Information Gathering

Bug Bounty Dorks to find a program

inurl /bug bounty
inurl : / security
inurl:security.txt
inurl:security "reward"
inurl : /responsible disclosure
inurl : /responsible-disclosure/ reward
inurl : / responsible-disclosure/ swag
inurl : / responsible-disclosure/ bounty
inurl:'/responsible disclosure' hoodie
responsible disclosure swag r=h:com
responsible disclosure hall of fame
responsible disclosure europe
responsible disclosure white hat
white hat program
insite:"responsible disclosure" -inurl:nl
intext responsible disclosure
site eu responsible disclosure
site .nl responsible disclosure
site responsible disclosure
responsible disclosure:sites
responsible disclosure r=h:nl
responsible disclosure r=h:uk
responsible disclosure r=h:eu
responsible disclosure bounty r=h:nl
responsible disclosure bounty r=h:uk
responsible disclosure bounty r=h:eu
responsible disclosure swag r=h:nl
responsible disclosure swag r=h:uk
responsible disclosure swag r=h:eu
responsible disclosure reward r=h:nl
responsible disclosure reward r=h:uk
responsible disclosure reward r=h:eu
"powered by bugcrowd" -site:bugcrowd.com
"powered by hackerone" "submit vulnerability report"
"submit vulnerability report"
site:responsibledisclosure.com
inurl:'vulnerability-disclosure-policy' reward
intext:Vulnerability Disclosure site:nl
intext:Vulnerability Disclosure site:eu
site:..nl intext:security report reward
site:..nl intext:responsible disclosure reward
"security vulnerability" "report"
inurl"security report"
"responsible disclosure" university
inurl:/responsible-disclosure/ university
buy bitcoins "bug bounty"
inurl:/security ext:txt "contact"
"powered by synack"
intext:responsible disclosure bounty
inurl: private bugbountyprogram
inurl:/.well-known/security ext:txt
inurl:/.well-known/security ext:txt intext:hackerone
inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty
inurl:reporting-security-issues
inurl:security-policy.txt ext:txt
site:..* inurl:bug inurl:bounty
site:help.. inurl:bounty
site:support.. intext:security report reward
intext:security report monetary inurl:security
intext:security report reward inurl:report
site:security.. inurl: bounty
site:..de inurl:bug inurl:bounty
site:..uk intext:security report reward
site:..cn intext:security report reward
"vulnerability reporting policy"
"van de melding met een minimum van een" -site:responsibledisclosure.nl
inurl : /bitcon bug bounty
inurl : btc security rewards

Resourceful Blogs

Vulnerabilites DB

Exploits DB

IP Lookup

Tools

Hacking labs

Encrpyt/Decrypt

Hash Crackers

Network Online tools

SUBDOMAIN - CAN-I-TAKE-ALL-OVER-XYZ

Disclaimer :warning:

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion. On top of that, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat index.html
<!-- PoC by Hacker -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/shifa123/ALLsubdomaintakeovers/issues/new?template=new-entry.md

