Google Subdomain Discovery For Sites Using Naked Domain

Published: August 30, 2017

In a blog post from Bugcrowd titled “Discovering Subdomains”, Google dorking is the first strategy covered…

The site directive will filter results only to your target:

site:paypal.com

Once the target domain is in place, the -inurl directive excludes a host we already know about, usually www first:

site:paypal.com -inurl:www

Each subdomain we find can then be filtered out with a further -inurl directive to make room for others. Keep in mind that inurl: matches anywhere in the URL, so -inurl:shopping also drops pages on other hosts whose path contains "shopping":

site:paypal.com -inurl:www -inurl:shopping

This strategy for identifying subdomains is very convenient, but what if the target uses its naked domain instead of www?

This is an issue I struggled with a bit. For example, Jet.com, for which any part of *.jet.com is in scope on Bugcrowd (unless explicitly mentioned as out of scope), uses a naked domain. Excluding jet.com itself with -inurl: is no use, because that string appears in every in-scope URL, subdomains included.

[Screenshot: Googling for Jet.com, with the naked domain included in the results]

However, after some time, the solution became obvious.

inurl: matches against the entire URL, scheme included, so we can filter out the naked domain by excluding a string that starts at the protocol rather than the bare host name. A subdomain's URL never contains the scheme immediately followed by the naked host, so those results survive the exclusion…

[Screenshot: Googling for Jet.com with the naked domain filtered out]

It worked perfectly!
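The following is an added example, not code from the original post, that models the two ideas above in a small offline simulation: the iterative site:/-inurl: exclusion walk, and why the naked domain has to be excluded with the scheme in front. It treats inurl: as a case-insensitive substring match over the whole URL and site: as a host-suffix check, which is a simplification of what Google actually does; the list of "indexed" URLs is constructed for the example, and the exact form of the naked-domain exclusion (the post elides it) is an assumption.

```python
"""Offline model of Google's site:/-inurl: dorks for subdomain discovery.

Simplifications (assumptions, not Google's documented behaviour):
  * site:X keeps a URL when its host is X or ends with ".X"
  * -inurl:S drops a URL when S appears anywhere in it, case-insensitively
"""
from urllib.parse import urlparse

# Constructed sample of "indexed" URLs; not real search results.
SAMPLE_URLS = [
    "https://jet.com/",
    "https://jet.com/shopping/deals",
    "http://jet.com/about",
    "https://www.jet.com/",
    "https://help.jet.com/articles",
    "https://api.jet.com/v1/docs",
    "https://static.jet.com/www/assets.js",   # "www" only in the path
    "https://jet.com.evil.example/",          # not in scope for site:jet.com
    "https://example.com/jet.com",            # not in scope either
]


def parse_dork(query):
    """Split 'site:jet.com -inurl:www ...' into (site, [exclusion strings])."""
    site, excludes = None, []
    for token in query.split():
        if token.startswith("site:"):
            site = token[len("site:"):].lower()
        elif token.startswith("-inurl:"):
            excludes.append(token[len("-inurl:"):].lower())
        else:
            raise ValueError(f"unsupported token: {token}")
    if site is None:
        raise ValueError("query needs a site: directive")
    return site, excludes


def in_scope(url, site):
    """site: check: the host must be the domain itself or a subdomain of it."""
    host = urlparse(url).hostname or ""
    return host == site or host.endswith("." + site)


def matches(url, site, excludes):
    """True when the URL survives both the site: filter and every -inurl: exclusion."""
    if not in_scope(url, site):
        return False
    lowered = url.lower()
    return not any(ex in lowered for ex in excludes)


def hosts_for(query, urls):
    """Sorted list of distinct hosts a dork would surface from the URL set."""
    site, excludes = parse_dork(query)
    return sorted({urlparse(u).hostname for u in urls if matches(u, site, excludes)})


def exclude_host(query, host):
    """Extend the dork so `host` stops appearing in results.

    Subdomains are excluded by their leading label, as in the post (-inurl:www).
    The naked domain is excluded with the scheme in front (assumed form), so
    that subdomain URLs, which never start with scheme + naked host, survive.
    """
    site, _ = parse_dork(query)
    if host == site:
        extra = [f"-inurl:{scheme}://{site}/" for scheme in ("http", "https")]
    else:
        label = host[: -len("." + site)].split(".")[0]
        extra = [f"-inurl:{label}"]
    return " ".join([query, *extra])


def walk(site, urls):
    """Iterative discovery: query, take one new host, exclude it, repeat.

    Returns (hosts in discovery order, final query).
    """
    query, found = f"site:{site}", []
    while True:
        new = [h for h in hosts_for(query, urls) if h not in found]
        if not new:
            return found, query
        found.append(new[0])
        query = exclude_host(query, new[0])


if __name__ == "__main__":
    for q in (
        "site:jet.com",
        "site:jet.com -inurl:www",                      # naked domain still present
        "site:jet.com -inurl:www -inurl:jet.com",       # kills every result
        "site:jet.com -inurl:www -inurl:https://jet.com/ -inurl:http://jet.com/",
    ):
        print(f"{q!r:75} -> {hosts_for(q, SAMPLE_URLS)}")
    hosts, final = walk("jet.com", SAMPLE_URLS)
    print("discovered:", hosts)
    print("final dork:", final)
```

Running the script shows the broad side effect of -inurl: as well: excluding www also drops static.jet.com, because "www" occurs in that URL's path, which is why hosts found this way are worth confirming with DNS or certificate-transparency data rather than trusted outright.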

Happy hacking :smiley:

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but loves dabbling in other languages like Go and Ruby. Technical topics that interest me are monitoring, security and performance. I'm also a stickler for good documentation and clear technical writing.

During the day I lead a team of developers and solve challenging technical problems at Rightpoint where I mainly work with the Magento platform. I've also spoken at a number of events.

In my spare time I blog about tech, work on open source and participate in bug bounty programs.

If you'd like to get in contact, you can find me on Twitter and LinkedIn.