
Automated Brilliance: Essential Bug Bounty Tools For Ethical Hackers


I think I have a problem: I cannot stop building bug bounty automation. I have now built a complete bug bounty automation framework from scratch three times. It gets better every time, but I am still not happy, and I am about to start building the fourth iteration.

Every time I build it, I refine the process. In this article I will walk through every attempt I have made at building a bug bounty automation framework, the successes and the failures, and then explain exactly how I am building the next one.


This is how many of my tools start: I get an idea that sounds simple in theory, badly underestimate the work involved, and try to implement it as a bash script. My bug bounty automation was no different.


I ran the script overnight and had trouble sleeping; I was excited to wake up and see the results. I was hoping I would be done in a week, maybe two, because a pile of bounties would be waiting for me the next morning in vulns.txt. Once the big bucks came in, I could finally spend all my waking hours eating ramen and watching Antiques Roadshow with my cats.

In fact, I woke up the next morning to find that the bash script had fallen over somewhere along the line, and I could not even find an error message. I quickly realised that this approach was not going to work.

To solve the problems I had with the bash script, I decided to start over with a proper framework. The framework I knew best at the time was Laravel (PHP), but I went with Django because most of the hacking tools I was using were written in Python.

The first problem to solve was data storage. I ended up storing everything in a relational database (PostgreSQL) through the Django ORM, with relationships between the objects mirroring how they relate in the real world (for example, a root domain owns the subdomains found under it). It looked like this:


With these relationships in place, it is easy to ask the database questions such as:

Each model also carries created and modified timestamps (Django does not add these for you; you declare DateTimeFields with auto_now_add and auto_now), so you can ask questions like this:

Django is generally thought of as a web framework. My initial intention was to build a web front end for running the automation, but Django also works very well as a framework for command line applications through its management commands. Instead of writing a whole website, I wrote each step of the automation as a custom management command so it could be run from the command line, scheduled with cron, wrapped in a bash script, and so on.


For example, I wrote a management command that takes every root domain from the database, runs subfinder against each one, and saves the subdomains that turn up back into the database. Running it is a single command in the terminal:
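The data layout and the enumeration command described above, as an added example that is not the article's Django code: the standard library's sqlite3 stands in for PostgreSQL and the ORM, the created/modified columns stand in for the DateTimeFields, and the subfinder output lines are constructed rather than captured from a real run. The ingest is idempotent, so the same command can be scheduled from cron and only genuinely new hosts count as new.

```python
# Added example (not the article's code): a relational recon store built on
# sqlite3 so it runs stand-alone. Tables: program -> root_domain -> subdomain,
# each subdomain carrying created/modified timestamps. All sample data is
# constructed.
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE program (
    id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE root_domain (
    id INTEGER PRIMARY KEY, program_id INTEGER NOT NULL REFERENCES program(id),
    name TEXT UNIQUE NOT NULL);
CREATE TABLE subdomain (
    id INTEGER PRIMARY KEY, root_id INTEGER NOT NULL REFERENCES root_domain(id),
    name TEXT UNIQUE NOT NULL, created TEXT NOT NULL, modified TEXT NOT NULL);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_root(conn: sqlite3.Connection, program: str, root: str) -> None:
    conn.execute("INSERT OR IGNORE INTO program(name) VALUES (?)", (program,))
    conn.execute(
        "INSERT OR IGNORE INTO root_domain(program_id, name) "
        "SELECT id, ? FROM program WHERE name = ?", (root, program))


def ingest_subdomains(conn: sqlite3.Connection, root: str, lines, now: datetime) -> int:
    """Store subfinder-style output (one hostname per line) under `root`.
    Re-running with the same lines stores nothing new, so the command is safe
    to schedule from cron. Returns the number of NEW subdomains."""
    row = conn.execute("SELECT id FROM root_domain WHERE name = ?", (root,)).fetchone()
    if row is None:
        raise ValueError(f"unknown root domain {root!r}")
    stamp = now.isoformat()
    new = 0
    for line in lines:
        name = line.strip().lower().rstrip(".")
        # only accept hosts that actually sit under the root we asked about
        if not name or not (name == root or name.endswith("." + root)):
            continue
        cur = conn.execute(
            "INSERT OR IGNORE INTO subdomain(root_id, name, created, modified) "
            "VALUES (?, ?, ?, ?)", (row[0], name, stamp, stamp))
        new += cur.rowcount          # 0 when the row already existed
    conn.commit()
    return new


def subdomains_for_program(conn: sqlite3.Connection, program: str) -> list[str]:
    """'Which subdomains belong to program X?' via the relationships."""
    rows = conn.execute("""
        SELECT s.name FROM subdomain s
        JOIN root_domain r ON r.id = s.root_id
        JOIN program p ON p.id = r.program_id
        WHERE p.name = ? ORDER BY s.name""", (program,))
    return [r[0] for r in rows]


def new_since(conn: sqlite3.Connection, since: datetime) -> list[str]:
    """Subdomains first seen after `since`: freshly exposed assets worth
    looking at before anyone else does."""
    rows = conn.execute(
        "SELECT name FROM subdomain WHERE created > ? ORDER BY name",
        (since.isoformat(),))
    return [r[0] for r in rows]


def demo() -> dict:
    conn = open_db()
    add_root(conn, "acme", "acme.example")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # night one: two in-scope hosts plus a stray out-of-scope host
    first = ingest_subdomains(
        conn, "acme.example",
        ["www.acme.example", "api.acme.example", "evil.other.example"], t0)
    # night two: one repeat, one genuinely new host
    second = ingest_subdomains(
        conn, "acme.example",
        ["www.acme.example", "staging.acme.example"], t0 + timedelta(days=1))
    return {
        "first_run_new": first,
        "second_run_new": second,
        "all": subdomains_for_program(conn, "acme"),
        "fresh": new_since(conn, t0 + timedelta(hours=12)),
    }


if __name__ == "__main__":
    print(demo())
```

The scope filter in ingest_subdomains is the check worth keeping whatever store you use: passive sources happily return hosts that merely mention your root domain, and scanning those is out of scope.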


I wrote a few small modules like this, but I quickly realised that the real value was in building a large set of modules to discover many different vulnerabilities. Keep in mind that this was a year before Project Discovery released Nuclei, so at the time not many people were finding bugs at scale, and there was no community database of vulnerability templates to draw on.

That is when I started working with codingo_ and sml555_ to build a stack of vulnerability checks. We finally started to see the bounties come in!

The problem was that we needed to run many scans across millions of subdomains. Say that for each subdomain I want to run a set of scans that takes one minute. That is tiny per host, but with 2 million subdomains it adds up to 2,000,000 minutes, almost four years of sequential scanning. We really wanted it under an hour.

The first thing we tried was multithreading. Instead of running subfinder against each root domain in sequence:


we could use something like GNU parallel, which runs subfinder against multiple domains at the same time. For example:

This is where the idea for Interlace was born. Parallelising in this way greatly reduced the time a task took, but it introduced a new problem: with 20 instances of subfinder running at once, the VPS we were using ran out of RAM and CPU. We could have bought some time with a more powerful VPS (vertical scaling), but even a very powerful VPS was not enough to do all the work we needed in the time we wanted.

That is when we had the idea of splitting the work across a number of workers, each taking a share of the tasks and reporting its results to a central data store. This is called horizontal scaling, although I did not know the term at the time.


In our first attempt at implementing this, we (naively) created a "Job" object that lived in the PostgreSQL database, and a worker client that polled for jobs, executed them, and wrote the output back to the database. We quickly learned that every poll is a race: most of the workers picked up the same pending jobs at the same time, and each job ended up being executed 10+ times. To avoid this we tried database locking, but it slowed everything down so much that we went back to vertical scaling.


In my frustration I joined an online Django community and explained the problem to a group of strangers. One of them introduced me to queues and message brokers, and said that RabbitMQ would solve our problem.

I implemented the same queuing concept with RabbitMQ in place of the PostgreSQL job table, and it worked. We grew to 100 workers and could run recon and vulnerability scans across all of our targets in a fraction of the time. We found a lot of bugs this way, because we were among the first to do bug hunting at this scale. Even low-hanging fruit pays when you are the first to notice that a host has become vulnerable. Every worker was a $5 VPS, with only a handful of larger servers for the core infrastructure. It ended up looking like this:
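The two designs described above, as an added example that is not the authors' code: the first function reproduces the polled job table, where a read followed by a separate write lets several workers claim the same job; the second uses the standard library's queue.Queue standing in for RabbitMQ, which hands each message to exactly one consumer and re-publishes a job whose consumer dies. The sleep in the first function stands in for a database round-trip, the job list is constructed, and the failure is injected on purpose.

```python
# Added example (not the authors' code): duplicate execution from a polled
# job table versus exactly-once hand-off through a broker-style queue.
import queue
import threading
import time
from collections import Counter

# Constructed sample jobs: (tool, target) pairs a worker would run.
JOBS = [("subfinder", f"target{i}.example") for i in range(6)]


def naive_shared_table(n_workers: int) -> Counter:
    """First attempt: jobs live in a shared table. Each worker runs the
    equivalent of SELECT ... WHERE status='pending', then UPDATEs the row to
    'running' and does the work. Read and write are separate round-trips, so
    workers that polled at the same moment all see 'pending' and all run the
    scan. The sleep stands in for that round-trip and makes the race
    reproducible. Returns how many times each job was executed."""
    status = {job: "pending" for job in JOBS}
    executed = Counter()
    lock = threading.Lock()

    def worker():
        for job in JOBS:
            if status[job] != "pending":   # SELECT ... WHERE status='pending'
                continue
            time.sleep(0.05)               # round-trip; others read the same row
            status[job] = "running"        # UPDATE ... SET status='running'
            with lock:
                executed[job] += 1         # the scan runs (again)
            status[job] = "done"

    threads = [threading.Thread(target=worker) for _ in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return executed


def broker_queue(n_workers: int, fail_once=()) -> tuple[Counter, dict]:
    """Broker pattern: each job is published once and the queue delivers it
    to exactly one consumer. A consumer that crashes mid-job re-publishes it
    (RabbitMQ does the equivalent when an unacknowledged message's consumer
    dies), so work is retried rather than lost or duplicated. Jobs listed in
    `fail_once` crash on their first attempt. Returns execution counts and
    the central results store."""
    q: queue.Queue = queue.Queue()
    for job in JOBS:
        q.put((job, 1))                    # (message, attempt number)
    executed = Counter()
    results = {}                           # the central data store
    lock = threading.Lock()
    failed = set(fail_once)

    def consumer():
        while True:
            try:
                job, attempt = q.get(timeout=0.2)   # blocks until a message arrives
            except queue.Empty:
                return                              # queue drained, worker exits
            try:
                with lock:
                    executed[job] += 1
                    if job in failed:
                        failed.discard(job)
                        raise RuntimeError("worker died mid-scan")
                    results[job] = f"{job[0]} finished {job[1]} (attempt {attempt})"
            except RuntimeError:
                if attempt < 3:
                    q.put((job, attempt + 1))       # re-publish, bounded retries
            finally:
                q.task_done()

    threads = [threading.Thread(target=consumer) for _ in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return executed, results


if __name__ == "__main__":
    print("polled table:", sum(naive_shared_table(8).values()), "executions for", len(JOBS), "jobs")
    counts, _ = broker_queue(8, fail_once={JOBS[2]})
    print("broker queue:", sum(counts.values()), "executions for", len(JOBS), "jobs")
```

The fix is not "add a lock"; it is moving the claim into the hand-off itself, so that claiming and fetching are one operation. A database can do that too (an atomic UPDATE ... RETURNING of a single pending row), but a broker gives you the same guarantee plus acknowledgements and redelivery without every worker hammering the primary database.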

All three of us eventually left Bugcrowd, so the bug hunting and automation took a back seat and was eventually pulled offline when we no longer had time to focus on it.

Today, automatically finding low-hanging fruit is common practice among bug bounty hunters; suddenly every man and his dog was running automation. Because of this I turned my attention to manual hacking, and to monitoring popular services for misconfigurations that could lead to widespread vulnerabilities. For that, a scalable system that knows which hosts run which technology is still very useful. For example, say you find a misconfiguration in a WordPress plugin; automation is valuable because:


I was no longer finding much low-hanging fruit, but I still found automation very useful for custom recon and for tracking targets over time, including open ports, technologies in use, and so on. The problem was that the Django setup had become too heavy, especially when I wanted to do something custom and quick. Instead of many specialised tools that each did one thing well, I had one large tool that did everything and did not integrate well with anything else.

I often went back to hand-assembled pipelines of tools that follow the Unix philosophy, like httpx and nuclei. That made it easy to create custom workflows just by piping one tool into the next. However, the pipeline approach meant I lost the ability to organise my data in a relational database and to spread the work across multiple hosts.
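One way to keep the pipe and still get the database, as an added example that is not the author's code: a filter that sits between httpx and nuclei (something like subfinder | httpx -json | python ingest.py | nuclei), records each HTTP service and its detected technologies in a relational store, and passes the URLs through on stdout untouched. It then answers the question from the WordPress example above, "which of my hosts run this technology?". The JSON field names it reads (url, status_code, tech) are assumptions about httpx's -json output, and the sample lines are constructed.

```python
# Added example (not the author's code): a pipeline filter that tees httpx
# JSON lines into sqlite and forwards the URLs. Field names are assumptions
# about httpx -json output; check them against the version you run.
import json
import sqlite3
import sys
from typing import Iterable

SCHEMA = """
CREATE TABLE IF NOT EXISTS http_service (
    url TEXT PRIMARY KEY, host TEXT NOT NULL, status INTEGER);
CREATE TABLE IF NOT EXISTS technology (
    url TEXT NOT NULL REFERENCES http_service(url),
    name TEXT NOT NULL, PRIMARY KEY (url, name));
"""


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def ingest(conn: sqlite3.Connection, lines: Iterable[str]) -> list[str]:
    """Parse one JSON object per line, upsert it, and return the URLs in the
    order seen (what the filter writes to stdout). Malformed lines go to
    stderr and are skipped, so stdout stays clean for the next tool."""
    passed = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
            url = rec["url"]
        except (ValueError, KeyError, TypeError):
            print(f"skipping unparsable line: {raw[:80]}", file=sys.stderr)
            continue
        host = url.split("://", 1)[-1].split("/", 1)[0]
        conn.execute(
            "INSERT INTO http_service(url, host, status) VALUES (?, ?, ?) "
            "ON CONFLICT(url) DO UPDATE SET status = excluded.status",
            (url, host, rec.get("status_code")))
        for tech in rec.get("tech") or []:
            conn.execute("INSERT OR IGNORE INTO technology(url, name) VALUES (?, ?)",
                         (url, str(tech)))
        passed.append(url)
    conn.commit()
    return passed


def hosts_running(conn: sqlite3.Connection, tech_prefix: str) -> list[str]:
    """'Which of my hosts run X?' Matches on a prefix so 'WordPress' finds
    'WordPress:6.4' and 'WordPress:5.9' alike (case-insensitive)."""
    rows = conn.execute("""
        SELECT DISTINCT s.host FROM http_service s
        JOIN technology t ON t.url = s.url
        WHERE lower(t.name) LIKE lower(?) || '%' ORDER BY s.host""", (tech_prefix,))
    return [r[0] for r in rows]


# Constructed sample of httpx-style JSON lines, including one broken line.
SAMPLE = """\
{"url": "https://www.acme.example", "status_code": 200, "tech": ["WordPress:6.4", "Nginx"]}
{"url": "https://api.acme.example:8443", "status_code": 401, "tech": ["Express"]}
not json at all
{"url": "https://blog.acme.example/", "status_code": 200, "tech": ["WordPress:5.9"]}
"""


def demo() -> tuple[list[str], list[str]]:
    conn = open_store()
    urls = ingest(conn, SAMPLE.splitlines())
    return urls, hosts_running(conn, "WordPress")


if __name__ == "__main__":
    # Filter mode: stdin -> store -> stdout, ready to pipe into nuclei.
    # The optional argument is the sqlite file; it defaults to recon.db.
    db_path = sys.argv[1] if len(sys.argv) > 1 else "recon.db"
    for u in ingest(open_store(db_path), sys.stdin):
        print(u)
```

Because diagnostics go to stderr and only URLs go to stdout, the tool downstream sees exactly what it would have seen without the filter. Persisting the technology list is what later lets you retest only the hosts that can be affected when a new plugin bug lands, instead of rescanning everything.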

This is when I started planning the new bug bounty automation build. I wanted to combine the power of Unix-style tools with the power of horizontal scaling and a database. The new system has four distinct components, each usable independently or as part of the larger system by connecting them together.


Fortunately, good solutions already exist for numbers 3 and 4 (Project Discovery's Nuclei and Notify).
