Google Subdomain Discovery For Sites Using Naked Domain
Published: August 30, 2017
In a blog post from Bugcrowd titled “Discovering Subdomains”, Google dorking is the first strategy covered…
The site directive will filter results only to your target:
After we have the initial domain in there we can use the -inurl directive.
Each subdomain we find can then be filtered out with more -inurl directives to make place for others:
site:paypal.com -inurl:www -inurl:shopping
This strategy for identifying subdomains is very convenient, but what about if the target is using their naked domain instead of www?
This is an issue I struggled with a bit. For example, Jet.com for which any part of *.jet.com is in scope on Bugcrowd (unless explicity mentioned as out of scope) uses a naked domain.
However, after some time, the solution became obvious.
inurl: looks at the entire url, so we can filter out the naked domain by including everything starting from the protocol…
It worked perfectly!