For those who don't know me, I am Gerben Janssen van Doorn (known online as "gerben_javado"). I'm a 21-year-old bug bounty hunter mainly working on HackerOne and a business student. I felt it was time to give back to the community, because up until now I have been fairly silent. Thus, to change this I set up this blog to share information about some of my findings. Let's get to it!
- Full URLs (https://example.com/*)
- Absolute URLs or dotted URLs (/* or ../*)
- Relative URLs with at least one slash (text/test.php)
- Relative URLs without a slash (test.php)
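The four URL forms listed above can be pulled out of a JavaScript file along the following lines, for example when reviewing which endpoints your own bundles expose. This is an added sketch, not LinkFinder's code or its regular expression; the patterns, the extension list and the sample input are assumptions made for the example. Line numbers are reported so that the neighbouring lines of the file can be checked for parameters.

```python
import re

# Constructed JavaScript sample; not from the post or any real site.
SAMPLE_JS = """\
var api = "https://example.com/api/v1/users";
$.post("/account/update",
  {user_id: id, role: r});
img.src = '../static/logo.png';
$.get("text/test.php");
var page = "test.php";
var label = "hello world";
"""

# A quoted string literal on one line, honouring backslash escapes.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\\n])*)\1""")

# Simplified patterns for the four categories, tried in order.
# The extension list is an assumption chosen for this example.
# "relative_with_slash" also matches things like MIME types, so
# results still need manual review.
CATEGORIES = [
    ("full", re.compile(r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?//\S+$")),
    ("absolute_or_dotted", re.compile(r"^(?:/|\.{1,2}/)\S+$")),
    ("relative_with_slash",
     re.compile(r"^[\w.-]+(?:/[\w.-]+)+/?(?:\?\S*)?$")),
    ("relative_no_slash",
     re.compile(r"^[\w-]+\.(?:php|asp|aspx|jsp|json|html|js|xml)(?:\?\S*)?$")),
]

def classify(value):
    """Return the first category whose pattern matches, or None."""
    for name, pattern in CATEGORIES:
        if pattern.match(value):
            return name
    return None

def find_endpoints(js_source):
    """Return (line number, category, value) for each URL-like literal."""
    results = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            kind = classify(match.group(2))
            if kind:
                results.append((lineno, kind, match.group(2)))
    return results

if __name__ == "__main__":
    for lineno, kind, value in find_endpoints(SAMPLE_JS):
        print(f"{lineno:>3}  {kind:<20} {value}")
```

In the sample, the `/account/update` endpoint is found on line 2 while its parameters sit on line 3, which the extractor does not report.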
Further details plus the source code can be found on https://github.com/GerbenJavado/LinkFinder. For the rest of this blog post I would like to focus on one of the results it has brought me.
Output of LinkFinder
$ linkfinder.py -i https://www.company.com/static/js/file.js -o 1.html
Got me among other stuff the following code snippet:
This example also points out that while LinkFinder automates a big part of the process, it is still up to the user to go through the results and inspect them carefully. A lot of the time parameters are not on the same line as the endpoint and should be looked for in the original file. Finally, I hope the tool will be a nice addition to your arsenal and will help you in discovering a larger part of an application. Good luck!
*Endpoints have been modified to keep the company private, while keeping the data as close to the original as possible.