RECON VILLAGE - Supercharge Your Web Recon With Commonspeak and Evolutionary Wordlists
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 322 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39950 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2634 / 322
18
27
28
40
130
134
164
173
177
178
184
190
192
202
203
218
219
224
231
233
234
235
237
249
252
255
268
274
287
289
290
295
297
298
299
302
306
309
312
315
316
00:00
Information securityHacker (term)Hacker (term)Representation (politics)Event horizonOnline helpSpeech synthesisWordCausalitySoftwareSoftware bugBitElectronic mailing listSoftware testingWeb 2.0Musical ensembleGoodness of fitTap (transformer)Process (computing)XML
01:27
State of matterElectric currentContent (media)Computer networkServer (computing)Directory serviceInformation securitySoftware testingInformationWeb 2.0State of matterDemosceneQuicksortContent (media)Ocean currentRight anglePhysical systemStandard deviationBookmark (World Wide Web)Information securityWordSoftwareDirectory serviceElectronic mailing listSoftware testingCartesian coordinate systemMusical ensembleStructural loadComputer fileJSONXMLUML
02:45
WordForcing (mathematics)Software testingElectronic mailing listCanadian Mathematical SocietyInformationRight angleExtension (kinesiology)Directory serviceComputer file
03:34
Electric currentNP-hardOcean currentElectronic mailing listWordRight angleTerm (mathematics)Computer fileMultiplication signMusical ensembleQuicksortFilm editingJSONXMLUML
04:24
Electric currentData modelGroup actionAddress spaceWordElectronic mailing listMultiplication signOcean currentEndliche ModelltheorieXML
05:03
Shift operatorElectronic mailing listSoftware frameworkInformation securityElectronic mailing listInformation privacyWordRight angleGrand Unified TheoryMultiplication signInformation securityQuicksortSelf-organizationSoftware bugAreaVulnerability (computing)Shift operatorIntegrated development environmentSet (mathematics)MereologySoftware frameworkCartesian coordinate systemCovering spaceWeb 2.0Software maintenanceJSONXMLUML
07:06
BuildingQuery languagePoint cloudProcess (computing)GoogolComplex (psychology)Function (mathematics)Regular graphRegulärer Ausdruck <Textverarbeitung>Number2 (number)SequelSet (mathematics)User-defined functionProcess (computing)Information privacyPoint cloudVideo gameElectronic mailing listQuery languageWordComplex (psychology)Functional (mathematics)JSONXMLUML
07:51
Hacker (term)BlogSource codeContent (media)Repository (publishing)Stack (abstract data type)Buffer overflowRight angleBuffer overflowStack (abstract data type)Open sourceRepository (publishing)Electronic mailing listSet (mathematics)Hacker (term)LoginGoodness of fit1 (number)Content (media)Open setXML
08:32
Musical ensembleQuery languageOrder (biology)MiniDiscLimit (category theory)Regulärer Ausdruck <Textverarbeitung>Exponential functionCountingFunction (mathematics)Formal languageComputer configurationString (computer science)Library (computing)Query languageFreewareFront and back endsRight angleQuicksortDebuggerComputer fileRegulärer Ausdruck <Textverarbeitung>Data storage deviceResultantSequelExtension (kinesiology)Functional (mathematics)Function (mathematics)Software developerSet (mathematics)Library (computing)Subject indexingNumber1 (number)CountingParsingUniform resource locatorJSONXMLUML
10:42
Function (mathematics)Musical ensembleFormal languageComputer configurationLibrary (computing)Uniform resource locatorInformation securityQuicksortSoftware bugFitness functionGoodness of fitXMLUMLJSON
11:05
InfinityScripting languageHash functionRevision controlFunctional (mathematics)Ideal (ethics)Software testingStack (abstract data type)Buffer overflowDirectory serviceHacker (term)Public key certificateBlogSoftware testingHacker (term)File archiverRevision controlScripting languageStack (abstract data type)Computer fileDirectory serviceWordBuffer overflowElectronic mailing listXML
