Subsnipe Exposes Subdomain Storage Flaws

The creator of the Subsnipe tool, Florian Walter, discussed what the tool's development has made possible for identifying vulnerable subdomains.

Subsnipe is an open-source, multithreaded tool designed to help find subdomains vulnerable to takeover. Walter asserts that Subsnipe is more user-friendly, produces better results and offers more features than comparable tools.

After the initial subdomain discovery, Subsnipe runs additional checks to pick out candidates for takeover.

For example, to check a subdomain such as static.example.com, Subsnipe can be used in two ways:

  • The first method involves inputting a domain, after which the tool searches for known subdomains via crt.sh.
  • The second method entails providing a path to a file that already contains a list of subdomains.

Walter highlighted that one of the most challenging aspects of identifying vulnerable subdomains is determining which ones can actually be taken over and how to verify this. While developing and using the tool, Walter observed that some domains, such as those hosted on Azure, appeared susceptible to takeover but could not be taken over. Walter suggests that the reason could be the continual changes within cloud services: unless the tool's fingerprints are updated to track those changes, false positives remain possible.
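As an added illustration (not Subsnipe's code) of the verification problem Walter describes, the following script flags a subdomain as a takeover candidate only when its CNAME target both fails to resolve and matches a known service fingerprint; the fingerprint table, the zone records and the `audit` helper are constructed for this example, and the resolver callbacks are stubs so it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed fingerprint table (assumption, not Subsnipe's list):
# CNAME target suffix -> hosted service. Providers change these, which
# is exactly where stale fingerprints produce false positives.
FINGERPRINTS: Dict[str, str] = {
    ".github.io": "GitHub Pages",
    ".azurewebsites.net": "Azure App Service",
    ".s3.amazonaws.com": "AWS S3",
}

@dataclass
class Finding:
    subdomain: str
    cname: str
    service: Optional[str]
    verdict: str  # "ok" | "candidate" | "unverified"

def classify(subdomain: str,
             cname_of: Callable[[str], Optional[str]],
             resolves: Callable[[str], bool]) -> Finding:
    """Dangling-CNAME check: a CNAME whose target no longer resolves.
    Only a target matching a known service becomes a 'candidate' (still
    needs manual verification, as the Azure case shows); an unknown
    dangling target is reported as 'unverified', not as an alert."""
    target = cname_of(subdomain)
    if target is None:
        return Finding(subdomain, "", None, "ok")  # no CNAME: out of scope
    service = next((svc for suf, svc in FINGERPRINTS.items()
                    if target.endswith(suf)), None)
    if resolves(target):
        return Finding(subdomain, target, service, "ok")  # target still live
    return Finding(subdomain, target, service,
                   "candidate" if service else "unverified")

# Constructed zone snapshot standing in for live DNS so this runs offline.
SAMPLE_CNAMES = {
    "static.example.com": "example-assets.github.io",
    "app.example.com": "example-app.azurewebsites.net",
    "blog.example.com": "blog-host.some-unknown-cdn.net",
}
SAMPLE_LIVE = {"example-assets.github.io"}  # every other target is dangling

def audit(subdomains: List[str]) -> List[Finding]:
    return [classify(s, SAMPLE_CNAMES.get, lambda h: h in SAMPLE_LIVE)
            for s in subdomains]

if __name__ == "__main__":
    for f in audit(list(SAMPLE_CNAMES) + ["mail.example.com"]):
        print(f"{f.verdict:10} {f.subdomain} -> {f.cname} ({f.service})")
```

For a live zone, replace the two stub callbacks with real CNAME and A/AAAA lookups; the classification logic stays the same.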

Looking ahead, Walter intends to add more fingerprints to the tool, a process that will take time for research and validation. The developer emphasized that, aside from CNAME, there are other ways a subdomain can be taken over, and these should also be covered by Subsnipe.
