Description
second-order scans web applications for second-order subdomain takeover vulnerabilities. Unlike a direct takeover, where a CNAME points to an unclaimed service, a second-order takeover happens when a webpage contains references (links, forms, scripts) to vulnerable subdomains.
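To make the idea of a "reference" concrete, the following added example (not part of second-order or its documentation) lists the external hosts that a page's links, forms and scripts point to, so each can be reviewed for stale DNS records. The sample HTML, hostnames and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Reference types the description names: links, forms and scripts.
REF_ATTRS = {"a": "href", "link": "href", "form": "action", "script": "src"}


class RefCollector(HTMLParser):
    """Collect (tag, absolute URL) for each reference in one HTML page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REF_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.refs.append((tag, urljoin(self.base_url, value.strip())))


def external_references(html, base_url):
    """Map each referenced host other than the page's own to the tags using it."""
    page_host = urlsplit(base_url).hostname
    collector = RefCollector(base_url)
    collector.feed(html)
    hosts = {}
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip mailto:, javascript:, data: and similar
        if parts.hostname != page_host:
            hosts.setdefault(parts.hostname, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(hosts.items())}


# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<html><head>
<link rel="stylesheet" href="//static.example.com/site.css">
<script src="https://cdn-old.example.com/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<a href="mailto:ops@example.com">Mail</a>
<form action="https://forms.example.net/submit" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for host, tags in external_references(SAMPLE, "https://www.example.com/").items():
        print(host, ",".join(tags))
```

Hosts referenced from a `script` tag deserve the first look, since whatever that host serves runs in the page's origin.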
Installation
BASH
go install github.com/mhmdiaa/second-order@latest
Basic Usage
BASH
# Scan target
second-order -target https://target.com -output results.json
Advanced Usage
BASH
# Custom config
second-order -target https://target.com -config config.json -output results.json
# config.json example:
# {
#   "depth": 3,
#   "headers": {"Cookie": "session=abc"},
#   "timeout": 10
# }
Common Workflows
BASH
# Check if pages reference vulnerable subdomains
second-order -target https://target.com -output results.json
# Combine with direct takeover scanning
subjack -w subs.txt -c fingerprints.json   # Direct
second-order -target https://target.com    # Second-order