |
# Should results only be collected passively and without DNS resolution? Not recommended. | |
#mode = passive | |
mode = active | |
# The directory that stores the Cayley graph database and other output files | |
# The default for Linux systems is: $HOME/.config/amass | |
#output_directory = amass |
#!/usr/bin/env python3 | |
# @ih3bski | |
from flask import Flask | |
from flask_sqlalchemy import SQLAlchemy | |
import uuid | |
from loguru import logger | |
import sys | |
app = Flask(__name__) |
inurl /bug bounty | |
inurl : / security | |
inurl:security.txt | |
inurl:security "reward" | |
inurl : /responsible disclosure | |
inurl : /responsible-disclosure/ reward | |
inurl : / responsible-disclosure/ swag | |
inurl : / responsible-disclosure/ bounty | |
inurl:'/responsible disclosure' hoodie | |
responsible disclosure swag r=h:com |
GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.
You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.
$ python githubcloner.py --org organization -o /tmp/output