Bug Bounty Toolkit
Last updated: 15th April 2019
Bug bounty platforms and programs
Free capture the flag virtual machines to download, run, and practice against.
Free downloadable VMs and paid for online training and labs. Certainly worth checking out.
“Tiredful API is intentionally designed broken app. The aim of this web app is to teach developers, QA or security professionals about flaws present in webservices (REST API) due to insecure coding practice.”
My Tips and Tricks
My tips and guides:
Mastering Modern Web Penetration Testing, Prakhar Prasad, Oct 2016
The Web Application Hacker’s Handbook (Second Edition), Dafydd Stuttard & Marcus Pinto, Oct 2011
The Bug Hunters Methodology, Jason Haddix, 2017+ (github)
IoT Pentesting Guide, Aditya Gupta, 2017+ (gitbook)
How To Shot Web — Jason Haddix, 2015
Bug Bounty Hunting Methodology v2 — Jason Haddix, 2017
Hunting for Top Bounties — Nicolas Grégoire, 2014
The Secret life of a Bug Bounty Hunter — Frans Rosén, 2016
Finding Bugs with Burp Plugins & Bug Bounty 101 — Bugcrowd, 2014
How to hack all the bug bounty things automagically reap the rewards profit — Mike Baker, 2016
Common vulnerability guides
OWASP Top 10
OWASP Top 10, 2017 RC2 [PDF]
SSRF Bible Cheetsheet
File upload Stored XSS
Bug Bounty Writeups
Awesome Bug Bounty
Wordlists, Patterns, Payloads, etc.
Jason Haddix’s enormous list of subdomain strings. Built from publicly seen subdomains, folders, filenames, etc. Grab it and add your own findings if they’re missing.
A great collection of common filenames, payloads, and more. Have a look through yourself to understand the full scope of this excellent collection.
Passive reconnaissance tools provide information without actually touching your target while also doing a lot of the hard work for you.
The search engine for things connected to the internet. IP, port, application, banners, etc.
“Find out what websites are Built With”
Takes screenshots of sites running on ports 80 and 443 for you to quickly view what is running without waiting for your browser.
Censys continually monitors every reachable server and device on the Internet, so you can search for and analyze them in real time. Understand your network attack surface”. Check for open ports and applications on a specific IP without running a portscan yourself.
Lots of passive reconnaissance tools in here and too many to repeat again.
SSL Certificate allocation based DNS enumeration using the public record of SSL certificates.
Facebook Certificate Transparency Monitoring
“Certificate Transparency is an open framework to log, audit and monitor all publicly-trusted TLS certificates on the Internet. This tool lets you search for certificates issued for a given domain. Subscribe to email updates to be alerted when new certificates are issued.”
Find subdomains for *.example.com bounty scopes via SSL certificate registration information. You can also subscribe to find out when new certificates are issused for your target.
Google Certificate Transparency Monitoring
Similar to that from Facebook and cert.sh, but from Google.
Forward DNS (FDNS)
A 20+GB compressed, 300+GB uncompressed JSON dataset containing the ANY and A/AAAA record query results for a huge number of domains. Download and search through it for a given list of names using a JSON parser or simply using zgrep.
If DNS records are being protected by a firewall such as Cloudflare or Akamai use this to see the DNS record history of a domain. Also useful for non-firewalled DNS entries to see where they pointed in the past in case services are still live or if IP addresses are running new services.
Source Code Analysis
Tool for advanced mining for content on Github. Usernames, passwords, ssh keys, etc.
Link and domain takeovers
Find broken links in websites. Run with:
blc -rfoi --exclude linkedin.com --exclude youtube.com --filter-level 3 https://example.com/
“CloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don’t restrict network access to the CloudFlare IP ranges as they should.
The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target’s domain name.”
A high performance DNS subdomain enumeration tool. Combine with ALL.txt via the included subbrute.py
./subbrute.py ALL.txt example.com | ./bin/massdns -r resolvers.txt -t A -a -o -w results.txt -
Virtual Host Discovery
Similar to massdns, use this tool to brute force virtualhosts for a given domain on a specified IP address
A high performance directory enumeration tool written in Go. Lightening fast. Combine with ALL.txt
Teh S3 Bucketeers
The replacement for Sandcastle S3, the S3 bucket enumeration and permission check tool. Use with common_bucket_prefixes.txt instead of the default list. There’s a lot of scope here to customise the prefix and target list but the foundations of the tool are sound. Combine with the output from massdns for better results.
A similar tool to The S3 Bucketeers. Combine with the output from massdns for better results.
A few active reconnaissance tools in here and again too many to repeat.
IoT Reading Materials
IoT Firmware Analysis
A quick start guide to analysing and dissecting firmware binaries.
Firmware Analysis Basics
A similar guide to the OWASP publication with a bit more detail on how to obtain firmware and analyse it. A good accompaniment.
Bug Hunting Drilling Into the Internet of Things (IoT)
A very good guide on IoT hardware/app security analysis. The appendix contains a proven process for bypassing certificate pinning on android devices.
IoT Hacking Tools
Firmware Analysis Toolkit
A bundle containing:
Abusing Firefox Extensions — Roberto Suggi Liverani & Nick Freeman, 2017