Elevate Your Recon: Beyond the Basics with Custom GF Patterns
In the dynamic world of bug bounty hunting, efficient reconnaissance is paramount. We’re constantly sifting through vast amounts of data, looking for those subtle clues that hint at a vulnerability. One tool that has become a staple in many a hacker’s arsenal for this very purpose is gf.
What is GF?
At its core, gf is a powerful wrapper around grep, designed by the brilliant tomnomnom. It allows you to quickly search for specific patterns within text, making it incredibly effective for discerning potential vulnerabilities like SQL injection parameters or Cross-site Scripting (XSS) reflection points. Instead of crafting lengthy, complex grep commands every time, gf lets you define these patterns once in a simple JSON file and then call them by a friendly name.
For instance, to find URLs that might be vulnerable to SQLi, you might normally run a grep command with a complex regex. With gf, after setting up the appropriate pattern, you could simply pipe your URLs to gf sqli – a massive time-saver and clarity booster. This ease of use makes it a fantastic tool for quick analysis of large datasets of URLs, especially when combined with other recon tools that gather URLs from various sources.
The Common Hurdle: Limited Default Templates
While gf is undoubtedly powerful, a common sentiment I've encountered when teaching aspiring bug bounty hunters is the perceived limitation of its default templates. The patterns that come pre-packaged with gf are a great starting point, covering many common vulnerability types. However, as technology evolves and attack surfaces become more diverse, these default templates can often feel a bit... lacking.
Many beginners assume that gf is a "set it and forget it" tool, where you simply use the provided patterns and that's the extent of its capabilities. This often leads to missed opportunities, as the generic nature of some default patterns means they might not catch more nuanced or application-specific vulnerabilities. It's like having a basic fishing net when you need a specialized one for a particular kind of fish.
Unlocking GF’s True Potential: Custom Patterns Are Key
Here’s the secret sauce that many overlook: you can easily add your own patterns to gf. This is where gf truly transforms from a useful utility into an indispensable, personalized weapon in your bug bounty toolkit.
On Linux systems, gf looks for its pattern definition files (the JSON files) in the ~/.gf/ directory. Sometimes, this directory might not exist after you first install gf, and you'll need to create it with mkdir ~/.gf. Once created, this is where you'll place all your custom .json pattern files.
Think about it: Every web application is unique. A common SQLi pattern might work on many, but what about those obscure parameters, or custom-built functionalities that might have their own unique input validation quirks? This is where your ability to define custom patterns shines. You can craft regexes to look for anything you can imagine — specific parameter names, error messages, unique response headers, or even complex chains of keywords that indicate a particular framework or technology in use.
I’ve seen countless instances, both in my own bug bounty work and when teaching others, where the ability to quickly create and deploy a custom gf pattern made the difference between finding a bug and overlooking it. It allows for highly targeted reconnaissance, enabling you to focus your efforts on areas most likely to yield results. Want to find parameters related to a specific API version? Build a pattern. Looking for endpoints that handle file uploads or image processing, often overlooked attack vectors? Create a pattern! The possibilities are virtually endless.
If you dont have the tool yet, you can get it at:
https://github.com/tomnomnom/gf
My Contribution: Modern GF Patterns for Today’s Tech
Recognizing this gap and the immense power of custom patterns, I’ve dedicated time to curating and developing a comprehensive collection of gf patterns on my GitHub. I've taken the time to update each and every one of the default patterns, refining them for today's technology, and have added a significant number of my own. These patterns go far beyond the defaults, incorporating insights from countless bug bounty reports, new technologies, and evolving attack techniques.
My repository includes:
- Updated patterns for common vulnerabilities: Refined regexes to catch modern variations of SQLi, XSS, SSRF, LFI, and more.
- Technology-specific patterns: Patterns designed to identify parameters or responses unique to popular frameworks, CMSs, and cloud services.
- Informational patterns: Not just for vulnerabilities, but also for finding interesting information, such as debug pages, internal paths, or exposed API keys.
- Complex, multi-line patterns: Demonstrating how
gfcan be used to identify intricate patterns that span multiple lines of output.
You can find and leverage these patterns to supercharge your reconnaissance efforts at: https://github.com/CypherNova1337/GF_Patterns
Real-World GF Pipeline Examples
Here are some practical examples demonstrating how gf can be integrated into powerful reconnaissance pipelines:
XSS Parameter Discovery:
echo "example.com" | waybackurls | httpx -silent -threads 50 | gf xss | sed 's/=.*/=/' | sort -u > xss_params.txtSensitive Information in JavaScript Files:
echo "target.com" | gau | gf js | httpx -silent -mc 200 | while read url; do curl -s "$url" | gf secrets >> found_secrets.txt; doneAdmin/Login Panel Identification:
echo "example.org" | subfinder -silent | httpx -silent -mc 200 | katana -silent -depth 3 -f url | gf panel > potential_panels.txtOpen Redirect Discovery from Historical Data:
cat all_domains.txt | waybackurls | gf redirect | uro -rd | tee redirect_urls.txt | qsreplace 'http://evil.com' | httpx -silent -rc -rl 1 | grep "http://evil.com" > confirmed_redirects.txtBy incorporating custom patterns into your gf workflow, you're not just using a tool; you're actively shaping it to fit your unique needs and the ever-changing landscape of web security. So, take the leap, explore the world of custom gf patterns, and empower your bug bounty hunting with a level of precision you didn't know was possible.
