[bugbounty] Bug bounty tip: Find (sub)domain takeovers via the Content Security Policy header.

  • From: Edwin <contact@xxxxxxxxxxxxxx>
  • To: bugbounty@xxxxxxxxxxxxx
  • Date: Thu, 05 Jul 2018 16:39:46 +0200

Hey everyone,

Here is a basic script that finds (sub)domain takeovers from the CSP header that I wrote quite a while ago. Admittedly, I haven't tested this script in a little while, but it might come in handy for some of you. By the way, you will need to install meg [1] in order to use this little script.

----------------------------------------------------------------------

#!/bin/bash
# Usage: ./cspchecker.sh https://target.example
# Needs meg (https://github.com/tomnomnom/meg) on PATH and GNU sed/grep.

# Response-body fingerprints of hosting services that answer for a name whose
# resource no longer exists.
searches=(
   "There is no app configured at that hostname"
   "NoSuchBucket"
   "No Such Account"
   "You're Almost There"
   "a GitHub Pages site here"
   "this shop is currently unavailable"
   "There's nothing here"
   "The site you were looking for couldn't be found"
   "The request could not be satisfied"
   "project not found"
   "Your CNAME settings"
   "The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it."
   "Domain mapping upgrade for this domain not found"
   "The feed has not been found"
   "This UserVoice subdomain is currently available!"
)

# Fetch the headers, pull the CSP line(s), split the value into tokens, keep the
# host-like ones and normalise them to one lowercase host per line.
curl -LIs "$1" |
tr -d '\r' |                        # header lines end in CRLF; drop the CR or it ends up in the host
grep -i "Content-Security-Policy" |
sed 's/\( \|;\|,\)/\n/g' |          # one token per line (',' joins multiple header values; GNU sed)
grep -E '[^.]+\.[^.]+$' |           # keep tokens that contain a dot (host-like)
sed -E 's#https?://##I' |           # strip scheme
sed -E 's#/.*##' |                  # strip path
sed -E 's#:.*##' |                  # strip port (cdn.example.com:443, host:*)
sed -E 's#^\*\.?##' |               # strip leading wildcard
tr '[:upper:]' '[:lower:]' |
sort |
uniq > cspchecker.txt

if [[ -s "cspchecker.txt" ]]; then
   while read -r host; do
           echo "- Checking $host."
           # meg expects scheme-prefixed hosts; responses are saved under out/<host>/
           meg --delay 100 / "https://$host" 2> /dev/null
   done < cspchecker.txt

   # A fingerprint in a saved response body marks a dangling host worth verifying by hand.
   for str in "${searches[@]}"; do
       grep --color -Hnri "$str" out/
   done

   echo "You can delete out/ now."
   echo "[+] Done."
else
   echo "No CSP header found on $1."
fi

----------------------------------------------------------------------

Have fun!

- Ed

[1]: https://github.com/tomnomnom/meg
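Below is an added example, not part of Ed's post or of meg, that does the same job in Python from the defender's side: it parses the policy's host sources per the CSP grammar (scheme, leading wildcard, port and path) instead of by dot-matching, records which directive trusts each host, and matches the fetched body against the post's fingerprint list, including bodies served with a 4xx status, which is where several of these strings actually appear. Fetching is plain urllib; the header block and response bodies at the bottom are constructed so the example can be exercised offline.

```python
# Added example, not from Ed's post or from meg: list the hosts a CSP header trusts
# and flag those whose response carries one of the post's takeover fingerprints.
# Source parsing follows the CSP host-source form [scheme://][*.]host[:port][/path].
import re
import sys
import urllib.error
import urllib.request

FINGERPRINTS = [  # the strings from the post
    "There is no app configured at that hostname",
    "NoSuchBucket",
    "No Such Account",
    "You're Almost There",
    "a GitHub Pages site here",
    "this shop is currently unavailable",
    "There's nothing here",
    "The site you were looking for couldn't be found",
    "The request could not be satisfied",
    "project not found",
    "Your CNAME settings",
    "The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it.",
    "Domain mapping upgrade for this domain not found",
    "The feed has not been found",
    "This UserVoice subdomain is currently available!",
]
HOST_SOURCE = re.compile(  # [scheme://] [*.]host [:port] [/path], anchored
    r"^(?:[a-z][a-z0-9+.-]*://)?(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.?)"
    r"(?::(?:\*|[0-9]+))?(?:/[^\s;,]*)?$", re.IGNORECASE)

def csp_values_from_raw_headers(raw):
    """Values of every CSP / CSP-Report-Only header in a raw header block (CRLF ok)."""
    values = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in (
                "content-security-policy", "content-security-policy-report-only"):
            values.append(value.strip())
    return values

def parse_csp_hosts(header_value):
    """Map each host the policy trusts to the directives naming it. ',' joins header
    values, ';' separates directives; quoted tokens ('self', nonces, hashes) and
    scheme-only sources (https:, data:) have no host; *.x.example counts as x.example."""
    hosts = {}
    for value in header_value.split(","):
        for directive in value.split(";"):
            tokens = directive.split()
            for tok in tokens[1:]:
                if tok.startswith("'") or tok.endswith(":"):
                    continue
                m = HOST_SOURCE.match(tok)
                if not m:
                    continue
                host = m.group("host").lower().rstrip(".").removeprefix("*.")
                if host == "*" or "." not in host:
                    continue
                hosts.setdefault(host, set()).add(tokens[0].lower())
    return {h: sorted(d) for h, d in sorted(hosts.items())}

def find_fingerprints(body):
    """Fingerprints present in a response body, matched case-insensitively."""
    lower = body.lower()
    return [fp for fp in FINGERPRINTS if fp.lower() in lower]

def http_fetch(host, timeout=10):
    """Body of https://host/, '' if unreachable. 4xx bodies are read too (S3's NoSuchBucket is a 404)."""
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as resp:
            return resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return (err.read(200_000) if err.fp else b"").decode("utf-8", "replace")
    except Exception:
        return ""

def check_hosts(hosts, fetch=http_fetch):
    """{host: [fingerprints]} for every host whose response matches one."""
    findings = {}
    for host in hosts:
        matched = find_fingerprints(fetch(host))
        if matched:
            findings[host] = matched
    return findings

# Constructed sample: a header block as `curl -sIL` prints it, plus fake bodies standing in for the network.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self' https://cdn.example.com:443/static/ "
    "*.assets.example.net; img-src data: https: blob.example.org:*; "
    "script-src 'nonce-abc123' 'sha256-AbCd+/=' Cdn.Example.COM\r\n"
    "Content-Security-Policy-Report-Only: report-uri https://reports.example-csp.com/r, "
    "frame-src old-widget.example.io\r\n\r\n")
SAMPLE_BODIES = {
    "cdn.example.com": "<html><body>Welcome</body></html>",
    "blob.example.org": '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code></Error>',
    "old-widget.example.io": "<h1>There's nothing here, yet.</h1>",
}

if __name__ == "__main__":  # usage: curl -sIL https://target | python3 csp_dangling.py
    hosts = parse_csp_hosts(", ".join(csp_values_from_raw_headers(sys.stdin.read())))
    for host, matched in check_hosts(hosts).items():
        print(f"[!] {host} (trusted by {', '.join(hosts[host])}): {'; '.join(matched)}")
```

Run it on your own site's headers with `curl -sIL https://target | python3 csp_dangling.py`; every listed host is one a browser will load code or content from, so a dangling one belongs in the same review queue as a dangling CNAME. The wildcard handling is deliberate: `*.assets.example.net` is collapsed to `assets.example.net`, the name the wildcard hangs off, and a fingerprint match there still needs a manual look, since the strings only say a service answered for a name it no longer has a resource for.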

