Blog Posts

Bulk Bug Bounty Scanning With The Burp 2.0 API

The new rest API in Burp 2.0 it is going to be amazing but it will allow things like this 9 line shell script I wrote this morning that will grab all public bounty sites from  @arkadiyt’s  bounty-targets-data repo and kick off a full scan.

I almost didn’t post this blog because I *think* this script is, in general, a bad idea and will likely lead to frivolous bounty reports and excessive traffic to these sites but if there is going to be an API people will abuse use it. 

MacOS Security Baseline Script

I spend a lot of time working with MacOS and I have noticed that out of the box the operating system has some basic security settings that are not enabled by default so I have built a small script that automates configuring these.

It does the following:

MacOS-Security-Baseline is on GitHub here.  If you have any improvements or suggestions, please submit a GitHub issue or pull request.

I have also built three other tools in the past that compliments this tool:

MacOS-Config configures a new install of MacOS the way I like it.

MacOS-Maid cleans up MacOS by deleting unneeded files, wireless SSID’s and wiping free space.

Blackhat-MacOS-Config does most of what this script does and was the base for it but I wanted to present it to a more general audience.

Leaking Sensitive Data Through Google Groups

Recently I have noticed that companies that use Google Suite have a fairly common misconfiguration that is making their internal groups public.  In some cases it is just the name of the groups but in some extreme cases the content of the posts are public.

Testing for this misconfiguration on your domain is as easy as looking at:
https://groups.google.com/a/%yourdomain.tld%/forum/#!forumsearch/

Google has (not really clear) instructions here on how to lock down your groups so they are not public. I have notified as many of the domains that I can that they have a misconfiguration but I am not able to notify everyone and Google has seemed to file this under It's not a bug, it's a feature.

60 Second Kali Box

I am a fan of Kali Linux and AWS so I love the fact that they have an official AMI.  While spinning up a Kali instance in AWS is fairly easy, I had a long flight today so I wrote a script that will spin up a Kali instance in about 60 seconds.

The script does the following:

  • Builds a security group that only allows SSH access from your current public IP.
  • Writes a new SSH Key in ~/Documents/instantkali/
  • Creates a t2.medium EC2 instance.

Here is the output: 

 

Here is the code:

Dependency Check A Github Organization

Recently while working on a project I wanted to run OWSAP Dependency Check against a Github Organization to find any out of date frameworks but I couldn’t find an easy way to do it so I built a tool. Right now it will check Node and Ruby applications and put all the out of date frameworks in a single CSV.

As an example I ran the tool against the Netflix Open Source Project and here are the results from today.  They have 35 out of date frameworks in all their public projects.

Here is what it looks like running:

 

Here is the code:

#!/bin/bash
username="[email protected]"
passwordtoken="get from here: https://github.com/settings/tokens"
org="$1"
repos=$(curl -u $username:$passwordtoken -s https://api.github.com/orgs/$org/repos?per_page=200 | jq -r .[].name | sort )

mkdir results

for repo in $repos
do
#Find Default Branch
defaultbranch=$(curl -u $username:$passwordtoken -s https://api.github.com/repos/$org/$repo | jq -r .default_branch)
node=$(curl -u $username:$passwordtoken -s -o /dev/null -I -w "%{http_code}" https://raw.githubusercontent.com/$org/$repo/$defaultbranch/package.json)
  if [ $node -eq "200" ]; then
    printf "Testing %s. \n" "$repo"
    curl -s -u $username:$passwordtoken https://raw.githubusercontent.com/$org/$repo/$defaultbranch/package.json > package.json
    dependency-check --scan ./package.json --project "$repo" --format CSV --out results/$repo.csv
    printf "\n\n"
  else
    ruby=$(curl -u $username:$passwordtoken -s -o /dev/null -I -w "%{http_code}" https://raw.githubusercontent.com/$org/$repo/$defaultbranch/Gemfile.lock)
    if [ $ruby -eq "200" ]; then
    printf "Testing %s. \n" "$repo"
    curl -s -u $username:$passwordtoken https://raw.githubusercontent.com/$org/$repo/$defaultbranch/Gemfile.lock > Gemfile.lock
    dependency-check --scan ./Gemfile.lock ---project "$repo" --format CSV --out results/$repo.csv
    printf "\n\n"
  fi
  printf "%s is not a Node or Ruby Project. Unable to run dependency-check. \n\n" "$repo"
  fi
done

#Consulidate The Report
 cat results/*.csv > results/temp.csv
 awk '!x[$0]++' results/temp.csv > results/temp2.csv
 cut -d',' -f1-4,6- results/temp2.csv > githubvulns.csv
 rm results/*.csv

Some Quick Notes:

  • There was a bug that was just fixed that stopped me from releasing this earlier.
  • I will try to expand this to scan more types of code in the future.
  • Let me know on twitter if you have any questions.

Site Footer