Announcements

Bhlast server configuration is replaced with the form-based one

New DNS configuration replacing the old way of configuring bhlast servers using YAML file with the form-based configuration.

This configuration is much more user-friendly, and it is much easier to use. It is familiar to people who already purchased domains and had to configure DNS records in various domain registrars.

Currently, only DNS configuration is supported, but in the future, multiple configuration options will be added for HTTP(s) routes, etc.

Runner version 0.5.0 is released 🎉

New runner has been released and it comes with a very nice feature!

The runner can now be upgraded using the upgrade command. This command will fetch the latest release, and upgrade the runner to the latest version, replacing the current runner binary with the new one.

Another big feature released is that you can specify the environment variables inside the workflow, that are local to the scan. This way, you can easily pass the BOUNTYHUB_TOKEN to the scan, or rotate it without having to restart the runner.

The important thing to note is that I decided against the auto-upgrade. The reason for it is that the runner is that the releases are increasingly more stable, and if auto-upgrade is enabled and it breaks, you will stop getting scans executed. If you don't upgrade, the worst case scenario is that you can't use the shiny new feature without the upgrade. If you update the scan that depends on that feature, and the scan fails, you get the notification.

On the other hand, if the self upgrade fails, the runner goes offline, and you don't get any notification. This is much worse than not having the feature available.

Blob storage can now have directories

New feature has been added to the blob storage. You can now have directories in the blob storage. This is especially useful when you use folders to logically separate files uploaded for jobs. Let's say you want to keep the list of active subdomains in one file, and the list of inactive subdomains in another file. But you also have multiple projects. Now, you can logically separate the files by using directories. Handy, right?

Check it out, and let me know if you have any issues!

Cron spec has been updated to UNIX cron format

The cron spec has been updated to the UNIX cron format. The reason behind it is that using seconds would put too much pressure on the scheduler, and would make it harder to schedule the jobs, increasing latency. There would be almost no use of having seconds in the cron spec, and it is unintuitive to people writing the cron who previously used the UNIX cron format.

The new spec has been migrated, along with workflows. If you have any issues, please report them on the GitHub issues.

As always, feel free to reach out or ask questions on the support page.

Introducing Blob Storage and bh CLI 0.3.0 Release

We are excited to announce the new blob storage feature and the release of bh CLI version 0.3.0!

Blob Storage

Blob storage allows you to store assets on the platform without tying them to a specific job. This is particularly useful for continuous scans on assets like subdomains, active links, and pages.

Example Use-Case: Continuous Subdomain Scanning

1. Daily Scan: Run subfinder daily.
2. Store Results: Keep results of the last scan invocation inside the job (uploads field).
3. Download Last Scan: Download the last invocation of the subfinder scan.
4. Compute Differences: Compare the last scan results with the current results.
5. Check Differences: If there are no differences, do nothing.
6. Manage Files:
   • Download {projectname}-live-subdomains.txt and {projectname}-dead-subdomains.txt from blob storage.
   • Update {projectname}-live-subdomains.txt with new subdomains and remove inactive ones.
   • Update {projectname}-dead-subdomains.txt with inactive subdomains and remove active ones.
7. Upload Updated Files: Upload the updated files back to blob storage.
8. Utilize Files: Use the updated files as needed.

bh CLI 0.3.0 Features

The new bh CLI version 0.3.0 includes the following commands:

• bh blob download: Download a blob from the server.
• bh blob upload: Upload a blob to the server.

Important Note

New permissions have been added to the Personal Access Token (PAT). Please update your PATs to include the blob permission.

We hope you find these new features useful. Happy hunting!

Runner version 0.4.0 is released 🎉

New runner has been released, and it comes with a very nice feature!

The job config environment variables are exposed through so that bh commands frequently used are simpler and reduce boilerplate.

For example, you can now use the following command to download the job:

bh job download -j ${{ scans.subfinder[0].id }} -o output.zip

Previously, you had to use all of the following flags:

bh job download -p ${{ project.id }} -w ${{ workflow.id }} -r ${{ revision.id }} -j ${{ scans.subfinder[0].id }} -o output.zip

Next big thing will probably be auto updates. Having auto updates will allow seamless way to keep the runner up to date with the latest features and fixes on the server.

Since the platform is still in beta, the APIs can change in order to improve performance, answer to the user feedback, or to fix the bugs. There should be a proper way to keep your runners alive, while the APIs are changing. This is the first step to that direction.

Heads-up, analytics will be added to improve user experience

With many sign-ups stopping right after creating a project, I started wondering what might be causing users to stop before they can fully leverage the platform. Since everyone is already on a free tier, you can start using automation without paying anything.

To better understand user interactions and improve the platform, I'm taking the following steps:

• Introduce GDPR-compliant analytics: Implement analytics that adhere to privacy laws, ensuring only the minimal necessary data is collected to analyze trends. This is a platform for hackers, after all, and privacy must be respected completely.
• Launch the BountyHub YouTube channel: Create a YouTube channel featuring tutorials to help you create and optimize your workflows.
• Enhance the workflow UI and tools: After reviewing feedback, I'll prioritize improving the user interface and tools to make workflow creation more intuitive and efficient.
• Simplify the runner installation process: Streamline the installation process for the runner, making it easier for you to get started.

