You may have found a vulnerability on a host but the said host/org does not have an active program on HackerOne or BugCrowd. If this is the case this workflow is for you! Broadly it will crawl the website and look for any security related emails from which you can submit your findings.
This workflow will do the following:
- Crawl the target host using Katana
- The output from Katana will be parsed through to Nuclei
- The nuclei template will run and fetch emails based on the below regex:
extractors:
- type: regex
part: body
regex:
- "(security|responsible-disclosure|responsibledisclosure|sec|csirt|cert|irt|vulnerability)@[A-Za-z0-9_-]+[.](com|org|net|io|gov|co|co.uk|com.mx|com.br|com.sv|co.cr|com.gt|com.hn|com.ni|com.au|com.cn)"Note:
- Crawling is scoped to root domain name and all subdomains with the use of the
-fs rdnflag
echo domain.com | katana -fd rdn -silent | nuclei -t rd-extractor.yaml -stats -silentCreate a new input.txt file with a list of domains - 1 per line
Then run the following:
cat input.txt | katana -fd rdn -silent | nuclei -t rd-extractor.yaml -stats -silent -o output.txt