11:38
Focus (optics)Gastropod shellHacker (term)Revision controlDomain nameRight angleScripting languageSource codeJSONXMLUML
12:08
Software testingType theoryInformation securityOpen sourceExtension (kinesiology)Software frameworkExecution unitHill differential equationModule (mathematics)Disk read-and-write headExtension (kinesiology)1 (number)Software testingRoutingType theoryRight angleWordFile archiverSoftware bugPerspective (visual)Configuration spaceFocus (optics)Electronic mailing listSoftware frameworkOpen sourceInformation securityHacker (term)Web 2.0Portable communications deviceLink (knot theory)Multiplication signMemory managementXML
13:27
Extension (kinesiology)Electronic mailing listDefault (computer science)Source codeBackupSample (statistics)Convex hullAddressing modeInfinityQuery languageRight angleQuicksortComputer fileDifferent (Kate Ryan album)Extension (kinesiology)Projective planeElectronic mailing listWordResultantApplication service providerHacker (term)JSONXMLUMLSource code
14:31
Function (mathematics)Musical ensembleFormal languageComputer configurationLibrary (computing)Query languageMiniDiscOrder (biology)CountingLimit (category theory)Cubic graphComputer fileHacker (term)BlogContent (media)Repository (publishing)Source codeStack (abstract data type)Buffer overflow10 (number)Hacker (term)Electronic mailing listSet (mathematics)WordXML
14:53
Function (mathematics)Programmable read-only memoryMusical ensembleComputer configurationFormal languageLibrary (computing)Order (biology)Software testingDefault (computer science)Sample (statistics)Sampling (statistics)Right angleFile archiverLibrary (computing)Module (mathematics)BitQuery languageSequelWordFunctional (mathematics)Electronic mailing listXMLSource codeJSONUML
15:49
Execution unitComputer configurationElectronic mailing listProjective planeBitBlogGodRight angleNumberSpectrum (functional analysis)Computer fileQuicksortWordCounting1 (number)Software developerTerm (mathematics)Scripting languageUniqueness quantificationReading (process)JSONXML
17:01
Configuration spaceDefault (computer science)Software testingSample (statistics)Software frameworkDirectory serviceFrequencyParameter (computer programming)Uniform resource locatorPermutationBlogPresentation of a groupHill differential equationSlide ruleBinary codeTerm (mathematics)Fuzzy logicRight angleWordElectronic mailing listQuicksortPermutationUniform resource locatorSoftware developerRepository (publishing)Software frameworkDirectory serviceWeb 2.0Information securityDomain nameEstimatorExtension (kinesiology)TwitterConfiguration spaceBitQuery languageTouch typingParameter (computer programming)Router (computing)WebsiteFormal languagePresentation of a groupRoutingComputer fileDifferent (Kate Ryan album)FrequencyMaterialization (paranormal)BlogJSONXMLUMLSource code
19:34
Electronic mailing listFrequencySource codeWordRight angleFluid staticsBoundary value problemSoftware bugMultiplication signForcing (mathematics)QuicksortRandomizationVulnerability (computing)MappingDigital photographySurfaceComputing platformSpeech synthesisHacker (term)JSONXMLUML
Transcript: English(auto-generated)
00:00
will now get started on the last session of the day and I will hand over to Michael very very shortly. The title of the speech is up there. Supercharge your web recon with common speak and evolutionary word list and I'll hand over to Michael. Thanks very much. Cool. Alright, let's get talking about some word lists. Alright, just a note, it's just me flying solo today. Shubs unfortunately wasn't able to make it into the US for
00:25
reasons. So, um, but yeah, so just a little bit about myself. Shubs and I co-founded a company called AssetNote. Um, previously I was the director of Spider Labs in Asia Pacific. Um, you may have seen me around, I've spoken at a bunch of conferences on various topics.
