Published in Hacking/Security

How to install (and use) BBRF

First, you need to install CouchDB with SSL enabled.

The next step is creating the database and a user/password pair. You need to set your domain, the admin password and the user (bbrf) password in this script.

Be careful when using special characters in the password value.

1. Download the config script using the following command:

2. Open configbbrf.sh and edit the PASS_ADMIN and USER_ADMIN values.

3. Give the script execute permissions:

4. Run the script and pray to your God/s or Goddess/es.

The output should look like this (if every check reports true, you are very lucky):

Test the Dashboard

To test the dashboard, go to this URL and fill in the values:

If it doesn't load, check the browser's console: you might be getting a CORS error. Also try pressing F5 on the dashboard.

Installing the client

Test that it worked

On some occasions you might get this error:

The error occurs because the path $HOME/.local/bin was not added correctly to the PATH variable. Try:

If the problem persists, add this line to the end of your .bashrc file (don't forget to source .bashrc afterwards):

Configure the client

Now we need to create the config file:

cat > ~/.bbrf/config.json << EOF
{
"username": "bbrf",
"password": "your_password",
"couchdb": "https://<your-bbrf-server>/bbrf",
"slack_token": "<a slack token to receive notifications>",
"discord_webhook": "<your discord webhook if you want one>",
"ignore_ssl_errors": true
}
EOF
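The template above contains two things worth catching before the client is used: placeholder values that were never replaced, and "ignore_ssl_errors": true, which turns off certificate validation for every request the client makes to CouchDB (so a spoofed or intercepted endpoint would not be noticed, while the credentials are sent along anyway). The following script is an added example, not part of the original post or of the BBRF project: it loads a config in that layout and reports such findings. The SAMPLE_CONFIG dictionary is constructed from the template; the required-key list and the checks are my own assumptions about what a sane config looks like.

```python
import json
import os
import re
from urllib.parse import urlparse

# Constructed sample that mirrors the config.json template above (not a real deployment)
SAMPLE_CONFIG = {
    "username": "bbrf",
    "password": "your_password",
    "couchdb": "https://<your-bbrf-server>/bbrf",
    "slack_token": "<a slack token to receive notifications>",
    "discord_webhook": "<your discord webhook if you want one>",
    "ignore_ssl_errors": True,
}

# Assumption: these three keys are the minimum the client needs to talk to CouchDB
REQUIRED_KEYS = ("username", "password", "couchdb")
# Anything still wrapped in angle brackets was copied from the template unchanged
PLACEHOLDER = re.compile(r"<[^>]+>")


def check_config(cfg):
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append(f"missing required key: {key}")
    for key, value in cfg.items():
        if isinstance(value, str) and PLACEHOLDER.search(value):
            findings.append(f"placeholder still present in {key}")
    if cfg.get("password") == "your_password":
        findings.append("password is the template default")
    if urlparse(cfg.get("couchdb", "")).scheme != "https":
        findings.append("couchdb URL is not https: credentials would be sent in clear text")
    if cfg.get("ignore_ssl_errors") is True:
        findings.append("ignore_ssl_errors is true: the certificate is never validated, "
                        "so a spoofed CouchDB endpoint would not be detected")
    return findings


def check_config_file(path=os.path.expanduser("~/.bbrf/config.json")):
    """Load the real client config from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_config(json.load(fh))


if __name__ == "__main__":
    # Run against the constructed sample; call check_config_file() for the real file
    for finding in check_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Once CouchDB presents a certificate that the client machine trusts, set ignore_ssl_errors to false; the check above then passes and the client validates the server on every request.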

Testing it

Let's see if everything is working correctly by running this command:

If everything is OK you will get an empty response.

Let's create a program (using tags with the -t flag):

The tags help me categorize programs by reward type, by platform (HackerOne, Bugcrowd, self hosted, etc.) and by whether the program has mobile apps; the url tag makes it easy to jump to the program definition when I need details or want to send a report.

Now let's define the in-scope and out-of-scope targets:

Similarly, for the out-of-scope entries:

Let's check the program now:

{
  "_id": "Fintual",
  "_rev": "3-1e23e3fbd2c7bfce9aae56e9c8b4b9c7",
  "type": "program",
  "disabled": false,
  "passive_only": false,
  "inscope": ["*.fintual.com", "*.fintual.cl", "*.fintual.co"],
  "outscope": ["*.fintualist.com"],
  "tags": {
    "reward": "money",
    "site": "self",
    "url": "https://fintual.com/security-policy.txt",
    "android": "true",
    "recon": "true"
  }
}

We still don't have any domains or URLs. Let's add them:

For the first method you need subfinder installed and configured:

For the second method you need assetfinder:

Notice that I'm using the -s flag to store the 'source' of the domains.
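Subdomain enumerators return everything they find, including hosts that merely contain the program's name, so it is worth checking their output against the inscope and outscope lists of the program document above before storing it. The script below is an added example, not part of the original post or of the BBRF client: it normalizes hostnames the way tool output tends to need (case, trailing dot, port) and keeps only hosts that match an inscope entry and no outscope entry. The matching rule is my assumption: a wildcard such as *.fintual.com covers the apex and all of its subdomains, comparison is on label boundaries (notfintual.com does not match), and an outscope hit always wins. PROGRAM_JSON is the program document from above trimmed to the scope fields, and ENUM_OUTPUT is constructed sample output.

```python
import json
import sys

# The program document shown above, reduced to the fields this check needs
PROGRAM_JSON = ('{"_id":"Fintual","type":"program",'
                '"inscope":["*.fintual.com","*.fintual.cl","*.fintual.co"],'
                '"outscope":["*.fintualist.com"]}')

# Constructed sample of what a subdomain enumerator might print, one host per line
ENUM_OUTPUT = """\
www.fintual.com
API.fintual.com.
app.fintual.cl:443
dev.fintualist.com
fintual.co
notfintual.com
fintual.com.evil.example
"""


def normalize(host):
    """Lower-case, drop a port suffix and a trailing dot from a raw hostname line."""
    host = host.strip().lower()
    host = host.split(":")[0]
    return host.rstrip(".")


def matches(host, pattern):
    """Assumed rule: '*.example.com' covers example.com and every subdomain of it;
    a pattern without a wildcard must match the host exactly."""
    if pattern.startswith("*."):
        apex = pattern[2:]
        # endswith on ".apex" keeps the comparison on a label boundary
        return host == apex or host.endswith("." + apex)
    return host == pattern


def in_scope(host, inscope, outscope):
    """In scope if some inscope pattern matches and no outscope pattern does."""
    return (any(matches(host, p) for p in inscope)
            and not any(matches(host, p) for p in outscope))


def filter_hosts(lines, program):
    """Split raw enumerator lines into (kept, dropped) normalized hostnames."""
    kept, dropped = [], []
    for raw in lines:
        if not raw.strip():
            continue
        host = normalize(raw)
        target = kept if in_scope(host, program["inscope"], program["outscope"]) else dropped
        target.append(host)
    return kept, dropped


if __name__ == "__main__":
    # Read hosts from a pipe if there is one, otherwise use the constructed sample
    lines = sys.stdin if not sys.stdin.isatty() else ENUM_OUTPUT.splitlines()
    kept, dropped = filter_hosts(lines, json.loads(PROGRAM_JSON))
    for host in kept:
        print(host)
    print(f"# kept {len(kept)}, dropped {len(dropped)}: {', '.join(dropped)}",
          file=sys.stderr)
```

Run with the enumerator's output on stdin and the in-scope hosts come out on stdout, one per line, ready to be piped into the BBRF domain-add command from this step; the dropped hosts go to stderr so they can be reviewed rather than silently lost.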

Now, let's add some URLs.

You need httpx installed:

For this one you need httprobe installed:

Let's count the data we gathered for this program:

# of domains

# of URLs

That's the basic use of BBRF.
