We’re proud to announce the release of our Chaos bug bounty recon data API today. It lets hackers pull recon data on targets of their choice with a single request, without running any additional tools.

Goals behind the project

Reconnaissance is complex: it needs a proper setup, and not everyone is equally good at it. People have different skills; some are great at mapping web attack surfaces, others prefer to dive deep into logic bugs. Being good at recon also takes some development skill, and not every hunter is a developer.

This project is aimed at people who are just getting started, or who want a quick overview of a target without spending much time gathering information, so they can start hacking right away. The Chaos API is a single network call that returns large, detailed information on the target.

Scope of the data

Data is collected only for targets that have a public bug bounty program or a vulnerability disclosure program. The list lives in the public-bugbounty-programs project on GitHub. If you want recon data for a public program that is not in the list, open a PR against that project; the recon data will be pushed automatically on the next run.

Recon data

The recon data gathered and provided consists of the following:

  • Passive subdomain data.
  • Active subdomain data.
  • Wildcard subdomains and their data.
  • DNS records (A, AAAA, CNAME, NS).
  • DNS status code (NOERROR, NXDOMAIN, SERVFAIL, REFUSED).
  • HTTP records (URL, title, status code, content length).

Advantages of the new APIs

The new API makes it easy to start hacking a program right away: all the data is one request away and can be retrieved through the API.

The data is refreshed weekly. This is a showcase of the capabilities of the projectdiscovery recon platform, which will be used to extend the Chaos API further and provide much more data.

How to access the API?

Currently the API is invite only, and is also available to existing users of the Chaos project. Getting an invite is simple: create a PR and we will invite you as soon as possible. See https://chaos.projectdiscovery.io for getting access to the Chaos API.

How to use the API?

We have updated the Chaos client to use the new API. Below are a few examples of how to work with it.

Here is the raw API request to pull all the recon information for a target domain. The Authorization header carries your Chaos API key.

GET /dns/{domain}/public-recon-data HTTP/1.1
Host: dns.projectdiscovery.io
Authorization: CHAOS_API_KEY
Connection: close
Content-Length: 6

The response is a stream of JSON objects, one per subdomain (the first two for hackerone.com are shown). An entry that was not probed over HTTP simply omits the http_* fields:

{
   "domain":"hackerone.com",
   "subdomain":"api",
   "timestamp":"0001-01-01T00:00:00Z",
   "id":"api.hackerone.com",
   "dns-status-code":"NOERROR",
   "a":[
      "104.16.99.52",
      "104.16.100.52"
   ],
   "aaaa":[
      "2606:4700::6810:6434",
      "2606:4700::6810:6334",
      "2606:4700::6810:6334"
   ],
   "wildcard":false,
   "http_url":"https://api.hackerone.com",
   "http_status_code":200,
   "http_content_length":7781,
   "http_title":"HackerOne API"
}
{
   "domain":"hackerone.com",
   "subdomain":"b.ns",
   "timestamp":"0001-01-01T00:00:00Z",
   "id":"b.ns.hackerone.com",
   "dns-status-code":"NOERROR",
   "a":[
      "162.159.1.31"
   ],
   "aaaa":[
      "2400:cb00:2049:1::a29f:11f",
      "2400:cb00:2049:1::a29f:11f"
   ],
   "wildcard":false
}

We have added client-side filters to the Chaos client so the data can be pulled in a form that fits automation pipelines. A few examples:

HTTP URLs of uber.com

chaos -d uber.com -bbq -http-url -filter-wildcard

Example output:-

https://www.blog.uber.com
https://lantern-experiment.uber.com
https://cn-staging.uber.com
https://assets-share.uber.com
https://ohmylog.uber.com
https://blogapi.uber.com
https://careersinfo.uber.com
https://pages.et.uber.com
https://frontends-dca1.uber.com
http://cn-dc1.uber.com

HTTP URLs with titles, status codes and content lengths for uber.com (each output line is URL [status code] [content length] [title])

chaos -d uber.com -bbq -http-url -filter-wildcard -http-title -http-status-code -http-content-length

Example output:-

http://get.uber.com [301] [166] [301 Moved Permanently]
https://riders-staging.uber.com [302] [142] [302 Found]
https://partners-platform.uber.com [404] [2783] [Page Not Found - Uber]
https://airwatch.uber.com [301] [0] []
https://kirim.uber.com [200] [493] [yellow-river]
https://frontends-all.uber.com [302] [142] [302 Found]
https://cn-staging-phx2.cfe.uber.com [405] [36] []
http://rush.uber.com [301] [166] [301 Moved Permanently]
https://advantage.uber.com [403] [150] [403 Forbidden]

HTTP URLs of subdomains that have a CNAME record

chaos -d uber.com -bbq -http-url -filter-wildcard -dns-record-type cname

Example output:-

https://groove.uber.com
https://ukvideo.uber.com
https://event.uber.com
https://postmaster.uber.com
https://video.uber.com
https://unsubscribe.uber.com
https://works.uber.com
https://freight-support.uber.com
https://m.uber.com

Subdomains with their A record value in the response (-resp appends the record value; note that the data is returned as resolved, so private addresses such as the 10.6.0.1 below can appear and should be filtered out before scanning)

chaos -d uber.com -bbq -filter-wildcard -dns-record-type a -resp

Example output:-

o24.email.uber.com 167.89.42.88
logs2.uber.com 10.6.0.1
o8.email.uber.com 167.89.17.53
brandarchive.uber.com 104.130.42.190
o19.email.uber.com 167.89.42.142
rush.uber.com 104.36.195.130

CNAMEs associated with subdomains of uber.com

chaos -d uber.com -bbq -filter-wildcard -dns-record-type cname -resp-only

Example output:-

frontends-primary.uber.com
akamai-san8.exacttarget.com.edgekey.net
frontends-primary.uber.com
mkto-ab190087.com
cn-slow2-630950453.us-west-2.elb.amazonaws.com
frontends-all.uber.com
frontends-all.uber.com
frontends-primary.uber.com
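As an added example (not code from the Chaos client or the projectdiscovery project), here is a small Go program that consumes the public-recon-data stream shown in the raw request above and reimplements the client-side filters used in these examples: -http-url, -filter-wildcard, -dns-record-type, the HTTP detail flags, -resp and -resp-only. It runs on a constructed sample embedded in the code rather than the live API. The JSON keys are taken from the sample response above; the "cname" and "ns" keys, the one-line-per-value shape of -resp, and the sample records themselves are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Record is one entry of the public-recon-data stream. Keys are copied from
// the sample response above; "cname" and "ns" are assumed names for the two
// record types the page lists but does not show.
type Record struct {
	ID            string   `json:"id"`
	DNSStatusCode string   `json:"dns-status-code"`
	A             []string `json:"a"`
	AAAA          []string `json:"aaaa"`
	CNAME         []string `json:"cname"`
	NS            []string `json:"ns"`
	Wildcard      bool     `json:"wildcard"`
	HTTPURL       string   `json:"http_url"`
	HTTPStatus    int      `json:"http_status_code"`
	HTTPLength    int      `json:"http_content_length"`
	HTTPTitle     string   `json:"http_title"`
}

// ParseRecords decodes a stream of top-level JSON objects, newline separated
// or run together ("}{") as in the sample above: json.Decoder reads one value
// at a time, so the input is never split on lines.
func ParseRecords(r io.Reader) ([]Record, error) {
	dec := json.NewDecoder(r)
	var recs []Record
	for {
		var rec Record
		if err := dec.Decode(&rec); err == io.EOF {
			return recs, nil
		} else if err != nil {
			return recs, fmt.Errorf("record %d: %w", len(recs)+1, err)
		}
		recs = append(recs, rec)
	}
}

// Options mirrors the chaos client flags used in the examples above.
type Options struct {
	HTTPURL        bool   // -http-url: print the probed URL, drop names without one
	FilterWildcard bool   // -filter-wildcard: drop wildcard matches
	RecordType     string // -dns-record-type: a, aaaa, cname or ns
	HTTPDetails    bool   // -http-status-code -http-content-length -http-title
	Resp, RespOnly bool   // -resp: "name value" per record value; -resp-only: values alone (assumed shapes)
}

// Render applies the filters and returns lines in the shape the client prints.
func Render(recs []Record, o Options) []string {
	var out []string
	for _, r := range recs {
		if (o.FilterWildcard && r.Wildcard) || (o.HTTPURL && r.HTTPURL == "") {
			continue
		}
		vals := map[string][]string{"a": r.A, "aaaa": r.AAAA, "cname": r.CNAME, "ns": r.NS}[strings.ToLower(o.RecordType)]
		if o.RecordType != "" && len(vals) == 0 {
			continue // no record of the requested type for this name
		}
		switch {
		case o.RespOnly:
			out = append(out, vals...)
		case o.Resp:
			for _, v := range vals {
				out = append(out, r.ID+" "+v)
			}
		default:
			line := r.ID
			if o.HTTPURL {
				line = r.HTTPURL
			}
			if o.HTTPDetails {
				line = fmt.Sprintf("%s [%d] [%d] [%s]", line, r.HTTPStatus, r.HTTPLength, r.HTTPTitle)
			}
			out = append(out, line)
		}
	}
	return out
}

// Constructed sample in the shape of the response above (not real data); the
// second and third objects are deliberately run together without a newline.
const sample = `{"domain":"example.com","subdomain":"api","id":"api.example.com","dns-status-code":"NOERROR","a":["203.0.113.10"],"wildcard":false,"http_url":"https://api.example.com","http_status_code":200,"http_content_length":512,"http_title":"Example API"}
{"domain":"example.com","subdomain":"blog","id":"blog.example.com","dns-status-code":"NOERROR","cname":["blog.example.com.cdn.example.net"],"wildcard":false,"http_url":"https://blog.example.com","http_status_code":301,"http_content_length":166,"http_title":"301 Moved Permanently"}{"domain":"example.com","subdomain":"old","id":"old.example.com","dns-status-code":"NXDOMAIN","wildcard":false}
{"domain":"example.com","subdomain":"anything","id":"anything.example.com","dns-status-code":"NOERROR","a":["203.0.113.20"],"wildcard":true,"http_url":"https://anything.example.com","http_status_code":404,"http_content_length":0}`

func main() {
	recs, err := ParseRecords(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	// chaos -d example.com -bbq -http-url -filter-wildcard -http-title -http-status-code -http-content-length
	for _, l := range Render(recs, Options{HTTPURL: true, FilterWildcard: true, HTTPDetails: true}) {
		fmt.Println(l)
	}
}
```

To run it against the live API, point ParseRecords at resp.Body of a GET to https://dns.projectdiscovery.io/dns/<domain>/public-recon-data with the Authorization header set to your key, exactly as in the raw request above. Because json.Decoder consumes one top-level value at a time, the same loop handles a newline-delimited stream and objects run together as "}{". As the -resp-only output above shows, one CNAME target can repeat across many names, so pipe the result through sort -u before feeding it into further tooling.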

What are we doing in the backend?

Passive subdomain data is collected from the Chaos DNS dataset API, which gathers subdomains continuously from multiple sources.

Subdomain resolution is done with shuffledns and dnsprobe, which also provide the DNS records. HTTP data is gathered with httpx. With these tools and services you can build your very own bug bounty recon process.

Questions?

Like this project, or have feedback or questions? Tweet us at @pdiscoveryio. You can also email us at [email protected], and follow @pdchaos for updates.