00:41
Also organize, uh, SecTalks and another conference, TUSCON in Brisbane, Australia. Um, Shubs, uh, also comes from a pen testing background. Um, he's a prolific bug hunter and the hacker won top 50. Um, he's also a co-founder of Hackers Helping Hackers. So, I'm not gonna, I'm not gonna do too many plugs but I do wanna plug Hackers Helping Hackers
01:04
which is a charity, um, based in Australia. Basically we, we get, um, uh, under privilege and, uh, people who don't necessarily have good representation in the industry and we, you know, send them to cons, network and have various industry events and whatever. So, uh, if that interests you, you know, consider donating, it's a
01:23
really good, really good cause. Um, cool. Let's get on to the meat of it. Um, so, this talk is about, uh, web recon and content discovery and I just wanna start by setting the scene with the, sort of, the current state, right? So, let's say you're testing, uh, the
01:42
security of a large network with zero knowledge of the network, what applications are on the network. Um, you know, the first sort of thing that you'll wanna do is some reconnaissance to get an idea, um, of, you know, what are the applications, one of the, the systems that are running on this network, right? So, to do this, typically, you know, you'll load up,
02:01
uh, you know, a file or directory sort of brute forcing attack, um, and basic, well, not necessarily attack, recon, uh, reconnaissance exercise, um, and you'll perform it across all web assets, um, to, to find, you know, what's, what's out there, right? Pretty, pretty standard stuff for everybody in this room, I'm sure. Um, so, you know, as a security tester, you know, when you're conducting this, uh, directory brute forcing,
02:24
um, you know, you're typically using some sort of wordless, uh, probably seclis or some other wordless that maybe you've created yourself, um, and then you just pipe it into Der Search, go buster or whatever your favorite, uh, directory brute forcer is, maybe it's pad at all, I don't know many people that use that, but it's also a pretty good
02:41
tool. Um, so yeah, pretty, pretty straightforward, right? You guys will be used to that. Um, this is an example, none of this should be shocking, um, this is just, you know, Der Search with, you know, a basic word list, um, you know, looking for, you know, ASPX, HTML, JS extensions, um, and you're also including subdirectories of CMS
03:02
and API, um, so it takes 10 minutes into the brute force and we find sales dot ASPX, and in this particular example, um, visiting this, this file, um, returns a list of customers and sales, right? So it's a sense of information. Um, but what happens, what would happen if we didn't find that? Like, if sales dot ASPX wasn't in our word list,
03:22
um, you know, we would have missed this bug, right? So, obviously the quality of your word list, uh, is really important for the quality of your recon and, and by extension, the quality of your, uh, your pen test. So what are the problems with current word lists, right? So they're curated, i.e. they're created manually, um, they're
03:43
created by often an individual or a group of individuals and, uh, you know, so, so it's really down to their time and their effort as well as their experience in terms of the quality of the word list. Um, they're not really updated regularly and they don't really evolve as new technologies are developed, at least not as, as quickly as it, as they
04:02
should. Um, they're hard to customize and tailor to your needs because, you know, they're just big long text, you know, text files, right? Um, and then you have to sort of cut it up and do whatever. It's not really, um, that customizable, at least not in an easy fashion. Um, and if you're creating them, they require like significant time investment to create word lists that are of any kind of quality,
04:23
right? Um, so how can we address these problems? Well, one, I think we need to move away from curated word lists. So, under the current model, um, updates are slow, um, because, you know, people have stuff to do. Nobody gets paid to create word lists typically. Um, and, you know, they can't really maintain them and keep them up to
04:43
date. Um, we need to figure out a way to keep word lists relevant to current technologies to make sure we, uh, get the most, uh, effectiveness out of those word lists. Uh, we need to reduce the amount of time and effort required to create an up-to-date and high quality word list and they need to be easily customizable to
05:01
meet your needs. So, that's where we introduce the concept of evolutionary word lists. So, addressing those problems that I mentioned earlier was relevant to our business. So, we developed the concept of evolutionary word lists. So, the idea is evolutionary word lists are not static curated lists. They evolve as the underlying technologies used by organizations shift. So, the idea is that it evolves as the
05:24
technologies used in, you know, actual environments are also, uh, shifting. And so, by automating and analyzing large public data sets, we can create these evolutionary word lists. Um, they're dynamic, they're ranked by occurrence and they're generated regularly in a scheduled manner, uh, as part of an automated workflow. So,
