Automation using Python in bug bounties (full practical explanation).
Who am I? Hey guys, my name is sn0x. I am a cyber security researcher | Bug hunter | machine learning | RHCSA | AWS | CEH | eWPTXv2 certified.
CONTENT:
1. Introduction
2. Why do we need automation in bug bounties?
3. Python for bug bounty
4. Python basics you need to know
5. Subdomain enumeration using an automation script
6. Directory fuzzing with domain availability check
7. Fuzzing
8. OSINT automation using Shodan
9. Finding misconfigured Jenkins
10. Automating the discovery of login endpoints and parameters
Introduction
Hello guys!! Today I will demonstrate hands-on automation using Python that might help you in bug bounties, for each topic mentioned in the table of contents. This blog also gives you a basic idea of how to automate something to reduce repetitive tasks, and shows several ways of doing it.
Why do we need automation in bug bounties?
Repetitive work may exhaust you and keep you away from what is really worth your time!! Automation can help you test a theory quickly and keep an eye out for changes or new assets. So we need to automate these repetitive tasks to save our time and energy and focus on other areas. Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren’t doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.
Python
Python is very easy to learn for newcomers and beginners.
It has a simple syntax, so anybody can easily read and understand the code. There are lots of tools and modules available for Python, so we can do our tasks by writing a few lines of code.
Python is an interpreted language, which means we don’t need to compile the entire program into machine code before running it. The Python interpreter translates the code line by line at runtime, so we can run a Python program directly without compilation. Python is already included with Linux-based operating systems. If you are a Windows user you can download and install it from the official Python website: https://www.python.org/downloads/ . Support for Python 2 has ended, so we are going to use Python 3 only.
Python basics
Before getting into bug bounty automation, we should learn the basics of Python programming. We are not going to dive deep into Python, but we will learn the basic fundamentals and the topics needed for the scripts below.
Topics:
Variables and data types
Strings
List, tuple, set, dictionary
Basic operators
Conditions and loops
Functions
Arbitrary arguments
Arbitrary keyword arguments
Default parameter values
File operations
Exception handling and regular expressions
Subdomain enumeration
We could write our own subdomain enumeration tool, but reinventing the wheel does not make sense: there are already many tools available in the open source community for subdomain enumeration.
Personally I am using the Sublist3r tool, written in Python, GitHub = https://github.com/aboul3la/Sublist3r.git
After the installation is complete, go back to the directory where you keep the file with your list of domains.
Let’s do subdomain enumeration!!
Subdomain enumeration is done; what do we have to do next?
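The loop below is an added example, not the blog’s own script: it runs Sublist3r once per domain in a list file and merges all per-domain output files into a single de-duplicated list of subdomains. It assumes Sublist3r is cloned at ./Sublist3r next to the script (my path, not the blog’s), that domains.txt holds one apex domain per line, and that the process runner is passed in as a parameter so the merging logic can be exercised without actually running Sublist3r.

```python
"""Added example (not the blog's own script): run Sublist3r over every domain
in a list file and merge the results into one list of unique subdomains.

Assumptions (mine, not the blog's): Sublist3r is cloned at ./Sublist3r, the
domain list is domains.txt, and the runner is injectable for offline testing.
"""
import os
import subprocess

SUBLIST3R = os.path.join("Sublist3r", "sublist3r.py")   # assumed clone location


def build_command(domain, outdir):
    """Sublist3r invocation: -d selects the domain, -o the per-domain output file."""
    outfile = os.path.join(outdir, domain + ".txt")
    return ["python3", SUBLIST3R, "-d", domain, "-o", outfile], outfile


def read_domains(path):
    """One domain per line; blank lines and # comments are skipped."""
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def merge(lines_per_domain):
    """Collapse all output files into one sorted, de-duplicated, lowercased list."""
    seen = set()
    for lines in lines_per_domain:
        for ln in lines:
            name = ln.strip().lower().rstrip(".")   # normalise case and trailing dot
            if name:
                seen.add(name)
    return sorted(seen)


def enumerate_all(domains, outdir="subdomains", runner=subprocess.run):
    """Run Sublist3r for each domain and return the merged subdomain list."""
    os.makedirs(outdir, exist_ok=True)
    collected = []
    for domain in domains:
        cmd, outfile = build_command(domain, outdir)
        # check=False: one domain failing should not abort the whole run
        runner(cmd, check=False)
        if os.path.exists(outfile):
            with open(outfile) as fh:
                collected.append(fh.readlines())
    return merge(collected)


if __name__ == "__main__":
    for sub in enumerate_all(read_domains("domains.txt")):
        print(sub)
```

The merged list is what the next section consumes: each line becomes a candidate host for the availability check.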
Directory Fuzzing with domain availability check
Let’s fuzz the directories of the subdomains. You may find something like an admin panel, backup files or anything else sensitive. For example, if you find a .git directory during directory fuzzing, you can download the source code of the application using the git-dumper tool: https://github.com/arthaud/git-dumper
Before fuzzing the directories we need to check whether the domain is alive or not, because sending a large number of requests to a dead domain is a waste of time and bandwidth.
Script:
Note: save this code as checkdomains.py. What we did here is send a request to both port 80 and port 443 to check the availability of the domain. We request the robots.txt endpoint because other endpoints are usually large in size. The pass keyword does nothing in Python; it is used just to fill up the except block.
Fuzzing
We have to write a script that imports the necessary modules and downloads the directory wordlist from the dirsearch repository. Then we check whether each domain is live or not: if the domain is live, fuzzing starts; otherwise we move on to the next subdomain. The whole process takes a while because of the number of domains and subdomains.
Here we go, let’s code!
Script:
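The following is an added example, not the blog’s checkdomains.py or its fuzzing script, covering both steps described above: the robots.txt liveness probe on port 80 and 443 (with certificate verification disabled, as the blog does with verify=False), and a directory check that only runs against hosts that answered. It assumes a short word list embedded in the file instead of the dirsearch download, a domains.txt input file, and a fetch function passed as a parameter so the logic can be tested offline with a fake fetcher; all of those are my choices, not the blog’s.

```python
"""Added example (not the blog's original script): liveness check plus a small
directory check, with the HTTP fetch injectable so it can be tested offline.

Assumptions (mine, not the blog's): the word list is embedded instead of being
downloaded from the dirsearch repository, and input comes from domains.txt.
"""
import ssl
import time
import urllib.error
import urllib.request

# Constructed word list standing in for the dirsearch list the blog downloads.
WORDLIST = [".git/HEAD", "admin/", "backup.zip", "robots.txt"]

# Status codes that make a path worth a closer look; 404s are noise.
INTERESTING = {200, 301, 302, 401, 403}


def probe_urls(domain):
    """The two URLs checkdomains.py requests: robots.txt over port 80 and 443."""
    return ["http://%s/robots.txt" % domain, "https://%s/robots.txt" % domain]


def default_fetch(url, timeout=5):
    """Return the HTTP status for url, or None if the host does not answer.

    Certificate verification is disabled, like verify=False in the blog, so a
    host with a self-signed or expired certificate still counts as alive.
    """
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(url, headers={"User-Agent": "checkdomains"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as exc:
        return exc.code          # the host answered, just not with 200
    except Exception:
        return None              # connection refused, DNS failure, timeout


def is_alive(domain, fetch=default_fetch):
    """A domain is alive if either port answers with any HTTP status at all."""
    return any(fetch(url) is not None for url in probe_urls(domain))


def fuzz_directories(domain, wordlist=WORDLIST, fetch=default_fetch, delay=0.0):
    """Return {path: status} for the paths that answered with an interesting code."""
    found = {}
    for path in wordlist:
        status = fetch("https://%s/%s" % (domain, path))
        if status in INTERESTING:
            found[path] = status
        time.sleep(delay)        # pace the requests instead of hammering the host
    return found


def scan(domains, wordlist=WORDLIST, fetch=default_fetch):
    """Liveness check first; the directory check runs only for live hosts."""
    results = {}
    for domain in domains:
        if not is_alive(domain, fetch):
            results[domain] = None       # dead host, skipped entirely
            continue
        results[domain] = fuzz_directories(domain, wordlist, fetch)
    return results


if __name__ == "__main__":
    with open("domains.txt") as fh:
        targets = [line.strip() for line in fh if line.strip()]
    for domain, hits in scan(targets).items():
        print(domain, "dead" if hits is None else hits)
```

Note that urlopen follows redirects by itself, so a 301/302 from the origin shows up as the status of the final page; swap in a non-following opener if you want to see the redirect itself.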
OSINT automation using Shodan
Let’s install the Shodan module by executing the following command.
“pip install shodan”
Let’s automate!!
Now let’s check the IP address manually, or you can automate that process as well. Okay, let’s automate.
Here I passed the parameter verify=False, which means I tell the program not to verify the SSL certificate of the server. You can use your own regex to match something other than MongoDB/Redis URIs.
“What if we automate finding Spring Boot servers using Shodan? Yes, let’s automate that too!!”
Script:
“Let’s fuzz its IP.” The tool I am using here is wfuzz.
Script:
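As an added example (not the blog’s script), here is the regex step on its own, run over a constructed sample of what an exposed configuration or stack trace fetched from a host might contain, so it works offline. The pattern matches mongodb://, mongodb+srv://, redis:// and rediss:// URIs, captures any user:password part separately, and the report function masks the password so the finding can be written down without copying the live secret. The sample text and the pattern are mine; in a real run the input would be the response body fetched from the host.

```python
"""Added example (not from the blog): extract MongoDB/Redis connection URIs
from text and redact the credentials before reporting.

Assumption: SAMPLE is a constructed stand-in for a fetched response body.
"""
import re

# One pattern for all four schemes. The optional user:password@ part is
# captured separately so it can be masked in the report.
URI_RE = re.compile(
    r"\b(?P<scheme>mongodb(?:\+srv)?|redis|rediss)://"
    r"(?:(?P<user>[^:/\s@]*):(?P<password>[^@\s]+)@)?"
    r"(?P<host>[^\s\"'<>,;]+)"
)

# Constructed sample (not real data): an environment dump leaked by a host.
SAMPLE = """
Environment:
  MONGO_URL=mongodb://app_user:S3cretPass@db01.internal:27017/orders?retryWrites=true
  CACHE=redis://:hunter2@cache.internal:6379/0
  PUBLIC_DOC=https://docs.example/redis-tutorial
  REPLICA=mongodb+srv://cluster0.abc.mongodb.net/test
"""


def find_uris(text):
    """Return one dict (scheme, user, password, host) per URI found in text."""
    return [m.groupdict() for m in URI_RE.finditer(text)]


def redacted(uri):
    """Rebuild the URI with the password replaced by *** (user name is kept)."""
    cred = ""
    if uri["password"] is not None:
        cred = "%s:***@" % (uri["user"] or "")
    return "%s://%s%s" % (uri["scheme"], cred, uri["host"])


def report(text):
    """Redacted URI strings in order of appearance; safe to paste into a report."""
    return [redacted(u) for u in find_uris(text)]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The https://docs.example/redis-tutorial line is there on purpose: the scheme must be followed by :// so a URL that merely contains the word redis is not counted as a finding.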
Misconfigured Jenkins
Jenkins is also a battlefield that every hacker would like to control. If someone takes control of the Jenkins server, they can obtain large amounts of source code and credentials, or even control the Jenkins nodes!
If you get admin access, you can access the repositories of the software they developed, which may contain credentials, and you can perform remote code execution via the script console.
So let’s automate the “login with GitHub” scenario.
We have set headless mode to False because sometimes GitHub asks you for an OTP, and at that moment you need the browser to enter the GitHub OTP. After that you can set headless to True, which prevents the browser window from opening.
We have created a webdriver object and passed the URL to fetch the page.
We have set a wait time of 20 seconds because find_element_by_id throws an exception if it executes before the page has loaded. You can reduce the time if your internet connection is fast. Once the page is loaded, it finds the username field (id login_field) and the password field, fills in the credentials and automatically clicks the login button; after the next page loads there is one more button, the authorize button, which is also clicked automatically. Once that is done, it redirects to the Jenkins instance.
Automate finding login endpoint and parameters
Let’s see how I found the login endpoint and its parameters. It is very simple: open the URL in a browser, fill in the username and password, click the login button, and intercept the request with Burp Suite. You can see the request headers and the request body as follows.
You can see here that the POST request body is JSON; that’s why we have used json=data in the code.
Follow me on
Twitter = sn0x
Instagram = sn0x
GitHub = sn0x-sharma
And if you really like this blog you can support me:
To support me {https://www.buymeacoffee.com/sn0xsharma}