As always, please use the links provided on the support page if you have any concerns!

You'll be informed with an announcement and a change in the platform's policy as soon as the analytics are done. This work won't start for at least 2 weeks, giving you enough time to raise questions and concerns.

Good luck with your hunting! 🎯

Announcing new Personal Access Token UI along with bh 0.2.0 release

New addition of dispatch inputs to the workflow must go hand in hand with the ability to dispatch inputs using the bh CLI. However, implementing this feature I noticed that handling personal access tokens is suboptimal, and the interface was quite bad. So I decided to rework the current PAT token implementation, along with the newest addition to this release.

New PAT is in the same format, it is completely backwards compatible, and you shouldn't see any disruptions with your old PAT. But the UI is much simpler, and allows now re-generation of the same token, along with token expiry dates.

New scopes are added, but are not yet part of the bh tool since I'm not yet sure how to properly output it.

If you have any ideas, please submit a feature request, submit feedback, or let me know via an e-mail.

It never hurts to mention that support page is built, so you can easily find links that you need.

Important thing to mention is that new bh release comes with the env fallback. All envs are prefixed with BOUNTYHUB_ which serves as a namespace, so they don't override your common environment variables.

Having said that, new runner will be released soon, and will expose these environment variables for each step. This would massively simplify download steps where mostly, you would just have to specify the -j flag and the -o flag.

Preview:

# Old usage
bh job download -p ${{ project.id }} -w ${{ workflow.id }} -r ${{ revision.id }} -j ${{ scans.subfinder[0].id }} -o output.zip
# New and shiny use
bh job download -j ${{ scans.subfinder[0].id }} -o output.zip

As always, happy hunting!

Runner version 0.3.0 is released

Along with the Major back-end release, new runner release is created.

Packages are updated, inputs are well understood, and logs are correctly propagated!

Try it out!

Major back-end release 🔥

After few weeks of hacking of trying out different approaches to scan attack surface, I noticed that if scans last too long, logs won't be propagated properly. This is also true if the network connectivity is interrupted, causing issues to continue streaming logs to the back-end.

Therefore, entire new way of log streaming has been created. Log lines are now periodically propagated from the runner as JSON array, and slowly appended to the logs. This way, it is much easier to add retries, cover failure cases, or simply, continue to build up log until back-end flushes it to the storage.

Another HUGE feature is having dispatch inputs finally available. Now, you should be able to define on-demand scans that accept inputs. This feature is intended to be used both from the UI, and from the bh tool once it is released.

Runner version 0.2.2 is released

New runner has been released 🎉!

This release comes with the fix to is_available, and the fix to the cellang package that fixed something like scans.subfinder.filter(x, x.state == 'succeeded')[0].id.

This fix includes updates to internal packages to its latest version. To be honest, is_available and cellang update is enough for the new release 😊.

In the future, auto-update should be implemented. However, workflow validation is prioritized at this time, and the fixes related to the UI experience. Having said that, it doesn't hurt to re-mention the feedback form you can fill here.

Improved performance of Bhlast DNS servers

While using the server, a 5-second delay was noticed that could potentially be the duration between you finding a bug and request timing out. That wouldn't be a too much of an issue since the DNS interactions are recorded regardless of the cancelation. However, if the DNS lookup was made so HTTP(s) request could be issued, some clients might time out before the request is completely done.

Therefore, the DNS server is completely refactored to improve performance. Few additional handlers are added for IPv6, and ANY lookup is completely disabled.

Please submit an issue if you find that ANY lookup is needed. It is deprecated for quite some time now, and it is usually used by adversaries for DNS amplification attack. Therefore, this query type is completely removed.

There is more room for improvement that I know of right now, however, current performance seems perfectly good. To avoid introducing complexity to the service, and to prioritize more important things, I decided not to go further with optimizations. If you disagree, I'm always here to chat!

Feedback form is live and ready for your feedback!

Feedback form is live and ready for your feedback! You can find it here.

Please fill it out, so I can improve the platform and make it more useful for you!

Runner version 0.2.1 is released

New runner has been released 🎉!

After publishing the cellang crate which is an interpreter for the CEL language, the runner is now using it to evaluate the expressions. The purpose of this is to expose lower level primitives associated with CEL language, so they can later be used to validate the workflow or provide an LSP.

This change is not a breaking change, since the library is simply a drop-in replacement for the previous one. If you encounter any issues, please report them on the GitHub issues. You can also revert to the previous version since the change is not breaking.

Runner version 0.2.0 is released

New runner has been released 🎉!

This release contains major refactor on client to be able to refresh the session. The session token is switched from JWT to random UUID v4. There are two session tokens used by the runner:

1. Runner session token - Used by the runner to request jobs and keep it alive.
2. Worker session token - Used by the runner worker to resolve the job and execute it.

