Bonjour,
This is one of my favourite tricks of all time and is one that I use
time and time again. While chatting with Frans Rosén, I misunderstood
something that he was explaining and in doing so, came up with a silly
trick to increase the number of valid subdomain takeovers that I find.
The trick is simple, yet very effective in practice, as demonstrated
in https://hackerone.com/reports/312118. When scanning for subdomain
takeovers, always check the www. form (www.example.com) against the
basename (example.com). In my experience, the most widespread
misconfiguration is where the developer picks one of the two to serve
their page and leaves the other with a dangling DNS record.
So one quick task I suggest adding to your workflow is scanning all
in-scope domains and comparing www. to the basename. This can easily be
achieved as follows:
1. Grab all in-scope domains and put them, one per line, into list.txt;
2. sed 's/^/www./' list.txt > www.txt (builds the www. form of every name);
3. cat list.txt www.txt | sed 's#^#http://#' > targets.txt (meg wants a
   scheme on every host, and both forms go into the one target list);
4. meg / targets.txt (fetches / from every host; responses land in out/);
5. Finally, run TomNomNom's
https://github.com/tomnomnom/dotfiles/blob/master/scripts/findtakeovers
against the out/ directory.
You could also just run a screenshot script such as EyeWitness against
the list and manually inspect the results.
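As an added example (not Ed's or Frans's script, and not the meg or findtakeovers tooling linked above), here is the DNS side of the same comparison in POSIX shell. For each base domain it looks up both example.com and www.example.com and flags the pair when either side is a CNAME whose target no longer resolves, which is the dangling record the text describes. It assumes dig (from BIND) is installed; the lookup function is the only piece that touches the network, so it can be swapped for fixture data. The file name www_vs_base.sh and the record labels (LIVE/DEAD/NONE) are my own conventions. A dangling target still has to be checked by hand against the provider before it counts as claimable, so the output is a list of candidates, not confirmed takeovers.

```shell
#!/bin/sh
# Added example, not from the original post: compare example.com with
# www.example.com and flag pairs where one side is a CNAME whose target
# no longer resolves (a dangling record). Live lookups use dig (BIND);
# lookup() is the only network-touching piece and can be replaced with
# fixture data for offline runs.

# lookup NAME
# Prints exactly one line describing NAME:
#   A <addr>               an address record (possibly via a CNAME chain)
#   CNAME <target> LIVE    a CNAME whose target still resolves (IPv4 check)
#   CNAME <target> DEAD    a CNAME whose target does not resolve (dangling)
#   NONE                   no usable record at all
lookup() {
  lk_cname=$(dig +short CNAME "$1" 2>/dev/null | head -n 1)
  if [ -n "$lk_cname" ]; then
    lk_cname=${lk_cname%.}                       # strip the trailing dot
    if [ -n "$(dig +short A "$lk_cname" 2>/dev/null)" ]; then
      printf 'CNAME %s LIVE\n' "$lk_cname"
    else
      printf 'CNAME %s DEAD\n' "$lk_cname"
    fi
    return 0
  fi
  lk_addr=$(dig +short A "$1" 2>/dev/null | head -n 1)
  if [ -n "$lk_addr" ]; then
    printf 'A %s\n' "$lk_addr"
  else
    printf 'NONE\n'
  fi
}

# is_dangling RECORD -> true when RECORD is a dead CNAME line from lookup()
is_dangling() {
  case $1 in
    "CNAME "*" DEAD") return 0 ;;
    *)                return 1 ;;
  esac
}

# classify DOMAIN
# Looks up DOMAIN and www.DOMAIN and prints one line:
#   CANDIDATE <domain> [<base record>] www.<domain> [<www record>]
# when either side is dangling, otherwise the same line prefixed OK.
classify() {
  cl_domain=${1#www.}                            # always start from the basename
  cl_base=$(lookup "$cl_domain")
  cl_www=$(lookup "www.$cl_domain")
  cl_verdict=OK
  if is_dangling "$cl_base" || is_dangling "$cl_www"; then
    cl_verdict=CANDIDATE
  fi
  printf '%s %s [%s] www.%s [%s]\n' \
    "$cl_verdict" "$cl_domain" "$cl_base" "$cl_domain" "$cl_www"
}

# scan_list FILE -> classify every non-empty, non-comment line of FILE
scan_list() {
  while IFS= read -r sl_line || [ -n "$sl_line" ]; do
    case $sl_line in ''|'#'*) continue ;; esac
    classify "$sl_line"
  done < "$1"
}

# Usage: sh www_vs_base.sh list.txt | grep '^CANDIDATE'
if [ $# -gt 0 ]; then
  scan_list "$1"
fi
```

Feed it the same list.txt you give meg and grep for CANDIDATE; the bracketed records tell you which side is serving and which CNAME target to go and look at. Because the check is on DNS rather than on response bodies, it catches dangling records for hosts that never answer HTTP at all, which a screenshot or fingerprint pass would miss.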
Moral of the story, even misunderstanding Frans can end up uncovering
valid issues. Thank you, Frans. :D
- Ed