{"id":13610177,"url":"https://github.com/codingo/bbr","last_synced_at":"2025-08-27T01:45:15.168Z","repository":{"id":49950814,"uuid":"192831189","full_name":"codingo/bbr","owner":"codingo","description":"An open source tool to aid in command line driven generation of bug bounty reports based on user provided templates.","archived":false,"fork":false,"pushed_at":"2020-11-03T20:18:42.000Z","size":4812,"stargazers_count":211,"open_issues_count":0,"forks_count":35,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-07-03T16:44:09.142Z","etag":null,"topics":["bug-bounty","bug-bounty-hunters","bugbounty","bugbounty-tool","reporting","reporting-tool","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codingo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-06-20T02:00:43.000Z","updated_at":"2025-06-24T05:39:29.000Z","dependencies_parsed_at":"2022-09-26T16:31:14.813Z","dependency_job_id":null,"html_url":"https://github.com/codingo/bbr","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/codingo/bbr","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codingo%2Fbbr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codingo%2Fbbr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codingo%2Fbbr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codingo%2Fbbr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codingo","download_url":"https:
//codeload.github.com/codingo/bbr/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codingo%2Fbbr/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272277560,"owners_count":24905520,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-26T02:00:07.904Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","bug-bounty-hunters","bugbounty","bugbounty-tool","reporting","reporting-tool","security-tools"],"created_at":"2024-08-01T19:01:42.156Z","updated_at":"2025-08-27T01:45:15.033Z","avatar_url":"https://github.com/codingo.png","language":"Go","funding_links":[],"categories":["Go","Go (531)"],"sub_categories":[],"readme":"# bbr\nAn open source tool to aid in command line driven generation of bug bounty reports based on user provided templates. 
Useful for piping reporting from one application to another (such as an automatic submission tool).\n\n[![License](https://img.shields.io/badge/license-GPL3-_red.svg)](https://www.gnu.org/licenses/gpl-3.0.en.html) [![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_)\n\n# Arguments\n| Argument | Description                      |\n|----------|----------------------------------|\n| -h       | Display help message and exit   |\n| -r       | Path to template file to use    |\n| -t       | Variable to replace \\_target\\_ with and to use for `dig` and `whois` commands. |\n| -u       | Username to replace \\_username\\_ with |\n| -o       | Output file name. (optional)       |\n| -p | Variable to replace \\_program\\_ (optional) |\n| -re | Variable to replace \\_researcher\\_ (optional) |\n\nBBR will then process the text file, and make the following replacements (not all fields may be present, some will be present more than once):\n\n| Argument      | Description                                               |\n|---------------|-----------------------------------------------------------|\n| \\_target\\_      | Replace with the value of the -t argument                |\n| \\_username\\_    | Replace with the value of the -u argument                |\n| \\_program\\_      | Replace with the value of the -p argument                |\n| \\_researcher\\_ | Replace with the value of the -re argument |\n| \\_sha\\_         | Replace with the SHA256 encoded value of the -u argument |\n| \\_nameservers\\_ | Replace with the output of \"dig NS @8.8.8.8 _target_\"     |\n| \\_dig\\_         | Replace with the value of \"dig @8.8.8.8 _target_\"         |\n| \\_whois\\_       | Replace with the whois output of the target parameter    |\n| \\_wayback\\_ | Replace with an automatic wayback link of the -t argument |\n| \\_sha\\_ | Replace with the SHA256 value of the username parameter |\n| \\_dig-txt\\_ | Replace with the value of DNS 
TXT records |\n| \\_curl\\_ | Replace with the request response of the -t argument |\n| \\_joke\\_ | Replace with a joke |\n| \\_punchline\\_ | Replace with the punchline for said joke |\n\n# Functionality\nBBR takes a provided template file and makes replacements throughout that file with provided arguments. For example, the following template file (stored in this repository as `template.txt`):\n\n```\n # Summary\nThe domain _target_ was found to have a CNAME that was pointing to an unregistered domain.\n\nIt was possible to register this domain, and to host content on the _target_ website. Given this domain is attributed to _program_(see: attribution) I hosted only a SHA256 string of my researcher account, _researcher).\n\nThis can be verified by using the following in the terminal:\n\n\\```\necho \"_username_\" | sha256sum\n\\```\nWhich should present the resulting string:\n\\```\n_sha_\n\\```\nWhich matches what I placed on _target_ for verification.\n\nThis has also been stored on the Wayback engine, in case this is resolved before this submission is able to be triaged: _wayback_\n\n# Attribution\nA whois of the domain _target_ shows a direct match to other domains relating to _program_, showing this as beloning to _program_:\n\n\\```\n_whois_\n\\```\n\n# Recommendation\nRemove the CNAME associated with _target_, or decomission the domain entirely with a redirection to other domains of _program_. If you would like the domain I've claimed to be transferred to you, please don't hestitate to request it within this submission.\n\n# Joke\nTriage is a tough gig, here's a joke to lighten the load!\n\n_joke_\n\n... 