05:44
none of this kind of manual curation and up-to-date, uh, and updating and maintaining. So, one of the key areas is shifting, uh, keeping up with the shifting text landscape, right? So, you know, that really goes to the quality of your word lists. If your word lists are out of date with the technologies that people are
06:01
using to develop applications, um, then you're gonna miss stuff, right? So, you know, just think in the last five years, think about all the new technologies and frameworks that have been introduced over that time, right? Um, there's gotta be at least a bajillion JavaScript frameworks that have come out in the last five years, right? Um, you know, do the word lists available cover these technologies? Um, it
06:25
doesn't really have to be updated, not really that often. Uh, you know, and how are the curators choosing what to cover and what to put in their word lists, right? Is it based on experience or is it based on something more empirical, right? Is it just their sort of gut feel that these are the right things to put into the word lists and what to add? Is it just because they're experienced and they see that stuff
06:43
all the time? What if they are missing stuff or they don't usually work in a certain area of technology or whatever, right? Um, so, you know, and the idea is if our word lists use for web recon, uh, don't keep up with modern technologies. We'll inevitably miss, um, you know, significant vulnerabilities when using word lists for
07:03
security assessments or bug hunting or whatever. Cool. So, that's where BigQuery comes in. Um, so, looking for a way to sort of bring this concept to life, this evolutionary word list concept to life, we looked into BigQuery. So, BigQuery is a
07:23
simple SQL query. Um, you can process terabytes of data in seconds or process by Google. Um, it can handle complex SQL queries, so including regex and user defined functions. Um, and more importantly for us and for the concept that we're trying to get to, it offers a number of large public data sets that are updated
07:44
regularly, right? So, they're evolving as well. And these data sets can be queried in an automated fashion. So, just an example of some of the data sets that are available, uh, on BigQuery that are, that are quite useful. So, the ones that are updated daily are stories and comments from Hacker News, uh, every SSL cert and cert
08:02
transparency logs. Uh, updated weekly, uh, you have contents from, uh, over 3 million open source, uh, public GitHub repositories. Uh, fortnightly you have HTTP archives data set which is obtained by crawling Alexa's top 1 million list and then quarterly or publicly available data from Stack Overflow, right? So, if you think
08:24
about, uh, you know, the idea of shifting with the technological landscape, these are pretty good data sets for that, right? And, BigQuery is, doesn't cost much. You get up to 1 terabyte per, um, free per month and it's 5 bucks per terabyte after that. So, so pretty good for what we need to do and, um, you know, it should be
08:44
free for pretty much everybody's needs, right? So, writing a BigQuery query. Um, so it's pretty straightforward, right? SQL. Pretty, you know, pretty simple. Everybody, or most people at least should be familiar with that. Um, and, you know, as I mentioned, you can use, uh, regular expressions here to sort of, you
09:02
know, pull out extensions like PHP, HTMLJS, um, which is there. Um, so, you know, basically all this does is it's pulling from the GitHub repos, um, data, like the, the data set, um, and it's looking for, uh, anything that has a dot PHP dot HTML
09:20
dot JS extension, um, and then, you know, ordering by, uh, grouping by that path and then ordering by count, so the, the count of those, and then taking 200,000 results. And this is kind of the output, right? Um, so, you know, some of the obvious ones that are there, right, index HTML stands out as number one, that
09:41
doesn't surprise anybody, right? But going back to the, the idea that we're keeping up with the technological landscape, things like grunt files and gulp files, right? Grunt and gulp, you know, are fairly recent kind of tooling with, like, front-end, the rise of sort of front-end development. Um, so, you know, again, you know, they're, they're right up the top, right? So, it gives you a good feel of, you
10:00
know, how you can pull out current but also relevant results from BigQuery. Um, you can also, uh, use JavaScript functions in BigQuery. Um, so, you can create a temporary function. Um, basically, all, all this is doing is, um, parsing a, a URI to get the path, right? Uh, and it's using this, uh, library which is just hosted on, um, Google
10:24
storage, um, and it's just a very simple, um, library for parsing URIs. Um, it's something that Shubbs wrote and it's out there. Um, that's actually publicly accessible so you could use this in your own BigQuery stuff as well if you wanted to. Um, and then it's just pulling out the URL and grouping by the URL. So,
10:43
