Introducing Chaos Bug bounty recon data API
We’re proud to announce the release of our Chaos Bug bounty recon data API today. This API lets hackers get instant data on targets of their choice with a single request, without running any additional tools.
Goals behind the project
Reconnaissance is complex; it requires a proper setup, and not everyone is equally good at it. People are skilled differently: some are amazing at looking at web attack surfaces, some prefer to dive deep into logic bugs. Being good at recon requires some development skills, and not everyone is a developer.
This project is aimed at people who are just getting started or would like a quick overview of the targets without having to spend much time gathering information and would like to quickly start hacking stuff without much worry. The Chaos API is a single network call which returns large and detailed information on the targets so you can quickly start hacking.
Scope of the data
Data is collected only for targets that have either a public bug bounty program or a vulnerability disclosure program. The list is available in the GitHub project public bugbounty programs. If you want recon data for a public program that is not in the list, please make a PR to the project and the recon data will be pushed automatically on the next run.
Recon data
The recon data gathered and provided consists of the following:
- Passive Subdomain data.
- Active Subdomain data.
- Wildcard subdomains and data.
- DNS Records (A,AAAA,CNAME,NS)
- DNS Status code (NOERROR,NXDOMAIN,SERVFAIL,REFUSED)
- HTTP Records (URL, Title, Status code, Content length)
Advantages of the new APIs
The new API makes it really easy for hackers to start hacking right away at a program. All the data is just one click away and can be easily retrieved through the APIs.
The data is updated on a weekly basis. This is a showcase of the capabilities of the ProjectDiscovery recon platform, which will be used to enhance the Chaos API further and provide much more data.
How to access the API?
Currently, the API is invite-only and is also available to old users of the Chaos Project. It is, however, very simple to get an invite: just create a PR and we will invite you as soon as possible. Check https://chaos.projectdiscovery.io for getting access to the Chaos APIs.
How to use the API?
We have updated the Chaos Client to access the new APIs. Given below are a few examples on how to work with the new APIs.
Here is a raw API request to pull all the recon information for the target domain.
```http
GET /dns/{domain}/public-recon-data HTTP/1.1
Host: dns.projectdiscovery.io
Authorization: CHAOS_API_KEY
Connection: close
Content-Length: 6
```
```json
{
  "domain": "hackerone.com",
  "subdomain": "api",
  "timestamp": "0001-01-01T00:00:00Z",
  "id": "api.hackerone.com",
  "dns-status-code": "NOERROR",
  "a": [
    "104.16.99.52",
    "104.16.100.52"
  ],
  "aaaa": [
    "2606:4700::6810:6434",
    "2606:4700::6810:6334",
    "2606:4700::6810:6334"
  ],
  "wildcard": false,
  "http_url": "https://api.hackerone.com",
  "http_status_code": 200,
  "http_content_length": 7781,
  "http_title": "HackerOne API"
}
{
  "domain": "hackerone.com",
  "subdomain": "b.ns",
  "timestamp": "0001-01-01T00:00:00Z",
  "id": "b.ns.hackerone.com",
  "dns-status-code": "NOERROR",
  "a": [
    "162.159.1.31"
  ],
  "aaaa": [
    "2400:cb00:2049:1::a29f:11f",
    "2400:cb00:2049:1::a29f:11f"
  ],
  "wildcard": false
}
```
We have added client-side filters to the Chaos Client so the data can be pulled in a form that fits automation pipelines. A few examples follow:
HTTP URLs of uber.com
```bash
chaos -d uber.com -bbq -http-url -filter-wildcard
```
Example output:
```text
https://www.blog.uber.com
https://lantern-experiment.uber.com
https://cn-staging.uber.com
https://assets-share.uber.com
https://ohmylog.uber.com
https://blogapi.uber.com
https://careersinfo.uber.com
https://pages.et.uber.com
https://frontends-dca1.uber.com
http://cn-dc1.uber.com
```
HTTP URLs of uber.com with titles, status codes, and content lengths
```bash
chaos -d uber.com -bbq -http-url -filter-wildcard -http-title -http-status-code -http-content-length
```
Example output:
```text
http://get.uber.com [301] [166] [301 Moved Permanently]
https://riders-staging.uber.com [302] [142] [302 Found]
https://partners-platform.uber.com [404] [2783] [Page Not Found - Uber]
https://airwatch.uber.com [301] [0] []
https://kirim.uber.com [200] [493] [yellow-river]
https://frontends-all.uber.com [302] [142] [302 Found]
https://cn-staging-phx2.cfe.uber.com [405] [36] []
http://rush.uber.com [301] [166] [301 Moved Permanently]
https://advantage.uber.com [403] [150] [403 Forbidden]
```
HTTP URLs having cname as DNS record
```bash
chaos -d uber.com -bbq -http-url -filter-wildcard -dns-record-type cname
```
Example output:
```text
https://groove.uber.com
https://ukvideo.uber.com
https://event.uber.com
https://postmaster.uber.com
https://video.uber.com
https://unsubscribe.uber.com
https://works.uber.com
https://freight-support.uber.com
https://m.uber.com
```
Subdomains with associated A record in the response
```bash
chaos -d uber.com -bbq -filter-wildcard -dns-record-type a -resp
```
Example output:
```text
o24.email.uber.com 167.89.42.88
logs2.uber.com 10.6.0.1
o8.email.uber.com 167.89.17.53
brandarchive.uber.com 104.130.42.190
o19.email.uber.com 167.89.42.142
rush.uber.com 104.36.195.130
```
CNAMEs associated with subdomains of uber.com
```bash
chaos -d uber.com -bbq -filter-wildcard -dns-record-type cname -resp-only
```
Example output:
```text
frontends-primary.uber.com
akamai-san8.exacttarget.com.edgekey.net
frontends-primary.uber.com
mkto-ab190087.com
cn-slow2-630950453.us-west-2.elb.amazonaws.com
frontends-all.uber.com
frontends-all.uber.com
frontends-primary.uber.com
```
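The client-side filters above can also be applied directly to the raw API response, which arrives as JSON objects written back to back with no separator. The Python below is an added example, not ProjectDiscovery's code: the function names and the third sample record are constructed here, and it assumes each record type's JSON key is its lower-case name, as with "a" and "aaaa" in the response shown earlier.

```python
import json

# Constructed sample: back-to-back JSON objects as in the raw response. The first
# two are trimmed from the page's example; the third (wildcard) is made up.
SAMPLE = (
    '{"domain":"hackerone.com","subdomain":"api","id":"api.hackerone.com",'
    '"dns-status-code":"NOERROR","a":["104.16.99.52","104.16.100.52"],'
    '"wildcard":false,"http_url":"https://api.hackerone.com",'
    '"http_status_code":200,"http_content_length":7781,"http_title":"HackerOne API"}'
    '{"domain":"hackerone.com","subdomain":"b.ns","id":"b.ns.hackerone.com",'
    '"dns-status-code":"NOERROR","a":["162.159.1.31"],"wildcard":false}\n'
    '{"domain":"hackerone.com","subdomain":"wild","id":"wild.hackerone.com",'
    '"a":["192.0.2.10"],"wildcard":true,"http_url":"https://wild.hackerone.com",'
    '"http_status_code":200,"http_content_length":0,"http_title":""}'
)

def iter_records(body):
    """Yield each object from a body of concatenated JSON objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(body):
        if body[pos].isspace():          # tolerate newlines between objects
            pos += 1
            continue
        record, pos = decoder.raw_decode(body, pos)
        yield record

def http_lines(body, filter_wildcard=True, details=False):
    """Like -http-url; details=True appends [status] [length] [title]."""
    out = []
    for r in iter_records(body):
        if "http_url" not in r or (filter_wildcard and r.get("wildcard")):
            continue
        line = r["http_url"]
        if details:
            line += " [%s] [%s] [%s]" % (r.get("http_status_code", ""),
                r.get("http_content_length", ""), r.get("http_title", ""))
        out.append(line)
    return out

def dns_pairs(body, rtype="a", filter_wildcard=True):
    """Like -dns-record-type <rtype> -resp: one (host, value) pair per value."""
    # Assumption: the JSON key for a record type is its lower-case name.
    return [(r["id"], v) for r in iter_records(body)
            if not (filter_wildcard and r.get("wildcard"))
            for v in r.get(rtype, [])]

if __name__ == "__main__":
    print("\n".join(http_lines(SAMPLE, details=True)))
```

Parsing with `raw_decode` rather than splitting on `}{` keeps the reader correct even when a title or other string value happens to contain those characters.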
What are we doing in the backend?
Passive subdomain data is collected from the Chaos DNS dataset APIs, which gather subdomains continuously from multiple sources.
Resolution of subdomains takes place using shuffledns and dnsx, which also provide the DNS records as needed. HTTP data is gathered using httpx. Using all these tools and services, you can easily create your very own bug bounty recon process.
Questions?
Like this project or have any feedback or questions? Tweet us at @pdiscoveryio. You can also email us at chaos@projectdiscovery.io and follow @pdchaos for updates.