Second Order – Subdomain Takeover Scanner



Scans web applications for second-order subdomain takeover by crawling the app and collecting URLs (and other data) that match certain rules or respond in a certain way.


From binary

Download a prebuilt binary from the releases page and unzip it.

From source

Go version 1.17 is recommended.

go install -v


docker pull mhmdiaa/second-order

Configuration File

Example configuration files are in config.

  • LogQueries: A map of tag-attribute queries that will be searched for in crawled pages. For example, "a": "href" means log every href attribute of every a tag.
  • LogNon200Queries: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they contain a valid URL that doesn’t return a 200 status code.
  • LogInline: A list of tags whose inline content (between the opening and closing tags) will be logged, like title and script.
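
The three rule types above, applied to one page, as an added Python example (not Second Order's own code). The sample page, its hostnames, the STATUS table that stands in for live HTTP requests, and the reading of "valid URL" as an absolute http(s) URL are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keys mirror the configuration options described above; the rules are constructed.
CONFIG = {"LogQueries": {"a": "href"},
          "LogNon200Queries": {"script": "src", "img": "src"},
          "LogInline": ["title"]}
# Constructed sample page using reserved example domains.
PAGE = """<html><head><title>Shop</title>
<script src="https://assets.example.net/app.js"></script></head>
<body><a href="/about">About</a><img src="https://cdn.example.org/logo.png">
<a href="https://partner.example.com/">Partner</a></body></html>"""
# Constructed stand-in for live HTTP status checks so the example runs offline.
STATUS = {"https://assets.example.net/app.js": 404,
          "https://cdn.example.org/logo.png": 200}

class RuleMatcher(HTMLParser):
    def __init__(self, config, fetch_status):
        super().__init__()
        self.config, self.fetch_status = config, fetch_status
        self.results = {key: [] for key in config}
        self._inline, self._buf = None, []  # tag being captured and its text

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(self.config["LogQueries"].get(tag))
        if value:  # LogQueries: log the attribute unconditionally
            self.results["LogQueries"].append(value)
        url = attrs.get(self.config["LogNon200Queries"].get(tag))
        parts = urlparse(url or "")
        # Assumption: "valid URL" means an absolute http(s) URL with a host.
        if parts.scheme in ("http", "https") and parts.netloc and self.fetch_status(url) != 200:
            self.results["LogNon200Queries"].append(url)
        if tag in self.config["LogInline"]:
            self._inline, self._buf = tag, []

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._inline:
            self.results["LogInline"].append("".join(self._buf).strip())
            self._inline = None

def scan(page, config=CONFIG, fetch_status=STATUS.get):
    matcher = RuleMatcher(config, fetch_status)
    matcher.feed(page)
    matcher.close()
    return matcher.results
```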

Usage Ideas

This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.

  • Check for second-order subdomain takeover: takeover.json. (Duh!)
  • Collect inline and imported JS code: javascript.json.
  • Find where a target hosts static files: cdn.json. (S3 buckets, anyone?)
  • Collect <input> names to build a tailored parameter bruteforcing wordlist: parameters.json.
  • Feel free to contribute more ideas!

