Jump to content
Kev

Second-order subdomain takeover scanner

By Kev, in Programe hacking

Recommended Posts

Kev Experienced

Kev

Posted
Posted

Second Order

Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match some specific rules, or respond in a specific way.

 

Installation

Go version >= 1.8 is required. 

go get github.com/mhmdiaa/second-order

This will download the code, compile it, and leave a second-order binary in $GOPATH/bin.

 

Command line options 

 -base string
       Base link to start scraping from (default "http://127.0.0.1")
 -config string
       Configuration file (default "config.json")
 -debug
       Print visited links in real-time to stdout
 -output string
       Directory to save results in (default "output")

Example 

go run second-order.go -base https://example.com -config config.json -output example.com -concurrency 10

 

Configuration File

Example configuration file included (config.json)

  • Headers: A map of headers that will be sent with every request.
  • Depth: Crawling depth.
  • LogCrawledURLs: If this is set to true, Second Order will log the URL of every crawled page.
  • LogQueries: A map of tag-attribute queries that will be searched for in crawled pages. For example, "a": "href" means log every href attribute of every a tag.
  • LogURLRegex: A list of regular expressions that will be matched against the URLs that are extracted using the queries in LogQueries; if left empty, all URLs will be logged.
  • LogNon200Queries: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they don't return a 200 status code.
  • ExcludedURLRegex: A list of regular expressions whose matching URLs will not be accessed by the tool.
  • ExcludedStatusCodes: A list of status codes; if any page responds with one of these, it will be excluded from the results of LogNon200Queries; if left empty, all non-200 pages' URLs will be logged.
  • LogInlineJS: If this is set to true, Second Order will log the contents of every script tag that doesn't have a src attribute.

 

Output Directory Structure

All results are saved in JSON files that specify what and where data was found 

OUTPUT
      logged-queries.json         -> The results of `LogQueries`
      logged-non-200-queries.json -> The results of `LogNon200Queries`
      inline-scripts.json         -> The results of `LogInlineJS`

 

Usage Ideas

This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.

  • Check for second-order subdomain takeover. (Duh!)
  • Collect JS code by setting LogInlineJS to true, and adding "script": "src" to LogQueries.
  • Find a target's online assets by using LogURLRegex. (S3 buckets, anyone?)
  • Collect SWF files by adding "object": "src" to LogQueries.
  • Collect <input> names by adding "input": "name" to LogQueries.

 

References

https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/#secondorder

https://edoverflow.com/2017/broken-link-hijacking/

 

Source

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...