Oh, they are subdomains. For the one belonging to xyz.com, what does
'dig NS xyz.com +trace' return?
- Ed
On Thu, Jul 5, 2018 at 5:22 PM, HackersGuild
<luffydragneel151@xxxxxxxxx> wrote:
There are 2 subdomains. For one, "host xyz.com" gives host xyz not found. And for the other, "host abc.com" gives abc.com has address [IP address]. Not sure if any of them is useful. What do you say?
On Thu, Jul 5, 2018, 8:46 PM Edwin <contact@xxxxxxxxxxxxxx> wrote:
Hi LuffyDragneel,
What does 'host xyz.com' return in your terminal? Is the domain available for registration?
- Ed
On Thu, Jul 5, 2018 at 4:47 PM, HackersGuild <luffydragneel151@xxxxxxxxx> wrote:
Hey Ed,
Wanted to ask something. There is a domain xyz.com and if I browse there, burp says unknown host. But when I do a xyz.com.s3.amazonaws.com, it shows no such bucket and stuff. So should I test it for subdomain takeover?
LuffyDragneel
On Thu, Jul 5, 2018 at 8:10 PM Edwin <contact@xxxxxxxxxxxxxx> wrote:
Hey everyone,
Here is a basic script that finds (sub)domain takeovers from the CSP header that I wrote quite a while ago. Admittedly, I haven't tested this script in a little while, but it might come in handy for some of you. By the way, you will need to install meg [1] in order to use this little script.
----------------------------------------------------------------------
#!/bin/bash
# Fingerprints that unclaimed third-party services return for a dangling host.
searches=(
"There is no app configured at that hostname"
"NoSuchBucket"
"No Such Account"
"You're Almost There"
"a GitHub Pages site here"
"this shop is currently unavailable"
"There's nothing here"
"The site you were looking for couldn't be found"
"The request could not be satisfied"
"project not found"
"Your CNAME settings"
"The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it."
"Domain mapping upgrade for this domain not found"
"The feed has not been found"
"This UserVoice subdomain is currently available!"
)
# Fetch the headers of $1 (following redirects), pull out the CSP header and
# reduce every source expression to a bare, lowercase hostname.
curl -LIs "$1" |
grep -i "Content-Security-Policy" |
sed 's/\( \|;\)/\n/g' |        # one token per line (split on space and ';')
grep -E '[^.]+\.[^.]+$' |      # keep only tokens that look like hostnames
sed -E 's#https?://##I' |      # drop the scheme
sed -E 's#/.*##' |             # drop any path
sed -E 's#^\*\.?##' |          # drop a leading wildcard label (*.example.com -> example.com)
sed -E 's#,#\n#g' |
tr '[:upper:]' '[:lower:]' |
sort |
uniq > cspchecker.txt
if [[ -s "cspchecker.txt" ]]; then
  # Request / on every host with meg; responses land in out/ by default.
  while read host; do
    echo "- Checking $host."
    meg --delay 100 / $host 2> /dev/null
  done < cspchecker.txt
  # Search the saved responses for the takeover fingerprints above.
  for str in "${searches[@]}"; do
    grep --color -Hnri "$str" out/
  done
  echo " You can delete out/ now."
  echo "[+] Done."
else
  echo "No CSP header found on $1."
fi
----------------------------------------------------------------------
Have fun!
- Ed
[1]: https://github.com/tomnomnom/meg
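The host-extraction step of Ed's pipeline, as an added example in Python rather than Ed's own code: it reduces CSP source expressions to bare hostnames the way the sed chain does, and also copes with inputs the chain trips over (ports, scheme-only sources such as data: or blob:, 'self' and nonce keywords, several CSP headers on one response). The header values in the comments and test are constructed, not captured from any site.

```python
"""Extract candidate external hostnames from Content-Security-Policy headers.

Mirrors the grep/sed pipeline in Ed's script: strip scheme, path, port and a
leading wildcard label, lowercase, de-duplicate. Keyword sources ('self',
'nonce-...') and scheme-only sources (data:, blob:, https:) name no host and
are skipped. Constructed sample:
  "script-src 'self' https://Cdn.Example.com:443/js *.assets.example.net data:"
  -> ["assets.example.net", "cdn.example.com"]
"""
import re
from urllib.parse import urlsplit

# Quoted keywords ('self', 'nonce-abc', ...) and bare schemes (data:, https:).
_NO_HOST = re.compile(r"^'.*'$|^[a-z][a-z0-9+.-]*:$", re.I)
# Dotted hostnames only; a bare "localhost" is not a dangling-record candidate.
_HOST = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def csp_hosts(header_values):
    """Return sorted, de-duplicated lowercase hostnames named in the given
    CSP (or CSP-Report-Only) header values; a server may send several."""
    hosts = set()
    for value in header_values:
        for directive in value.split(";"):
            tokens = directive.split()
            # tokens[0] is the directive name (script-src, img-src, ...).
            for tok in tokens[1:]:
                if _NO_HOST.match(tok):
                    continue
                # urlsplit only yields a netloc after '//', so add it for
                # bare host-sources such as *.assets.example.net.
                src = tok if "//" in tok else "//" + tok
                netloc = urlsplit(src).netloc.lower()
                host = netloc.rsplit("@", 1)[-1]      # drop any userinfo
                host = host.split(":", 1)[0]          # drop port (or ':*')
                host = host.lstrip("*.")              # *.example.com -> example.com
                if _HOST.fullmatch(host):
                    hosts.add(host)
    return sorted(hosts)
```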