BrownBearSec

Summary

The article discusses the use of GauPlus for efficient URL enumeration in bug bounty reconnaissance, highlighting its speed and passive reconnaissance capabilities, and provides various one-liner commands to uncover sensitive files, low hanging fruits, and high hanging fruits in security testing.

Abstract

The article "Comprehensive Url Enumeration for Bug Bounty — The potential of GAU" emphasizes the importance of GauPlus, an enhanced version of GAU, for passive URL enumeration in the context of bug bounty programs. It introduces the tool as a significant improvement over its predecessor, boasting an 8.9x speed increase, which is crucial for handling large scopes. The author provides practical one-liner commands to detect sensitive files such as XLSX, SQL, LOG, and BAK files, which may lead to critical information disclosure. Additionally, the article covers methods for finding low hanging fruits like XSS vulnerabilities, path traversal bugs, SSRF vulnerabilities, and JavaScript secrets, as well as high hanging fruits such as bypassing 403 and 401 responses and discovering admin panels. The author advocates for the strategic use of these commands over attractive but impractical one-liners and underscores the potential of GauPlus in identifying both easy and complex security bugs.

Opinions

  • The author believes that GauPlus is a superior tool for reconnaissance due to its speed and efficiency, especially when dealing with extensive target scopes.
  • There is an emphasis on the importance of passive reconnaissance techniques, which avoid direct interaction with the target systems.
  • The article suggests that while low hanging fruits are easily found and may be considered less skillful, they can still have a significant impact and should not be overlooked.
  • The author promotes the idea that high hanging fruits, which require more skill and manual inspection, are valuable targets for security researchers.
  • The author encourages the use of their Medium membership referral link to support their work, indicating a preference for community support and engagement.
  • A disclaimer is provided to remind readers to only perform enumeration on targets for which they have explicit permission, highlighting the ethical considerations of security testing.
  • The author expresses a goal of reaching a viewership milestone and seeks reader support through sharing the article, reflecting a desire for broader impact and recognition within the cybersecurity community.

Comprehensive Url Enumeration for Bug Bounty — The potential of GAU.


Url Enumeration — Subset of Content Discovery: finding existing endpoints.

Considering becoming a member on medium? Use this link at no extra cost to yourself, and support me :) (https://medium.com/@nynan/membership)

Originally, this article was going to be on GAU, but upon research I found a more efficient replacement: GauPlus, which boasts of being 8.9x faster. When working with large scopes, lowering the time spent on automated tools is crucial to effective recon.

If you haven’t heard of Gau or GauPlus (I may use these interchangeably, despite referring to GauPlus), it is a tool that Gets All Urls. It does this passively (never interacting with the target) by querying existing third-party databases such as Common Crawl, the Wayback Machine and AlienVault’s OTX.

Now for why you clicked on this article, the one liner:

The one liner

Disclaimer: although this will work, you shouldn’t use it. It was made for novelty and there are a lot of flaws with using it, but there’s still a lot we can learn from it, which I will demonstrate below with less clickbait-y one-liners you should actually use.

Sensitive Files

Sensitive files get leaked all the time, and if they get picked up in public databases we can find them with Gau. For this section, I will assume you already have the subdomains you can find (if you need help with this, I have an article on subdomain enumeration).

XLSX files are interesting finds. Spreadsheets can often contain internal information, which can lead to easy information disclosure P1 bugs.

xlsx oneliner

SQL files should never be exposed to the public, so if you can find them they may contain important information, such as database information, or even credentials. You may, however, run into example SQL files as false positives.

sql oneliner

LOG files can be a mixed bag. Sometimes it’s perfectly normal to publish these, but sometimes they can leak sensitive information like command execution results or verbose server info.

log oneliner

BAK files: why would you leave a backup file exposed to the internet? Because you made a mistake. These files often contain information which is not supposed to be in your hands.

bak oneliner

Lastly, I should mention that you aren’t limited to the file extensions I’ve mentioned; you can repeat this with any file types you think might be useful. Also, I’ve written these as independent one-liners, but once you’ve run gauplus once and piped its output into a file, you can replace the first two commands with cat allUrls.txt.

Low Hanging Fruit oneliners

Before I show you how to get low hanging fruits (LHF) with Gau, I should define what I mean when I say LHF, because I hear the term used in different ways: “A low hanging fruit is a vulnerability that can be found with automated tools with little or no skill from the hacker.” Although I’ve said LHFs don’t need skill from the hacker, this doesn’t mean they aren’t important or worth hunting; LHFs can often have the most impact and cause the most damage to a company.

XSS with Gau: Gau can be used to find reflected XSS really easily. It’s probably the easiest (and usually lowest impact) bug to find, especially with this tool chain. Gxss is a tool which shows you which characters can be reflected on a page via a GET parameter.

XSS oneliner

Once you find a URL which reflects <, " and >, manually go to this domain, open the source and see where these characters are reflected, then do the necessary tag escaping to get an XSS.

Path Traversal with Gau: once we get URLs from Gau, we can filter them for GET parameters using grep "=", and then use httpx to check whether "///////../../../../../../etc/passwd" is found, by checking the source code for "root:".

Path Traversal oneliner

SSRF with Gau: interactsh is an open-source and free alternative to Burp Collaborator. Run the interactsh client and replace the string below with your domain (or you can use Burp Collaborator if you have it). qsreplace will replace all of the GET parameter values with the domain, and if SSRF is present, httpx will trigger it and the target will make a callback to your client.

SSRF oneliner

Finding JS Secrets with Gau: we can filter JavaScript files from the other URLs with grep "\.js$". The $ is important, as it stops us from picking up files like .jsp. Then we loop through the file with bash commands and feed each URL to SecretFinder.py.

Finding secrets from JS files oneliner

High Hanging Fruits oneliners?

People often talk about low hanging fruits, but what about the less-discussed High Hanging Fruits (HHFs)? I am going to define a HHF as “a vulnerability that requires manual inspection and skill from the hacker; a bug that can only be found with the so-called hacker’s mindset”. HHFs are harder to find than LHFs, but this means they rely less on luck and more on the talent of the hacker.

403s and 401s with Gau: 403s and 401s indicate that a resource is not meant for the public, so if you can bypass one, you are almost guaranteed a high priority bug. You can use any type of 403 bypasser you like, but I use this one. 401s can be visited, and weak credentials can be attempted if a prompt is offered.

unauthorized urls oneliner

Admin Panels with Gau: there are lots of ways to locate admin panels, but by far the most passive is to use gau to collect all URLs, then filter for common admin paths. These can then be inspected for flaws, bad credentials, bypasses, etc.

admin panel recon oneliner

I’ve listed three keywords in this command, but you can add any you like, or, if the list grows too long, consider using gf.
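As an added example (not one of the article’s own one-liners, which were embedded as images), here are the grep stages from the Sensitive Files, JS Secrets and Admin Panels sections written as reusable shell functions and run over a constructed sample standing in for allUrls.txt. It assumes one URL per line, as saved gauplus output looks, and tightens the article’s patterns so an extension only matches at the end of the path or just before a query string.

```shell
#!/bin/sh
# Added example, not one of the article's own one-liners: the grep stages of the
# Sensitive Files, JS Secrets and Admin Panels pipelines as reusable functions.
# Assumed input: one URL per line, as saved gauplus output (allUrls.txt) looks.

# Constructed sample standing in for allUrls.txt.
SAMPLE_URLS='https://example.com/reports/q3-budget.xlsx
https://example.com/backup/site.bak
https://example.com/db/dump.sql
https://example.com/docs/example.sql.txt
https://example.com/static/app.js
https://example.com/static/app.js?v=2024
https://example.com/pages/index.jsp
https://example.com/admin/login
https://example.com/wp-admin/
https://example.com/search?q=test&page=2
https://example.com/about'

# Sensitive extensions must end the path or be followed by a query string,
# so "example.sql.txt" is not a false positive.
sensitive_files() { grep -Ei '\.(xlsx|sql|log|bak)([?]|$)'; }

# The article's \.js$ plus an allowance for a query string: a bare $ anchor
# would miss cache-busting URLs like app.js?v=2024, while .jsp stays excluded.
js_files() { grep -Ei '\.js([?]|$)'; }

# URLs carrying GET parameters (the article's grep "=" stage), restricted to
# the query part so an "=" in the path does not count.
param_urls() { grep -E '[?][^=]*='; }

# Three common admin path keywords, matched as whole path segments.
admin_paths() { grep -Ei '/(admin|wp-admin|administrator)(/|$)'; }

# Run one filter over the sample and return the number of matching lines.
count() { printf '%s\n' "$SAMPLE_URLS" | "$1" | wc -l | tr -d ' '; }

# Stand-alone use: on real output, run e.g. `cat allUrls.txt | sensitive_files`.
for f in sensitive_files js_files param_urls admin_paths; do
  printf '%s: %s\n' "$f" "$(count "$f")"
done
```

The same filters run against your own domains show what the public archives Gau queries have already indexed, which is the exposure a defender wants to know about before anyone else does.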

Takeaways

  • Big one-liners may look attractive or good for Twitter, but it’s usually better to take them apart and use the tools in a more appropriate way.
  • Gau (specifically GauPlus) is an incredibly important tool which has the advantage of passive recon.
  • Gau can be the driving force for finding easy Low Hanging Fruits.
  • Gau can even be used to find more complex bugs.

If you thought any of this information was useful, tweeting this article would be a free and easy way to support me 💙, my goal is to reach 20k views over all my articles, and we’re already 41.15% of the way there!

I look forward to posting more informational content.


  • DISCLAIMER: I take no responsibility for any actions committed by readers. Only perform enumeration on targets you have permission for. Always read and check the scope of a program for guidance.