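{# DO NOT AUTO INDENT #}
{% extends 'base/base.html' %}
{% load static %}
{% load custom_tags %}
{% block title %}
Hackerone Settings
{% endblock title %}
{% block custom_js_css_link %}
<link href="{% static 'plugins/markdown/simplemde.min.css' %}" rel="stylesheet">
{% endblock custom_js_css_link %}
{% block breadcrumb_title %}
<li class="breadcrumb-item"><a href="#">Settings</a></li>
<li class="breadcrumb-item active" aria-current="page">Hackerone Settings</li>
{% endblock breadcrumb_title %}
{% block page_title %}
HackerOne Settings
{% endblock page_title %}
{% block main_content %}
<div class="row">
<div class="col-12">
<div class="card">
<div class="card-body">
<h4 class="header-title">Hackerone Automatic Vulnerability Report Settings</h4>
{# The logo is a third-party request to hackerone.com on every page view; it must be allowed by any img-src CSP, and no-referrer keeps the reNgine URL out of that request. #}
<img src="https://www.hackerone.com/assets/images/logo.png" alt="" height="30" referrerpolicy="no-referrer">
<div class="alert alert-danger border-0 mb-3 mt-3" role="alert">
Use this feature with caution! Please do not spam triagers!
<br>We do not allow sending vulnerability reports for low severity and informational vulnerabilities, to avoid spamming triagers!
You can send them manually from the Vulnerability section inside reNgine.
</div>
<p class="mt-3">
reNgine automatically reports vulnerabilities to your bug bounty programs on Hackerone, if any vulnerabilities are identified.
<br>
<span class="text-danger">A valid Hackerone API token and username are required.</span>
<br>
More details on how to generate your Hackerone API token are provided by the <a href="https://api.hackerone.com/getting-started-hacker-api/#getting-started-hacker-api" class="text-primary" target="_blank" rel="noopener noreferrer">Hackerone Documentation <i class="fe-external-link" aria-hidden="true"></i><span class="visually-hidden">(opens in a new tab)</span></a>
</p>
{# No action attribute: the form posts back to this settings view, protected by the CSRF token below. #}
<form method="post" autocomplete="off">
{% csrf_token %}
<div class="row">
<div class="col-xl-6 col-lg-6 col-md-6 col-sm-12 col-12">
{# NOTE(review): the "for" values follow the ids the page script targets (#username / #api_key); confirm they match the widget ids set on the Django form. #}
<label for="username" class="form-label">Your Hackerone Username (Not email)</label>
{{form.username}}
</div>
<div class="col-xl-6 col-lg-6 col-md-6 col-sm-12 col-12">
<label for="api_key" class="form-label">Generate your <a href="https://hackerone.com/settings/api_token/edit" target="_blank" rel="noopener noreferrer">API Token from here <i class="fe-external-link" aria-hidden="true"></i><span class="visually-hidden">(opens in a new tab)</span></a></label>
{# NOTE(review): form.api_key is rendered by the Django widget; verify it is a PasswordInput so the token is not displayed or autofilled in clear text. #}
{{form.api_key}}
</div>
</div>
{# A real button instead of a javascript: URL; the inline handler is kept so this markup works without script changes. Under a strict CSP, bind it with addEventListener in page_level_script instead. #}
<button type="button" class="btn btn-primary float-end mt-3" onclick="test_hackerone()">
Test my hackerone api key
</button>
<h4 class="header-title text-danger mt-3">Report Vulnerability to hackerone when</h4>
<table>
<caption class="visually-hidden">Severity levels that trigger an automatic HackerOne report</caption>
<tbody>
<tr>
<th scope="row" class="fw-normal">Critical Severity is found. (Default)</th>
<td><span class="ms-3">{{form.send_critical}}</span></td>
</tr>
<tr>
<th scope="row" class="fw-normal">High Severity is found. (Default)</th>
<td><span class="ms-3">{{form.send_high}}</span></td>
</tr>
<tr>
<th scope="row" class="fw-normal">Medium Severity is found.</th>
<td><span class="ms-3">{{form.send_medium}}</span></td>
</tr>
</tbody>
</table>
<h4 class="header-title mt-3">Vulnerability Report Template</h4>
<div class="alert alert-info border-0 mb-3 mt-3" role="alert">
You can customize the vulnerability report template using Markdown. Place the placeholders below wherever you need them. The curly braces are required!
</div>
<ul>
<li class="text-dark"><span class="badge bg-dark mt-2">{vulnerability_name}</span> Vulnerability Title/Name.</li>
<li class="text-dark"><span class="badge bg-dark mt-2">{vulnerable_url}</span> Vulnerable URL.</li>
<li class="text-dark"><span class="badge bg-dark mt-2">{vulnerability_severity}</span> Vulnerability Severity.</li>
<li class="text-dark"><span class="badge bg-dark mt-2">{vulnerability_description}</span> Description of vulnerability generated by Nuclei.</li>
<li class="text-dark"><span class="badge bg-dark mt-2">{vulnerability_extracted_results}</span> Vulnerability Results extracted by Nuclei.</li>
<li class="text-dark"><span class="badge bg-dark mt-2">{vulnerability_reference}</span> Additional Reference to vulnerability.</li>
</ul>
<!-- Default Template: https://raw.githubusercontent.com/ZephrFish/BugBountyTemplates/master/Blank.md -->
{{form.report_template}}
<button type="submit" class="btn btn-primary float-end">Save</button>
</form>
</div>
</div>
</div>
</div>
{% endblock main_content %}
{% block page_level_script %}
<script src="{% static 'plugins/markdown/simplemde.min.js' %}"></script>
<script src="{% static 'custom/custom.js' %}"></script>
<script>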
// Markdown editor bound to the report-template textarea (its id is set by the Django form widget).
var simplemde = new SimpleMDE({
  element: document.getElementById("vulnerability-report-template"),
  toolbar: [
    "preview", "bold", "italic", "heading", "heading-2", "unordered-list", "link",
    "|", "code", "|", "quote", "|", "guide"
  ],
  spellChecker: false,
});
// Preview renders user-authored Markdown as HTML; pass the result through DOMPurify
// so any markup or script embedded in the template text is stripped before insertion.
simplemde.options.previewRender = function (markdownSource) {
  var renderedHtml = simplemde.markdown(markdownSource);
  return DOMPurify.sanitize(renderedHtml);
};
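/**
 * Check the HackerOne credential fields and, when both are filled in,
 * ask reNgine's own `testHackerone/` endpoint whether they work.
 *
 * Reads the `#username` and `#api_key` inputs, toggles the Bootstrap
 * `is-valid` / `is-invalid` classes on them and reports the result through
 * a SweetAlert queue. The token is only posted to this same-origin endpoint
 * (with the CSRF token); the browser never talks to HackerOne directly.
 * Returns nothing.
 */
function test_hackerone() {
  var usernameField = $("#username");
  var apiKeyField = $("#api_key");
  var username = usernameField.val();
  var api_key = apiKeyField.val();

  // Client-side presence check only; the server does the real validation.
  var missing = false;
  if (username.length == 0) {
    usernameField.addClass("is-invalid").removeClass("is-valid");
    missing = true;
  }
  if (api_key.length == 0) {
    apiKeyField.addClass("is-invalid").removeClass("is-valid");
    missing = true;
  }
  if (missing) {
    return;
  }

  const hackerone_api = 'testHackerone/';
  swal.queue([{
    title: 'Hackerone Configuration',
    confirmButtonText: 'Test my hackerone API Key',
    text: 'This will test if your hackerone API keys are working.',
    showLoaderOnConfirm: true,
    preConfirm: function () {
      return fetch(hackerone_api, {
        method: 'POST',
        headers: {
          "X-CSRFToken": getCookie("csrftoken"),
          "Content-Type": "application/json"
        },
        body: JSON.stringify({'username': username, 'api_key': api_key}),
      })
      .then(function (response) {
        return response.json();
      })
      .then(function (data) {
        // The endpoint reports the outcome in the JSON body's `status` field.
        if (data.status == 200) {
          usernameField.addClass("is-valid").removeClass("is-invalid");
          apiKeyField.addClass("is-valid").removeClass("is-invalid");
          return swal.insertQueueStep("Your hackerone Credentials are working.");
        }
        usernameField.addClass("is-invalid").removeClass("is-valid");
        apiKeyField.addClass("is-invalid").removeClass("is-valid");
        return swal.insertQueueStep("Oops! Your hackerone Credentials are not working, check your username and/or api_key.");
      })
      .catch(function () {
        // Network failure or a non-JSON response (e.g. an HTML error page).
        // The previous message here was copied from an unrelated dialog.
        swal.insertQueueStep({
          type: 'error',
          title: 'Unable to reach the HackerOne test endpoint'
        });
      });
    }
  }]);
}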
</script>
{% endblock page_level_script %}