theoffsecgirl/bb-copilot

GitHub: theoffsecgirl/bb-copilot

一款基于大语言模型的漏洞赏金辅助工具,以结构化方式引导分析并生成报告。

Stars: 0 | Forks: 0

# bb-copilot **AI 驱动的 Bug Bounty 助手 — 方法论知识库 + 向导式 CLI** ![Language](https://img.shields.io/badge/Python-3.12+-9E4AFF?style=flat-square&logo=python&logoColor=white) ![Version](https://img.shields.io/badge/version-0.1.0-9E4AFF?style=flat-square) ![License](https://img.shields.io/badge/License-MIT-9E4AFF?style=flat-square) ![LLM](https://img.shields.io/badge/LLM-Ollama%20%7C%20Groq%20%7C%20OpenAI%20%7C%20Anthropic-111111?style=flat-square) ![Category](https://img.shields.io/badge/Category-Bug%20Bounty%20%7C%20AI%20Tooling-111111?style=flat-square) *由 [theoffsecgirl](https://github.com/theoffsecgirl) 提供*
``` bbcopilot ask "api.target.com uses JWT and org_id in every request" bbcopilot plan --target api.target.com --type api bbcopilot vuln idor --context notes.txt bbcopilot triage --finding "IDOR on /api/v1/invoices/{id}" bbcopilot report --finding "IDOR on /api/v1/invoices/{id}" --target api.target.com -o report.md ``` ## 它的功能 - 读取本地知识库(按漏洞类型和阶段分类的 Markdown playbook) - 将正确的上下文 + 你的输入发送到配置的模型 - 返回结构化、可操作的输出:假设 → 步骤 → 证据 → 影响 - 生成准备提交至 HackerOne、Bugcrowd 或 YesWeHack 的完整报告 - 将所有会话的本地历史记录保存在 `~/.bbcopilot/history/` - 不会自动化攻击。而是引导你的推理过程。 ## 技术栈 - Python 3.12+ - [Typer](https://typer.tiangolo.com/) + [Rich](https://github.com/Textualize/rich) - 任何兼容 OpenAI 的 LLM API:**Ollama, Groq, OpenAI, Anthropic** - Markdown 知识库(本地,由 Git 进行版本控制) - 本地 JSON 历史记录(`~/.bbcopilot/history/`) ## 安装 ``` git clone https://github.com/theoffsecgirl/bb-copilot cd bb-copilot make setup ``` 然后根据你选择的提供商修改 `.env`(参见 **LLM Providers** 部分)。 ## LLM Providers | Provider | 费用 | 隐私 | 设置 | |---|---|---|---| | **Ollama**(默认) | 免费 | 本地 — 100% 私有 | `brew install ollama` | | Groq | 免费(有限层级) | 云端 | 在 console.groq.com 获取 API key | | OpenAI | 付费 | 云端 | 在 platform.openai.com 获取 API key | | Anthropic | 付费 | 云端 | 在 console.anthropic.com 获取 API key | ### Ollama(默认) ``` brew install ollama ollama pull llama3.1 # ~4GB, one-time ollama serve # run in background ``` `.env`: ``` OPENAI_API_KEY=ollama OPENAI_BASE_URL=http://localhost:11434/v1 OPENAI_MODEL=llama3.1 ``` ### Groq(免费,云端) 注意:免费层级有约 6000 token 的上下文限制。请添加到 `.env`: ``` BBCOPILOT_MAX_CONTEXT_TOKENS=5000 ``` ### OpenAI ``` OPENAI_API_KEY=sk-proj-... OPENAI_BASE_URL=https://api.openai.com/v1 OPENAI_MODEL=gpt-4o ``` ## 用法 ``` # 以整个 vault 为上下文的自由提问 bbcopilot ask "target has GraphQL with user_id in mutations" # 针对特定目标的优先攻击计划 bbcopilot plan --target example.com --type web bbcopilot plan --target api.example.com --type api # 针对特定漏洞的 playbook bbcopilot vuln ssrf bbcopilot vuln idor --context my-notes.txt # 对 finding 进行分类并提供后续步骤 bbcopilot triage --finding "open redirect on /redirect?url=" # 生成可直接提交的完整报告 bbcopilot report --finding "IDOR on /api/v1/invoices/{id} exposes other users' invoices" bbcopilot report --finding "..." --target api.example.com --context requests.txt --output report.md # 会话历史 bbcopilot history bbcopilot history --last 5 bbcopilot history --clear # 列出所有可用的 playbook bbcopilot