So I wrote another tool...
Get even more from wayback machine, with 𝘄𝗮𝘆𝗺𝗼𝗿𝗲🤘
🗸 Get more URLs than other tools
🗸 More filtering flexibility
🗸 Download archived responses to search for even more!!
Please read the README 🤘🧐
A Chrome Extension that will:
✅ Show alerts for any query param reflections
✅ Show any hidden elements
✅ Enable any disabled elements
Inspired by
@ctbbpodcast
recent tweets about bookmarks, and
@renniepak
comment on the pod about an extension
🤘
As promised, here's an in depth look at the GAP Burp extension...
If you like the tool, or it helps find you a nice bounty, please share it, shout about it, like it on github, or even buy me a coffee! 🙂
🤘
#bugbountytips
Some hackers don't take notes. But, they'd do even better if they did! 💯
It can be hard to make yourself take notes when you're really into doing something, but do it! You won't regret it! Make it a habit. Having good notes on everything can be a super power! 🤘
#BugBounty
xnLinkFinder (featured in
@jhaddix
"The Bug Hunter’s Methodology: Application Analysis v1") now accepts a directory as input. Search through JS files, HTTP responses, etc. for more endpoints and files.
#bugbounty
My
#BugBounty
tools:
👉xnLinkFinder - get endpoints, params & target specific wordlist
👉waymore - get URLs & archived responses
👉GAP - Burp ext. like xnLinkFinder
👉urless - de-clutter list of URLs
👉knoxnl - wrapper for KNOXSS API
Always RTFMs! 🤘🧐
gau and waybackurls are great tools, BUT...
Below are more or less equivalent, just getting links from wayback machine, and also not filtering (so returning images, css, etc. as gau does by default)...
Yes they are faster than waymore, but waymore gets... well... more! 🤘😉
Btw, waymore gets URLs from the following sources:
👉Wayback Machine
👉Common Crawl
👉Alien Vault OTX
👉URLScan
So it does the same as tools like gau and waybackurls but actually gets more.
Plus it also gets archived responses from the Wayback Machine! 🤘
GAP is now the
@Burp_Suite
BApp store 🤘
Go give it a go, give some feedback, give it a rating, and go get all those links, parameters and custom wordlists!
#BugBounty
My
#BugBounty
tools:
👉xnLinkFinder - discover endpoints & params
👉waymore - get URLs & archived responses
👉GAP - Burp ext. like xnLinkFinder
👉urless - de-clutter a list of URLs
👉knoxnl - wrapper for KNOXSS API
For max benefit, READ the READMEs! 🤘🧐
If you have a huge number of URLs that you need to reduce but still cover everything you need, try urless.
It's not just de-duping obviously, it does a lot more, so take a look at the README...
#bugbountytips
🤘
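As an added illustration of what "reducing a URL list without losing coverage" means in practice, here is a small Python declutter of my own. It is not urless's code or its algorithm: it simply keeps one URL per (host, path, set of parameter names), so parameter values and ordering collapse together while every parameter name is still represented once, and it drops static assets. The extension list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# File extensions that rarely carry testable logic; dropped outright (my choice,
# not a list taken from any tool).
STATIC_EXT = {"png", "jpg", "jpeg", "gif", "svg", "css", "woff", "woff2", "ico"}


def _extension(path):
    """Lowercase extension of the last path segment, or '' if it has none."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def declutter(urls):
    """Reduce a URL list without losing endpoints or parameter names.

    Two URLs that differ only in parameter values or parameter order count as
    the same endpoint, so one representative is kept per (host, path, sorted
    parameter names). Static assets and lines that are not http(s) URLs are dropped.
    """
    seen = set()
    kept = []
    for line in urls:
        url = line.strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # blank line, junk, or a non-web URL
        path = parts.path or "/"
        if _extension(path) in STATIC_EXT:
            continue
        names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
        key = (parts.netloc.lower(), path, names)
        if key not in seen:
            seen.add(key)
            kept.append(url)
    return kept


# Constructed sample list (not from the original post).
SAMPLE_URLS = [
    "https://target.com/search?q=shoes&page=1",
    "https://target.com/search?page=2&q=boots",   # same names as above, different values/order
    "https://target.com/search?q=hats&sort=price",  # new parameter name: kept
    "https://target.com/static/logo.png",
    "https://target.com/assets/app.css",
    "https://target.com/item/1",
    "https://target.com/item/1",                    # exact duplicate
    "https://TARGET.com/item/1?ref=home",           # host case differs, new param: kept
    "not a url",
]

if __name__ == "__main__":
    for u in declutter(SAMPLE_URLS):
        print(u)
```

Running it keeps four of the nine lines: the first search URL, the search URL that introduces sort, one copy of /item/1, and the /item/1?ref=home variant. Anything that only varied a value, repeated a line, or pointed at an image or stylesheet is gone.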
Need to upload an image of a specific size and format to a target website? Use 𝗶𝗺𝗮𝗴𝗲𝗺𝗮𝗴𝗶𝗰𝗸 and 𝗲𝘅𝗶𝗳𝘁𝗼𝗼𝗹 to generate one quickly instead of trying to randomly pick one from your machine that fits the requirements!
#bugbountytips
The GAP Burp extension, which then progressed to xnLinKFinder, was inspired by
@zseano
and his methodology which is where I started my bug bounty journey, on
@BugBountyHunt3r
🤘
If you're still using
@Burp_Suite
Extension 𝗚𝗔𝗣 1.𝘅, or haven't tried 𝗚𝗔𝗣 before, go get 𝗚𝗔𝗣 𝘃2.4 now and find potential parameters, links and a custom wordlist for your target 🤘
#BugBounty
Here's a modified version of
@TomNomNom
's amazing tool with various minor improvements... just because I love it and I could :)❤️
✅ Auto save to file
✅ Unique and sorted by default
✅ Includes Google and Bing snippets
✅ See the README!
#BugBounty
🤘
You can do so much with the Burp Piper extension:
Why not send a JS file straight to the new JSluice tool using Piper extension and a small bit of bash script?...
🤘
#bugbountytips
Here's a new tool... xnldorker:
✅ Search sources: duckduckgo, bing, yahoo, startpage, google
✅ Please read all the README to understand the different options and see recommendations
#BugBounty
🤘
Burp Scope...
I've seen a number of blogs, videos, etc. that tell you to use 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 and then add \.𝙩𝙖𝙧𝙜𝙚𝙩\.𝙘𝙤𝙢 for example.
But that would exclude 𝗵𝘁𝘁𝗽𝘀://𝘁𝗮𝗿𝗴𝗲𝘁.𝗰𝗼𝗺 right?
I always use this to make sure: (\/|\.)target\.com
🤘
#bugbountytips
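To make the difference between the two scope patterns concrete, here is an added Python check that is not part of the original post. It applies both regexes from the post to full URL strings (the assumption the post itself makes when it says `\.target\.com` would exclude `https://target.com`), and also tries a stricter anchored pattern of my own, because an unanchored `(\/|\.)target\.com` still matches look-alike hosts such as `target.com.evil.net` or a `/target.com` path segment on another domain. The sample URLs are constructed.

```python
import re

# Constructed sample URLs (not from the original post): the in-scope apex and a
# subdomain, plus look-alike hosts that a loose pattern can wrongly accept.
SAMPLE_URLS = [
    "https://target.com/login",
    "https://api.target.com/v1/users",
    "https://target.com.evil.net/phish",
    "https://evil.net/target.com/redirect",
    "https://nottarget.com/",
]

# The two patterns discussed in the post.
DOT_ONLY = re.compile(r"\.target\.com")
SLASH_OR_DOT = re.compile(r"(\/|\.)target\.com")

# A stricter alternative of my own (assumption: applied to the full URL):
# anchored on the scheme, optional subdomain labels, and the host must end
# right after target.com (optionally with a port) before a "/" or end of string.
ANCHORED = re.compile(r"^https?://([a-z0-9-]+\.)*target\.com(:\d+)?(/|$)", re.I)


def in_scope(pattern, url):
    """True if the scope regex matches anywhere in the URL, i.e. an unanchored search."""
    return pattern.search(url) is not None


def classify(urls):
    """Map each URL to (dot_only, slash_or_dot, anchored) match results."""
    return {
        u: (in_scope(DOT_ONLY, u), in_scope(SLASH_OR_DOT, u), in_scope(ANCHORED, u))
        for u in urls
    }


if __name__ == "__main__":
    print(f"{'url':45} dot_only slash_or_dot anchored")
    for url, flags in classify(SAMPLE_URLS).items():
        print(f"{url:45} {flags[0]!s:8} {flags[1]!s:12} {flags[2]!s}")
```

The table it prints shows the post's point (only `(\/|\.)target\.com` catches the apex `https://target.com/login`) and the caveat: that pattern also accepts `target.com.evil.net` and `evil.net/target.com`, which the anchored form rejects while still matching the apex and real subdomains.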
Here's my bambda filter for
@Burp_Suite
to check for potentially interesting 302's.
If a 302 response has a large body, it could have something useful in there and also potentially be bypassed by match and replacing "302 Found" with "200 OK" and removing "Location" header 🤘
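The Bambda itself is not reproduced on the page, so here is an added Python version of the same idea, written by me rather than taken from the post: parse a raw HTTP response, flag a redirect whose body is large enough to hold real content, and rewrite it the way the match-and-replace trick described above would (status becomes `200 OK`, `Location` is dropped). It goes slightly beyond the post by treating any 3xx redirect as a candidate, not just 302. The two sample responses and the 512-byte threshold are constructed assumptions.

```python
# Constructed sample responses (not captured traffic). The first is a bare
# redirect; the second carries a full page body behind the redirect.
BARE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
LEAKY_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /login\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Admin dashboard</h1>"
    + "<tr><td>user</td><td>role</td></tr>" * 40
    + "</body></html>"
)

# Generalised from the post's 302 to every redirect status (my choice).
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_interesting_redirect(raw, min_body=512):
    """True for a redirect whose body is big enough to be worth reading.

    A redirect with a near-empty body is normal; one carrying hundreds of bytes
    of HTML may be the page the server rendered before deciding to redirect.
    """
    status, _, body = parse_response(raw)
    return status in REDIRECT_CODES and len(body.encode()) >= min_body


def downgrade_redirect(raw):
    """Rewrite the response as the match/replace rule would: 200 OK, no Location header."""
    head, sep, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    version = status_line.split(" ", 1)[0]
    kept = [h for h in header_lines if not h.lower().startswith("location:")]
    return "\r\n".join([f"{version} 200 OK", *kept]) + sep + body


if __name__ == "__main__":
    for name, raw in (("bare", BARE_REDIRECT), ("leaky", LEAKY_REDIRECT)):
        print(name, "interesting" if is_interesting_redirect(raw) else "boring")
    print(downgrade_redirect(LEAKY_REDIRECT).split("\r\n\r\n")[0])
```

In Burp the detection half is what the Bambda does in the HTTP history filter; the rewrite half is what a match-and-replace rule on the response status line and headers does, so the browser renders the body instead of following the redirect.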
TIL (thanks to
@GodfatherOrwa
slides from
@bsidesahmedabad
) that you can intercept the response to a specific request in Burp! How did I not know that?! 🤘
Do you need a
@Burp_Suite
extension to:
- Find all potential endpoints
- Find all potential parameters
- Generate a target specific word list
If so, and you haven't used it yet, check out GAP on Github () or find GAP in the BApp Store.
#BugBounty
🤘
Thanks to
@xssdoctor
for pointing me in the direction of this great Burp extension that will make testing graphql endpoints a lot easier, and to give clairvoyance a helping hand to generate a schema 🤘
If you want to track a bug bounty target with a Mind Map "
@Jhaddix
style" but don't want to pay for XMind, the "Obsidian markmind" plugin for
@obsdmd
is a really great alternative (use the "Rich" mode)!
🤘
#BugBounty
I must have opened XSSHunter a million times to cut and paste the first payload when testing blind xss 😬
Now I've just added a Burp match and replace rule so it replaces 𝙭𝙣𝙡𝙭𝙨𝙨 with the payload for me. Why didn't I do that sooner?! 🤘
#bugbountytip
Thanks to
@DanaEpp
newsletter for this tip...
When configuring a Burp Intruder attack, loading a huge wordlist or payload database directly in the UI using "simple list" can consume a lot of memory.
But you can use "Runtime file" instead, bypassing preload & memory constraints!
If you've used waymore () to download archived responses from the Wayback Machine, why not check them for secrets with
@trufflesec
's TruffleHog?...
#bugbountytips
I just noticed waymore has 957 stars on Github!
If you use waymore and find it useful, please go and ⭐️it if you haven't already because it'd be nice to get it to 1000! Thank you🤘🙂
GAP v2.0 is here:
✅ Generate target specific wordlist
✅ Provide prefix for links
✅ LOTS of improvements and bug fixes
✅ Read CHANGELOG for details
✅ Follow instructions on README for installing dependencies
🤘
#BugBounty
I really liked the idea of the AutoRepeater Burp extension, but I had problems getting it working properly. So I forked a version to get it to work for me, and also changed for Dark Mode. If you had issues and love the dark too...
Thank you
@Jhaddix
for mentioning my 𝘄𝗮𝘆𝗺𝗼𝗿𝗲, 𝘅𝗻𝗟𝗶𝗻𝗸𝗙𝗶𝗻𝗱𝗲𝗿 and 𝗚𝗔𝗣 tools in the keynote talk for
#HacktivityCon2022
: "The Bug Hunting Methodology - Application Hacking v1.5"
Check it out 👇
🤘
If you want to find EVERYTHING for a domain from waymore, just pass the root domain.
DON'T pass all subdomains, it will take a lot longer and you have a chance of missing things.
🤘
#bugbountytip
#bugbountytips
I've done many updates to the
#BugBounty
tools recently, so make sure you do have an up to date version if you use them 🤘
👉waymore - v1.9 (2 days ago)
👉urless - v0.9 (2 days ago)
👉GAP Burp ext -v2.4 (last week)
👉xnLinkFinder - v3.8 (last week)
👉knoxnl - v1.1 (3 months ago)
Common Crawl (CC) is a source for archived URLs. There are currently 95 CC indexes going back to 2008.
- Gau checks 1 index; the newest
- Waybackurls checks 1 index; 2018-22
- Waymore checks ALL 95 indexes
This is why waymore takes longer. But you can limit with -lcc argument 🤘
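Here is an added Python sketch, written for this page and not taken from waymore, of why the index count drives the run time and what limiting the newest N indexes buys you. Common Crawl publishes its crawl list at https://index.commoncrawl.org/collinfo.json (id, name and cdx-api per crawl); the excerpt below is constructed in that shape, the per-index page counts are made-up values standing in for what a `showNumPages=true` probe would return, and the query parameters follow the usual pywb CDX conventions rather than anything the post states.

```python
import json

# Constructed excerpt in the shape of https://index.commoncrawl.org/collinfo.json.
# The real file lists every crawl; these four entries are illustrative.
COLLINFO_JSON = json.dumps([
    {"id": "CC-MAIN-2013-20", "name": "May 2013 Index",
     "cdx-api": "https://index.commoncrawl.org/CC-MAIN-2013-20-index"},
    {"id": "CC-MAIN-2024-10", "name": "February/March 2024 Index",
     "cdx-api": "https://index.commoncrawl.org/CC-MAIN-2024-10-index"},
    {"id": "CC-MAIN-2023-50", "name": "November/December 2023 Index",
     "cdx-api": "https://index.commoncrawl.org/CC-MAIN-2023-50-index"},
    {"id": "CC-MAIN-2018-05", "name": "January 2018 Index",
     "cdx-api": "https://index.commoncrawl.org/CC-MAIN-2018-05-index"},
])

# Constructed per-index page counts for one target, as a CDX query with
# showNumPages=true would report them. Each page is a separate request.
PAGE_COUNTS = {
    "CC-MAIN-2024-10": 6,
    "CC-MAIN-2023-50": 5,
    "CC-MAIN-2018-05": 3,
    "CC-MAIN-2013-20": 2,
}


def select_indexes(collinfo_json, limit=None):
    """Crawl ids newest first. limit=None means every index (what the post
    describes as waymore's default); limit=N mirrors the idea behind -lcc N."""
    ids = sorted((e["id"] for e in json.loads(collinfo_json)), reverse=True)
    return ids if limit is None else ids[:limit]


def cdx_urls(collinfo_json, domain, limit=None):
    """One CDX query per selected index for *.domain, JSON output, url field only."""
    by_id = {e["id"]: e["cdx-api"] for e in json.loads(collinfo_json)}
    return [
        f"{by_id[i]}?url=*.{domain}&output=json&fl=url"
        for i in select_indexes(collinfo_json, limit)
    ]


def estimate_requests(collinfo_json, page_counts, limit=None):
    """Requests needed: one showNumPages probe per index plus one per result page."""
    ids = select_indexes(collinfo_json, limit)
    return sum(page_counts.get(i, 0) + 1 for i in ids)


if __name__ == "__main__":
    for limit in (None, 2, 1):
        label = "all" if limit is None else f"newest {limit}"
        print(f"{label:9} indexes -> {estimate_requests(COLLINFO_JSON, PAGE_COUNTS, limit)} requests")
    print(cdx_urls(COLLINFO_JSON, "target.com", 1)[0])
```

With the real list of 95 crawls the same arithmetic is what makes a full run slow: every index costs at least one probe plus however many result pages that crawl holds for the target, so trimming to the newest few indexes cuts requests roughly in proportion, at the price of older URLs that only the early crawls saw.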
All set up. Now all I have to do is stop making excuses to myself, stop worrying about perfection, stop worrying about all the other things that keep stopping me, and just sort it out and do it! 😬
So, some videos soon... hopefully... maybe 😂
🤘
After seeing the tweet below from
@ctbbpodcast
and taking inspiration from the example from
@joaxcar
, here is a bookmark that will show most variations of hidden and disabled fields clearer, in a similar way to Burp. Just add this as the URL of a browser bookmark and click 🤘
A couple of you have mentioned that Burp has a functionality that will automatically unhide hidden fields in HTML.
A couple thoughts on why this may not be the best method for dealing with hidden fields:
1. You will miss dynamically generated hidden fields
I've had a loooong bounty drought, and have found it hard (mentally) getting back into it, but I finally ended my drought with a HIGH! $1000 🤘
Basically when a non admin user updated settings there was a PUT request including "is_admin":false
I completed the amazing API course from
@apisecu
and
@hAPI_hacker
I'm still amazed it's a FREE course! I learnt some new tricks, and now understand why people use Postman!
If you haven't already, check it out...
🤘
I've updated the 𝗚𝗔𝗣 𝗕𝘂𝗿𝗽 𝗲𝘅𝘁𝗲𝗻𝘀𝗶𝗼𝗻 to v1.3:
✅ Updated the regex and a few other tweaks to be in line with 𝘅𝗻𝗟𝗶𝗻𝗸𝗙𝗶𝗻𝗱𝗲𝗿 (i.e. you find more links!)
✅ Fix the Help display (sorry, I didn't realise it was broken!)
🤘
v1.18 of waymore is available:
✅ Changes to reduce load on Common Crawl's API servers, and to also try and reduce errors and maximise the number of URLs retrieved from that source
🤘
#BugBounty
v1.3 of 𝘅𝗻𝗟𝗶𝗻𝗸𝗙𝗶𝗻𝗱𝗲𝗿 is now available:
➡️ IT NOW ALSO GETS POTENTIAL PARAMETERS!🔥
✅ Fixed an issue with v1.2 that stopped it getting output for Burp and Zap files😅
As always, read the README file (the clue's in the name!)
🤘
#BugBounty
Thanks to
@Jhaddix
for looking at my tools and mentioning them in the
#NahamCon2022
keynote talk, "The Bug Hunter’s Methodology: Application Analysis v1"!! 🤘
I'll work on further improvements soon, but anyone feel free to throw ideas at me! :)
#BugBounty
Just in case you still use gau...
it no longer gets any links back from Wayback Machine because of a change to their API.
I would obviously advise using :)
#bugbountytips
🤘
I've just noticed that xnLinkFinder has reached 1k ⭐️'s on github 🙂
Thanks for all who use it and took the time to star it. I hope it helps your hunting 🪲
#bugbounty
🤘
v4.0 of GAP is here:
✅ Identify "sus" params, and raise Issues (or write to ext output for Burp Community) - from research from
@Jhaddix
and
@G0LDEN_infosec
✅ LOTS of bug fixes and changes. See CHANGELOG for more
🤘
#BugBounty
One month ago today I submitted my first bug on
@BugBountyHunt3r
BARKER platform. I'm now
#15
and Level 3. I had never expected to increase my skills (and confidence) as quickly as I have in that short time, but it's thanks to
@zseano
, BBH and its awesome community ❤️
I find creating the UI for Burp extensions is a painful experience :/ Sorry if it's not pretty or all visible for some people.
Check out GAP v2.0 though...
Despite gau & waybackurls being amazing, if you're still using them instead of waymore to get archived urls, you're potentially missing out on valuable data & won't have as much control over the data you get.
If you have any waymore issues, give me a shout (after reading README!)
v1.0 of XnlReveal is here:
✅ Now available for Chrome AND Firefox
👋 Feel free to raise a Github issue for any suggestions or problems you have
☕️ And if you like it, consider buying me a coffee! - thank you 😃
#BugBounty
🤘
I've only just discovered the joys of IIS hacking and shortname scanning today after watching great talks by
@infosec_au
and
@irsdl
and using the great shortscan tool from
@bitquark
🤘
v2.0 of waymore is here:
✅ Added new source of URLs: VirusTotal. Get your FREE API key and add it to the config.yml file to get even more URLs!
✅ IMPORTANT: Have a very Merry Christmas! Festive wishes to you all 🎅🫶
#BugBounty
🤘
v0.2 of waymore is available:
- Gets more URLs from (the same as gau now, but faster)
- Don't forget to try downloading archived responses where you can find even more links using xnLinkFinder for example 🤘
My VPS was starting to run low on disk space.
I was trying to work out what I could get rid of, and found out about:
➡️go clean -modcache
Freed up 20G ! 😶
I've been getting a number of DM's from people starting their Bug Bounty journey, asking for help where to start. My journey started here:
Read it. Apply it. Do it 🤘
Thanks to
@zseano
and
@BugBountyHunt3r
!
#bugbountytip
My first python command line utility... an improvement on the classic LinkFinder, and based on the link finding capabilities of my Burp extension GAP.
Give it a try and let me know how I can make it even better...
🤘
v3.7 of xnLinkFinder is available:
✅ The link prefix value was previously prefixed to links found that didn't start with "http". This has been changed to not prefix if the link starts with any kind of scheme already
🤘
#BugBounty
v3.0 of xnLinKFinder is available:
✅ Lots of bug fixes and some small improvements, mainly around the new wordlist option.
👉 Don't forget to generate your target specific wordlist, e.g. "-owl wordlist.txt"
✅ Read the CHANGELOG for details
#BugBounty
v2.4 of waymore is available:
🩹 Fix issue where waymore freezes if Common Crawl returns certain errors.
✅ Add new default keywords for when -ko / --keywords-only is used.
#bugbounty
🤘
v0.2 of XnlReveal is here:
✅ Include new setting to write Wayback Archive endpoints to the browser console for each page visited (only once for each, unless local storage cleared)
✅ A new option to only write Wayback JS endpoints if required
🤘
v1.1 of xnldorker is here:
✅ Add Yandex (it shows antibot screen a lot, so I'd advise only using with -sb)
✅ If antibot screen is shown and you respond, you can resume quicker by typing the name of the source
✅ See CHANGELOG for details
#BugBounty
🤘
v1.1 of XnlReveal is here:
✅ Improved UI
✅ Replace Wayback JS checkbox with Wayback RegEx textbox. Leave blank to get everything, or add your own RegEx to filter what's written to the console.
✅ Remove Run Now buttons, as you can use context menu.
🤘
Although xnLinkFinder is often mentioned in regards to getting links from JS files, it does a lot more than that. It can find links from any response, from inline JS, comments, JSON, etc. so don't just pass it a file of JS endpoints if you want to get the most out of it 🤘
Just over 9 weeks ago, I submitted my first bug on
@BugBountyHunt3r
's BARKER, and I didn't really know my XSS from my elbow! Thanks to
@zseano
and the amazing community on BBH discord, I have learnt LOTS and I've reached Level 4 and rank
#5
. Time to hack everything!
v1.2 of 𝘅𝗻𝗟𝗶𝗻𝗸𝗙𝗶𝗻𝗱𝗲𝗿 is now available:
✅ If you search a Directory, all files in sub directories will also be searched.
✅ You can pass -𝙢𝙛𝙨 with a value of 0 to process all files, regardless of the size.
🤘
#BugBounty
If you missed the
#NahamCon2024
workshops yesterday, then you NEED to check them out below.
Some seriously 🔥🔥🔥 content!
Thanks to
@NahamSec
for the hard work putting all this together, and all the speakers obviously.
Can't wait for Day 2 🤘
⚠️IMPORTANT: PLEASE UPDATE WAYMORE ⚠️
v1.33 of waymore is available:
🩹BUG FIX: Not all links were returned from Wayback archive if the target only has one page of links from their API. Huge apologies for the issue!!
#BugBounty
🤘
v2.7 of xnLinkFinder is available:
✅ Use --output-wordlist to get your target specific wordlist for fuzzing! 🤘
✅ Many other new arguments to tailor the creation of the wordlist. See v2.7 CHANGELOG for more details.
🤘
v4.6 of GAP is available:
🩹 Resolve issue of new Burp footer covering some of GAP controls
✅ Include new MIME types to exclude
✅ See CHANGELOG
#BugBounty
🤘
I understand that taking a period away from hacking/coding is a good thing when you're feeling burnt out or something, but getting my brain back into things is sooooooooo hard! 😰
I really like the Highlight and Extractor Burp extension, but there's a few things I wanted to change.
So I forked the repo and did some changes I needed for myself.
Feel free to make use of it too though!
🤘
v1.0 of waymore is now here:
👉 The big difference between this and other tools: it can download archived responses for URLs on wayback so you can search these for even more links, extra params, etc.
✅Now uses all the same sources as gau
✅See change log...
v1.37 of waymore is here:
✅ Add arg -co / --check-only: You can add this arg to check before you run waymore, to see how many requests you're actually making, and (very) roughly how long that could take. Some targets NEED restricting!
#BugBounty
🤘