xyele/hackerone_wordlist
The wordlists that have been compiled using disclosed reports at HackerOne bug bounty platform
| repo name | xyele/hackerone_wordlist |
| repo link | https://github.com/xyele/hackerone_wordlist |
| homepage | |
| language | Python |
| size (curr.) | 60 kB |
| stars (curr.) | 158 |
| created | 2020-05-29 |
| license | GNU General Public License v3.0 |
Match Cases
Here is the match cases how it extracts all these data.
URLs
I’ve used urlextract library for extracting URLs based on TLDs. Eventhough it works awesome, there might be false matches rarely.
Raw HTTP Requests
It extracts the raw http requests which is in three backticks (```). Her are the example:
Hey team! I've found an SQL Injection issue with your website.
## Request
```
POST /xyele/hackerone_wordlist HTTP/1.1
Host: github.com
star_repo=true'
```
So it extracts the request and parsing it.
POST /xyele/hackerone_wordlist HTTP/1.1
Host: github.com
star_repo=true'
Parameter names
Besides the getting parameters from requests and URLs, it gets parameter names with regex again. Here are the examples:
LFI throught the filename parameter --> filename
SQL Injection on blabla domain via userid parameter --> userid
<?php echo $_GET['makesense']; ?> --> makesense
To Do
- Develop own URL extracting library
- Extract json and parse parameters from markdown code block.
- Extract json and parse parameters from raw http response.
Known Issues
- It downloads reports each by each but nothing to do for getting it faster because HackerOne has rate-limit.
Support Me
Reach out to me at one of the following places!
