Nowadays practically all websites communicate over HTTPS (HyperText Transfer Protocol Secure). To serve HTTPS, the site owner has to obtain a TLS (Transport Layer Security) certificate, still commonly called an SSL (Secure Sockets Layer) certificate after the protocol TLS replaced.
A single certificate often covers more than one hostname: its Subject Alternative Name (SAN) extension lists every name the certificate is valid for, and those names usually belong to the same organization. That list is what makes certificates useful for subdomain enumeration.
Clicking the lock icon in the browser's address bar lets you view the TLS certificate of any website.
hackerone.com, for example, lists several of its subdomains in the SAN extension of its TLS certificate.
For this purpose we will be using a tool called Cero (github.com/glebarez/cero), which connects to each target, reads the certificate it serves and prints the names found in it.
Installation:
Running:
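Cero does this for you, but it helps to see what it is doing. The following is an added example, not code from the original post or from Cero: it connects with SNI using only the Python standard library, reads the peer certificate and collects the DNS names from the SAN extension and the subject CN. SAMPLE_CERT is a constructed dictionary in the shape `ssl.SSLSocket.getpeercert()` returns; its names are illustrative and are not copied from the real hackerone.com certificate. Note that `getpeercert()` only returns the parsed dictionary when the connection verified the certificate (the default context does); with verification disabled it returns an empty dictionary, so hosts serving self-signed or expired certificates need `binary_form=True` plus an X.509 parser, which this example does not cover.

```python
import socket
import ssl
import sys

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# names are illustrative and are NOT copied from hackerone.com's real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "hackerone.com"),),),
    "subjectAltName": (
        ("DNS", "hackerone.com"),
        ("DNS", "*.hackerone.com"),
        ("DNS", "API.hackerone.com"),
        ("DNS", "www.hackerone.com"),
        ("DNS", "hackerone-user-content.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def fetch_cert(host, port=443, timeout=5.0):
    """Open a TLS connection with SNI set to `host` and return the parsed
    peer certificate (network). The default context verifies the chain, so a
    host serving an untrusted or self-signed certificate raises
    ssl.SSLCertVerificationError instead of returning names."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_hostnames(cert, root_domain=None):
    """Collect DNS names from the SAN extension and the subject CN.

    Wildcards such as *.example.com are reduced to example.com: the wildcard
    itself is not a host you can connect to, but it tells you the organization
    has more hosts under that label worth brute forcing. IP-address SANs are
    skipped. With root_domain set, only names inside that domain are kept."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                names.add(value.lower())
    names = {n[2:] if n.startswith("*.") else n for n in names}
    if root_domain:
        root_domain = root_domain.lower()
        names = {n for n in names if n == root_domain or n.endswith("." + root_domain)}
    return sorted(names)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "hackerone.com"
    for name in cert_hostnames(fetch_cert(target), target):
        print(name)
```

Run it against a list of hosts and feed every new name back in: certificates on one subdomain frequently name others, so the process converges only after a few rounds. Names outside the root domain (the out-of-scope entry in the sample) are still worth recording, since they often reveal sister brands or hosting providers.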
2) CSP Probing
CSP (Content Security Policy) headers are used to defend against XSS while still allowing a site to load resources from other origins. To do that, the policy has to name the origins content is loaded from, so the header frequently contains the organization's own domains and subdomains (CDN hosts, API endpoints, asset and WebSocket servers).
Hence these subdomains are useful to us. In the image below I extracted domains/subdomains from the CSP header of twitter.com.
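Pulling hosts out of a policy by eye gets tedious once the header runs to several kilobytes, and it is easy to mistake scheme-only sources (`https:`), nonces and hashes for hosts. The following is an added example, not code from the original post: it parses a CSP string directive by directive, maps each host to the directives that mention it, and filters to the root domain of interest. SAMPLE_CSP is a constructed header modelled on the shape of twitter.com's policy; its sources are illustrative and not copied from the live header. `fetch_csp` fetches both the enforced policy and the Report-Only variant from a live host, since the report-only header is often the newer and more detailed of the two.

```python
import http.client
import re

# Constructed header modelled on the shape of twitter.com's policy; the
# sources are illustrative and not copied from the live header.
SAMPLE_CSP = (
    "default-src 'self'; "
    "connect-src 'self' https://api.twitter.com https://*.twimg.com wss://*.pscp.tv blob: data:; "
    "script-src 'self' 'nonce-Zm9vYmFy' 'sha256-AbCd+eF/gh==' https://abs.twimg.com "
    "https://ton.twimg.com:443 'unsafe-inline'; "
    "img-src 'self' https: data:; "
    "frame-src https://twitter.com https://*.twitter.com; "
    "report-uri https://twitter.com/i/csp_report"
)

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")


def source_host(src):
    """Return the host named by one CSP source expression, or None for things
    that name no host: keywords ('self', 'unsafe-inline'), nonces and hashes,
    the bare wildcard, and scheme-only sources such as https: or data:."""
    src = src.strip().lower()
    if not src or src.startswith("'") or src == "*":
        return None
    m = SCHEME_RE.match(src)
    if m:
        src = src[m.end():]
    elif src.endswith(":"):
        return None
    host = src.split("/", 1)[0]          # drop any path
    if ":" in host:                      # drop an explicit port or port wildcard
        host = host.rsplit(":", 1)[0]
    return host or None


def csp_hosts(header):
    """Map every host in the policy to the sorted list of directives naming it."""
    hosts = {}
    for directive in header.split(";"):
        parts = directive.split()
        if len(parts) < 2:
            continue
        name, sources = parts[0].lower(), parts[1:]
        for src in sources:
            host = source_host(src)
            if host:
                hosts.setdefault(host, set()).add(name)
    return {h: sorted(d) for h, d in sorted(hosts.items())}


def in_scope(hosts, root_domain):
    """Keep hosts under root_domain. Wildcard entries are returned as-is so the
    reader knows further brute forcing under that label is worthwhile."""
    root_domain = root_domain.lower()
    return [h for h in hosts if h == root_domain or h.endswith("." + root_domain)]


def fetch_csp(host, path="/"):
    """Return the enforced and report-only policy values served by a live host
    (network); the list is empty when the site sets no CSP at all."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path, headers={"Host": host, "User-Agent": "csp-probe"})
    resp = conn.getresponse()
    wanted = ("content-security-policy", "content-security-policy-report-only")
    values = [v for k, v in resp.getheaders() if k.lower() in wanted]
    conn.close()
    return values


if __name__ == "__main__":
    import sys
    for policy in fetch_csp(sys.argv[1]):
        for host, directives in csp_hosts(policy).items():
            print(host, ",".join(directives))
```

Policies vary per page and per response (logged-in views and report-only headers often differ), so fetch a few paths, not just `/`. The directive mapping is useful context: a host that appears only under `connect-src` is usually an API or WebSocket endpoint, while `frame-src` hosts tend to be separate applications.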
3) CNAME Probing
I personally came across 2-3 cases where visiting the CNAME of the website showed me the same website without a firewall. (I personally don't know why this happened.)
Since then I probe the CNAMEs of the subdomains found.
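The observation above matches a common setup: a subdomain is a CNAME to the origin host (a cloud load balancer, app platform or the organization's own server) that a CDN or WAF is supposed to front, and if that origin accepts connections directly, a request to it never passes through the WAF. To probe this you first need the CNAME chain for each subdomain. The following is an added example, not code from the original post: it builds and parses the DNS CNAME query with the standard library only, so the parsing can be exercised offline on a constructed response instead of requiring dnspython. The resolver address 1.1.1.1 and the names in the constructed response are assumptions made for the example.

```python
import socket
import struct


def encode_name(name):
    """Encode a dotted host name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Recursive (RD=1) query for one CNAME record (QTYPE 5, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 5, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name starting at `offset`.
    Returns (name, offset of the first byte after the name in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2             # the pointer ends this name in the message
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_cnames(msg):
    """Return [(owner, target), ...] for every CNAME record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                       # RCODE != 0 (NXDOMAIN, SERVFAIL, ...)
        return []
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 5:
            target, _ = read_name(msg, offset)
            found.append((owner, target))
        offset += rdlen
    return found


def resolve_cname_chain(name, resolver="1.1.1.1", max_depth=8):
    """Follow CNAMEs from `name` until a name that has none (network).
    Recursive resolvers usually return the whole chain in one answer; the loop
    handles the case where they do not, and max_depth stops CNAME loops."""
    chain, name = [], name.lower()
    for _ in range(max_depth):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(3)
            sock.sendto(build_query(name), (resolver, 53))
            msg, _ = sock.recvfrom(4096)
        targets = dict(parse_cnames(msg))
        if name not in targets:
            break
        name = targets[name]
        chain.append(name)
    return chain


def _constructed_response():
    """Hand-built answer for www.example.com CNAME edge.cdn-example.net, using
    a compression pointer (0xC00C) for the owner name as real resolvers do.
    Constructed test data, not a captured packet."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.example.com") + struct.pack("!HH", 5, 1)
    rdata = encode_name("edge.cdn-example.net")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
    return header + question + answer


SAMPLE_RESPONSE = _constructed_response()

if __name__ == "__main__":
    import sys
    for hop in resolve_cname_chain(sys.argv[1]):
        print(hop)
```

With the chain in hand, request every hop directly and compare status, headers and body against the original subdomain; do it once with the hop's own name and once with the original name in the `Host` header, since a virtual-hosted origin may only answer for the latter. A hop that returns the application without the WAF's signature headers or challenge page is the case the post describes, and the CNAME target's name (a cloud provider, a CDN, a SaaS vendor) also tells you which kind of takeover to check for if the target no longer resolves.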