Chapter 4. Finding Subdomains
To scope out and test API endpoints, you should first be familiar with the domain structure a web application uses. Today it is rare for a single domain to serve a web application in its entirety. More often than not, web applications are split into client and server domains at a minimum, plus the familiar distinction between the https://www. host and the bare apex domain. Being able to iteratively find and record the subdomains powering a web application is a useful first reconnaissance technique against that application.
Multiple Applications per Domain
Let’s assume we are trying to map MegaBank’s web applications in order to better perform a black-box penetration test sponsored by that bank. We know that MegaBank has an app that users can log in to and access their bank accounts. This app is located at https://www.mega-bank.com.
We are particularly curious whether MegaBank has any other internet-accessible servers linked to the mega-bank.com domain name. We know MegaBank has a bug bounty program, and the scope of that program covers the main mega-bank.com domain quite comprehensively. As a result, any easy-to-find vulnerabilities in mega-bank.com have already been fixed or reported. If new ones pop up, we will be working against the clock to find them before the bug bounty hunters do.
Because of this, we would like to look for some easier targets that still allow us to hit MegaBank where it hurts. This is a purely ethical corporate-sponsored test, but that doesn’t mean we can’t ...