Mass hunting vulnerabilities with subdomain database feature of prettyrecon

AkShAy KaTkAr
3 min read · Nov 9, 2023


PrettyRecon recently rolled out a pragmatic addition to its toolkit — the “My Subdomain Database” feature. Users now have the ability to delve into comprehensive details of their target’s subdomains, extracting information such as CNAMEs, technologies, titles, status codes, and web servers.

You can now keep an eye on all your targets' data at once.

My usual go-to approach for bug hunting is finding open-source technologies, WordPress plugins and themes, then finding bugs in them and reporting them to all the similar sites using the same plugins or open-source technologies.

Here is an example of finding all subdomains running WordPress: just by searching a keyword like “wordpress” in the subdomain database you get all the results in one go.

The database gives 8462 results for websites using WordPress.

Use case:

Mass hunting open redirects:

Open redirects might not sound like a big deal, but they’re like the gateway drug of vulnerabilities. A seemingly harmless redirect becomes the missing piece of a bigger chain: an allowlisted OAuth redirect_uri that itself redirects hands the authorization code or token to an attacker, and a redirect on an allowlisted host lets an SSRF request escape a hostname filter.
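To make the mass-hunting step concrete, here is an added example (my own code, not from the original post and not part of PrettyRecon) that generates open-redirect probe URLs for every host pulled from the subdomain database, classifies a redirect response as on-site or off-site, and shows the naive "starts with a slash" check next to a hardened one. The host names, parameter list and the `attacker.example` payload host are assumptions for illustration; HTTP fetching is left to your own client so the script runs offline.

```python
"""Open-redirect probe generation and response classification.

Added example, not code from the original post or from PrettyRecon.
The parameter names, the attacker host and the hosts you feed in are
assumptions for illustration.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Common redirect parameter names (assumption; extend from your own wordlist).
REDIRECT_PARAMS = ["next", "url", "redirect", "redirect_uri",
                   "return", "returnUrl", "goto", "dest"]

ATTACKER = "attacker.example"  # assumed attacker-controlled host

# Payload shapes that routinely slip past a naive "starts with /" check.
PAYLOADS = [
    f"https://{ATTACKER}/",   # absolute URL
    f"//{ATTACKER}/",         # protocol-relative: browsers keep the scheme
    f"/\\{ATTACKER}/",        # backslash: browsers normalise "\" to "/"
    f"https:{ATTACKER}",      # special scheme without "//", still absolute
    f"/{ATTACKER}",           # control: a real path on the target
]


def build_probes(host: str, params=REDIRECT_PARAMS, payloads=PAYLOADS):
    """Return one probe URL per (parameter, payload) for a host from the database."""
    return [f"https://{host}/?{urlencode({p: pl})}" for p in params for pl in payloads]


def naive_is_local(target: str) -> bool:
    """The vulnerable check: accepts '//attacker.example' and '/\\attacker.example'."""
    return target.startswith("/")


def is_safe_local_redirect(target: str) -> bool:
    """Hardened check: only a same-origin relative path is allowed."""
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_open_redirect(probe_host: str, status: int, location: Optional[str]) -> bool:
    """True when a 3xx Location header sends the browser to a host other than probe_host."""
    if not (300 <= status < 400) or not location:
        return False
    loc = location.strip().replace("\\", "/")  # mirror browser backslash handling
    parts = urlsplit(loc)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:/data: are a different bug class
    host = parts.netloc
    if parts.scheme in ("http", "https") and not host:
        # "https:attacker.example" is treated by browsers as https://attacker.example/
        host = parts.path.lstrip("/").split("/")[0]
    if not host:
        return False  # relative path: stays on probe_host
    host = host.rsplit("@", 1)[-1].split(":")[0].lower()  # drop userinfo and port
    return host != probe_host.lower()


if __name__ == "__main__":
    # Usage: feed the hosts from a "flarum" or "statuscast" database search,
    # fetch each probe with redirects disabled, and pass the result in.
    for probe in build_probes("forum.example.com")[:5]:
        print(probe)
    print(is_open_redirect("forum.example.com", 302, f"//{ATTACKER}/"))
```

Fetch each probe with redirects disabled (for example `allow_redirects=False` in `requests`) so the first Location header is what you classify; a 302 whose Location lands on another host, for any of the payload shapes, is the finding to report.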

I’ve got a bunch of third-party services and open-source software in my toolkit, and here’s the scoop — some of them, like bmc.it and Nolt, have their act together and fixed the issue. Kudos to them! On the flip side, there are stubborn ones like Flarum (open source forum software used by many companies) who are still chilling with open redirects, thinking it’s not a big deal.

Even though it’s just a P4 on Bugcrowd, convincing vendors to fix this is like pulling teeth. It’s a quirky world of open redirects, and some vendors need a gentle nudge to get their security game on point.

Here are some services which are still vulnerable.

Use of the PrettyRecon database:

Results for StatusCast

Results for visualplatform

Results for Flarum (open-source forum software)

Many of these are bug bounty targets.

Another use case is finding subdomains whose CNAMEs point at Pantheon, GitHub, AWS, Heroku, etc. and continuously monitoring them for subdomain takeover: a record that still points at a provider after the resource behind it was deleted can often be re-claimed by anyone.
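The monitoring side of that use case, as an added example that is not part of the original post or of PrettyRecon: the script below takes rows exported from a subdomain database (subdomain, CNAME, status and body snippet), keeps only the ones whose CNAME points at a provider known for takeovers, flags those whose CNAME no longer resolves or whose body matches the provider's "unclaimed resource" page, and diffs against the previous run so only new candidates surface. The CSV rows are constructed sample data, and the provider suffixes and fingerprint strings are assumptions taken from widely circulated takeover fingerprint lists; verify them against a current list before acting on a hit.

```python
"""Flag dangling-CNAME / subdomain takeover candidates from subdomain-database rows.

Added example, not code from the original post or from PrettyRecon. The CSV
rows are constructed sample data; the provider suffixes and fingerprints are
assumptions and should be checked against a maintained fingerprint list.
"""
import csv
import io
import re

# provider CNAME suffix -> body fingerprint of an unclaimed resource (assumption)
FINGERPRINTS = {
    ".github.io": re.compile(r"There isn't a GitHub Pages site here", re.I),
    ".herokuapp.com": re.compile(r"No such app", re.I),
    ".s3.amazonaws.com": re.compile(r"NoSuchBucket", re.I),
    ".pantheonsite.io": re.compile(r"404 error unknown site", re.I),
}

# Constructed sample export: subdomain, cname, status (HTTP code or NXDOMAIN), body snippet
SAMPLE_CSV = """subdomain,cname,status,body
docs.example.com,example-docs.github.io,404,"There isn't a GitHub Pages site here."
app.example.com,example-app.herokuapp.com,200,"Welcome to the app"
static.example.com,example-static.s3.amazonaws.com,404,"<Code>NoSuchBucket</Code>"
legacy.example.com,old-site.pantheonsite.io,NXDOMAIN,
www.example.com,example.com,200,"Home"
"""


def provider_for(cname: str):
    """Return the matching provider suffix, or None if the CNAME is not of interest."""
    cname = cname.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if cname.endswith(suffix):
            return suffix
    return None


def classify(row: dict):
    """Return 'candidate', 'dangling', 'claimed', or None for non-provider CNAMEs."""
    suffix = provider_for(row["cname"])
    if suffix is None:
        return None
    if row["status"].upper() == "NXDOMAIN":
        # The CNAME target itself is gone; whether it can be re-registered
        # depends on the provider, so it still needs a manual look.
        return "dangling"
    if FINGERPRINTS[suffix].search(row.get("body") or ""):
        return "candidate"  # provider serves its "nothing here" page: likely claimable
    return "claimed"


def takeover_candidates(csv_text: str):
    """Rows worth investigating, as (subdomain, cname, verdict) tuples."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row)
        if verdict in ("candidate", "dangling"):
            out.append((row["subdomain"], row["cname"], verdict))
    return out


def new_since(previous, current):
    """Continuous monitoring: only candidates absent from the previous run."""
    seen = {(sub, cname) for sub, cname, _ in previous}
    return [c for c in current if (c[0], c[1]) not in seen]


if __name__ == "__main__":
    today = takeover_candidates(SAMPLE_CSV)
    for finding in new_since([], today):
        print(finding)
```

Run it on each fresh export and keep the previous run's output; `new_since` turns the database into an alerting feed, so a CNAME that starts returning a provider's "unclaimed" page shows up the day it happens rather than whenever you next look.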

Thanks for reading.