_punchline_\n```\n\nWhen used with the following:\n\n```\n➜  ./bbr -t example.com -p Example -u codingo -r ./template.txt | tee  \n```\nOutputs the following report:\n```\n # Summary\nThe domain example.com was found to have a CNAME that was pointing to an unregistered domain.\n\nIt was possible to register this domain, and to host content on the example.com website. Given this domain is attributed to Example(see: attribution) I hosted only a SHA256 string of my researcher account, _researcher).\n\nThis can be verified by using the following in the terminal:\n\n\\```\necho \"codingo\" | sha256sum\n\\```\nWhich should present the resulting string:\n\\```\n10c989bbd4963c465e0941acd70833d5579ca846f5a68eadc8bcf63801b3993b\n\\```\nWhich matches what I placed on example.com for verification.\n\nThis has also been stored on the Wayback engine, in case this is resolved before this submission is able to be triaged: example.com\n\n# Attribution\nA whois of the domain example.com shows a direct match to other domains relating to Example, showing this as beloning to Example:\n\n\\```\n   Domain Name: EXAMPLE.COM\n   Registry Domain ID: 2336799_DOMAIN_COM-VRSN\n   Registrar WHOIS Server: whois.iana.org\n   Registrar URL: http://res-dom.iana.org\n   Updated Date: 2020-08-14T07:02:37Z\n   Creation Date: 1995-08-14T04:00:00Z\n   Registry Expiry Date: 2021-08-13T04:00:00Z\n   Registrar: RESERVED-Internet Assigned Numbers Authority\n   Registrar IANA ID: 376\n   Registrar Abuse Contact Email:\n   Registrar Abuse Contact Phone:\n   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\n   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\n   Name Server: A.IANA-SERVERS.NET\n   Name Server: B.IANA-SERVERS.NET\n   DNSSEC: signedDelegation\n   DNSSEC DS Data: 31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE\n   DNSSEC DS Data: 31589 8 
2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03E576343C\n   DNSSEC DS Data: 43547 8 1 B6225AB2CC613E0DCA7962BDC2342EA4F1B56083\n   DNSSEC DS Data: 43547 8 2 615A64233543F66F44D68933625B17497C89A70E858ED76A2145997EDF96A918\n   DNSSEC DS Data: 31406 8 1 189968811E6EBA862DD6C209F75623D8D9ED9142\n   DNSSEC DS Data: 31406 8 2 F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D\n   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\n\u003e\u003e\u003e Last update of whois database: 2020-08-22T03:11:57Z \u003c\u003c\u003c\n\nFor more information on Whois status codes, please visit https://icann.org/epp\n\nNOTICE: The expiration date displayed in this record is the date the\nregistrar's sponsorship of the domain name registration in the registry is\ncurrently set to expire. This date does not necessarily reflect the expiration\ndate of the domain name registrant's agreement with the sponsoring\nregistrar.  Users may consult the sponsoring registrar's Whois database to\nview the registrar's reported date of expiration for this registration.\n\nTERMS OF USE: You are not authorized to access or query our Whois\ndatabase through the use of electronic processes that are high-volume and\nautomated except as reasonably necessary to register domain names or\nmodify existing registrations; the Data in VeriSign Global Registry\nServices' (\"VeriSign\") Whois database is provided by VeriSign for\ninformation purposes only, and to assist persons in obtaining information\nabout or related to a domain name registration record. VeriSign does not\nguarantee its accuracy. 
By submitting a Whois query, you agree to abide\nby the following terms of use: You agree that you may use this Data only\nfor lawful purposes and that under no circumstances will you use this Data\nto: (1) allow, enable, or otherwise support the transmission of mass\nunsolicited, commercial advertising or solicitations via e-mail, telephone,\nor facsimile; or (2) enable high volume, automated, electronic processes\nthat apply to VeriSign (or its computer systems). The compilation,\nrepackaging, dissemination or other use of this Data is expressly\nprohibited without the prior written consent of VeriSign. You agree not to\nuse electronic processes that are automated and high-volume to access or\nquery the Whois database except as reasonably necessary to register\ndomain names or modify existing registrations. VeriSign reserves the right\nto restrict your access to the Whois database in its sole discretion to ensure\noperational stability.  VeriSign may restrict or terminate your access to the\nWhois database for failure to abide by these terms of use. VeriSign\nreserves the right to modify these terms at any time.\n\nThe Registry database contains ONLY .COM, .NET, .EDU domains and\nRegistrars.\n% IANA WHOIS server\n% for more information on IANA, visit http://www.iana.org\n% This query returned 1 object\n\ndomain:       EXAMPLE.COM\n\norganisation: Internet Assigned Numbers Authority\n\ncreated:      1992-01-01\nsource:       IANA\n\n\n\\```\n\n# Recommendation\nRemove the CNAME associated with example.com, or decomission the domain entirely with a redirection to other domains of Example. If you would like the domain I've claimed to be transferred to you, please don't hestitate to request it within this submission.\n\n# Joke\nTriage is a tough gig, here's a joke to lighten the load!\n\nWhat was the pumpkin’s favorite sport?\n\n... 
Squash.\n```\n\nThis can then be submitted to your platform of choice, and is a repeatable template as you find similar vulnerabilities of the same type.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodingo%2Fbbr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodingo%2Fbbr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodingo%2Fbbr/lists"}