Hey everyone,
Here is a basic script that finds (sub)domain takeovers from the CSP
header that I wrote quite a while ago. Admittedly, I haven't tested
this script in a little while, but it might come in handy for some of
you. By the way, you will need to install meg [1] in order to use this
little script.
----------------------------------------------------------------------
#!/bin/bash
# Fetch the Content-Security-Policy header of a URL, pull out every hostname it
# references, request / from each of them with meg, then grep meg's output for
# strings that unclaimed hosting services typically return.

if [[ -z "$1" ]]; then
    echo "Usage: $0 <url>"
    exit 1
fi

# Response fragments that suggest a hostname points at an unclaimed service.
searches=(
    "There is no app configured at that hostname"
    "NoSuchBucket"
    "No Such Account"
    "You're Almost There"
    "a GitHub Pages site here"
    "this shop is currently unavailable"
    "There's nothing here"
    "The site you were looking for couldn't be found"
    "The request could not be satisfied"
    "project not found"
    "Your CNAME settings"
    "The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it."
    "Domain mapping upgrade for this domain not found"
    "The feed has not been found"
    "This UserVoice subdomain is currently available!"
)

# HEAD request, following redirects, silently; keep the CSP header line, split
# it into one token per line (spaces, semicolons and commas from folded
# headers), keep tokens that look like hostnames, strip scheme, path and a
# leading wildcard, lower-case, and deduplicate.
curl -LIs "$1" |
    grep -i "Content-Security-Policy" |
    sed 's/[ ;,]/\n/g' |
    grep -E '[^.]+\.[^.]+$' |
    sed -E 's#https?://##I' |
    sed -E 's#/.*##' |
    sed -E 's#^\*\.?##' |
    tr '[:upper:]' '[:lower:]' |
    sort -u > cspchecker.txt

if [[ -s cspchecker.txt ]]; then
    while read -r host; do
        echo "- Checking $host."
        meg --delay 100 / "$host" 2> /dev/null   # meg writes its results to out/
    done < cspchecker.txt
    for str in "${searches[@]}"; do
        grep --color -Hnri "$str" out/
    done
    echo " You can delete out/ now."
    echo "[+] Done."
else
    echo "No CSP header found on $1."
fi
----------------------------------------------------------------------
Have fun!
- Ed
[1]: https://github.com/tomnomnom/meg