Introducing Chaos Bug bounty recon data API

We’re proud to announce the release of our Chaos Bug Bounty recon data API today. This API lets hackers get instant data on targets of their choice with a single request, without running any additional tools.

Goals behind the project

Reconnaissance is complex: it requires a proper setup, and not everyone is equally good at it. People are skilled differently; some are amazing at looking at web attack surfaces, some prefer to dive deep into logic bugs. Being good at recon requires some development skills, and not everyone is a developer.

This project is aimed at people who are just getting started, or who would like a quick overview of a target without spending much time gathering information, so they can start hacking right away. The Chaos API is a single network call that returns large and detailed information on the target.

Scope of the data

Data is collected only for targets that have either a public Bug Bounty program or a Vulnerability Disclosure Program. The list is available in the public bug bounty programs project on GitHub. If you want recon data for a public program that is not in the list, please open a PR against the project; the recon data will be pushed automatically on the next run.

Recon data

The recon data gathered and provided consists of the following:

  • Passive Subdomain data.
  • Active Subdomain data.
  • Wildcard subdomains and data.
  • DNS Records (A, AAAA, CNAME, NS)
  • DNS Status code (NOERROR, NXDOMAIN, SERVFAIL, REFUSED)
  • HTTP Records (URL, Title, Status code, Content length)

Advantages of the new APIs

The new API makes it really easy for hackers to start hacking on a program right away. All the data is just one request away and can be easily retrieved through the APIs.

The data is updated on a weekly basis. This is a showcase of the capabilities of the ProjectDiscovery recon platform, which will be used to enhance the Chaos API further with much more data.

How to access the API?

Currently, the API is invite only and is also available to existing users of the Chaos project. It is however very simple to get an invite: just create a PR and we will invite you as soon as possible. Check https://chaos.projectdiscovery.io for getting access to the Chaos APIs.

How to use the API?

We have updated the Chaos client to access the new APIs. Below are a few examples of how to work with them.

Here is the raw API request to pull all the recon information for a target domain.

```http
GET /dns/{domain}/public-recon-data HTTP/1.1
Host: dns.projectdiscovery.io
Authorization: CHAOS_API_KEY
Connection: close
Content-Length: 6
```

```json
{
   "domain":"hackerone.com",
   "subdomain":"api",
   "timestamp":"0001-01-01T00:00:00Z",
   "id":"api.hackerone.com",
   "dns-status-code":"NOERROR",
   "a":[
      "104.16.99.52",
      "104.16.100.52"
   ],
   "aaaa":[
      "2606:4700::6810:6434",
      "2606:4700::6810:6334",
      "2606:4700::6810:6334"
   ],
   "wildcard":false,
   "http_url":"https://api.hackerone.com",
   "http_status_code":200,
   "http_content_length":7781,
   "http_title":"HackerOne API"
}
{
   "domain":"hackerone.com",
   "subdomain":"b.ns",
   "timestamp":"0001-01-01T00:00:00Z",
   "id":"b.ns.hackerone.com",
   "dns-status-code":"NOERROR",
   "a":[
      "162.159.1.31"
   ],
   "aaaa":[
      "2400:cb00:2049:1::a29f:11f",
      "2400:cb00:2049:1::a29f:11f"
   ],
   "wildcard":false
}
```

We have added client-side filters to the Chaos client so the data can be pulled in a form that fits automation pipelines. A few examples follow:

HTTP URLs for uber.com

```bash
chaos -d uber.com -bbq -http-url -filter-wildcard
```

Example output:

```text
https://www.blog.uber.com
https://lantern-experiment.uber.com
https://cn-staging.uber.com
https://assets-share.uber.com
https://ohmylog.uber.com
https://blogapi.uber.com
https://careersinfo.uber.com
https://pages.et.uber.com
https://frontends-dca1.uber.com
http://cn-dc1.uber.com
```

HTTP URLs with titles, status codes, and content lengths for uber.com

```bash
chaos -d uber.com -bbq -http-url -filter-wildcard -http-title -http-status-code -http-content-length
```

Example output:

```text
http://get.uber.com [301] [166] [301 Moved Permanently]
https://riders-staging.uber.com [302] [142] [302 Found]
https://partners-platform.uber.com [404] [2783] [Page Not Found - Uber]
https://airwatch.uber.com [301] [0] []
https://kirim.uber.com [200] [493] [yellow-river]
https://frontends-all.uber.com [302] [142] [302 Found]
https://cn-staging-phx2.cfe.uber.com [405] [36] []
http://rush.uber.com [301] [166] [301 Moved Permanently]
https://advantage.uber.com [403] [150] [403 Forbidden]
```

HTTP URLs of subdomains that have a CNAME record

```bash
chaos -d uber.com -bbq -http-url -filter-wildcard -dns-record-type cname
```

Example output:

```text
https://groove.uber.com
https://ukvideo.uber.com
https://event.uber.com
https://postmaster.uber.com
https://video.uber.com
https://unsubscribe.uber.com
https://works.uber.com
https://freight-support.uber.com
https://m.uber.com
```

Subdomains with their A record values in the response

```bash
chaos -d uber.com -bbq -filter-wildcard -dns-record-type a -resp
```

Example output:

```text
o24.email.uber.com 167.89.42.88
logs2.uber.com 10.6.0.1
o8.email.uber.com 167.89.17.53
brandarchive.uber.com 104.130.42.190
o19.email.uber.com 167.89.42.142
rush.uber.com 104.36.195.130
```

CNAMEs associated with subdomains of uber.com

```bash
chaos -d uber.com -bbq -filter-wildcard -dns-record-type cname -resp-only
```

```text
frontends-primary.uber.com
akamai-san8.exacttarget.com.edgekey.net
frontends-primary.uber.com
mkto-ab190087.com
cn-slow2-630950453.us-west-2.elb.amazonaws.com
frontends-all.uber.com
frontends-all.uber.com
frontends-primary.uber.com
```
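As an added example (not ProjectDiscovery's code and not the Chaos client itself), here is a small Python consumer for the `/dns/{domain}/public-recon-data` response shown earlier that reproduces the kind of client-side filtering the CLI examples above perform (`-filter-wildcard`, `-dns-record-type`, `-http-url`, `-resp`, `-resp-only`). The response body is a sequence of JSON objects back to back (note the `}{` in the raw output), so `json.loads` on the whole body fails; the parser walks it with `raw_decode` instead, and also accepts a JSON array in case the service ever returns one. The sample stream embeds the two hackerone.com records from the page plus two constructed records under example.com (one wildcard, one with a `cname` key). The `cname` key name, the `fetch_recon_data` helper, and its use of the `Authorization` header are assumptions based on the request shown above, not documented API behaviour.

```python
"""Consumer for the Chaos public-recon-data stream with CLI-style filters.

Added example; not the chaos client's code. The record key names "a",
"aaaa", "wildcard", "http_url", "http_status_code", "http_content_length"
and "http_title" come from the response shown on the page; "cname" is an
assumption by analogy with "a"/"aaaa".
"""
import json
import urllib.request
from typing import Iterator, List

API_HOST = "https://dns.projectdiscovery.io"  # host named in the page's request


def fetch_recon_data(domain: str, api_key: str) -> str:
    """GET /dns/{domain}/public-recon-data with the API key in Authorization.

    Assumed from the raw request on the page; not exercised offline.
    """
    req = urllib.request.Request(
        f"{API_HOST}/dns/{domain}/public-recon-data",
        headers={"Authorization": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_recon_stream(body: str) -> Iterator[dict]:
    """Yield each record from a body of back-to-back JSON objects ('}{').

    raw_decode() does not skip leading whitespace, so we advance past it
    ourselves before each object. A JSON array is unrolled too.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(body)
    while pos < end:
        while pos < end and body[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(body, pos)
        if isinstance(obj, list):
            yield from obj
        else:
            yield obj


def filter_records(records, *, filter_wildcard=False, dns_record_type=None,
                   require_http=False) -> List[dict]:
    """Apply the same filters the CLI flags express.

    filter_wildcard  -> drop records flagged "wildcard": true
    dns_record_type  -> keep only records carrying that record type (e.g. "cname")
    require_http     -> keep only records that have an http_url
    """
    key = dns_record_type.lower() if dns_record_type else None
    kept = []
    for rec in records:
        if filter_wildcard and rec.get("wildcard"):
            continue
        if key and not rec.get(key):
            continue
        if require_http and not rec.get("http_url"):
            continue
        kept.append(rec)
    return kept


def format_http_line(rec: dict, *, status=False, length=False, title=False) -> str:
    """Render a record like the CLI: url [status] [content-length] [title]."""
    parts = [rec["http_url"]]
    if status:
        parts.append(f"[{rec.get('http_status_code', '')}]")
    if length:
        parts.append(f"[{rec.get('http_content_length', '')}]")
    if title:
        parts.append(f"[{rec.get('http_title', '')}]")
    return " ".join(parts)


def http_lines(records) -> List[str]:
    """Equivalent of -http-url: one URL per record that has one."""
    return [format_http_line(r) for r in records if r.get("http_url")]


def dns_lines(records, record_type: str, *, resp_only=False) -> List[str]:
    """Equivalent of -dns-record-type X -resp (host + value) or -resp-only (value)."""
    key = record_type.lower()
    out = []
    for rec in records:
        for value in rec.get(key, []):
            out.append(value if resp_only else f"{rec['id']} {value}")
    return out


# Constructed sample: the two hackerone.com records from the page, back to back
# exactly as the API emits them, followed by two made-up example.com records
# (one wildcard, one CNAME-backed) so every filter has something to act on.
SAMPLE_STREAM = (
    '{"domain":"hackerone.com","subdomain":"api","timestamp":"0001-01-01T00:00:00Z",'
    '"id":"api.hackerone.com","dns-status-code":"NOERROR",'
    '"a":["104.16.99.52","104.16.100.52"],'
    '"aaaa":["2606:4700::6810:6434","2606:4700::6810:6334"],'
    '"wildcard":false,"http_url":"https://api.hackerone.com",'
    '"http_status_code":200,"http_content_length":7781,"http_title":"HackerOne API"}'
    '{"domain":"hackerone.com","subdomain":"b.ns","timestamp":"0001-01-01T00:00:00Z",'
    '"id":"b.ns.hackerone.com","dns-status-code":"NOERROR",'
    '"a":["162.159.1.31"],"aaaa":["2400:cb00:2049:1::a29f:11f"],"wildcard":false}\n'
    '{"domain":"example.com","subdomain":"wc-example","id":"wc-example.example.com",'
    '"dns-status-code":"NOERROR","a":["198.51.100.7"],"wildcard":true,'
    '"http_url":"https://wc-example.example.com","http_status_code":200,'
    '"http_content_length":12,"http_title":"catch-all"}\n'
    '{"domain":"example.com","subdomain":"cname-example","id":"cname-example.example.com",'
    '"dns-status-code":"NOERROR","cname":["cname-target.example.net"],"wildcard":false,'
    '"http_url":"https://cname-example.example.com","http_status_code":301,'
    '"http_content_length":0,"http_title":""}'
)
SAMPLE_RECORDS = list(parse_recon_stream(SAMPLE_STREAM))

if __name__ == "__main__":
    live = filter_records(SAMPLE_RECORDS, filter_wildcard=True, require_http=True)
    for r in live:
        print(format_http_line(r, status=True, length=True, title=True))
```

The wildcard filter matters most for the HTTP views: a domain with a wildcard DNS record makes every probed name look "alive", so dropping `"wildcard": true` records before feeding URLs into a pipeline avoids a flood of identical catch-all responses.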

What are we doing in the backend?

Passive subdomain data is collected from the Chaos DNS dataset APIs, which gather subdomains continuously from multiple sources.

Resolution of subdomains is done with shuffledns and dnsx, which also provide the DNS records as needed. HTTP data is gathered using httpx. Using these same tools and services, you can easily create your very own Bug Bounty recon process.

Questions?

Like this project or have any feedback or questions? Tweet us at @pdiscoveryio. You can also email us at chaos@projectdiscovery.io and follow @pdchaos for updates.
