A bug bounty program is a crowdsourcing initiative offered by a large number of organizations and websites all around the world. In this initiative, individuals are rewarded with recognition and compensation, also called a bug bounty, for reporting critical flaws in software, especially those that could lead to security exploits and vulnerabilities.
Bug bounty programs allow developers and white hat hackers to discover and report software vulnerabilities before the general public using the platform is aware of them. This prevents potential exploitation or widespread abuse of the system.
Today, most of the tech giants, including but not limited to Google, Mozilla, Microsoft, Facebook, Reddit, and Square, are implementing bug bounty programs.
So now the primary question is: how do you get started with this for your own organization?
- URLs, domains, etc., which can cause possible exploits.
- Sensitive information, like authentication credentials, secret keys to APIs, storage, etc.
- Potential wildcard entries
- Any outdated or old frameworks with known vulnerabilities.
Fortunately, there are many free and open-source tools available to extract all the above information on your desired target.
ScriptHunter by Robre
This tool depends on a couple of other tools, which are written in Go. So before installing and configuring the following tools, you’ll have to install and configure Go properly. These tools are:
The output of the whole process looks like the following:
Next, you take those words and sort them. Now, these words can be used with ffuf as shown below.
JSmon by Robre
If any changes are found, you will be informed via a Telegram push notification. The script calculates the changed file sizes and the differences between the files so that you can inspect them easily.
The difference will be shown as follows.
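The size-and-difference check described above can be sketched as follows for an organization watching its own scripts. This is an added example, not JSmon's code: the function names, the example.test URLs and the snapshot contents are constructed for illustration, and the download and Telegram notification steps are left out.

```python
from __future__ import annotations
import difflib
import hashlib
import re

def fingerprint(body: str) -> str:
    """Content hash: the cheap check for 'did this script change at all?'"""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def statements(body: str) -> list[str]:
    """Break after ; { } so a minified one-line bundle still gives a readable diff.
    Rough: this does not parse JavaScript, so a ';' inside a string also splits."""
    broken = re.sub(r"([;{}])", r"\1\n", body)
    return [ln.strip() for ln in broken.splitlines() if ln.strip()]

def compare(url: str, old: str | None, new: str | None) -> dict | None:
    """Return a change report for one script, or None when it is unchanged."""
    if old is not None and new is not None and fingerprint(old) == fingerprint(new):
        return None
    status = "added" if old is None else "removed" if new is None else "modified"
    old_b, new_b = (old or "").encode("utf-8"), (new or "").encode("utf-8")
    diff = list(difflib.unified_diff(statements(old or ""), statements(new or ""),
                                     "previous", "current", lineterm="", n=1))
    return {"url": url, "status": status, "old_size": len(old_b),
            "new_size": len(new_b), "delta": len(new_b) - len(old_b), "diff": diff}

def check_all(previous: dict[str, str], current: dict[str, str]) -> list[dict]:
    """Compare two snapshots (url -> body); report added, removed and modified scripts."""
    urls = sorted(previous.keys() | current.keys())
    reports = (compare(u, previous.get(u), current.get(u)) for u in urls)
    return [r for r in reports if r]

# Constructed sample snapshots (hypothetical host and script bodies).
BASE = "https://app.example.test/static/"
PREVIOUS = {
    BASE + "main.js": 'function load(){fetch("/api/v1/profile");}',
    BASE + "vendor.js": "var v=1;",
}
CURRENT = {
    BASE + "main.js": 'function load(){fetch("/api/v2/profile");fetch("/api/v2/admin/export");}',
    BASE + "vendor.js": "var v=1;",
    BASE + "beta.js": "console.log(1);",
}

if __name__ == "__main__":
    for r in check_all(PREVIOUS, CURRENT):
        print(f'{r["status"]:9}{r["url"]} {r["old_size"]} -> {r["new_size"]} bytes ({r["delta"]:+d})')
        print("\n".join(r["diff"]))
```

Run on a schedule against each release, the report shows which endpoints or scripts a deployment introduced, which is the same information an outside researcher would see.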
- Google Closure Compiler
The above tools will minify/compress and analyze the code to find and remove unused code. These tools then rewrite the code for maximum minification.