Scans web applications for second-order subdomain takeover by crawling the app and collecting URLs (and other data) that match certain rules or respond in a certain way.
Download a prebuilt binary from the releases page and unzip it.
Go version 1.17 is recommended.
Example configuration files are in config.
LogQueries: A map of tag-attribute queries that will be searched for in crawled pages. For example, "a": "href" means log every href attribute of every
LogNon200Queries: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they contain a valid URL that doesn’t return a
LogInline: A list of tags whose inline content (between the opening and closing tags) will be logged, like
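The following sketch shows how the three options above behave when applied to a single page. It is an added example in Python, not Second Order's own code. The sample HTML, the `shop.example` and `static.old-cdn.example` hosts, the `fake_status` stand-in for an HTTP request, and the resolution of relative URLs against a base URL are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed config and page; the keys reuse the option names from the README.
CONFIG = {"LogQueries": {"a": "href"}, "LogNon200Queries": {"script": "src"},
          "LogInline": ["title"]}
PAGE = """<html><head><title>Shop</title>
<script src="https://static.old-cdn.example/app.js"></script>
<script src="/js/local.js"></script></head>
<body><a href="/cart">Cart</a><a href="mailto:x@example.com">Mail</a></body></html>"""

class QueryParser(HTMLParser):
    def __init__(self, config, base_url, get_status):
        super().__init__()
        self.cfg, self.base, self.get_status = config, base_url, get_status
        self.results = {"LogQueries": [], "LogNon200Queries": [], "LogInline": []}
        self._inline = None  # tag whose inline content is being collected

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.cfg["LogQueries"].get(tag)
        if attr and attrs.get(attr):
            self.results["LogQueries"].append(attrs[attr])
        attr = self.cfg["LogNon200Queries"].get(tag)
        if attr and attrs.get(attr):
            url = urljoin(self.base, attrs[attr])  # assumption: resolve relative URLs
            # Only valid http(s) URLs are requested; log those not answering 200.
            if urlparse(url).scheme in ("http", "https") and self.get_status(url) != 200:
                self.results["LogNon200Queries"].append(url)
        if tag in self.cfg["LogInline"]:
            self._inline = tag

    def handle_data(self, data):
        if self._inline and data.strip():
            self.results["LogInline"].append(data.strip())

    def handle_endtag(self, tag):
        if tag == self._inline:
            self._inline = None

def scan(page, config, base_url, get_status):
    parser = QueryParser(config, base_url, get_status)
    parser.feed(page)
    return parser.results

def fake_status(url):
    # Hypothetical stand-in for an HTTP GET so the example runs offline.
    return 200 if urlparse(url).netloc == "shop.example" else 404
```

A script source on a host that no longer answers with 200 is the kind of reference worth reviewing on your own application, since whoever controls that hostname controls the script served to your users.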
This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.
- Check for second-order subdomain takeover: takeover.json. (Duh!)
- Find where a target hosts static files: cdn.json. (S3 buckets, anyone?)
- <input> names to build a tailored parameter bruteforcing wordlist: parameters.json.
- Feel free to contribute more ideas!