Niiiiice! I'll have to check that out.
Another cool thing you can do to find some nice subdomain takeovers is:
1. Enumerate subdomains
2. Check {Subdomain}.s3.amazonaws.com for takeover-ability.
The problem, then, becomes if you can prove that the s3 bucket belongs to
the company or not. However, most of the time it does.
-Justin
Justin Gardner
Cell: (804)525-8089
On Wed, Jul 4, 2018 at 3:37 PM, Edwin <contact@xxxxxxxxxxxxxx> wrote:
Bonjour,
This is one of my favourite tricks of all time and is one that I use time
and time again. While chatting with Frans Rosén, I misunderstood something
that he was explaining and in doing so, came up with a silly trick to
increase the number of valid subdomain takovers that I find. The trick is
so simple, yet very affective in practice as demonstrated in
https://hackerone.com/reports/312118. What you do is when scanning for
subdomain takeovers always check www. (www.example.com) vs the basename
(example.com). In my experience, the most widespread misconfiguration is
where the developer picks one of the two to serve their page and leave the
other option with dangling DNS record.
So one quick task I suggest adding to your workflow, is scanning all in
scope domains and comparing www. to the basename. This can easily be
achieved as follows:
1. Grab all domains and put them into a text file;
2. sed 's/^/www./g' list.txt;
3. sed 's#^#http://#g' list.txt;
4. meg / list.txt;
5. Finally, run TomNomNom's https://github.com/tomnomnom/
dotfiles/blob/master/scripts/findtakeovers against the out/ directory.
You could also just run a screenshot script such as EyeWitness against the
list and manually inspect the results.
Moral of the story, even misunderstanding Frans can end up uncovering
valid issues. Thank you, Frans. :D
- Ed
