Home

Awesome

Second Order

Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match certain rules, or respond in a certain way.

Installation

From binary

Download a prebuilt binary from the releases page and unzip it.

From source

Go version 1.17 is recommended.

go install -v github.com/mhmdiaa/second-order@latest

Docker

docker pull mhmdiaa/second-order

Command line options

  -target string
        Target URL
  -config string
        Configuration file (default "config.json")
  -depth int
        Depth to crawl (default 1)
  -header value
    	Header name and value separated by a colon 'Name: Value' (can be used more than once)
  -insecure
        Accept untrusted SSL/TLS certificates
  -output string
        Directory to save results in (default "output")
  -threads int
        Number of threads (default 10)

Configuration File

Example configuration files are in config

Output

All results are saved in JSON files that specify what and where data was found

{
    "https://example.com/": {
        "input[name]": [
            "user",
            "id",
            "debug"
        ]
    }
}
{
    "https://example.com/": {
        "script[src]": [
            "https://cdn.old_abandoned_domain.com/app.js",
        ]
    }
}
{
    "https://example.com/": {
        "title": [
            "Example - Home"
        ]
    },
      "https://example.com/login": {
        "title": [
            "Example - login"
        ]
    }
}

Usage Ideas

This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.

References

https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/#secondorder

https://edoverflow.com/2017/broken-link-hijacking/