191 lines (153 loc) · 8.91 KB

README.md

File metadata and controls

191 lines (153 loc) · 8.91 KB

bbr

An open source tool to aid in command-line-driven generation of bug bounty reports from user-provided templates. Useful for piping a report from one application into another (such as an automatic submission tool).

Arguments

| Argument | Description |
| --- | --- |
| -h | Display help message and exit |
| -r | Path to template file to use |
| -t | Value to replace _target_ with; also used as the target for the dig and whois commands |
| -u | Username to replace _username_ with |
| -o | Output file name (optional) |
| -p | Value to replace _program_ with (optional) |
| -re | Value to replace _researcher_ with (optional) |

BBR then processes the template file and makes the following replacements. Not every placeholder needs to be present in a template, and a placeholder may appear more than once:

| Placeholder | Description |
| --- | --- |
| _target_ | Replaced with the value of the -t argument |
| _username_ | Replaced with the value of the -u argument |
| _program_ | Replaced with the value of the -p argument |
| _researcher_ | Replaced with the value of the -re argument |
| _sha_ | Replaced with the SHA256 hash of the -u argument (the username) |
| _nameservers_ | Replaced with the output of "dig NS @8.8.8.8 target" |
| _dig_ | Replaced with the output of "dig @8.8.8.8 target" |
| _whois_ | Replaced with the whois output for the target parameter |
| _wayback_ | Replaced with an automatic Wayback Machine link for the -t argument |
| _dig-txt_ | Replaced with the target's DNS TXT records |
| _curl_ | Replaced with the HTTP response for the -t argument |
| _joke_ | Replaced with a joke |
| _punchline_ | Replaced with the punchline for said joke |

Functionality

BBR takes a provided template file and makes replacements throughout that file using the provided arguments. For example, the following template file (stored in this repository as template.txt):

````text
# Summary
The domain _target_ was found to have a CNAME that was pointing to an unregistered domain.

It was possible to register this domain, and to host content on the _target_ website. Given this domain is attributed to _program_ (see: attribution) I hosted only a SHA256 string of my researcher account, _researcher).

This can be verified by using the following in the terminal:

```
echo "_username_" | sha256sum
```
Which should present the resulting string:
```
_sha_
```
Which matches what I placed on _target_ for verification.

This has also been stored on the Wayback engine, in case this is resolved before this submission is able to be triaged: _wayback_

# Attribution
A whois of the domain _target_ shows a direct match to other domains relating to _program_, showing this as belonging to _program_:

```
_whois_
```

# Recommendation
Remove the CNAME associated with _target_, or decommission the domain entirely with a redirection to other domains of _program_. If you would like the domain I've claimed to be transferred to you, please don't hesitate to request it within this submission.

# Joke
Triage is a tough gig, here's a joke to lighten the load!

_joke_

... _punchline_
````

When used with the following command:

```shell
➜  ./bbr -t example.com -p Example -u codingo -r ./template.txt | tee
```

it outputs the following report:

````text
# Summary
The domain example.com was found to have a CNAME that was pointing to an unregistered domain.

It was possible to register this domain, and to host content on the example.com website. Given this domain is attributed to Example (see: attribution) I hosted only a SHA256 string of my researcher account, _researcher).

This can be verified by using the following in the terminal:

```
echo "codingo" | sha256sum
```
Which should present the resulting string:
```
10c989bbd4963c465e0941acd70833d5579ca846f5a68eadc8bcf63801b3993b
```
Which matches what I placed on example.com for verification.

This has also been stored on the Wayback engine, in case this is resolved before this submission is able to be triaged: example.com

# Attribution
A whois of the domain example.com shows a direct match to other domains relating to Example, showing this as belonging to Example:

```
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 2336799_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.iana.org
   Registrar URL: http://res-dom.iana.org
   Updated Date: 2020-08-14T07:02:37Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2021-08-13T04:00:00Z
   Registrar: RESERVED-Internet Assigned Numbers Authority
   Registrar IANA ID: 376
   Registrar Abuse Contact Email:
   Registrar Abuse Contact Phone:
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   DNSSEC: signedDelegation
   DNSSEC DS Data: 31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
   DNSSEC DS Data: 31589 8 2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03E576343C
   DNSSEC DS Data: 43547 8 1 B6225AB2CC613E0DCA7962BDC2342EA4F1B56083
   DNSSEC DS Data: 43547 8 2 615A64233543F66F44D68933625B17497C89A70E858ED76A2145997EDF96A918
   DNSSEC DS Data: 31406 8 1 189968811E6EBA862DD6C209F75623D8D9ED9142
   DNSSEC DS Data: 31406 8 2 F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-08-22T03:11:57Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       EXAMPLE.COM

organisation: Internet Assigned Numbers Authority

created:      1992-01-01
source:       IANA


```

# Recommendation
Remove the CNAME associated with example.com, or decommission the domain entirely with a redirection to other domains of Example. If you would like the domain I've claimed to be transferred to you, please don't hesitate to request it within this submission.

# Joke
Triage is a tough gig, here's a joke to lighten the load!

What was the pumpkin’s favorite sport?

... Squash.
````

This can then be submitted to your platform of choice, and the template is reusable as you find further vulnerabilities of the same type.
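The placeholder table and the Functionality section above describe a single-pass template substitution: user-supplied arguments, a SHA256 of the username, a Wayback link, and text fetched from network commands all get spliced into the report. The following is an added example, not bbr's own code, that reimplements that substitution in Python so the behaviour can be run offline. The `_sha_` value is computed over the username plus a trailing newline, which is what `echo "<username>" | sha256sum` in the template's verification step hashes; whether bbr hashes the bytes the same way is an assumption. The Wayback URL pattern, the `render`/`lookups` names, the shortened template, and the canned whois text are all constructed for the example. Network-derived placeholders (`_whois_`, `_dig_`, `_curl_`, ...) are supplied by injected functions, and the design point worth copying is that their output is never rescanned for placeholders: a whois record or HTTP body returned by a third party that happens to contain `_username_` is embedded literally rather than expanded into your data.

```python
import hashlib
import re
from typing import Callable, Dict, Optional

# Placeholder names as documented in the README (bbr wraps each in underscores).
PLACEHOLDER_RE = re.compile(
    r"_(target|username|program|researcher|sha|nameservers|dig|dig-txt|"
    r"whois|wayback|curl|joke|punchline)_"
)


def sha256_of_username(username: str) -> str:
    """Hex SHA-256 matching `echo "<username>" | sha256sum`.

    echo appends a newline, so the newline is part of the hashed bytes.
    Assumption: bbr computes _sha_ over the same bytes; the README only
    shows the shell command used to verify it.
    """
    return hashlib.sha256((username + "\n").encode()).hexdigest()


def wayback_link(target: str) -> str:
    """Assumed form of the 'automatic wayback link'; the README does not
    show the URL pattern, only the placeholder."""
    return f"https://web.archive.org/web/*/{target}"


def render(template: str, args: Dict[str, str],
           lookups: Optional[Dict[str, Callable[[str], str]]] = None) -> str:
    """Single-pass placeholder substitution (hypothetical reimplementation).

    args    -- command-line style values: target, username, program, researcher
    lookups -- per-placeholder functions that take the target and return text
               (whois, dig, curl, ...). Injected so the example runs offline.
    Placeholders with no value are left untouched so the author can see what
    the report is still missing. Because re.sub visits each placeholder once,
    text returned by a lookup is never rescanned: an untrusted whois record or
    HTTP body containing `_sha_` or `_username_` stays literal.
    """
    lookups = lookups or {}
    values: Dict[str, str] = {}
    for key in ("target", "username", "program", "researcher"):
        if args.get(key):
            values[key] = args[key]
    if args.get("username"):
        values["sha"] = sha256_of_username(args["username"])
    if args.get("target"):
        values["wayback"] = wayback_link(args["target"])
        for name, fn in lookups.items():
            values[name] = fn(args["target"])

    def substitute(match):
        name = match.group(1)
        # Unknown or unset placeholder: return the original text unchanged.
        return values.get(name, match.group(0))

    return PLACEHOLDER_RE.sub(substitute, template)


# Constructed sample template: a trimmed version of the README's template.txt.
SAMPLE_TEMPLATE = """# Summary
The domain _target_ had a dangling CNAME. Program: _program_. Researcher: _researcher_.
Verify with: echo "_username_" | sha256sum -> _sha_
Archived: _wayback_

# Attribution
_whois_
"""


def fake_whois(target: str) -> str:
    """Constructed whois text standing in for the real `whois` command.
    It deliberately contains a placeholder-looking token to show that lookup
    output is not rescanned for substitution."""
    return f"Domain Name: {target.upper()}\nRegistrant Org: _username_ Holdings\n"


def demo() -> str:
    """Render the sample template with the README's example arguments
    (no -re given, so _researcher_ is left in place)."""
    return render(
        SAMPLE_TEMPLATE,
        {"target": "example.com", "username": "codingo", "program": "Example"},
        {"whois": fake_whois},
    )


if __name__ == "__main__":
    print(demo())
```

Running the block prints the rendered report; `_researcher_` survives because no researcher value was given, and the `_username_` token inside the canned whois output survives because lookup output is inserted, not re-expanded.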