Weapons in my quiver: Tools and extension I use in bounties
As this blog already describes, I will be putting some info about tools and extensions which I use daily in my bounties. For an early reminder, there is no new or self-created tool mentioned here and all the tools/extensions are well known. Only thing is these helped me to get better bounties and also, by the end of the day your creative mindset matters:)
Welcome people! This year was fantastic and I got MORE THAN ALL THE THINGS I WISHED FOR this year. In my success, these tools/extensions played a huge role and also, since I got a lot of questions on this topic from people over twitter/LinkedIn, I thought of putting words together for this one.
Well, let’s divide it in two parts, Part-1: Tools & Part-2: Burp extensions. So we will be starting from tools part. Please note that I will not be mentioning burp/browsers/dorkings since it is known worldwide. Also, I don’t use any VPS anymore so won’t cover that as well. Some of my opinions could vary with others so kindly cope with it. With that, let’s move ahead.
First tool I love to use is subfinder by projectdiscovery. This tool is awesome in gathering subdomains and it helps you a lot in targets with huge scope for example Google. Also, it is pretty faster and works like charm since it is written in Go. You can also use assetfinder as an alternate option which is great as well.
Then, second tool is httpx and this helps you to filter live URLS(or the status-code) within your subdomain list. If you are crazy energetic and want to check 20k subdomains one by one(I doubt you would be able to do it), then great! But if you want to save a lot of time and do some automation, this works awesome. You can go for httprobe as well.
Now, for some visual recon, I love aquatone. This is a tool I have been using since 2 years now, and it works great every single time. This helps me to find all the screenshots from web pages and check which domain I should work on, and in this way I can save a lot of time of mine.
Once I have these tools done, I use a tool called gau and this fetches all the urls from a domain. This tool is really awesome and I have found many bugs with the help of it. There are many alternatives but I love this one a lot. Also, you can have a lot of endpoints along and you can do a lot of things going further.
Sometimes, I use nuclei which doesn’t need any intro and this is a well-known tool. I had 2–3 bounties from nuclei, and I will still highly recommend nuclei even if a lot of people are using it. If you know how to use it, then its an awesome tool I tell you.
Also, I use meg, anew, qsreplace and fff, all from TomNomNom and these tools help a lot. But since I use them quite a few times, I didn’t mention them.
We are half way down and now it’s time for Burpsuite extensions!
Okay, so I use a few extensions in burp which helps me to do better while hacking. First one is, my favorite, Autorize. This one has helped me in getting almost 50% of my whole bounty. Works great, if you configure it properly. Along with it, very satisfying when you see the results appearing in the dashboard ❤ .
Another extension is called JSlinkfinder. This gives you a lot of JS files along with endpoints which will help you to apply your hacking knowledge over them. A great extension for finding juicy endpoints.
Another one is called active scan++. This one is an add-on to your active scans and it finds great bugs as well. Also, it will help you to find some low hanging fruits.
Almost everyone uses Turbo Intruder and I use it as well. This one is far better than anything if you want to do some fuzzing on an endpoint or something like this. Just provide a great wordlist and it will keep doing it’s job, pretty fast.
Also, I use InQL , hackbar sometimes and these are good as well. I just configure these all things in a way inside burp that these extensions give me result what I look for.
I think I have mentioned almost everything which I have been using since months in bounties/pentests and I hope this will help you once you go there and start hacking. Everyone has a different mindset and by the end of the day it completely matters how deep you test an application and how curious you are. So tools or extensions are just an add-on to your efforts. Again, I don’t rely only on tools and I go as far as my knowledge allows me to do it manually.
This is pretty much of what I wanted to put in this blog. Let me know if it helps you and I wish you all the best in that! Since new year is coming, I hope whoever is going through this blog, gets everything they wish. Just focus on every output, put enough efforts, make good connections who help you to do better at hacking. Cheers, you got this! If you liked it, share with the community and I wish you all the best!
Keep learning, keep moving forward! A great new year is waiting:)
Ta Veo Pronto❤