# goblin_book_gobbler [![Crates.io](https://img.shields.io/crates/v/goblin_book_gobbler.svg)](https://crates.io/crates/goblin_book_gobbler)

A little tool to give you a bunch of information on disclosed bug bounty reports! Currently only supports HackerOne.

![Goblin book gobbler icon, which is a goblin eating a book labelled "Hacker One"](docs/book-gobbler-quarter.png)

![Terminal recording of the output of the command "goblin_book_gobbler h1 --program yahoo --format %u" which is many urls in the format of "hackerone.com/reports/xxxxxxx"](docs/just_url_usage.gif)

[Gif made with vhs](https://github.com/charmbracelet/vhs)

## Installation

You can install from crates.io using cargo:

```
cargo install goblin_book_gobbler
```

Or download a [prebuilt binary from the releases.](https://gitlab.com/bea_stung/goblin_book_gobbler/-/releases)

You can also just clone the repo and build the tool with cargo:

```
git clone https://gitlab.com/bea_stung/goblin_book_gobbler.git
cd goblin_book_gobbler
cargo install --path=.
```

## Usage

### Basic usage

```
goblin_book_gobbler h1 --program yahoo
```

Example output:

```
XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z
```

### Show CSV style headers and reverse order

```
goblin_book_gobbler h1 --program yahoo --csv-headers --reverse
```

Example output:

```
title,reporter,url,substate,severity,disclosed_at
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z
```

### Get reports disclosed since 2022 ordered alphabetically by title

```
goblin_book_gobbler h1 --program rockstargames --disclosed-since "2022-01-01T00:00:00.000Z" --order-by title
```

The `--disclosed-since` flag must use the date format that HackerOne's API uses, e.g. `"2022-01-01T00:00:00.000Z"`.

Options for the `--order-by` flag:

```
-o, --order-by
        What field to order the reports by, accepts:
        id
        created_at
        submitted_at
        latest_activity_at
        timer_report_resolved_elapsed_time
        timer_report_triage_elapsed_time
        timer_bounty_awarded_elapsed_time
        timer_first_program_response_elapsed_time
        substate
        severity_rating
        title
        jira_status
        swag_awarded_at
        bounty_awarded_at
        last_reporter_activity_at
        first_program_activity_at
        last_program_activity_at
        last_public_activity_at
        last_activity_at
        triaged_at
        closed_at
        disclosed_at
```

### Custom output format

Inspired by [tomnomnom's unfurl](https://github.com/tomnomnom/unfurl), you can specify a custom output format:

```
-f, --format
        Format string, replaces:
        "%dd": 'disclosed at' date
        "%u" : The report url
        "%U" : The reporter username
        "%s" : The report substate (e.g. Resolved)
        "%S" : The report severity rating (e.g. Critical)
        "%t" : The report title
        Defaults to: "%t,%U,%u,%s,%S"
        Which gives e.g.:
        Reflected XSS in reddeadredemption site,nahamsec,https://hackerone.com/reports/149673,resolved,medium
        Ignores any other characters and leaves them unchanged
```

### Get all new reports this week

Useful for automation, e.g. a cron job that notifies you via Slack, Discord, etc. The `-d "1 week ago"` form below is GNU `date` syntax.

```
goblin_book_gobbler h1 --program security --disclosed-since $(date +%Y-%m-%dT00:00:00.000Z -d "1 week ago")
```

Example output:

```
Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone,medmahmoudi,https://hackerone.com/reports/1727221,resolved,high,2023-06-19T20:15:24.936Z
```
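The `--format` substitution rules documented under "Custom output format", re-implemented as an added example (this is not goblin_book_gobbler's own code). The `Report` struct, its field names and the `disclosed_at` value of the sample report are assumptions; the other sample values come from the help text's example line.

```rust
// Added example (not goblin_book_gobbler's own code): the `--format` substitution
// rules from the help text above. `Report` and its field names are assumed here.
struct Report {
    title: String, reporter: String, url: String,
    substate: String, severity: String, disclosed_at: String,
}
/// "%dd" -> disclosed_at, "%u" -> url, "%U" -> reporter, "%s" -> substate,
/// "%S" -> severity, "%t" -> title; anything else (including a stray '%') is kept.
fn expand_format(fmt: &str, r: &Report) -> String {
    let chars: Vec<char> = fmt.chars().collect();
    let mut out = String::new();
    let mut i = 0;
    while i < chars.len() {
        if chars[i] == '%' {
            // "%dd" is the only two-letter specifier, so test it before the rest.
            if chars.get(i + 1) == Some(&'d') && chars.get(i + 2) == Some(&'d') {
                out.push_str(&r.disclosed_at);
                i += 3;
                continue;
            }
            let field = match chars.get(i + 1) {
                Some('u') => Some(&r.url),
                Some('U') => Some(&r.reporter),
                Some('s') => Some(&r.substate),
                Some('S') => Some(&r.severity),
                Some('t') => Some(&r.title),
                _ => None,
            };
            if let Some(v) = field {
                out.push_str(v);
                i += 2;
                continue;
            }
        }
        out.push(chars[i]);
        i += 1;
    }
    out
}
/// Built from the example line in the help text; disclosed_at is a made-up value.
fn sample_report() -> Report {
    let s = |v: &str| v.to_string();
    Report { title: s("Reflected XSS in reddeadredemption site"), reporter: s("nahamsec"),
        url: s("https://hackerone.com/reports/149673"), substate: s("resolved"),
        severity: s("medium"), disclosed_at: s("2022-01-01T00:00:00.000Z") }
}
fn main() {
    println!("{}", expand_format("%t,%U,%u,%s,%S", &sample_report())); // default format
}
```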