Patrik Hudak

20 posts

Subdomain Takeover: Going for High Impact

When I and other people in web application security started posting about subdomain takeover, it became increasingly hard to find new cases in public bug bounty programs. There was

Subdomain Enumeration: Filter Wildcard Domains

When doing subdomain enumeration, you are likely to encounter a domain that is a wildcard. Such domains respond to DNS queries with a record or records that are not explicitly defined in the DNS

Subdomain Enumeration: Doing it a Bit Smarter

My last post about subdomain enumeration received great feedback. In the meantime, I thought of some other improvements I could make to increase the chances of finding new assets. This post presents a

Subdomain Enumeration: 2019 Workflow

You are probably shaking your head that this is another post about subdomain enumeration. I have written about it in the past, and so have many other security folks. But things have changed,

Subdomain Takeover: Second Order Bugs

Subdomain takeover verification can be extended with verification of second-order bugs. This extends the potential attack surface reachable through a subdomain takeover.

Subdomain Takeover: Identifying Providers

Recently, I came across an interesting list of domain suffixes used by cloud providers that are vulnerable to subdomain takeover. Although the list is pretty accurate, it is still a raw list

Subdomain Takeover: Going beyond CNAME

After writing the last post, I started thinking that I had pretty much covered all aspects of subdomain takeover. Recently, I realized that there are no in-depth posts about subdomain takeover via records other than CNAME.

Subdomain Takeover: Finding Candidates

Subdomain takeover monitoring is a continuous process. People are often surprised by it. Domains are often working perfectly, but once the administrator removes ...

Subdomain Takeover: Yet another Starbucks case

Recently, I was once again awarded a $2,000 bounty for a subdomain takeover on Starbucks. In this post, I explain the step-by-step process for the proof-of-concept.

OSINT Primer: Organizations (Part 3)

In the previous posts, I covered a lot of things around OSINT. There are, however, still some techniques and ideas that were left untold. I kept them for this post because I feel

OSINT Primer: People (Part 2)

In this post, continuing with OSINT related topics, we will look at researching people. Similarly to domains, there are some specific goals during our "person analysis": The person is our new

Finding Phishing: Tools and Techniques

Phishing is still one of the most prominent ways cyber adversaries monetize their actions. Generally, phishing tries to accomplish two primary goals: Gain initial access to a network — the adversary sends spear phishing

OSINT Primer: Domains (Part 1)

The post doesn't explain the enumeration part for finding related domains, but rather finding domain-specific data such as owner, reputation, or DNS settings.

Subdomain Takeover: Basics

Although I have written multiple posts about subdomain takeover, I realized that there aren't many posts covering the basics of subdomain takeover and the whole "problem statement." This post aims to explain

Subdomain Takeover: Starbucks points to Azure

This post is the write-up of a bug bounty report that I submitted to Starbucks back in March 2018. The report is now disclosed, and I was awarded a $2,000 bounty. Although I have

Subdomain Takeover: Proof Creation for Bug Bounties

Bug bounty reports often require proof-of-concept. This post demonstrates how to create a subdomain takeover PoC for various cloud providers.

Subdomain Takeover: Thoughts on Risks

Risks of subdomain takeover range from phishing to privilege escalation. Although the subdomain takeover concept is generally well understood, its risks aren't. This post tries to fix that.

Censys.io Guide: Discover SCADA and Phishing Sites

Censys is an Internet-wide search engine that can answer complex questions asked by security researchers about the current global state of the Internet.

Asset Discovery: Doing Reconnaissance the Hard Way

Organizations often have no clue about what they are exposing to the Internet. The post presents a simple framework for doing black box reconnaissance that will reveal the company's public-facing services.

Project Sonar: An Underrated Source of Internet-wide Data

Rapid7 runs an Internet-wide research project called Project Sonar. The post explains the ideas behind this project along with practical use cases for security researchers.