pretty, pretty straightforward kind of stuff. So, we've got this idea of evolutionary wordless and the, the problems that we're trying to solve with evolutionary wordless. And then, you know, we've got BigQuery which we see could be a good fit for this. You know, how do we take this concept and turn it into something that's repeatable and can be used in a workflow when you're doing
11:03
sort of bug hunting or security assessments or whatever. So, the initial attempts at automa-, automation were kind of promising but also not that great, right? So, the first attempt at this was CommonSpeak version 1, um, and, uh, it's, it was functional but not really ideal for a testing workflow. Um, it covered
11:22
directories, file names and subdomains from Stack Overflow, Hacker News and HTTP Archive and then subdomains from the search transparency logs. Um, the wordless ended up being very large, very noisy, uh, and it was essentially just a collection of bash scripts which made it hard to integrate into a workflow. Um, so, you can see here, this is CommonSpeak version 1, um, and this is getting the
11:43
subdomains from Hacker News. It's just a shell script, right? Um, and it comes back with 67,360 domains, right? The problem with CommonSpeak 1 was, it was very noisy and it wasn't, it wasn't easy to work with and, uh, you know, really the
12:01
initial focus was on quantity whereas, you know, it became clear that we needed to focus on quality as well. Um, so, that's where CommonSpeak 2 comes in. Um, it is way, way simpler. Um, it's written in Go now. Um, so, you know, it plugs into an existing testing workflow quite easily and currently generates three types of
12:21
wordless. Um, we're adding more modules over time, uh, and we're also getting heaps of interest and pull requests and stuff like that, people who want to add different modules once they sort of get their head around the idea. So, um, the ones that, that are currently in there, uh, extension-based wordless from GitHub, um, and it's quite large and it's sorted by popularity. Um, subdomains from HCP Archive and Hacker
12:43
News, um, and approximately we're, we're focusing on pulling it up about 500k from that and then route-based paths from popular web frameworks. So, Rails, Tomcat, Node.js for now, but it's pulling out, pulling out paths, right? You know, config slash whatever, right? Um, and, uh, yeah. So, as I said earlier, the focus was on better quality
13:04
wordless and, you know, that makes, uh, more sense from a bug hunting and security testing perspective. Uh, often having better quality wordless is better than having, you know, a better quality wordless. Um, so, as I mentioned, it's written in Golang, um, it's extendable, importable, it's really easy to embed in any kind of workflow, uh, and it's
13:24
open source. I'll get to the, the links at the end. So, this is, uh, extension-based wordless, right? So, this is just the, the simple query for, uh, pulling from GitHub, that was the first sort of query, um, and it's just pulling out, um, different, uh, different files, different extensions. Um, so here, um, same, same sort of
13:46
thing in, uh, in comment speak too. So, basically, that's the command at the top. Um, the, the project is just your Google, uh, project ID. So, that's, that's ours, but you'll just, you'll put in yours. Everybody gets one when you set up a, you know, BigQuery and all
14:00
that kind of stuff. Credentials are your credentials, um, and then it's generating, uh, an extension wordless with, uh, this is with ASPX, um, and it's getting 100,000 results, um, and then it's piping it out to ASPX.txt. Yep. Yep.
14:28
What do you mean? Uh, so, uh, so, yeah, so back here, right, Hacker News is updated, I believe, uh, weekly, uh, daily. So, stories and comments. So, so, this is not Hacker News hosting a wordless. This is BigQuery pulling all the stories and comments from
14:45
Hacker News into a data set that you can query. Yeah, so they're not, they're not hosting wordless or anything like that. Yeah. Yeah, we're creating the wordless from that data. Yeah. Get that to where it was. Cool. And this is just, this is just sample data, right? Um, and this is the subdomains, um, wordless from HTTP Archive. Um,
15:09
so this is the, the query. Again, this is a little bit more complex, but not that complex, right? Um, so, so, you know, if you want to extend this and add your own modules and add your own queries, um, it's super simple, right? It's just a bit of
15:21
JavaScript, bit of SQL. Um, so this is very similar to the, the original query that we, we showed earlier, where it's just got a, a JavaScript function, um, that is used to get the, the subdomains, um, using this URI, um, uh, JS, uh, library that, that Shub's wrote. Um, and it's basically just getting all the subdomains from the
15:41
HTTP Archive URLs, um, grouping it by subdomain, and this is getting, uh, I think that's 2 million. So, quite a few, right? Um, and so this is, this is what it looks like in terms of using common spec 2 for that. Again, you've got your project ID, your credentials, um, it's got verbose options as well. So, again, this is not just
16:00
like a really simple bash script. This is, you know, a little bit more featureful and, and something that you could ideally use. Um, and then it's outputting into a subdomain's text file. Um, if you have a look here, the unique subdomains, uh, 484,701 subdomains. And it's sorted by count. So you can see here, right, www is at the top with like, god, I'm not even going to bother reading that
