Hi there,
In this article I will discuss how my automation machine found a bug in one of the HackerOne programs.
Since the program is public and the report is also disclosed, here is the basic info:
Program name: 8x8 (and yes, they have VDP + BBP as well)
Scope: *.8x8.com
If you don’t know, I am a high school student (when the bug was found + at the time of writing this article), so it is difficult to manage hacking and my school. So the only option I had was to set up an automation machine that would do some basic things. The basic concept was to gather as many subdomains as possible and run nuclei on them. This was done on a regular basis, on a Raspberry Pi.
The simple algorithm is to collect as many subdomains/hosts as possible, and then run nuclei on them.
Note that since this is automation and I don’t have to wait for it to finish, it can take as much time as it needs. That means you can run subdomain enumeration, generate a permutations list, and then brute-force them. Port scanning is also a thing.
I’ve built it in whatever time I got, and now it has more than 5000 URLs to scan and more are being added daily with the help of subdomain enumeration.
Also, all of these are interdependent, meaning the output of one can be the input for another.
One day, when I saw the updates of the bot in the morning, I noticed that my bot had detected a directory listing bug using the custom nuclei template I made. The template was very simple: it simply detects “Index of /” in the response. It also had multiple URL paths, which I gathered by manually visiting disclosed reports, write-ups, etc.
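The template described above matches the bare string “Index of /”, which also fires on any page that merely mentions it. As an added example (not the author's template or code; the function names and sample responses are constructed for illustration), this Python check confirms a hit on your own hosts by requiring the marker in the title or heading plus at least one listing link:

```python
import re

# Marker must sit in <title> or <h1>, where Apache and nginx autoindex pages put it.
TITLE_RE = re.compile(r"<(title|h1)[^>]*>\s*Index of /[^<]*</\1>", re.I)
LINK_RE = re.compile(r'<a\s+href="([^"]+)"', re.I)

def naive_match(body: str) -> bool:
    """Equivalent of matching the bare string anywhere in the response."""
    return "Index of /" in body

def is_directory_listing(status: int, body: str) -> bool:
    """Stricter confirmation: 200 status, marker in title/h1, and a listing entry."""
    if status != 200 or not TITLE_RE.search(body):
        return False
    # Listing entries are relative links; skip absolute URLs, anchors and
    # the column-sort links (?C=N;O=D) that Apache adds to its listings.
    entries = [h for h in LINK_RE.findall(body)
               if not h.startswith(("http://", "https://", "?", "#"))]
    return len(entries) > 0

# Constructed sample responses (not captured from any real host).
APACHE = ('<html><head><title>Index of /backup</title></head><body>'
          '<h1>Index of /backup</h1><ul><li><a href="/"> Parent Directory</a></li>'
          '<li><a href="db.sql"> db.sql</a></li></ul></body></html>')
NGINX = ('<html><head><title>Index of /files/</title></head><body>'
         '<h1>Index of /files/</h1><hr><pre><a href="../">../</a>\n'
         '<a href="notes.txt">notes.txt</a></pre><hr></body></html>')
BLOG = ('<html><head><title>Fixing autoindex</title></head><body>'
        '<p>If you see "Index of /" in a response, listing is on.</p>'
        '<a href="https://example.com/docs">docs</a></body></html>')

def triage(samples):
    """Return {name: (naive_result, confirmed_result)} for each sample."""
    return {name: (naive_match(body), is_directory_listing(status, body))
            for name, (status, body) in samples.items()}

if __name__ == "__main__":
    results = triage({"apache": (200, APACHE), "nginx": (200, NGINX),
                      "blog": (200, BLOG), "forbidden": (403, APACHE)})
    for name, (naive, confirmed) in results.items():
        print(f"{name:10} naive={naive!s:5} confirmed={confirmed}")
```
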
If you want to read the disclosed report, you can read it at https://hackerone.com/reports/1825472
I simply verified it, all with the help of my smartphone, and even reported it with the help of a mobile.
After a few days, the bug was simply resolved and disclosed :)
But still, after all, remaining totally dependent on it is not good. I saw one of Nahamsec's videos (I quit recon), and got a few bugs.
Though automation can make lengthy tasks easier, it can’t 100% replace manual testing.
I’ve already written a few articles on building your own automation, which you can read:-