In a blog post from Bugcrowd titled “Discovering Subdomains”, Google dorking is the first strategy covered…
The site: directive restricts results to your target domain:
Once the initial domain is in place, we can add the -inurl: directive.
Each subdomain we find can then be filtered out with a further -inurl: directive to make room for others:
site:paypal.com -inurl:www -inurl:shopping
This strategy for identifying subdomains is very convenient, but what if the target uses its naked (apex) domain instead of www?
This is an issue I struggled with a bit. For example, Jet.com, for which any part of *.jet.com is in scope on Bugcrowd (unless explicitly mentioned as out of scope), uses a naked domain.
However, after some time, the solution became obvious.
inurl: matches against the entire URL, so we can filter out the naked domain by including everything starting from the protocol…
It worked perfectly!
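The iterative exclusion described above, written out as an added example (my own code, not from the original post): it pulls the hostnames out of a batch of result URLs, turns each in-scope host into the matching -inurl: term, and emits the next site: query. Subdomains are excluded by their label as the post does with www and shopping; for the naked domain, the exact "-inurl:https://domain" form is my assumption based on the post's hint about including everything from the protocol onward, and the result URLs are constructed sample data.

```python
from urllib.parse import urlsplit


def hosts_from_urls(urls):
    """Unique lower-cased hostnames from a batch of result URLs, in first-seen order."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname  # None for scheme-less strings
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def exclusion_for(host, domain):
    """Return the -inurl: term that drops `host` from the next query, or None if
    the host is not under `domain` at all.

    Subdomains are excluded by the part in front of the apex (e.g. 'shopping').
    Note that inurl: is a substring match on the whole URL, so '-inurl:shopping'
    also hides paths such as paypal.com/shopping; that imprecision is inherent
    to the dork, not to this helper.

    The naked domain has no label to strip, so (assumption, following the post's
    hint) it is excluded from the protocol onward.
    """
    if host == domain:
        return f"-inurl:https://{domain}"  # assumed form for the naked domain
    if host.endswith("." + domain):
        label = host[: -len(domain) - 1]  # 'a.b' for a.b.example.com
        return f"-inurl:{label}"
    return None


def next_query(domain, result_urls, previous=()):
    """Build the follow-up site: query: keep earlier exclusions, add one term per
    newly seen in-scope host, never duplicate a term."""
    terms = list(previous)
    for host in hosts_from_urls(result_urls):
        term = exclusion_for(host, domain)
        if term and term not in terms:
            terms.append(term)
    return " ".join([f"site:{domain}", *terms])


if __name__ == "__main__":
    # Constructed sample results, not real search output.
    batch = ["https://www.paypal.com/signin", "https://shopping.paypal.com/deals"]
    print(next_query("paypal.com", batch))  # site:paypal.com -inurl:www -inurl:shopping
```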
Hi, I'm Max!
If you'd like to get in touch with me the best way is on Twitter.