All entries

EngineStatusOld FingerprintNew FingerprintDocumentation
AcquiaNot vulnerableWeb Site Not FoundIf you are an Acquia Cloud customer and expect to see your site at this address ``Issue #103
AftershipVulnerableOops.</h2><p class="text-muted text-tight">The page you're looking for doesn't exist.
Agile CRMVulnerableSorry, this page is no longer available.Sorry, this page is no longer available
AhaVulnerableThere is no portal here ... sending you back to Aha!
Airee.ruVulnerableОшибка 402. Сервис Айри.рф не оплачен
AnimaVulnerableIf this is your website and you've just created it, try refreshing in a minuteIf this is your website and you've just created it, try refreshing in a minute
AkamaiNot vulnerableNot Vulnerable
AWS/S3VulnerableThe specified bucket does not existThe specified bucket does not exist
BigcartelVulnerable<h1>Oops! We couldn&#8217;t find that page.</h1>
BitbucketVulnerableRepository not foundThe page you have requested does not exist
BrightcoveVulnerable<p class="bc-gallery-error-code">Error Code: 404</p>
Campaign MonitorVulnerableTrying to access your account?<strong>Trying to access your account?</strong>
CannyVulnerableTrying to access your account?Company Not Found
CargoVulnerableIf you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel.
Cargo CollectiveVulnerable404 Not Found<div class="notfound">
CloudfrontNot vulnerableViewerCertificateException
DeskVulnerablePlease try again or try Desk.com free for 14 days.this help center no longer exists
Digital OceanVulnerableDomain uses DO name serves with no records in DO.
DiscourseVulnerable
FastlyEdge caseFastly error: unknown domain:Fastly error: unknown domain:
FeedpressNot vulnerableThe feed has not been found.The feed has not been found.
FirebaseNot Vulnerable
Fly.ioVulnerable404 Not Found
FreshdeskNot vulnerable
FrontifyVulnerable404 - Page Not FoundOops… looks like you got lost
GemfuryVulnerable404: This page could not be found.404: This page could not be found.
GhostvulnerableThe thing you were looking for is no longer here, or never wasThe thing you were looking for is no longer here
GithubvulnerableThere isn't a Github Pages site here.There isn't a GitHub Pages site here.
GitlabNot Vulnerable
Google Cloud StorageVulnerableNoSuchBucket The specified bucket does not exist.
GetresponsevulnerableWith GetResponse Landing Pages, lead generation has never been easierWith GetResponse Landing Pages, lead generation has never been easier
HatenaBlogVulnerable404 Blog is not found404 Blog is not found
Help JuicevulnerableWe could not find what you're looking for.We could not find what you're looking for.
Help ScoutVulnerableNo settings were found for this company:No settings were found for this company:
HerokuEdge caseNo such appThere's nothing here, yet.
HelpraceVulnerableAlias not configured!
HubspotvulnerableDomain not found
InstapageNon Vulnerable
IntercomvulnerableUh oh. That page doesn't exist.This page is reserved for artistic dogs.
JetBrainsVulnerableis not a registered InCloud YouTrackis not a registered InCloud YouTrack.
JazzhrVulnerableThis account no longer active
Key CDNNot vulnerable
KinstaVulnerableNo Site For DomainNo Site For Domain
LaunchRockvulnerableIt looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
LandingivulnerableIt looks like you're lost
MasheryEdge CaseUnrecognized domainUnrecognized domain <strong>
Microsoft Azurevulnerable
NetlifyEdge CaseNot Found
NgrokvulnerableTunnel *.ngrok.io not foundngrok.io not found
PantheonVulnerable404 error unknown site!The gods are wise, but do not know of the site which you seek.
PingdomvulnerableThis public report page has not been activated by the userPublic Report Not Activated
ProposifyVulnerableIf you need immediate assistance, please contact <a href="mailto:support@proposify.biz
Readme.ioVulnerableProject doesnt exist... yet!Project doesnt exist... yet!
Readthedocsvulnerableunknown to Read the Docs
SendgridNot vulnerable
ShopifyVulnerableSorry, this shop is currently unavailable.Only one step left!
SmartJobBoardvulnerableThis job board website is either expired or its domain name is invalid.Job Board Is Unavailable
SquarespaceNot Vulnerable
StatuspageNot vulnerable
StrikinglyVulnerablepage not foundBut if you're looking to build your own website
Surge.shvulnerableproject not foundproject not found
SimplebookletvulnerableWe can't find this <a href="https://simplebooklet.com
SmartlingVulnerableDomain is not configured
Smugmugvulnerable{"text":"Page Not Found"
Surveygizmovulnerabledata-html-name
TaveVulnerable<h1>Error 404: Page Not Found</h1>
TeamworkvulnerableOops - We didn't find your site.
TictailvulnerableBuilding a brand of your own?
TumblrEdge CaseWhatever you were looking for doesn't currently exist at this addressThere's nothing here.
TildaEdge CasePlease renew your subscription<title>Please renew your subscription</title>
UberflipVulnerableNon-hub domain, The URL you've accessed does not provide a hub.Non-hub domain, The URL you've accessed does not provide a hub.
UnbounceEdge CaseThe requested URL was not found on this server.The requested URL was not found on this server.
UptimerobotVulnerablepage not foundpage not found
UserVoicevulnerableThis UserVoice subdomain is currently available!This UserVoice subdomain is currently available!
VercelVulnerableThe deployment could not be found on Vercel.
VendvulnerableLooks like you've traveled too far into cyberspace.
WebflowEdge CaseThe page you are looking for doesn't exist or has been moved.<p class="description">The page you are looking for doesn't exist or has been moved.</p>
WishpondVulnerablehttps://www.wishpond.com/404?campaign=true
WufoovulnerableProfile not found
WordpressvulnerableDo you want to register *.wordpress.com?Do you want to register
WorksitesVulnerableHello! Sorry, but the website you&rsquo;re looking for doesn&rsquo;t exist.`Company Not Foundyou’re looking for doesn’t exist`
WP EngineNot vulnerable
ZendeskNot vulnerableHelp Center Closed

