yogeshojha / rengine

reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration and with the help of reNgine's correlation, it just makes recon effortless.
https://yogeshojha.github.io/rengine/
GNU General Public License v3.0

bug: Rengine not able to display hackerone scope properly. #1437

Open r3dpars3c opened 1 month ago

r3dpars3c commented 1 month ago

Is there an existing issue for this?

Current Behavior

  1. Go to Bounty-Hub, then HackerOne, then the Program dashboard.
  2. Select any program and check the scope.
  3. Many scopes are missing in reNgine while being correctly displayed on HackerOne.
  4. This leads to missing many scopes.

Expected Behavior

All scopes on HackerOne must be visible across both platforms.

Steps To Reproduce

As described above.

Environment

Latest

Anything else?

No response

github-actions[bot] commented 1 month ago

Hey @r3dpars3c! 👋 Thanks for flagging this bug! 🐛🔍

You're our superhero bug hunter! 🦸‍♂️🦸‍♀️ Before we suit up to squash this bug, could you please:

📚 Double-check our documentation: https://rengine.wiki
🕵️ Make sure it's not a known issue
📝 Provide all the juicy details about this sneaky bug

Once again - thanks for your vigilance! 🛠️🚀

yogeshojha commented 1 month ago

Hi @r3dpars3c

The scopes are provided by the HackerOne API; we do filtering though for the scopes we support. But can you give some program name whose scopes don't match? I will verify.

r3dpars3c commented 1 month ago

I mainly check private HackerOne programs. I found the issue but I can't fix it myself. What has happened is that some programs display valid in-scope assets as "other" rather than pre-classified [domain or wildcard]. The way reNgine has been developed, it checks the HackerOne response to distinguish whether the asset or scope is a wildcard or a domain. This leads to missing many assets because sometimes those valid in-scope assets are classified as "other". This needs to be fixed urgently as we might be missing many potential targets.

Hope this gets fixed soon as I am running an expensive VPS. Can't lose more money waiting for updates.

Thanks Best Regards

yogeshojha commented 1 month ago

Hi @r3dpars3c we do consider OTHER assets as well. Probably the response format is different than that I expected.

If you have time, can you please use Postman and send a request to the HackerOne API https://api.hackerone.com/v1/hackers/programs/{program_handle}; check the HackerOne docs to see how to send the API key as the auth param.

Please redact any sensitive information but I would like to see the response and asset format.

You can mail me at yogesh.ojha11@gmail.com if you wish not to share here as it's a private program.

r3dpars3c commented 1 month ago

I checked the reNgine code but couldn't find the "Other" asset type. Check these files:

https://github.com/yogeshojha/rengine/blob/e9251c41bcaf166c80b07ca7d206bf5b55e599ee/web/api/views.py#L67
https://github.com/yogeshojha/rengine/blob/e9251c41bcaf166c80b07ca7d206bf5b55e599ee/web/static/custom/bountyhub.js#L460
https://github.com/yogeshojha/rengine/blob/e9251c41bcaf166c80b07ca7d206bf5b55e599ee/web/reNgine/definitions.py#L565

I think the proper fix would be to add "Other" entries as well.

r3dpars3c commented 1 month ago

You can try on this program. https://hackerone.com/capital-one-bounty/policy_scopes

as my private program has a scope similar to this public one.

yogeshojha commented 1 month ago

Aaahah, thank you for pointing it out, my mistake, I missed the OTHERS. Sending a PR, please test it out.

yogeshojha commented 1 month ago

@r3dpars3c please test this out if you have time

https://github.com/yogeshojha/rengine/pull/1440

make down
git fetch
git checkout 1437-bug-rengine-not-able-to-display-hackerone-scope-properly
make build && make up

Since I have introduced a new util function to check whether the asset is supported by reNgine or not using regex, please test it out against different targets to see if importing works better.

On the UI as well, you should be able to see the assets under the OTHER section.

If everything looks good, let me know and I will merge the changes.

r3dpars3c commented 1 month ago

Hi @yogeshojha, I found the following behavior even after git fetch.

  1. The "other" scopes are working properly.
  2. But the wildcard and domain scopes aren't working properly.
  3. Assets listed in the instruction section still get missed; check this program https://hackerone.com/spotify/policy_scopes

Suggestion.

  1. Import whatever scopes [asset_identifier and instruction sections] are eligible for bounty.
  2. Check whether each contains a domain or not.
  3. If it contains the data, classify it as wildcard [if the * character is detected]; if no such character is detected, let it be in the domain category.
  4. Finally, after getting all of those (either wildcard, just domain or just URL), distinguish wildcard from domain. After that, in the wildcard section, collect further hosts like [beta.example.com, alpha.example.com] and consider them as *.example.com.
  5. Do not go after the "Other" category as in HackerOne.

More Suggestion.

  1. Never use dalfox; more of the vulnerable endpoints get blocked because of the WAF.
  2. I would suggest Sudomy https://github.com/screetsec/Sudomy; this gets me more domains than anything else.
  3. Allow more filters on the endpoint tab [contains parameter, other].

Thanks Best Regards r3dpars3c
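The classification approach discussed in this thread (a regex check on the identifier itself rather than trusting HackerOne's asset_type label, plus pulling hosts out of the instruction text and folding subdomains into the wildcard that already covers them), written up as an added, stand-alone example that is not reNgine's code nor code from this thread. The scope records and hostnames are constructed samples; the field names asset_identifier, asset_type, instruction and eligible_for_bounty are assumed from the discussion, not taken from the HackerOne API docs.

```python
import re

# Constructed sample of HackerOne-style structured scopes (not real program data).
# "instruction" is free text that may name hosts absent from asset_identifier.
SAMPLE_SCOPES = [
    {"asset_identifier": "*.example.com", "asset_type": "WILDCARD", "eligible_for_bounty": True},
    {"asset_identifier": "api.example.com", "asset_type": "OTHER", "eligible_for_bounty": True},
    {"asset_identifier": "Web properties", "asset_type": "OTHER", "eligible_for_bounty": True,
     "instruction": "Includes shop.example.org and https://pay.example.org/checkout"},
    {"asset_identifier": "Example Mobile App (Android)", "asset_type": "OTHER", "eligible_for_bounty": True},
    {"asset_identifier": "staging.example.com", "asset_type": "OTHER", "eligible_for_bounty": False},
]

HOST = r"(?:[a-z0-9-]+\.)+[a-z]{2,}"
WILDCARD_RE = re.compile(rf"^\*\.{HOST}$", re.I)
DOMAIN_RE = re.compile(rf"^{HOST}$", re.I)
URL_RE = re.compile(rf"^https?://{HOST}(?::\d+)?(?:/\S*)?$", re.I)
# Finds bare hosts, wildcards and URLs embedded in instruction text.
IN_TEXT_RE = re.compile(rf"(?:https?://)?(?:\*\.)?{HOST}(?::\d+)?(?:/\S*)?", re.I)


def classify(identifier):
    """Classify by the identifier's shape, ignoring HackerOne's asset_type label."""
    ident = identifier.strip().lower()
    if WILDCARD_RE.match(ident):
        return "wildcard"
    if DOMAIN_RE.match(ident):
        return "domain"
    if URL_RE.match(ident):
        return "url"
    return "other"


def covered_by_wildcard(domain, wildcards):
    """True if domain is a subdomain of any *.parent wildcard entry."""
    return any(domain.endswith(w[1:]) for w in wildcards)


def import_scopes(scopes, bounty_only=True):
    """Bucket eligible scopes; candidates come from asset_identifier and instruction text."""
    buckets = {"wildcard": set(), "domain": set(), "url": set(), "other": set()}
    for scope in scopes:
        if bounty_only and not scope.get("eligible_for_bounty", False):
            continue
        candidates = [scope["asset_identifier"]] + IN_TEXT_RE.findall(scope.get("instruction", ""))
        for cand in candidates:
            buckets[classify(cand)].add(cand.strip().lower())
    # Fold subdomains that a wildcard already covers into that wildcard.
    buckets["domain"] = {d for d in buckets["domain"] if not covered_by_wildcard(d, buckets["wildcard"])}
    return {k: sorted(v) for k, v in buckets.items()}
```

Anything that does not look like a host, wildcard or URL lands in the "other" bucket so it is still shown rather than silently dropped.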