
Error while fetching scope from hackerone programs

Open matanber opened this issue 3 years ago • 2 comments

#command
rescope -u hackerone.com/hackerone -o burpscope.json

#output
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/root4loot/rescope/internal/bbaas/hackerone.Scrape({0x7ffcb7bd6f7d, 0x17})
        /home/hood/.local/share/go/pkg/mod/github.com/root4loot/[email protected]/internal/bbaas/hackerone/hackerone.go:57 +0x645
github.com/root4loot/rescope/internal/url.BBaas({0xc000110f10?, 0x1?, 0x9ca7c8?}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
        /home/hood/.local/share/go/pkg/mod/github.com/root4loot/[email protected]/internal/url/url.go:60 +0x4a2
main.main()
        /home/hood/.local/share/go/pkg/mod/github.com/root4loot/[email protected]/main.go:80 +0xcb

Other BBaaS providers are working for me.

matanber (Sep 17 '22 09:09)

Hi, and thank you for reporting this issue. Looks like H1 has implemented CSRF protection on GraphQL endpoints, preventing rescope from calling them directly. Will look into this.

root4loot (Oct 05 '22 10:10)
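The panic in the report is the scraper indexing element [0] of an empty result once the GraphQL call stopped returning scope data. As an added example (not rescope's own code), the snippet below shows the defensive pattern: a rejected or empty reply becomes an error value the caller can report, rather than a runtime panic. The reply shape, field names and sample messages are hypothetical and constructed for the example, not HackerOne's real schema.

```go
package main

import "encoding/json"
import "fmt"
// Hypothetical minimal GraphQL reply shape (not HackerOne's real schema):
// a successful call carries data.scopes, a rejected call carries errors.
type scopeReply struct {
	Data struct {
		Scopes []struct {
			Asset   string `json:"asset"`
			InScope bool   `json:"in_scope"`
		} `json:"scopes"`
	} `json:"data"`
	Errors []struct {
		Message string `json:"message"`
	} `json:"errors"`
}

// parseScope splits a reply into in- and out-of-scope assets. A rejected reply
// (as an anti-CSRF check produces) or an empty one yields an error, not a panic.
func parseScope(body []byte) (in, out []string, err error) {
	var r scopeReply
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, nil, fmt.Errorf("decode scope reply: %w", err)
	}
	if len(r.Errors) > 0 {
		return nil, nil, fmt.Errorf("api rejected request: %s", r.Errors[0].Message)
	}
	if len(r.Data.Scopes) == 0 {
		return nil, nil, fmt.Errorf("reply contains no scope entries")
	}
	for _, s := range r.Data.Scopes {
		if s.InScope {
			in = append(in, s.Asset)
		} else {
			out = append(out, s.Asset)
		}
	}
	return in, out, nil
}
// Constructed sample replies; not captured from hackerone.com.
var goodReply = []byte(`{"data":{"scopes":[{"asset":"https://hackerone.com","in_scope":true},
 {"asset":"66.232.20.0/23","in_scope":true},{"asset":"https://support.hackerone.com","in_scope":false}]}}`)
var rejectedReply = []byte(`{"errors":[{"message":"request rejected: missing CSRF token"}]}`)

func main() {
	for _, body := range [][]byte{goodReply, rejectedReply} {
		fmt.Println(parseScope(body)) // the rejected reply prints an error where the old scraper panicked
	}
}
```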

https://github.com/root4loot/rescope/commit/6f7a73ef70107bd74d4af5d56e2a9bbc641ed1ef should resolve the issue for now. @EnemyTurret can you confirm the fix?

go install github.com/root4loot/rescope@latest

PS: The correct HackerOne scope is hackerone.com/security, not hackerone.com/hackerone

rescope -u hackerone.com/security -o burpscope.json

root4loot (Oct 06 '22 17:10)

The fix is working for me:

rescope -u hackerone.com/security -o burpscope.json

[-] Grabbing targets from hackerone.com/security
 +  https://hackerone.com
 +  https://api.hackerone.com
 +  https://www.hackerone.com
 +  app.pullrequest.com
 +  reviewer.pullrequest.com
 +  ctf.hacker101.com
 +  hackerone-us-west-2-production-attachments.s3-us-west-2.amazonaws.com
 +  a5s.hackerone-ext-content.com
 +  b5s.hackerone-ext-content.com
 +  hackerone-ext-content.com
 +  hackathon-photos.hackerone-user-content.com
 +  cover-photos.hackerone-user-content.com
 +  hackathon-photos-us-east-2.hackerone-user-content.com
 +  profile-photos.hackerone-user-content.com
 +  hackerone-user-content.com
 +  profile-photos-us-east-2.hackerone-user-content.com
 +  cover-photos-us-east-2.hackerone-user-content.com
 +  https://errors.hackerone.net
 +  https://*.hackerone-ext-content.com
 +  https://*.hackerone-user-content.com/
 +  66.232.20.0/23
 +  206.166.248.0/23
 -  https://support.hackerone.com
 -  www.hackeronestatus.com
 -  go.hacker.one
 -  info.hacker.one
 -  ma.hacker.one

[-] Parsing to JSON (Burp Suite)
[✓] Done. Wrote 193247 bytes to burpscope.json

matanber (Oct 08 '22 14:10)