vault-list ``` ## 输出示例 ### `bbcopilot ask` ``` $ bbcopilot ask "api.target.com uses JWT and org_id in every request" ╭─ bb-copilot ─────────────────────────────────────────────────────────╮ │ Context loaded: 8 playbooks (idor, auth, jwt, api, cors, ssrf, biz) │ ╰───────────────────────────────────────────────────────────────────────╯ 📌 Hypotheses (prioritized) 1. IDOR via org_id manipulation → Replace org_id in requests with another org's ID → Test: GET /api/v1/invoices?org_id= Confidence: HIGH 2. JWT algorithm confusion (RS256 → HS256) → Decode JWT, modify alg header, re-sign with public key as secret Confidence: MEDIUM 3. Missing org_id validation on bulk endpoints → POST /api/v1/export — does it check org_id ownership? Confidence: MEDIUM 🔎 Next steps 1. Enumerate all endpoints accepting org_id 2. Create two test accounts in different orgs 3. Cross-org request matrix 💾 Session saved → ~/.bbcopilot/history/2026-04-17_ask_001.json ``` ### `bbcopilot report` ``` $ bbcopilot report --finding "IDOR on /api/v1/invoices/{id} exposes other users invoices" --target api.target.com ╭─ Generating report ──────────────────────────────────────────────────╮ │ Vuln: IDOR │ Target: api.target.com │ Format: HackerOne Markdown │ ╰───────────────────────────────────────────────────────────────────────╯ ## 摘要 Insecure Direct Object Reference on `/api/v1/invoices/{id}` allows authenticated users to access invoices belonging to other accounts by incrementing the `id` parameter. ## 复现步骤 1. Log in as user A, create an invoice → note ID (e.g. 1042) 2. Log in as user B 3. Send: GET /api/v1/invoices/1041 4. Observe: invoice data from user A is returned ## 影响 Full read access to all invoices across all accounts. Estimated severity: **High** (CVSS 8.1) [+] Report saved → report.md ``` ## 命令 | 命令 | 输入 | 输出 | |---|---|---| | `ask` | 自由格式的观察 | 优先级假设 + 步骤 | | `plan` | 目标 + 类型 | 完整的攻击计划 | | `vuln` | 漏洞类别 + 可选上下文 | Playbook + 测试内容 | | `triage` | 漏洞描述 | 严重程度 + 证据 + 后续步骤 | | `report` | 漏洞 + 可选上下文 | 完整报告 (Markdown) | | `history` | — | 表格中的近期会话 | | `vault-list` | — | 可用的 playbook 列表 | ## 知识库结构 ``` vault/ ├── methodology/ # Recon, asset triage, JS analysis, API hunting, reporting ├── vulns/ # Playbook per vulnerability class ├── patterns/ # Auth bypass, multi-tenant, role confusion, race conditions └── prompts/ # System prompt and model rules ``` ## 涵盖的漏洞 `IDOR` · `SSRF` · `XSS` · `SQLi` · `Open Redirect` · `File Upload` · `Subdomain Takeover` · `Business Logic` · `CORS` · `XXE` · `SSTI` · `OAuth` ## Makefile ``` make setup # Full initial setup make install # Dependencies only make dev # Dependencies + dev (pytest, ruff) make test # Run tests make lint # Linter make format # Format code make vault # List vault make ask Q="your question" # Quick query make clean # Clean caches ``` ## 历史记录 所有会话都会以 JSON 格式自动保存到 `~/.bbcopilot/history/`。 在任何命令中使用 `--no-save` 即可禁用此功能。 ## 理念 - 结果重于解释 - 始终保持结构化:假设 → 检查 → 证据 → 影响 - 知识库是大脑。模型是引擎。 - 没有黑盒。知识是属于你的。 作者:[@theoffsecgirl](https://github.com/theoffsecgirl)
标签:AI助手, Python, 命令行工具, 安全测试, 攻击性安全, 无后门, 漏洞报告, 漏洞赏金