Collaborate Disseminate
Eepsites are similar to Tor’s hidden services, but based on the I2P anonymity network.
Named eepsites use central registrars like stats.i2p and no.i2p. Each eepsite also has a b32 domain which is a base32-encoded string that is used to con… Continue reading Is it possible to enumerate registered eepsite (I2P) subdomains?
I am curently scanning for open ports on a subdomain. Say I have example.com and subdomain.example.com, but this subdomain can only be reached at port 8443. How can I scan for other potential open ports? Nmap will show this warning when tr… Continue reading Scan for open ports on subdomain
Recently, I happened to notice that a site I was looking at had different certificate providers for different subdomains. Whilst looking around, I found that seems to be somewhat common (or at least not rare).
Whilst I understand the logic… Continue reading Why would a company choose to use different SSL providers for different subdomains
Everywhere I look, I only find explanations as to who can set who’s cookies and who can access the cookies of whom.
Why do we need these restrictions?
More precisely:
Why is it OK for a subdomain to set a cookie for a parent domain?
Why i… Continue reading What are the security issues with setting cookies for subdomains?
I am a website developer (mainly using MVC.NET). Recently, we have been contacted by a hacker. He claimed that he knows our admin URL. The problem is we do not publish or put the admin URL anywhere on our webpage. The only place where the … Continue reading How does msnbot keep finding my unpublished admin url?
My colleagues and I are developing a public web application with client and admin access.
I want to prevent the client access being the same as the admin access, meaning the same login interface (at least).
My first idea is to create subdo… Continue reading Prevent client access being the same as admin access in web application
To hide a restricted location, e.g.
location /secret/ {
allow 10.0.0.0/24;
deny all;
}
one could set
error_page 403 =404 /404.html;
error_page 404 /404.html;
to make impossible to distinguish a non-existing location (404) from a restri… Continue reading How to hide restricted nginx subdomains?
I’m a newbie ethical hacker and bug bounty hunter. Lets, assume my target is somethingtohack.com, the thing is the company’s scope defines that the main domain is out of scope, but subdomains like subdomain.somethingtohack.com are in scope… Continue reading Can I escalate a main domain SSTI/RCE to all the subdomains belonging to that domain?
When enumerating a site on a Bugcrowd program, I found a subdomain like this:
According to the hackerone report it was classified as a valid report. In my case, they ask for proof. How can I successfully takeover it? I tried using Github… Continue reading Exploiting Subdomain Takeover on Cloud Front [closed]
I am trying to automate my recon process. For port scanning, I resolve subdomains to IPs then loop over those IPs with masscan. But is it worth it to port scan an asset that is hidden behind a web firewall? In other words, by doing this I’… Continue reading Port scanning against assets that are behind a WAF