bbr

An open source tool to aid in command line driven generation of bug bounty reports based on user provided templates. Useful for piping reporting from one application to another (such as an automatic submission tool).

Arguments

| Argument | Description | |----------|----------------------------------| | -h | Display help message and exit | | -r | Path to template file to use | | -t | Variable to replace _target_ with and to use for

dig

whois

BBR will then process the text file, and make the following replacements (not all fields may be present, some will be present more than once):

| Argument | Description | |---------------|-----------------------------------------------------------| | _target_ | Replace with the value of the -t argument | | _username_ | Replace with the value of the -u argument | | _program_ | Replace with the value of the -p argument | | _researcher_ | Replace with the value of the -re argument | | _sha_ | Replace with the SHA256 encoded value of the -u argument | | _nameservers_ | Replace with the output of "dig NS @8.8.8.8 target" | | _dig_ | Replace with the value of "dig @8.8.8.8 target" | | _whois_ | Replace with the whois output of the target parameter | | _wayback_ | Replace with an automatic wayback link of the -t argument | | _sha_ | Replace with the SHA256 value of the username parameter | | _dig-txt_ | Replace with the value of DNS TXT records | | _curl_ | Replace with the request response of the -t argument | | _joke_ | Replace with a joke | | _punchline_ | Replace with the punchline for said joke |

Functionality

BBR takes a provided template file and makes replacements throughout that file with provided arguments. For example, the following template file (stored in this repository as

template.txt

 # Summary
The domain _target_ was found to have a CNAME that was pointing to an unregistered domain.

It was possible to register this domain, and to host content on the target website. Given this domain is attributed to program(see: attribution) I hosted only a SHA256 string of my researcher account, _researcher).
This can be verified by using the following in the terminal:
```
echo "_username_" | sha256sum
```
Which should present the resulting string:
```
_sha_
```
Which matches what I placed on target for verification.
This has also been stored on the Wayback engine, in case this is resolved before this submission is able to be triaged: wayback
Attribution
A whois of the domain target shows a direct match to other domains relating to program, showing this as beloning to program:
```
_whois_
```
Recommendation
Remove the CNAME associated with target, or decomission the domain entirely with a redirection to other domains of program. If you would like the domain I've claimed to be transferred to you, please don't hestitate to request it within this submission.
Joke
Triage is a tough gig, here's a joke to lighten the load!
joke
... punchline

When used with the following:

➜  ./bbr -t example.com -p Example -u codingo -r ./template.txt | tee  

Outputs the following report: ``` # Summary The domain example.com was found to have a CNAME that was pointing to an unregistered domain.

It was possible to register this domain, and to host content on the example.com website. Given this domain is attributed to Example(see: attribution) I hosted only a SHA256 string of my researcher account, _researcher).

This can be verified by using the following in the terminal:

`

echo "codingo" | sha256sum
\

Which should present the resulting string:
\

10c989bbd4963c465e0941acd70833d5579ca846f5a68eadc8bcf63801b3993b
\

This has also been stored on the Wayback engine, in case this is resolved before this submission is able to be triaged: example.com

Attribution

A whois of the domain example.com shows a direct match to other domains relating to Example, showing this as beloning to Example:

``` Domain Name: EXAMPLE.COM Registry Domain ID: 2336799DOMAINCOM-VRSN Registrar WHOIS Server: whois.iana.org Registrar URL: http://res-dom.iana.org Updated Date: 2020-08-14T07:02:37Z Creation Date: 1995-08-14T04:00:00Z Registry Expiry Date: 2021-08-13T04:00:00Z Registrar: RESERVED-Internet Assigned Numbers Authority Registrar IANA ID: 376 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: A.IANA-SERVERS.NET Name Server: B.IANA-SERVERS.NET DNSSEC: signedDelegation DNSSEC DS Data: 31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE DNSSEC DS Data: 31589 8 2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03E576343C DNSSEC DS Data: 43547 8 1 B6225AB2CC613E0DCA7962BDC2342EA4F1B56083 DNSSEC DS Data: 43547 8 2 615A64233543F66F44D68933625B17497C89A70E858ED76A2145997EDF96A918 DNSSEC DS Data: 31406 8 1 189968811E6EBA862DD6C209F75623D8D9ED9142 DNSSEC DS Data: 31406 8 2 F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

Last update of whois database: 2020-08-22T03:11:57Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. % IANA WHOIS server % for more information on IANA, visit http://www.iana.org % This query returned 1 object

domain: EXAMPLE.COM

organisation: Internet Assigned Numbers Authority

created: 1992-01-01 source: IANA

```

Recommendation

Remove the CNAME associated with example.com, or decomission the domain entirely with a redirection to other domains of Example. If you would like the domain I've claimed to be transferred to you, please don't hestitate to request it within this submission.

Joke

Triage is a tough gig, here's a joke to lighten the load!

What was the pumpkin’s favorite sport?

... Squash. ```

This can then be submitted to your platform of choice, and is a repeatable template as you find similar vulnerablities of the same type.