fig.example.com
(I have no idea why it was interesting, but it was.) Opening http://fig.example.com/ in the browser showed nothing but a blank page with empty HTML code, so I decided to brute-force directories using Dirsearch. That is when I found http://fig.example.com/includes/, a directory with directory listing enabled.

github.example.com and goose.example.com
with the same issue. How did I figure it out? Simply, it was redirecting to a different site.

github.example.com
Maybe it will help me identify other subdomains with the same issue.

pilot.example.com
And this turned out to be very helpful, as I found an SSL certificate issued for a totally different org.

henry.example.com
And again, the SSL certificate was issued for a different org.

net:54.161.231.55
ip:54.161.231.55
And check for crawled data.

“What happened to that IP tied to that EC2 instance that you just killed? Well, when you terminate an instance, that IP address isn’t put to waste. Instead, it’s reused by other AWS customers. There is a massive pool of IP addresses that are constantly being recycled and trusted by various organizations and people.”

CNAME or A record, without using an Elastic IP. If the EC2 instance is killed or terminated and the DNS is not updated, this leaves a dangling DNS record for the subdomain. The EC2 IP is then released back to the AWS IP pool, which means it is possible for that IP to be assigned to a new EC2 instance.

compute.amazonaws.com or compute-1.amazonaws.com in the CNAME record.

N/A, as mentioned before. Avoid managed bug bounty programs, as they require a PoC file.