Skip to content

MoriartyPuth/bubble-pop

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bubble_pop.sh
bubble_pop.sh
 
 

Repository files navigation

🫧 BUBBLE POP

The Integrated API Interrogator & IDOR Prober

Bubble Pop is a high-speed security engine built to unmask hidden API vulnerabilities. It fuses the core logic of industry-standard tools like Arjun and JWT-Tool into a single, portable Bash script.

Whether you are hunting for hidden parameters, interrogating JWT integrity, or scaling IDOR attacks, Bubble Pop provides real-time, color-coded feedback to help you "pop" the bubbles of data exposure.

🎯 Features & Logic

1. Arjun-Style Parameter Discovery

Bubble Pop doesn't just guess; it analyzes.

  • Heuristic Analysis: It establishes a "Base Response" and flags any parameter that changes the page size or response time.
  • Massive Wordlists: Designed to ingest 25,000+ parameters from the Arjun params.txt.
  • Binary Search Strategy: Identifies valid inputs by narrowing down large chunks of data.

2. JWT Integrity & Forgery (JWT-Tool Logic)

A dedicated phase for testing JSON Web Tokens.

  • Algorithm Downgrade: Automated generation of alg:none tokens to test for signature bypass.
  • Base64-URL Padding Correction: Custom logic to fix "missing padding" errors that break standard decoders.
  • Header Analysis: Detects sensitive headers like kid (Key ID) for potential Path Traversal or SQLi.

3. IDOR Probing & Scaling

The "Bubble Popper" phase.

  • Identity Mapping: Automatically targets parameters found in Phase 1 (e.g., uid, user_id, account_id).
  • Success Detection: Monitors for 200 OK responses on unauthorized ID ranges to confirm data leaks.

⚡ Real-Time Prism UI

Bubble Pop features a semantic color-coded output:

  • 🟢 Green (200): A successful "Pop!" (Potential Vulnerability).
  • 🟡 Yellow (401/404): Unauthorized or Not Found.
  • 🔴 Red (403): Forbidden/Protected.
  • 🟣 Magenta (500): Server Error/Potential Crash.

🚀 Installation & Setup

1. Clone & Permissions

git clone https://github.com/MoriartyPuth/bubble-pop
cd bubble-pop
chmod +x bubble_pop.sh

2. Load the Wordlist

To unlock the full power of Phase 1, download the official Arjun parameter list: 2. Load the Wordlist

curl -s [https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt](https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt) -o arjun_params.txt

📖 Usage Examples

Unauthenticated Recon

Discover hidden debug parameters or API versioning:

./bubble_pop.sh [https://api.site.com/v1/user](https://api.site.com/v1/user)

Authenticated Interrogation

Test for JWT bypasses and IDORs:

./bubble_pop.sh [https://api.site.com/v1/user](https://api.site.com/v1/user) "Bearer eyJhbGci..."

📂 Output Structure

Findings are saved in .bubble_loot_[TIMESTAMP]/:

  • **discovered_params.txt** — Every parameter that triggered a response change.

  • **jwt_vulns.txt** — Log of successful alg:none or signature bypasses.

  • **idor_hits.txt** — List of URLs where unauthorized data was successfully accessed.

⚠️ Legal Disclaimer

Usage of Bubble Pop for attacking targets without prior mutual consent is illegal. This tool is for educational purposes and authorized penetration testing only. The author is not responsible for any misuse.

About

A high-speed API security engine for discovering hidden parameters, testing JWT integrity, and scaling IDOR probes with real-time color-coded feedback.

Topics

jwt cybersecurity pentesting bugbounty idor apitesting

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages