automating bug hunting
In the quest to get my first CVE, I’ve decided that WordPress plugins are going to be my best target, just because they’re so close to my heart. My first attempts included finding a plugin off svn.plugins.wordpress.org, downloading it, scanning it with Snyk, and then moving on; then, like all good cyber students do, I realized I could automate it.
Here is the GitHub repo for the script. It takes in a list (a section copied from svn), tries to find the official plugin page for it on WP, downloads it, scans it with semgrep, and gives me a nice CSV with the output. As of writing this post, it’s not working, because I refactored it to only use one curl command instead of four so I don’t get rate-limited and apparently that broke something. Once that’s fixed, I’m going to make it only pay attention to plugins with 100+ downloads (we need that Wordfence bounty, it’s not called defcon-money for nothing) and make sure it gives the high- and med-sev vulns in the README.
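A sketch of that pipeline as an added example (not the author's script): it turns a copied svn listing into plugin slugs, checks the download count against the WordPress.org plugin-info API, runs semgrep, and keeps only high- and medium-severity findings as CSV rows. The `downloaded` field name, the semgrep severity labels, the `p/php` ruleset and the sample findings are assumptions or constructed.

```python
"""Triage helpers for a semgrep scan of WordPress plugins. Added example, not the
post's script. Network and subprocess calls are isolated so the pure parts run offline."""
import csv, io, json, subprocess, urllib.request

PLUGIN_INFO = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"   # assumed endpoint
PLUGIN_ZIP = "https://downloads.wordpress.org/plugin/{slug}.zip"         # assumed zip URL
SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}         # semgrep -> report label
FIELDS = ["plugin", "severity", "rule", "file", "line", "message"]

def slugs_from_svn_listing(text):
    """Entries copied from the svn index look like 'akismet/'; strip to the slug."""
    return [ln.strip().rstrip("/") for ln in text.splitlines() if ln.strip()]

def popular_enough(slug, minimum=100, fetch=None):
    """Keep plugins at or above the download threshold; `fetch` is injectable for tests."""
    fetch = fetch or (lambda url: json.load(urllib.request.urlopen(url, timeout=10)))
    info = fetch(PLUGIN_INFO.format(slug=slug))
    return int(info.get("downloaded", 0)) >= minimum   # 'downloaded' is an assumed field

def run_semgrep(plugin_dir, config="p/php"):
    """Run semgrep in JSON mode; exit code 1 just means findings, so don't raise on it."""
    proc = subprocess.run(["semgrep", "--config", config, "--json", plugin_dir],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)

def triage(report, slug, keep=("high", "medium")):
    """Flatten semgrep results into rows, drop low/unknown severity, highs first."""
    rows = []
    for r in report.get("results", []):
        sev = SEVERITY.get(r.get("extra", {}).get("severity", ""), "unknown")
        if sev in keep:
            rows.append({"plugin": slug, "severity": sev, "rule": r["check_id"],
                         "file": r["path"], "line": r["start"]["line"],
                         "message": r["extra"].get("message", "").strip()})
    return sorted(rows, key=lambda x: (x["severity"] != "high", x["file"], x["line"]))

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()

# Constructed semgrep-style output for offline use; not a real scan result.
SAMPLE = {"results": [
    {"check_id": "php.lang.security.tainted-sql", "path": "inc/db.php", "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "user input reaches SQL query"}},
    {"check_id": "php.lang.security.echoed-request", "path": "admin/page.php", "start": {"line": 40},
     "extra": {"severity": "WARNING", "message": "request value echoed without escaping"}},
    {"check_id": "php.lang.best-practice.unused-var", "path": "main.php", "start": {"line": 3},
     "extra": {"severity": "INFO", "message": "unused variable"}}]}
```

Wiring the pieces together is `for slug in slugs_from_svn_listing(text): if popular_enough(slug): print(to_csv(triage(run_semgrep(unpacked_dir), slug)))`, with the download and unzip step of your choosing in between.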
I also worked on another bug bounty tool for subdomain enumeration a little while ago. It’s going to get expanded out into something that integrates EyeWitness to find higher-priority targets so I can finally get a non-Informational report on HackerOne.
Oh, and I reported my third real-life bug! I can’t say who or where since it hasn’t been resolved yet, but it’s a fun user email disclosure. Hooray. Stay warm, northern hemisphere.