Climbing Mount WebAppSec – Discovering Subdomains

Following Jason Haddix’s Bug Hunters Methodology I’m at phase two: Discovery. Discovering the domain falls into two parts. The first to the left of the domain (subdomains) and the second to the right of the domain (Directories/Files). In this post I will cover subdomains. The premise in discovering subdomains is to firstly enlarge the attack surface and in the process find some easier wins. Subdomains may be forgotten in the mists of time; for example, originally set up for testing purposes, or a myriad other reasons that make them of interest to us. There’s a lot of solid tools out there Read More