#bug-bounty #security #hacking

app goblin_book_gobbler

A little tool to give you a bunch of information on disclosed bug bounty reports

2 releases

0.1.1 Jun 20, 2023
0.1.0 Jun 20, 2023

#14 in #bug-bounty

MIT/Apache

380KB
360 lines

goblin_book_gobbler

Crates.io

A little tool to give you a bunch of information on disclosed bug bounty reports! Currently only supports HackerOne.

Goblin book gobbler icon, which is a goblin eating a book labelled "Hacker One"

Terminal recording of the output of the command "goblin_book_gobbler h1 --program yahoo --format %u" which is many urls in the format of "hackerone.com/reports/xxxxxxx" Gif made with vhs

Installation

You can install from crates.io using cargo:

cargo install goblin_book_gobbler

Or download a prebuilt binary from the releases.

You can also just clone the repo and build the tool with cargo:

git clone https://gitlab.com/bea_stung/goblin_book_gobbler.git
cd goblin_book_gobbler
cargo install --path=.

Usage

Basic usage

goblin_book_gobbler h1 --program yahoo

Example Output:

XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z

Show CSV style headers and reverse order

goblin_book_gobbler h1 --program yahoo --csv-headers --reverse

Example Output:

title,reporter,url,substate,severity,disclosed_at
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z

Get reports disclosed since 2022 ordered alphabetically by title

goblin_book_gobbler h1 --program rockstargames --disclosed-since "2022-01-01T00:00:00.000Z" --order-by title

--disclosed-since flag must use the format that HackerOne's api uses for dates: "2022-01-01T00:00:00.000Z"

Options for --order-by flag:

-o, --order-by <ORDER_BY>
          What field to order the reports by, accepts:
          id
          created_at
          submitted_at
          latest_activity_at
          timer_report_resolved_elapsed_time
          timer_report_triage_elapsed_time
          timer_bounty_awarded_elapsed_time
          timer_first_program_response_elapsed_time
          substate
          severity_rating
          title
          jira_status
          swag_awarded_at
          bounty_awarded_at
          last_reporter_activity_at
          first_program_activity_at
          last_program_activity_at
          last_public_activity_at
          last_activity_at
          triaged_at
          closed_at
          disclosed_at

Custom output format

Inspired by tomnomnom's unfurl, you can specify a custom output format:

-f, --format <FORMAT>
          Format string, replaces:
          "%dd": 'disclosed at' date
          "%u" : The report url
          "%U" : The reporter username
          "%s" : The report substate (e.g. Resolved)
          "%S" : The report severity rating (e.g. Critical)
          "%t" : The report title
          Defaults to:
          "%t,%U,%u,%s,%S"
          Which gives e.g.:
          Reflected XSS in reddeadredemption site,nahamsec,https://hackerone.com/reports/149673,resolved,medium
          Ignores any other characters and leaves them unchanged

Get all new reports this week

Good for automation or a cron job that could notify you via slack/discord etc.

goblin_book_gobbler h1 --program security --disclosed-since $(date +%Y-%m-%dT00:00:00.000Z -d "1 week ago")

Example Output:

Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone,medmahmoudi,https://hackerone.com/reports/1727221,resolved,high,2023-06-19T20:15:24.936Z

Dependencies

~8–24MB
~389K SLoC