- Dec 9, 2024
Bun Sparks Interest in Security Research Community? Meet BunBuster
BunBuster, a new security research tool built with Bun, is paving the path for more security research projects with Bun.
To my surprise, I learned the other day about a new security research tool that was built with the Bun server-side JavaScript runtime, called BunBuster.
About BunBuster
In the offensive security research community, performing exploratory and automated security scanning is a common practice. Hackers often refer to this step as reconnaissance, where they use tools like ffuf, gobuster, or dirb to scan web servers for hidden directories, files, or subdomains. These tools are designed to be fast, efficient, and effective at finding hidden assets on web servers.
BunBuster, a tool that can be used for automated offensive scanning to expose hidden assets on web servers, was recently published and, to my surprise, it is built with Bun (!). Given that the name features "Bun" in it, I think it's safe to say the researcher is quite excited about using Bun too :-)
Why use Fuzzing Tools and BunBuster?
In 2023 at the NodeTLV conference, I gave a talk about path traversal type security vulnerabilities, in which I demonstrated how at one point in time the Node.js runtime itself was vulnerable to this type of vulnerability. To show how effortlessly hackers launch attacks and discover these types of security issues, I performed a hands-on demonstration using a popular web fuzzer tool called dotdotpwn.
I could launch the dotdotpwn tool with a URL and a wordlist, point it towards a Node.js server, and it may (or may not) discover it to be vulnerable to path traversal. In fact, the vulnerability might come from the developer's own code, from the Node.js runtime itself, or even from a third-party dependency. The point is, these tools are essential for security researchers to perform automated security scanning and reconnaissance.
Similarly, BunBuster lets you launch such automated scans, but with the speed and efficiency of the Bun runtime. This is a great example of how the Bun runtime can be used for more than just web servers, frontend bundling, or as a package manager. Even security researchers put it to use ;-)
How to Use BunBuster
The BunBuster tool has a CI pipeline that builds binaries for Windows, macOS, and Linux. You can download the executable from the GitHub repository, where releases are published. If you're a regular JavaScript or Node.js developer, you could simply clone the git repository, install the npm dependencies and run the tool from the source code. Handy!
How do you scan an API endpoint on a web server to find out whether there's a hidden query string parameter that could be exploited? Here's an example:
The above command will scan the https://api.example.com URL with the FUZZ placeholder, using a wordlist from the ./wordlists/all.txt file (included in the cloned repository of the project). BunBuster then substitutes each wordlist entry for the placeholder and reports which query string parameter names turn out to be valid.
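Seen from the other side of the wire, a wordlist-driven scan like the one above, or the directory brute-forcing ffuf and gobuster do, leaves a very recognisable trail in the access log. The following added example (my own detection sketch, not part of this post or of BunBuster) parses a few constructed combined-log-format lines and flags two patterns: a client that produces a burst of 404s across many paths, and a client that hits one endpoint with an unusually large set of distinct query parameter names. The log lines, the client IPs, the thresholds, and the function names `parseLine`, `analyze` and `flaggedClients` are all constructed for the example.

```javascript
// Added example, not from the post or BunBuster: spotting wordlist-driven
// scans (directory brute force, query-parameter fuzzing) in a web access log.

// Constructed sample log in combined log format. 203.0.113.7 walks a directory
// wordlist, 203.0.113.9 fuzzes parameter names on one endpoint, and
// 198.51.100.20 is an ordinary visitor.
const SAMPLE_LOG = `
203.0.113.7 - - [09/Dec/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:02 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2024:10:00:03 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2024:10:01:10 +0000] "GET /api/users?id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2024:10:01:10 +0000] "GET /api/users?debug=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2024:10:01:10 +0000] "GET /api/users?admin=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2024:10:01:11 +0000] "GET /api/users?user=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2024:10:01:11 +0000] "GET /api/users?token=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2024:10:01:11 +0000] "GET /api/users?key=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Dec/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Dec/2024:10:02:00 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Dec/2024:10:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
`;

// client, method, request target, status. Referer and user agent are ignored.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// One log line -> { client, method, pathname, params, status }, or null.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, method, target, status] = m;
  const [pathname, query = ""] = target.split("?", 2);
  const params = query
    ? query.split("&").map((kv) => kv.split("=", 1)[0]).filter(Boolean)
    : [];
  return { client, method, pathname, params, status: Number(status) };
}

// Per-client summary with heuristic flags. Thresholds are assumptions chosen
// for this example; tune them against your own traffic.
function analyze(logText, { minRequests = 8, notFoundRatio = 0.8, minParamNames = 5 } = {}) {
  const perClient = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw.trim());
    if (!rec) continue;
    let c = perClient.get(rec.client);
    if (!c) {
      c = { requests: 0, notFound: 0, paths: new Set(), paramsByPath: new Map() };
      perClient.set(rec.client, c);
    }
    c.requests += 1;
    if (rec.status === 404) c.notFound += 1;
    c.paths.add(rec.pathname);
    if (!c.paramsByPath.has(rec.pathname)) c.paramsByPath.set(rec.pathname, new Set());
    for (const p of rec.params) c.paramsByPath.get(rec.pathname).add(p);
  }
  const report = {};
  for (const [client, c] of perClient) {
    const flags = [];
    // Many requests, almost all 404: a directory/file wordlist being walked.
    if (c.requests >= minRequests && c.notFound / c.requests >= notFoundRatio) {
      flags.push("directory-bruteforce");
    }
    // One endpoint receiving many distinct parameter names: parameter fuzzing.
    for (const [p, names] of c.paramsByPath) {
      if (names.size >= minParamNames) flags.push(`param-fuzzing:${p}`);
    }
    report[client] = { requests: c.requests, notFound: c.notFound, distinctPaths: c.paths.size, flags };
  }
  return report;
}

// Sorted list of clients that tripped at least one flag.
function flaggedClients(logText, opts) {
  const report = analyze(logText, opts);
  return Object.keys(report).filter((ip) => report[ip].flags.length > 0).sort();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
}
```

Two caveats a practitioner would add: the heuristics here count over the whole batch, so on a real log you would bucket by time window (the timestamps are parsed out but not used), and the parameter-fuzzing rule only sees names, so a scanner that fuzzes values rather than names needs a different signal, such as response-size variance on a single endpoint.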
What's next?
Are you also building cool projects, CLIs and tools with Bun? I'd love to hear about them! Share your projects with me on X/Twitter @liran_tal or on Bluesky and let's chat.
Happy hacking!