Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update README.md #62

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update README.md #62

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
154 changes: 96 additions & 58 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,104 +1,142 @@
# bbscope
The ultimate scope gathering tool for [HackerOne](https://hackerone.com/), [Bugcrowd](https://bugcrowd.com/), [Intigriti](https://intigriti.com), [Immunefi](https://immunefi.com/) and [YesWeHack](https://yeswehack.com/) by sw33tLie.
# 🌐 **bbscope**
### The ultimate tool to gather scope details from:
- [HackerOne](https://hackerone.com/) 🕵️‍♂️
- [Bugcrowd](https://bugcrowd.com/) 🛡️
- [Intigriti](https://intigriti.com) 🔍
- [Immunefi](https://immunefi.com/) 🐛
- [YesWeHack](https://yeswehack.com/) 💡

Need to grep all the large scope domains that you've got on your bug bounty platforms? This is the right tool for the job.
What about getting a list of android apps that you are allowed to test? We've got you covered as well.
Developed by **sw33tLie** to simplify your bug bounty workflows. 🎯

Reverse engineering god? No worries, you can get a list of binaries to analyze too :)
---

## Installation
Make sure you've a recent version of the Go compiler installed on your system.
Then just run:
```
## 🚀 **Overview**
Are you tired of manually gathering scope information from bug bounty platforms?
Look no further! **bbscope** is designed to help you:

- 📜 **List domains** in scope for your programs.
- 📱 **Find Android APKs** you’re allowed to test.
- 🛠️ **Grab binaries** for reverse engineering.

No matter what your focus is, **bbscope** has you covered.

---

## ⚙️ **Installation**
To get started, ensure you have a recent version of the Go compiler installed.
Then, run the following command to install **bbscope**:

```bash
GO111MODULE=on go install github.com/sw33tLie/bbscope@latest
```

## Usage
```
---

## 🧰 **Usage**
The basic syntax for using **bbscope** is:

```bash
bbscope (h1|bc|it|ywh|immunefi) -t <YOUR_TOKEN> <other-flags>
```
How to get the session token:
- HackerOne: login, then grab your API token [here](https://hackerone.com/settings/api_token/edit)
- Bugcrowd: login, then grab the `_bugcrowd_session` cookie. NOTE: This has changed, it's not the `_crowdcontrol_session` cookie anymore.
- Intigriti: Get your researcher API token [here](https://app.intigriti.com/researcher/personal-access-tokens)
- YesWeHack: login, then intercept a request to api.yeswehack.com and look for the `Authorization: Bearer XXX` header. XXX is your token
- Immunefi: no token required

When using bbscope for HackerOne, the username flag (`-u`) is mandatory.
### 🔑 **How to Get Your Session Token**
Here’s how to retrieve your session token for each platform:
- **HackerOne**:
Log in and grab your API token from your [API settings page](https://hackerone.com/settings/api_token/edit).
*(Required: `-u` flag for your username)*

Remember that you can use the --help flag to get a description for all flags.
- **Bugcrowd**:
Log in and fetch the `_bugcrowd_session` cookie.
*(Note: This has replaced `_crowdcontrol_session`.)*

## Examples
Below you'll find some example commands.
Keep in mind that all of them work with Bugcrowd, Intigriti and YesWeHack subcommands (`bc`, `it` and `ywh`) as well, not just with `h1`.
- **Intigriti**:
Get your researcher API token from the [Personal Access Tokens page](https://app.intigriti.com/researcher/personal-access-tokens).

### Print all in-scope targets from all your HackerOne programs that offer rewards
```
- **YesWeHack**:
Intercept a request to `api.yeswehack.com` and find the `Authorization: Bearer XXX` header. `XXX` is your token.

- **Immunefi**:
No token is required for this platform!

> 📝 **Tip:** Use the `--help` flag to view all available options and flags.

---

## 💡 **Examples**

Here are some common use cases for **bbscope**:

### 1️⃣ **Print all in-scope targets from HackerOne programs offering rewards**
```bash
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -b -o t
```
The output will look like this:
```
Output:
```plaintext
app.example.com
*.user.example.com
*.demo.com
www.something.com
```

### Print all in-scope targets from all your private Bugcrowd programs that offer rewards
```
### 2️⃣ **List in-scope targets from private Bugcrowd programs with rewards**
```bash
bbscope bc -t <YOUR_TOKEN> -b -p -o t
```

### Print all in-scope targets+program page URL from all Intigriti programs, including OOS elements
```
### 3️⃣ **Show in-scope targets + program URLs from Intigriti**
```bash
bbscope it -t <YOUR_TOKEN> -o tu --oos
```

### Print all in-scope Android APKs from all your HackerOne programs
```
### 4️⃣ **Print all Android APKs in scope from HackerOne**
```bash
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -o t -c android
```

### Print all in-scope targets from all your HackerOne programs with extra data

```
### 5️⃣ **Get detailed in-scope targets with descriptions and program URLs (HackerOne)**
```bash
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -o tdu -d ", "
```

This will print a list of in-scope targets from all your HackerOne programs (including public ones and VDPs) but, on the same line, it will also print the target description (when available) and the program's URL.
It might look like this:
```
Output:
```plaintext
something.com, Something's main website, https://hackerone.com/something
*.demo.com, All assets owned by Demo are in scope, https://hackerone.com/demo
```
### Get program URLs for your HackerOne private programs

```
### 6️⃣ **Fetch program URLs for private HackerOne programs**
```bash
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -o u -p | sort -u
```
You'll get a list like this:
```
Output:
```plaintext
https://hackerone.com/demo
https://hackerone.com/something
```

### Get all immunefi scope

```
### 7️⃣ **Get the entire Immunefi scope**
```bash
bbscope immunefi
```

## Beware of scope oddities
In an ideal world, all programs use the in-scope table in the same way to clearly show what's in scope, and make parsing easy.
Unfortunately, that's not always the case.
---

## ⚠️ **Beware of Scope Oddities**
While most programs clearly outline their in-scope elements, some may have inconsistencies:
- Assets might be categorized incorrectly.
- For example, if you’re targeting URLs using `-c url`, consider cross-checking with `-c all` to avoid missing anything important.

---

## 🙏 **Thanks**
Special thanks to the amazing contributors and supporters:
- [0xatul](https://github.com/0xatul)
- [JoeMilian](https://github.com/JoeMilian)
- [ByteOven](https://github.com/ByteOven)
- [dee-see](https://gitlab.com/dee-see)
- [jub0bs](https://jub0bs.com)
- [0xbeefed](https://github.com/0xbeefed)


Sometimes assets are assigned the wrong category.
For example, if you're going after URLs using the `-c url`, double checking using `-c all` is often a good idea.

## Thanks
- [0xatul](https://github.com/0xatul)
- [JoeMilian](https://github.com/JoeMilian)
- [ByteOven](https://github.com/ByteOven)
- [dee-see](https://gitlab.com/dee-see)
- [jub0bs](https://jub0bs.com)
- [0xbeefed](https://github.com/0xbeefed)
### 🎉 **Enjoy using bbscope!**
Let **bbscope** simplify your bug bounty research and help you focus on what matters most. Happy hacking! 🐛💻