Checklist

Others

site:WEBSITE ext:php inurl:?
Disclosed XSS and Open Redirects

site:WEBSITE inurl:reports intext:"WEBSITE"
Juicy Extensions

site:"WEBSITE" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess
Code Leaks

site:pastebin.com "ccsuniversity.ac.in"
site:jsfiddle.net "ccsuniversity.ac.in"
site:codebeautify.org "ccsuniversity.ac.in"
site:codepen.io "ccsuniversity.ac.in"
Cloud Storage

site:s3.amazonaws.com "ccsuniversity.ac.in"
site:blob.core.windows.net "ccsuniversity.ac.in"
site:googleapis.com "ccsuniversity.ac.in"
site:drive.google.com "ccsuniversity.ac.in"
site:dev.azure.com "ccsuniversity.ac.in"
site:onedrive.live.com "ccsuniversity.ac.in"
site:digitaloceanspaces.com "ccsuniversity.ac.in"
site:sharepoint.com "ccsuniversity.ac.in"
site:https://lnkd.in/e8YtGqdX "ccsuniversity.ac.in"
site:https://lnkd.in/evKFV7KK "ccsuniversity.ac.in"
site:dropbox.com/s "ccsuniversity.ac.in"
site:box.com/s "ccsuniversity.ac.in"
site:docs.google.com inurl:"/d/" "ccsuniversity.ac.in"
XSS prone parameters

inurl:q= | inurl:s= | inurl:search= | inurl:query= inurl:& site:WEBSITE
Open Redirect prone parameters

inurl:url= | inurl:return= | inurl:next= | inurl:redir= inurl:http site:WEBSITE
SQLi Prone Parameters

inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:dir= inurl:& site:WEBSITE
SSRF Prone Parameters

inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:WEBSITE
LFI Prone Parameters

inurl:include | inurl:dir | inurl:detail= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= inurl:& site:WEBSITE
RCE Prone Parameters

inurl:cmd | inurl:exec= | inurl:query= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= inurl:& site:WEBSITE High % inurl keywords

inurl:config | inurl:env | inurl:setting | inurl:backup | inurl:admin | inurl:php site:WEBSITE
Sensitive Parameters

inurl:email= | inurl:phone= | inurl:password= | inurl:secret= inurl:& site:WEBSITE
JFrog Artifactory

site:jfrog.io "WEBSITE"
Firebase

site:firebaseio.com "WEBSITE"
API Docs

inurl:apidocs | inurl:api-docs | inurl:swagger | inurl:api-explorer site:"WEBSITE"
File upload endpoints

site:WEBSITE ”choose file”
Bug Bounty programs and Vulnerability Disclosure Programs

"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"
site:*/security.txt "bounty"
Apache Server Status Exposed

site:*/server-status apache
WordPress

inurl:/wp-admin/admin-ajax.php
Drupal

intext:"Powered by" & intext:Drupal & inurl:user
Joomla

site:*/joomla/login

Tools used by nahamsec

  1. Amass - Subdomain Generation
  2. ReconFTW - General Recon
  3. FFUF - For fuzzing with onelistforall and onemillion wordlist
  4. MassDNS - DNS Resolver
  5. Security Trails - Subdomain Enumeartion
  6. Shodan - UI version for finding hidden gems
  7. Web Archive - Look for caches
  8. GitHub - Hidden endpoints, subdomains and secrets
  9. HTTPX - Filter live endpoints on the subdomains collections
  10. http://Crt.sh - More info based on certificates
  11. AlienValut - Massive Recon
  12. FOFA - Collect favicon hash