2 releases

Version | Date
---|---
0.1.1 | Jun 20, 2023
0.1.0 | Jun 20, 2023
goblin_book_gobbler
A little tool to give you a bunch of information on disclosed bug bounty reports! Currently only supports HackerOne.
Installation
You can install from crates.io using cargo:
cargo install goblin_book_gobbler
Or download a prebuilt binary from the releases.
You can also just clone the repo and build the tool with cargo:
git clone https://gitlab.com/bea_stung/goblin_book_gobbler.git
cd goblin_book_gobbler
cargo install --path=.
Usage
Basic usage
goblin_book_gobbler h1 --program yahoo
Example Output:
XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z
Show CSV style headers and reverse order
goblin_book_gobbler h1 --program yahoo --csv-headers --reverse
Example Output:
title,reporter,url,substate,severity,disclosed_at
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z
Get reports disclosed since 2022 ordered alphabetically by title
goblin_book_gobbler h1 --program rockstargames --disclosed-since "2022-01-01T00:00:00.000Z" --order-by title
The --disclosed-since flag must use the date format that HackerOne's API uses: "2022-01-01T00:00:00.000Z"
Options for the --order-by flag:
-o, --order-by <ORDER_BY>
What field to order the reports by, accepts:
id
created_at
submitted_at
latest_activity_at
timer_report_resolved_elapsed_time
timer_report_triage_elapsed_time
timer_bounty_awarded_elapsed_time
timer_first_program_response_elapsed_time
substate
severity_rating
title
jira_status
swag_awarded_at
bounty_awarded_at
last_reporter_activity_at
first_program_activity_at
last_program_activity_at
last_public_activity_at
last_activity_at
triaged_at
closed_at
disclosed_at
Custom output format
Inspired by tomnomnom's unfurl, you can specify a custom output format:
-f, --format <FORMAT>
Format string, replaces:
"%dd": 'disclosed at' date
"%u" : The report url
"%U" : The reporter username
"%s" : The report substate (e.g. Resolved)
"%S" : The report severity rating (e.g. Critical)
"%t" : The report title
Defaults to:
"%t,%U,%u,%s,%S"
Which gives e.g.:
Reflected XSS in reddeadredemption site,nahamsec,https://hackerone.com/reports/149673,resolved,medium
Ignores any other characters and leaves them unchanged
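As an added example (not the crate's own code), here is a stand-alone Rust implementation of the format-string rules listed above: the six placeholders are substituted, every other character passes through unchanged, and the two-letter "%dd" token is matched before the single-letter ones so it is not mistaken for a stray "%d". The sample report reuses the values from the default-format output above; its disclosed_at date is constructed, since the page does not give one for that report.

```rust
// Added example implementing the README's format-string substitution.
// This is not goblin_book_gobbler's own code; token-matching order is
// an assumption of this implementation.
#[derive(Debug, Clone)]
pub struct Report {
    pub title: String,
    pub reporter: String,
    pub url: String,
    pub substate: String,
    pub severity: String,
    pub disclosed_at: String,
}

pub const DEFAULT_FORMAT: &str = "%t,%U,%u,%s,%S";

pub fn render(fmt: &str, r: &Report) -> String {
    let c: Vec<char> = fmt.chars().collect();
    let mut out = String::with_capacity(fmt.len());
    let mut i = 0;
    while i < c.len() {
        if c[i] == '%' && i + 1 < c.len() {
            // "%dd" is two letters; check it before the single-letter tokens.
            if c[i + 1] == 'd' && i + 2 < c.len() && c[i + 2] == 'd' {
                out.push_str(&r.disclosed_at);
                i += 3;
                continue;
            }
            let field = match c[i + 1] {
                'u' => Some(&r.url),
                'U' => Some(&r.reporter),
                's' => Some(&r.substate),
                'S' => Some(&r.severity),
                't' => Some(&r.title),
                _ => None, // unknown token: fall through and keep the '%'
            };
            if let Some(v) = field {
                out.push_str(v);
                i += 2;
                continue;
            }
        }
        // Any other character is left unchanged.
        out.push(c[i]);
        i += 1;
    }
    out
}

// Constructed sample using the values from the README's default-format output;
// the disclosed_at value is made up for illustration.
pub fn sample_report() -> Report {
    Report {
        title: "Reflected XSS in reddeadredemption site".into(),
        reporter: "nahamsec".into(),
        url: "https://hackerone.com/reports/149673".into(),
        substate: "resolved".into(),
        severity: "medium".into(),
        disclosed_at: "2016-01-01T00:00:00.000Z".into(),
    }
}

fn main() {
    println!("{}", render(DEFAULT_FORMAT, &sample_report()));
}
```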
Get all new reports this week
Good for automation, or for a cron job that notifies you via Slack, Discord, etc.
goblin_book_gobbler h1 --program security --disclosed-since $(date +%Y-%m-%dT00:00:00.000Z -d "1 week ago")
Example Output:
Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone,medmahmoudi,https://hackerone.com/reports/1727221,resolved,high,2023-06-19T20:15:24.936Z