Saturday Morning Bugs

Bagheera Altered
Jan 29, 2022

A really short guide to bug bounty enumeration

So let's find a large group of potentially vulnerable assets that we can investigate later for bug bounty submissions. We build a large list that I can spend the next week investigating.

First we set up a tunnel through GCloud:

gcloud init
gcloud compute instances create --zone us-west1-a tunnel
gcloud compute ssh --zone us-west1-a tunnel -- -N -p 22 -D localhost:9999

Then we set up Burp to go through the tunnel, in User options.

We then do a Shodan search for Spring Boot:

http.favicon.hash:116323821

Now for some bash-fu:

shodan parse --fields ip_str,port --separator : springboot.json.gz | sed 's|^|https://|g' | tee springboot_urls.txt
ffuf -w springboot_urls.txt -u FUZZ/env -mc 200 -x http://127.0.0.1:8080

We then look through Burp’s logger and see if there’s anything to report. Will this work? Possibly. Is this worth the ten minutes of setup time? Maybe.
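From the defender's side, the /env probe above is visible in web access logs. The script below is an added example, not part of the original post: it reads combined-format access log lines and reports requests to /env that were answered with 200, and it goes slightly beyond the post by also matching /actuator/env, the Spring Boot 2 location of the same endpoint. The log lines, IP addresses and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Log lines are constructed
# sample data in combined log format, using documentation IP ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [29/Jan/2022:10:00:01 +0000] "GET /env HTTP/1.1" 200 5120 "-" "Fuzz Faster U Fool v1.3.1"
203.0.113.7 - - [29/Jan/2022:10:00:02 +0000] "GET /actuator/env HTTP/1.1" 404 120 "-" "Fuzz Faster U Fool v1.3.1"
198.51.100.4 - - [29/Jan/2022:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jan/2022:10:06:00 +0000] "GET /actuator/env?x=1 HTTP/1.1" 200 4800 "-" "curl/7.81.0"
198.51.100.9 - - [29/Jan/2022:10:06:05 +0000] "GET /environment HTTP/1.1" 200 300 "-" "curl/7.81.0"
EOF
}

# env_probes: access log on stdin -> "ip path status" for every request
# to /env or /actuator/env, whatever the response was.
env_probes() {
  awk '{
    path = $7
    sub(/\?.*/, "", path)                      # ignore any query string
    if (path ~ /^(\/actuator)?\/env\/?$/) print $1, path, $9
  }'
}

# exposed_env_hits: keep only probes answered with 200, i.e. the endpoint
# served its environment data to that client and needs locking down.
exposed_env_hits() {
  env_probes | awk '$3 == 200 { print $1, $2 }'
}

# probes_per_client: count probes per source IP to spot scanners.
probes_per_client() {
  env_probes | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

sample_log | exposed_env_hits
```

Any line this prints for your own hosts means the environment endpoint answered an unauthenticated request and should be restricted or disabled.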