Since there are different use-cases for them, each session token have a different lifetime.

Runner session token lasts for 30 days. If your runner is kept offline for more than 30 days, you will have to re-register the runner.

Worker session token lasts for 4 hours. This should be enough time for the worker to finish the job. If job gets stuck, session token would expire which would cancel the job and release the runner to pick up other jobs in case there is a bug in a workflow.

Billing is almost done

I'm currently opening a company based in US. Until the bank account is opened, I cannot meaningfully implement any meaningful plans and charges. However, everyone is assigned a free plan. Plan management is implemented, so it is possible to reach out if you need a better plan before the billing is completely done.

Please do not shy away to ask for a better plan. Once bank account is opened and billing is done, there will be a period of 30 days before I connect the billing to the bank account, so you can always decide to downgrade your plan.

Runner is now open-sourced

It was always intention to open-source the runner, however, the design and the protocol between the runner and the server was not stable enough to open source it.

The design of the runner (code-wise) is stable enough now, so open-sourcing it is the next logical step.

This is not to say that the protocol cannot change in the future. But it is unlikely to be modified in the near future.

Take a look and leverage GitHub issues and discussions to help me and others improve the service.

SSE (Server-Sent Events) are available now

New SSE functionality is implemented to have live updates on the site.

This is especially important when you want to dispatch the workflow, or when you are waiting for some job to finish.

It also tracks live interactions with your bhlast server, so you can see interactions happening while you are on the page.

New bhlast servers instead of callback ones

For the purpose of replacing burp collaborator, new bhlast.com domain is purchased. The intention is to have server live all the time, to keep track of any blind payload executions, second-order calls caused in asynchronous back-end systems, DNS interactions and more.

This project is heavily influenced by an amazing work on interactsh.

Since the intention of the platform is to automate the boring stuff, provisioning your server can be done with a click of the button! And please where with me or with others if this new feature helped you find your bounty!

API changes

Since the platform is in beta stage, breaking changes are to be expected. To communicate that the API is still unstable, the version of the API is changed from /v1 to /v0.

Tooling for the API change is also updated to reflect this change.

Important thing to note is that bh tool is re-released under the 0.1.0 tag. The reason for it is that the tool is currently used only by me, so I wanted to eliminate confusion where the previously released versions 0.1.0 and 0.2.0 are deprecated. This won't happen in the future since the bh tool is now released in crates.io.

New bh tool has been released

The new tool officially supported has been released to talk to the BountyHub API.

The tool is open-sourced, and the code is available here.

It comes with installation instructions, and the future releases will be released under 0.x.x version. This will be true until the platform has the stable API (i.e. the platform is out of beta).

All examples in the docs are updated to use this tool. Looking forward to your feedback!

New workflow syntax has been released

The original workflow syntax was not powerful enough especially if you want to diff the previous invocations of the scan. You would have to workaround the issue, and the workaround was not pretty.

The new syntax is related to expressions:

• The workflow on.expr now accepts the CEL based syntax.
• The scans.[ID].steps[].if is also moved to accept CEL expressions.
• Template is much powerful now, where the template is also a CEL expression that evaluates to string.

Most importantly, the expression engine now accepts the context, which is passed by the server. This requires a new version of the runner. Since the change is the breaking one, the new runner is also released under the 0.1.0 tag.

Since the service was not yet officially announced, the change was overwritten to avoid having newcomers running the old, outdated version.

The most important thing is that syntax right now is much more stable and much more powerful. This change will allow further extensions on the workflow, such as continuing the run even if some steps are failing.

Along with the runner, new bh tool is about to be released. Currently, it only allows downloading the results, which is enough for the runner to do its job. I'm not yet sure how to best distribute it, and your feedback will be very valuable.

One of the reasons this service is not yet announced to the broad audience is, so we can figure out the pain points with the smaller audience, and based on your feedback, we can build stuff that is more stable.

I would encourage joining the weekly call. This is the best way to get to know each other and to communicate face-to-face the issues you are having.

Lastly, please keep an eye on announcements. The new tool will be released soon and unfortunately, until then, you won't be able to create dependencies between scans. But I can promise that you won't wait long! With the new tool, the runner documentation will also be improved, and more examples will be added to make it easier to maintain your runner installation.

Thank you for using this platform!

Callback servers and payloads

New features are added to help find blind vulnerabilities. You can now register the server and listen to interactions to catch blind vulnerabilities. Server is listening on HTTP and HTTPS ports and is basically always live! Read more about this feature here.

Also, payloads are added to have a single place where you store payloads. Variables are also added, so you can replace and copy them quickly. Read more about payloads here.

Check it out! And please, do not hesitate to provide feedback 😊!

BountyHub is in Alpha

BountyHub is now in alpha version. There are a lot of missing pieces and likely bugs, but hopefully, you will stick with it, and it is going to be awesome! For any feature requests, please submit a support ticket or e-mail me at nikola.jokic@bountyhub.org.

There is also a weekly call. Feel free to join!