goblinbookgobbler

A little tool to give you a bunch of information on disclosed bug bounty reports! Currently only supports HackerOne.

Goblin book gobbler icon, which is a goblin eating a book labelled "Hacker One"

Terminal recording of the output of the command "goblin<em>book</em>gobbler h1 --program yahoo --format %u" which is many urls in the format of "hackerone.com/reports/xxxxxxx" _{^{Gif made with vhs}}

Installation

You can install from crates.io using cargo: cargo install goblin_book_gobbler Or download a prebuilt binary from the releases.

You can also just clone the repo and build the tool with cargo: git clone https://gitlab.com/bea_stung/goblin_book_gobbler.git cd goblin_book_gobbler cargo install --path=.

Usage

Basic usage

goblin_book_gobbler h1 --program yahoo

Example Output: XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z

Show CSV style headers and reverse order

goblin_book_gobbler h1 --program yahoo --csv-headers --reverse Example Output: title,reporter,url,substate,severity,disclosed_at HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z

Get reports disclosed since 2022 ordered alphabetically by title

goblin_book_gobbler h1 --program rockstargames --disclosed-since "2022-01-01T00:00:00.000Z" --order-by title --disclosed-since flag must use the format that HackerOne's api uses for dates: "2022-01-01T00:00:00.000Z"

Options for --order-by flag: -o, --order-by <ORDER_BY> What field to order the reports by, accepts: id created_at submitted_at latest_activity_at timer_report_resolved_elapsed_time timer_report_triage_elapsed_time timer_bounty_awarded_elapsed_time timer_first_program_response_elapsed_time substate severity_rating title jira_status swag_awarded_at bounty_awarded_at last_reporter_activity_at first_program_activity_at last_program_activity_at last_public_activity_at last_activity_at triaged_at closed_at disclosed_at

Custom output format

Inspired by tomnomnom's unfurl, you can specify a custom output format: -f, --format <FORMAT> Format string, replaces: "%dd": 'disclosed at' date "%u" : The report url "%U" : The reporter username "%s" : The report substate (e.g. Resolved) "%S" : The report severity rating (e.g. Critical) "%t" : The report title Defaults to: "%t,%U,%u,%s,%S" Which gives e.g.: Reflected XSS in reddeadredemption site,nahamsec,https://hackerone.com/reports/149673,resolved,medium Ignores any other characters and leaves them unchanged

Get all new reports this week

Good for automation or a cron job that could notify you via slack/discord etc. goblin_book_gobbler h1 --program security --disclosed-since $(date +%Y-%m-%dT00:00:00.000Z -d "1 week ago")

Example Output: Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone,medmahmoudi,https://hackerone.com/reports/1727221,resolved,high,2023-06-19T20:15:24.936Z