
Overview
Scans web applications for second-order subdomain takeover by crawling the app and collecting URLs (and other data) that match certain rules or respond in a certain way.
Installation
From binary
Download a prebuilt binary from the releases page and unzip it.
From source
Go version 1.17 is recommended.
go install -v github.com/mhmdiaa/second-order@latest
Docker
docker pull mhmdiaa/second-order
Configuration File
Example configuration files are in config.
- LogQueries: A map of tag-attribute queries that will be searched for in crawled pages. For example, "a": "href" means log every href attribute of every a tag.
- LogNon200Queries: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they contain a valid URL that doesn't return a 200 status code.
- LogInline: A list of tags whose inline content (between the opening and closing tags) will be logged, like title and script.
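A sketch of how the three rule types select data from one crawled page, added here as an illustration and not taken from Second Order's source. The RuleCollector class, apply_rules function, sample page, hostnames and the injected fetch_status callable are assumptions, as is resolving relative URLs against the page URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed config using the three keys described above (not the project's files).
CONFIG = {
    "LogQueries": {"a": "href"},
    "LogNon200Queries": {"script": "src", "link": "href"},
    "LogInline": ["title"],
}

class RuleCollector(HTMLParser):  # hypothetical helper, not part of Second Order
    def __init__(self, config, page_url, fetch_status):
        super().__init__()
        self.cfg, self.page_url, self.fetch_status = config, page_url, fetch_status
        self.results = {"LogQueries": [], "LogNon200Queries": [], "LogInline": []}
        self._inline = None  # tag whose inline content is currently being captured

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.cfg["LogQueries"].get(tag)
        if attr and attrs.get(attr):  # log every matching attribute value
            self.results["LogQueries"].append(attrs[attr])
        attr = self.cfg["LogNon200Queries"].get(tag)
        if attr and attrs.get(attr):  # log only valid URLs that do not answer 200
            url = urljoin(self.page_url, attrs[attr])  # assumption: resolve relative URLs
            parts = urlparse(url)
            if parts.scheme in ("http", "https") and parts.netloc and self.fetch_status(url) != 200:
                self.results["LogNon200Queries"].append(url)
        if tag in self.cfg["LogInline"]:
            self._inline = tag

    def handle_data(self, data):
        if self._inline and data.strip():
            self.results["LogInline"].append((self._inline, data.strip()))

    def handle_endtag(self, tag):
        if tag == self._inline:
            self._inline = None

def apply_rules(html, page_url, config, fetch_status):
    collector = RuleCollector(config, page_url, fetch_status)
    collector.feed(html)
    return collector.results

# Constructed page and status table; a real run would issue HTTP requests instead.
SAMPLE = ('<html><head><title>Shop</title><script src="https://assets.example.net/app.js">'
          '</script><link href="/static/site.css"></head><body><a href="/about">About</a>'
          '<script src="javascript:void(0)"></script></body></html>')
STATUSES = {"https://shop.example.com/static/site.css": 200}  # app.js host: no response
```

Calling `apply_rules(SAMPLE, "https://shop.example.com/", CONFIG, STATUSES.get)` flags only the script source whose host gives no response, which is the kind of reference to review for a dangling or unclaimed external host.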
Usage Ideas
This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.
- Check for second-order subdomain takeover: takeover.json. (Duh!)
- Collect inline and imported JS code: javascript.json.
- Find where a target hosts static files: cdn.json. (S3 buckets, anyone?)
- Collect <input> names to build a tailored parameter bruteforcing wordlist: parameters.json.
- Feel free to contribute more ideas!
References
https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/#secondorder
https://edoverflow.com/2017/broken-link-hijacking/