root4loot/rescope

Error while fetching scope from hackerone programs

matanber opened this issue · 3 comments

#command
rescope -u hackerone.com/hackerone -o burpscope.json

#output
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/root4loot/rescope/internal/bbaas/hackerone.Scrape({0x7ffcb7bd6f7d, 0x17})
        /home/hood/.local/share/go/pkg/mod/github.com/root4loot/rescope@v0.0.0-20220215192950-f8a75c01e347/internal/bbaas/hackerone/hackerone.go:57 +0x645
github.com/root4loot/rescope/internal/url.BBaas({0xc000110f10?, 0x1?, 0x9ca7c8?}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
        /home/hood/.local/share/go/pkg/mod/github.com/root4loot/rescope@v0.0.0-20220215192950-f8a75c01e347/internal/url/url.go:60 +0x4a2
main.main()
        /home/hood/.local/share/go/pkg/mod/github.com/root4loot/rescope@v0.0.0-20220215192950-f8a75c01e347/main.go:80 +0xcb

Other BBaaS providers are working for me.

Hi and thank you for reporting this issue. Looks like H1 has implemented CSRF protection on GraphQL endpoints, preventing rescope from calling them directly. Will look into this.
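
The panic above is an unchecked `[0]` on an empty match set after the endpoint stopped returning scope data. The Go snippet below is an added illustration, not rescope's own code: it shows that shape next to a version that checks the status and match count and returns an error instead. The `asset_identifier` field, the regex and the sample bodies are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample bodies: one with scope data, one where the request was rejected.
const (
	sampleScopeBody    = `{"data":{"team":{"structured_scopes":{"nodes":[{"asset_identifier":"hackerone.com"},{"asset_identifier":"api.hackerone.com"}]}}}}`
	sampleRejectedBody = `{"errors":[{"message":"CSRF token verification failed"}]}`
)

// ErrNoScope reports a response that contains no scope entries at all.
var ErrNoScope = errors.New("no scope data in response")

// assetPattern is a hypothetical stand-in for rescope's own extraction:
// it pulls every "asset_identifier" value out of a JSON response body.
var assetPattern = regexp.MustCompile(`"asset_identifier":"([^"]+)"`)

// scrapeUnsafe has the shape of the failing path: it indexes the first
// match without checking that one exists. On a rejected response
// FindAllStringSubmatch returns nil, so this panics with
// "index out of range [0] with length 0".
func scrapeUnsafe(body string) string {
	return assetPattern.FindAllStringSubmatch(body, -1)[0][1]
}

// scrapeSafe checks the HTTP status and the match count before indexing,
// so a blocked request surfaces as an error the caller can print.
func scrapeSafe(status int, body string) ([]string, error) {
	if status != 200 {
		return nil, fmt.Errorf("scope request failed: HTTP %d", status)
	}
	matches := assetPattern.FindAllStringSubmatch(body, -1)
	if len(matches) == 0 {
		return nil, ErrNoScope
	}
	assets := make([]string, 0, len(matches))
	for _, m := range matches {
		assets = append(assets, m[1])
	}
	return assets, nil
}

func main() {
	assets, _ := scrapeSafe(200, sampleScopeBody)
	_, err := scrapeSafe(200, sampleRejectedBody)
	fmt.Println(assets, err) // two assets, then ErrNoScope instead of a panic
}
```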

6f7a73e should resolve the issue for now. @EnemyTurret can you confirm the fix?

go install github.com/root4loot/rescope@latest

PS: The correct HackerOne scope is hackerone.com/security, not hackerone.com/hackerone.

rescope -u hackerone.com/security -o burpscope.json

The fix is working for me:

rescope -u hackerone.com/security -o burpscope.json

[-] Grabbing targets from hackerone.com/security
 +  https://hackerone.com
 +  https://api.hackerone.com
 +  https://www.hackerone.com
 +  app.pullrequest.com
 +  reviewer.pullrequest.com
 +  ctf.hacker101.com
 +  hackerone-us-west-2-production-attachments.s3-us-west-2.amazonaws.com
 +  a5s.hackerone-ext-content.com
 +  b5s.hackerone-ext-content.com
 +  hackerone-ext-content.com
 +  hackathon-photos.hackerone-user-content.com
 +  cover-photos.hackerone-user-content.com
 +  hackathon-photos-us-east-2.hackerone-user-content.com
 +  profile-photos.hackerone-user-content.com
 +  hackerone-user-content.com
 +  profile-photos-us-east-2.hackerone-user-content.com
 +  cover-photos-us-east-2.hackerone-user-content.com
 +  https://errors.hackerone.net
 +  https://*.hackerone-ext-content.com
 +  https://*.hackerone-user-content.com/
 +  66.232.20.0/23
 +  206.166.248.0/23
 -  https://support.hackerone.com
 -  www.hackeronestatus.com
 -  go.hacker.one
 -  info.hacker.one
 -  ma.hacker.one

[-] Parsing to JSON (Burp Suite)
[✓] Done. Wrote 193247 bytes to burpscope.json