In a blog post from Bugcrowd titled “Discovering Subdomains”, Google dorking is the first strategy covered…
The site directive will filter results only to your target:
After we have the initial domain in there, we can use the -inurl: directive.
Each subdomain we find can then be filtered out with more -inurl: directives to make room for others:
site:paypal.com -inurl:www -inurl:shopping
This strategy for identifying subdomains is very convenient, but what about if the target is using their naked domain instead of www?
This is an issue I struggled with a bit. For example, Jet.com, for which any part of *.jet.com is in scope on Bugcrowd (unless explicitly mentioned as out of scope), uses a naked domain.
However, after some time, the solution became obvious.
inurl: looks at the entire URL, so we can filter out the naked domain by including everything starting from the protocol…
It worked perfectly!
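The iterative filtering described above, as an added example that is not from the original post: a small Python helper that builds the site:/-inurl: query, extracts the hostnames from a batch of result URLs (a constructed sample is embedded; nothing is sent to Google), and, when the bare domain shows up among the results, switches to an exclusion written from the protocol onward. The exact exclusion form `-inurl:https://domain/` is my assumption of what "everything starting from the protocol" looks like; the post elides it. Useful on the defensive side too, for checking which of your own hosts are indexed.

```python
from urllib.parse import urlsplit

# Constructed sample of result URLs, standing in for a page of search hits.
SAMPLE_RESULTS = [
    "https://www.example.com/login",
    "https://shop.example.com/deals",
    "https://api.example.com/v1/docs",
    "https://www.example.com/help",
    "https://example.org/",          # a target served from its naked domain
]


def build_dork(domain, known_subdomains=(), exclude_naked=False):
    """Compose a query restricted to `domain` with already-seen hosts removed.

    -inurl: matches anywhere in the URL, which is why `-inurl:www` removes the
    www host but does nothing for a bare domain; for that case the exclusion
    has to start at the protocol (assumed form, see lead-in).
    """
    parts = [f"site:{domain}"]
    parts.extend(f"-inurl:{sub}" for sub in known_subdomains)
    if exclude_naked:
        parts.append(f"-inurl:https://{domain}/")
        parts.append(f"-inurl:http://{domain}/")
    return " ".join(parts)


def extract_subdomains(urls, domain):
    """Return the subdomain labels seen in result URLs under `domain`.

    A hit on the bare domain is reported as the empty string so the caller
    can tell "naked domain present" apart from "no new subdomains".
    """
    found = set()
    suffix = "." + domain
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host == domain:
            found.add("")
        elif host.endswith(suffix):
            found.add(host[: -len(suffix)])
    return found


def next_query(domain, result_urls):
    """Given one round of results, produce the query for the next round."""
    found = extract_subdomains(result_urls, domain)
    subs = sorted(s for s in found if s)
    return build_dork(domain, subs, exclude_naked=("" in found))


if __name__ == "__main__":
    print(next_query("example.com", SAMPLE_RESULTS))
    print(next_query("example.org", SAMPLE_RESULTS))
```

Each round feeds the URLs you saw back through next_query, so hosts already found drop out of the next query and anything left is new.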
Hi, I'm Max!
I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.
During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.
If you'd like to get in touch with me the best way is on Twitter.