Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mhmdiaa/second-order

Second-order subdomain takeover scanner
https://github.com/mhmdiaa/second-order

crawler crawling infosec mapping penetration-testing penetration-testing-tools pentesting recon reconnaissance security security-tools web-application-security wordlist wordlist-generator

Last synced: 13 days ago
JSON representation

Second-order subdomain takeover scanner

Awesome Lists containing this project

README

        

# Second Order

Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match certain rules, or respond in a certain way.

## Installation
### From binary
Download a prebuilt binary from the [releases page](https://github.com/mhmdiaa/second-order/releases/latest) and unzip it.

### From source
Go version 1.17 is recommended.
```
go install -v github.com/mhmdiaa/second-order@latest
```

### Docker
```
docker pull mhmdiaa/second-order
```

## Command line options
```
-target string
Target URL
-config string
Configuration file (default "config.json")
-depth int
Depth to crawl (default 1)
-header value
Header name and value separated by a colon 'Name: Value' (can be used more than once)
-insecure
Accept untrusted SSL/TLS certificates
-output string
Directory to save results in (default "output")
-threads int
Number of threads (default 10)
```

## Configuration File
**Example configuration files are in [config](/config/)**
- `LogQueries`: A map of tag-attribute queries that will be searched for in crawled pages. For example, `"a": "href"` means log every `href` attribute of every `a` tag.
- `LogNon200Queries`: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they contain a valid URL that doesn't return a `200` status code.
- `LogInline`: A list of tags whose inline content (between the opening and closing tags) will be logged, like `title` and `script`

## Output
All results are saved in JSON files that specify what and where data was found

- The results of `LogQueries` are saved in `attributes.json`
```
{
"https://example.com/": {
"input[name]": [
"user",
"id",
"debug"
]
}
}
```
- The results of `LogNon200Queries` are saved in `non-200-url-attributes.json`
```
{
"https://example.com/": {
"script[src]": [
"https://cdn.old_abandoned_domain.com/app.js",
]
}
}
```
- The results of `LogInline` are saved in `inline.json`
```
{
"https://example.com/": {
"title": [
"Example - Home"
]
},
"https://example.com/login": {
"title": [
"Example - login"
]
}
}
```

## Usage Ideas
This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.
- Check for second-order subdomain takeover: [takeover.json](config/takeover.json). (Duh!)
- Collect inline and imported JS code: [javascript.json](config/javascript.json).
- Find where a target hosts static files [cdn.json](config/cdn.json). (S3 buckets, anyone?)
- Collect `` names to build a tailored parameter bruteforcing wordlist: [parameters.json](config/parameters.json).
- Feel free to contribute more ideas!

## References
https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/#secondorder

https://edoverflow.com/2017/broken-link-hijacking/