16:24
number, right? Makes sense, right? Um, but yeah, you can see some interesting ones here, like m makes sense, right? Um, developer, whatever, but, you know, as you go on, you know, bits dot blogs, right, is up there. Like, that seems kind of weird to me. I probably wouldn't have put that in a subdomain word list, right? Um,
16:44
spectrum, I don't, I don't know, maybe that's related to some sort of technology, right? But like, um, you know, some of these make sense to be at the top, but some of these are kind of surprising even in that top list, right? Um, so it, so it is sorting by relevancy as well, so automatically by just, you know, working on the count. Um, cool. So, same thing, um, but this, uh, sorry, this is, looks like
17:15
duplicate slides. Never mind. Um, let's get on to the future development of
17:20
common speak, too. So, um, framework based route extensions, so things like, things like config, um, slash routes dot rb, um, more comprehensive file and directory word lists for many languages and frameworks, so we only support a few, right? So we spoke about, you know, Rails, um, Tomcat, you know, NodeJS, whatever. Um, but, you know,
17:41
we're going to add some more support for stuff, and hopefully, you know, the community will also add different queries for different stuff that they think about. The other thing is, it's not necessarily just useful for recon, right? So, there's other security domains that are also useful. So, think about, like, um, so, like, fuzzing, right? Um, with BigQuery, um, and even with common speak, you can pull out all
18:04
the PDFs that are on GitHub, let's say, right? And then you could use that as a corpus for fuzzing or any kind of binary or whatever. Um, so it's not just for web recon. We find use in it for web recon, but, uh, it's great in, you know, a whole bunch of other, um, you know, security domains, right? Um, so, in terms of future
18:24
development as well, parameter and value-based extraction from URLs, uh, sorted by frequency, um, a permutation engine as well to sort of, uh, you know, take different permutations of the word list, um, to get, you know, again, focusing on quality, and then schedule wordless creation, again, going back to that concept of keeping it up to date and constantly evolving. Um, we're still working on it. Uh,
18:44
we're working on it right up until, uh, up until this presentation. Um, but all of those features that we're listing here are expected to be released within the next couple of weeks, right? Um, so, so, yeah, it'll be, here we go. Um, in terms of where you can find this, um, and find resources on it, um, labs.acid.io and blog.acid.io will be
19:06
posting up some write-ups, uh, on using common speak and obviously all the materials from this presentation. Um, github under our, uh, our github, um, uh, repository, uh, common speak too, uh, under asinote. And then if you want to just
19:21
get in touch with us, um, our website or tweet at us is probably the, the easiest way to get to us. Um, so infosec au, it's actually underscore au, uh, sorry, that's a bit of a mistake, for shubs and, uh, mgeneracus for me. And that's the URL. And, that's everything. I'll leave it on the URL for anyone else to take photos. Um, so yeah,
19:45
any questions? Uh, yes, we have used it in bug bounties to very significant success. It's also driving, uh, so asinote is a platform that monitors your
20:05
external attack surface for vulnerabilities and it maps out stuff with recon. And we have passive and active sources. Our active sources are based on word lists generated by, um, by common speak. Right, so. Oh yeah, definitely, definitely,
20:30
especially on bounties, right? We've seen a lot of success on bounties. Um, you know, shubs, if you don't know, is very, very successful bounty hunter, right? He's in the top 50 hacker one globally. Um, and where he stands out and where he gets
20:42
his edge and where the top bug hunters really get their edges in recon, right? And the stuff that he's pulled out, um, you know, using common speak, uh, has definitely been interesting stuff that I seriously doubt would be, I haven't checked, but I seriously doubt would be in set lists, right? Um, because it's up to date, it's sorted by frequency as well and popularity. So it's not just
21:02
like, you know, here's a static word list. It's also like you can take, if you, if you're sort of pressed for time or you don't want to do a huge scan or whatever, huge brute force, you can take the top, you know, 200 or top 100, right? And you're likely to have more success with that than necessarily just a, you know, unsorted random kind of, uh, word lists, right? Um,
21:23
so there's, there's, it's definitely more flexible and I, I, at least in our experience using it, both for our business as well as for, for bug hunting, um, it's definitely been successful and to that, but to, that said, we haven't compared it necessarily to set lists, right? Um, but you know, we, we
21:42
are confident that it's a better approach, right? Any other questions? Okay, no further questions. Thank you.