Why is recon so very important? API key exposure by only recon


Karim Mohamed

Hello guys, I am learning bug bounty and I want to tell you why recon is so, so important, and how I found a bug from recon alone.

1. I gathered a lot of subdomains using various tools such as **subfinder**, sublist3r and amass

subfinder -d example.com -all -recursive >> subs.txt

2. Then I removed the duplicate subdomains using anew

cat subs.txt | anew unique_subdomains.txt

3. Then I filtered only the working websites using httpx

cat unique_subdomains.txt | httpx -o httpx

4. I checked for request smuggling with smuggler.py but did not find any vulnerabilities; that's ok, I'll continue

5. I gathered all URLs in three ways: waybackurls, gospider and katana

gospider -S httpx -o gospider_output
katana -list httpx -o katana.txt
cat httpx | waybackurls >> allurls.txt

6. I now had a lot of URLs pointing to JavaScript and PHP files, so I put each type in a separate text file

cat allurls.txt | grep -E "\.js(\?|$)" >> js.txt
cat allurls.txt | grep -E "\.php(\?|$)" >> php.txt

7. I then used mantra, a tool that finds leaked API keys in JavaScript files

cat js.txt | mantra
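As an added example (not part of the original post), here are steps 6 and 7 as two small shell functions run over constructed sample data: one filters a URL list down to unique JavaScript files without the .json/.jsp false positives of a bare `\.js` grep, the other greps JavaScript for hard-coded key-shaped literals, which is the same check a team can run on its own bundles before shipping them. The key pattern, the file names and every sample value are assumptions and placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post: the "filter JS URLs" and
# "look for leaked keys" steps as shell functions over constructed data.

# Constructed sample of crawler output (the shape of allurls.txt above)
SAMPLE_URLS='https://app.example.com/static/main.js
https://app.example.com/static/main.js?v=2
https://app.example.com/api/config.json
https://app.example.com/index.php?id=1
https://app.example.com/static/vendor.JS
https://cdn.example.com/lib/jquery.min.js'

# Constructed JavaScript excerpt; the key values are made-up placeholders
SAMPLE_JS='window.__cfg = { debug: false, timeout: 30 };
Bugsnag.start({ apiKey: "0123456789abcdef0123456789abcdef" });
headers = { "x-api-key": "AKIAEXAMPLEKEY0000000000" };
var token = getToken();
const API_KEY = "sk_test_placeholder";'

# Assumed heuristic: a key-like name, then : or =, then a literal of 20+ chars.
# Short values (sk_test_placeholder) and function calls (getToken()) are skipped.
KEY_PATTERN="(api[_-]?key|secret|token)[\"']?[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{20,}"

# stdin: URLs; stdout: unique URLs whose path ends in .js (any case), with the
# query string and fragment stripped so main.js?v=2 collapses into main.js
extract_js_urls() {
  sed 's/[?#].*$//' | grep -iE '\.js$' | sort -u
}

# stdin: JavaScript text; stdout: numbered lines that look like hard-coded keys
find_key_candidates() {
  grep -inE "$KEY_PATTERN"
}

# Counts over the sample data (used by the checks below)
count_js_urls() {
  printf '%s\n' "$SAMPLE_URLS" | extract_js_urls | grep -c .
}

count_key_candidates() {
  printf '%s\n' "$SAMPLE_JS" | find_key_candidates | grep -c .
}

printf '%s\n' "$SAMPLE_URLS" | extract_js_urls
printf '%s\n' "$SAMPLE_JS" | find_key_candidates
```

Run it against a real allurls.txt with `extract_js_urls < allurls.txt`, then fetch the files and pipe their contents through `find_key_candidates`.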

I kept finding non-working API keys until I found a Bugsnag API key. It has no real use except for an attacker spamming fake error reports, making the company lose a lot of money.

Anyway, I submitted it but got a duplicate :(

It's okay, I will get them next time.

I hope you learned something new,

and if you want to support me you can buy me a coffee here.
