Post

HackerOne Automated Target Enumeration

Posted Updated
Building security research and bug bounty hunting tools in Go
Building security research and bug bounty hunting tools in Go
By Sam Burns 4 min read

The HackerOne bug bounty platform is the largest one to have its own researcher API. The ability to retrieve a list of in-scope targets creates the possibility for large scale vulnerability scanning. A tool is provided which

HackerOne Researcher API - Introduction

The HackerOne researcher API can be used to retrieve ‘Program’ objects, and what it terms their ‘Structured Scope’. The structured scope contains in-scope assets. For some programmes, many of these will be websites.

Project Overview

The problem I was trying to solve is as follows. There is a security vulnerability, which is already in the public domain, in a popular website technology. While research is ongoing, I won’t name it, but I want to find open bug bounty programmes where this vuln is exploitable.

The first step was to extend an existing HackerOne API client. The second was to use it to retrieve a big list of in-scope assets with open bug bounty programmes. Next, I wrote a scanning tool that could find a fingerprint of the vulnerable technology I was looking for on websites. The final step, in progress at time of writing, is to manually test the resulting websites to look for the vulnerability I am hunting.

Building Bug Bounty Tools in Go

HackerOne API Client Written in Go

The first step is to enumerate a list of all websites with a bug bounty on HackerOne. Building on the excellent contributions of Liam Galvin (https://lia.mg/), who wrote an initial HackerOne researcher API client, I have built an extended HackerOne API client with support for the Structured Scope endpoint, essential for finding actual target assets.

Automating Target Retrieval on HackerOne in Go

The next step was to build another tool: the HackerOne Target Retrieval Tool (github). This tool uses the API client to enumerate a massive list of all websites that are in scope in any HackerOne bug bounty programme. Because some of these are not relevant, or relate to programmes which are closed, the tool provides a filtering mechanism. It can be used like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

	// Only show HackerOne Programmes which are open
	programmeIsRelevant := func (prog h1.Programme) bool {
		return prog.SubmissionState == "open"
	}

	// Only show Targets (within a Programme) which are websites where a bug bounty is available
	targetIsRelevant := func (target h1.Target) bool {
		return target.AssetType == "URL" && target.EligibleForBounty
	}

	// Now you have a bug bounty Programme filter and a Target filter
	filter := h1.NewFilter(programmeIsRelevant, targetIsRelevant)

	// Get all the relevant targets from the API
	targetRetriever := h1.NewTargetRetriever("username", "api-token", output, filter)
	targetRetriever.RetrieveTargets()

At time of writing, there are around 2,000 web applications which have an open, remunerated bug bounty programme in HackerOne.

Because this project is written in Go, I was able to use goroutines to parallelise the processing. A single thread hits the HackerOne API, and gets a list of all the Programs. A workerpool of multiple (~100) workers using the API client then request the Structured Scope for each of the Programs. There were about 450 open programmes, and 2k websites in scope and eligible for financial reward if hacked.

Desktop View

Fingerprinting Vulnerabe Technologies

The vulnerable technology I’m hunting for leaves a fingerprint - a sign on the web application that it is being used. Another Go tool (which for the time being needs to stay private, but I’ll publish it when I can) can scan a website to detect this fingerprint. Out of 2,000 websites with active bug bounties, a very small number are using the potentially vulnerable technology.

This part of the project in particular has been a wonderful learning opportunity. A person who is an engineering manager at Google kindly volunteered to do a code review with me, and I now have a much better understanding of practical approaches to Go concurrency.

The overall architecture is a fan-out/fan-in approach, where a single goroutine reads from the input .csv file of potential targets, and another goroutine writes to the output file. In the middle, there are about 100 HTTP workers querying the potential target web applications, and using a message queue to pass HTTP status codes and HTML to the fingerprint checker component.

Manual Testing of Potentially Vulnerable Assets

Manual testing for the actual vuln is still in progress. As it is one which has been publicly known about for a while (albeit without a patch), it’s possible that some sites have already been monkey-patched without a new deployment of the underlying library. Time and hard work will tell.

Further Steps

This is only the beginning of what can be done in the area of bug bounty automation. Ideas for further work include:

  • Significantly expanding the detection of fingerprinting of different frameworks and programming languages
  • Notifications when new in-scope assets become available to be hacked
  • Automating the actual detection of vulnerabilities

The author hopes Go bug bounty hacking tools that have been published will be of use to other security researchers, and wishes you happy hacking!

infosec, hacking-tools
security hacking bug-bounty go
This post is licensed under CC BY 4.0 by the author.