BOOK THIS SPACE FOR AD
ARTICLE ADTools
- https://subdomainfinder.c99.nl/
- burp suite
- burp Collaborator
- assetfinder : https://github.com/tomnomnom/assetfinder
- httpx : https://github.com/projectdiscovery/httpx
Explain :
First, we’ll get the scope from bugcrowd and save it to a file called scope.txt, then we’ll use it to find the subdomain at https://subdomainfinder.c99.nl/ and save it to subdomain.txt. We file scope.txt to find a subdomain with assetfinder after we’ve done this for all scopes.
> cat scope.txt | assetfinder -subs-only | tee -a subdomain.txt
So far, we’ve only been to the subdomain. After that, we’ll add all of the subdomains to the burp with httpx.
>httpx -l subdomain.txt -sc -cl -fr -mc 200,403 -proxy https://127.0.0.1:8080
We’ll get to the analysis request after we’ve put it in the release.
I came up a request similar to this while reading through the requests.
> GET http://subsub.sub.domain.com HTTP/1.1
I understand that such a request is unusual. I first assumed it was SSRF, so I used a burp Collaborator to construct the URL.
Then, first, bring it to replace the subdomain, then hit send request, then go to the Burp Collaborator Client page, push Poll now, and it will eventually appear.