Subdomain Takeover: Going for High Impact When I and others in web application security started posting about subdomain takeover, it became increasingly hard to find new cases in public bug bounty programs. There was
Subdomain Enumeration: Filter Wildcard Domains When doing subdomain enumeration, you are likely to encounter a domain that is a wildcard. Such domains respond to DNS queries with a record or records that are not explicitly defined in the DNS
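The usual way to detect a wildcard is to resolve a few random labels under the domain: if names that nobody ever defined still get an answer, the domain is a wildcard, and enumerated subdomains whose only answer is that wildcard answer are noise. The following is an added example written for this page, not code from the original posts; it takes any resolver callable (a real one would be built on a DNS library such as dnspython) and is exercised here against a constructed, purely fictional zone for "example.com" so it runs offline. The zone contents, the name `fake_resolve` and the helper names are assumptions.

```python
import random
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a fully-qualified name to its A-record addresses,
# or returns None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[List[str]]]


def random_label(length: int = 12) -> str:
    """Random lowercase label that is almost certainly not an explicit DNS record."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def wildcard_answers(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Addresses that a wildcard under `domain` answers with; empty set if no wildcard.
    Several random labels are probed so one coincidental hit is not taken as a wildcard."""
    answers: Set[str] = set()
    for _ in range(probes):
        result = resolve(f"{random_label()}.{domain}")
        if result is None:
            return set()          # any NXDOMAIN means this level is not a wildcard
        answers.update(result)
    return answers


def ancestors(name: str, apex: str) -> List[str]:
    """Parents of `name` down to and including `apex`:
    a.b.example.com -> [b.example.com, example.com]. A wildcard can sit at any of them."""
    labels = name.split(".")
    apex_len = len(apex.split("."))
    return [".".join(labels[i:]) for i in range(1, len(labels) - apex_len + 1)]


def filter_wildcards(candidates: List[str], apex: str, resolve: Resolver, probes: int = 3) -> List[str]:
    """Keep candidates that resolve to something a wildcard would not have answered with."""
    cache: Dict[str, Set[str]] = {}
    kept: List[str] = []
    for name in candidates:
        answers = resolve(name)
        if answers is None:
            continue              # does not resolve at all; nothing to keep
        wildcard: Set[str] = set()
        for parent in ancestors(name, apex):
            if parent not in cache:
                cache[parent] = wildcard_answers(parent, resolve, probes)
            wildcard |= cache[parent]
        # No wildcard above this name, or at least one answer the wildcard does not give.
        if not wildcard or set(answers) - wildcard:
            kept.append(name)
    return kept


# Constructed zone for offline demonstration only (not real DNS data).
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "cdn.dev.example.com": ["203.0.113.50"],
    "portal.example.com": ["203.0.113.99"],   # explicit record sharing the wildcard address
    "*.example.com": ["203.0.113.99"],        # wildcard at the apex
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Simplified wildcard matching: exact record first, then the nearest '*' ancestor.
    (Real DNS wildcard semantics per RFC 4592 are slightly stricter; this is a stand-in.)"""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard_name = "*." + ".".join(labels[i:])
        if wildcard_name in FAKE_ZONE:
            return FAKE_ZONE[wildcard_name]
    return None


def demo() -> List[str]:
    """Filter a constructed enumeration result against the fictional zone."""
    candidates = [
        "www.example.com",
        "mail.example.com",
        "staging.example.com",     # only answered by the wildcard: dropped
        "cdn.dev.example.com",
        "portal.example.com",      # real record, but indistinguishable from the wildcard
    ]
    return filter_wildcards(candidates, "example.com", fake_resolve)


if __name__ == "__main__":
    print(demo())
```

The known limitation is visible in the output: `portal.example.com` is a genuine record, but because its address equals the wildcard answer it is dropped along with the noise. Comparing more than A records (CNAME targets, HTTP response fingerprints) narrows that gap but cannot close it entirely.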
Subdomain Enumeration: Doing it a Bit Smarter My last post about subdomain enumeration received great feedback. In the meantime, I thought of some other improvements I could make to increase the chances of finding new assets. This post presents a
Subdomain Enumeration: 2019 Workflow You are probably shaking your head that this is another post about subdomain enumeration. I have written about it in the past, and so have many other security folks. But things have changed,
Subdomain Takeover: Second Order Bugs Subdomain takeover verification can be extended with verification of second-order bugs. This extends the potential attack surface reachable through subdomain takeover.
Subdomain Takeover: Identifying Providers Recently, I came across an interesting list of domain suffixes used by cloud providers that are vulnerable to subdomain takeover. Although the list is fairly accurate, it is still a raw list
Subdomain Takeover: Going beyond CNAME After writing the last post, I started thinking that I had pretty much covered all aspects of subdomain takeover. Recently, I realized that there are no in-depth posts about subdomain takeover via records other than CNAME.
Subdomain Takeover: Finding Candidates Subdomain takeover monitoring is a continuous process, which often surprises people. Domains often work perfectly, but once the administrator removes ...
Subdomain Takeover: Yet another Starbucks case Recently, I was once again awarded a $2,000 bounty for a subdomain takeover on Starbucks. In this post, I explain the step-by-step process for the proof-of-concept.
OSINT Primer: Organizations (Part 3) In the previous posts, I covered a lot of ground around OSINT. There are, however, still some techniques and ideas that were left untold. I kept them for this post because I feel
OSINT Primer: People (Part 2) In this post, continuing with OSINT-related topics, we will look at researching people. As with domains, there are some specific goals during our "person analysis": The person is our new
Finding Phishing: Tools and Techniques Phishing is still one of the most prominent ways cyber adversaries monetize their actions. Generally, phishing tries to accomplish two primary goals: Gain initial access to a network — the adversary sends spear phishing
OSINT Primer: Domains (Part 1) The post doesn't cover the enumeration of related domains, but rather finding domain-specific data such as owner, reputation, or DNS settings.
Subdomain Takeover: Basics Although I have written multiple posts about subdomain takeover, I realized that there aren't many posts covering the basics of subdomain takeover and the whole "problem statement." This post aims to explain
Subdomain Takeover: Starbucks points to Azure This post is the write-up of a bug bounty report I submitted to Starbucks back in March 2018. The report is now disclosed, and I was awarded a $2,000 bounty. Although I have
Subdomain Takeover: Proof Creation for Bug Bounties Bug bounty reports often require proof-of-concept. This post demonstrates how to create a subdomain takeover PoC for various cloud providers.
Subdomain Takeover: Thoughts on Risks Risks of subdomain takeover range from phishing to privilege escalation. Although the subdomain takeover concept is generally well understood, its risks aren't. This post tries to fix that.
Censys.io Guide: Discover SCADA and Phishing Sites Censys is an Internet-wide search engine that can answer complex questions from security researchers about the current global state of the Internet.
Asset Discovery: Doing Reconnaissance the Hard Way Organizations often have no clue what they are exposing to the Internet. The post presents a simple framework for black-box reconnaissance that reveals a company's public-facing services.
Project Sonar: An Underrated Source of Internet-wide Data Rapid7 runs an Internet-wide research project called Project Sonar. The post explains the ideas behind the project along with practical use cases for security researchers.