hunt-subdomain
Identifies subdomain vulnerabilities by leveraging public bug bounty reports and specific attack methodologies.
Install this skill
or
34/100
Security score
The hunt-subdomain skill was audited on Jun 10, 2026 and we found 18 security issues across 2 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
high line 77
Curl to non-GitHub URL
SourceSKILL.md
| 77 | - `curl -sk https://subdomain.target.com` — check for provider error string |
medium line 130
Curl to non-GitHub URL
SourceSKILL.md
| 130 | curl -sk "https://$subdomain" | grep -iE \ |
medium line 136
Curl to non-GitHub URL
SourceSKILL.md
| 136 | curl -Isk "https://target.com" | grep -i "set-cookie" | grep "domain=.target.com" |
medium line 141
Curl to non-GitHub URL
SourceSKILL.md
| 141 | curl -sI "https://subdomain.target.com" -H "Host: subdomain.target.com" | grep -i "fastly\|x-served-by\|x-cache" |
medium line 142
Curl to non-GitHub URL
SourceSKILL.md
| 142 | curl -sk "https://subdomain.target.com" | grep -i "fastly error" |
high line 212
Curl to non-GitHub URL
SourceSKILL.md
| 212 | - `curl -sk https://subdomain.target.com` → confirms provider error string |
medium line 295
Fetch to external URL
SourceSKILL.md
| 295 | - **C.** Attacker page hosted on the taken-over subdomain issues `fetch('https://api.target.com/account', {credentials:'include'})`. CORS preflight passes. Server returns credentialed response. Attack |
low line 77
External URL reference
SourceSKILL.md
| 77 | - `curl -sk https://subdomain.target.com` — check for provider error string |
low line 130
External URL reference
SourceSKILL.md
| 130 | curl -sk "https://$subdomain" | grep -iE \ |
low line 136
External URL reference
SourceSKILL.md
| 136 | curl -Isk "https://target.com" | grep -i "set-cookie" | grep "domain=.target.com" |
low line 141
External URL reference
SourceSKILL.md
| 141 | curl -sI "https://subdomain.target.com" -H "Host: subdomain.target.com" | grep -i "fastly\|x-served-by\|x-cache" |
low line 142
External URL reference
SourceSKILL.md
| 142 | curl -sk "https://subdomain.target.com" | grep -i "fastly error" |
low line 212
External URL reference
SourceSKILL.md
| 212 | - `curl -sk https://subdomain.target.com` → confirms provider error string |
low line 237
External URL reference
SourceSKILL.md
| 237 | 12. **Microsoft Azure DevOps — Two `cloudapp.azure.com` subdomains + wildcard `*.visualstudio.com` OAuth reply_to → 1-click ATO** ([Binary Security writeup](https://www.binarysecurity.no/posts/2022/11 |
low line 239
External URL reference
SourceSKILL.md
| 239 | - ATO chain: **YES** — `app.vssps.visualstudio.com/_signin?reply_to=https://feedsprodwcus0dr.feeds.visualstudio.com/` whitelisted any `*.visualstudio.com`. Attacker claimed the dangling Azure VM hostn |
low line 243
External URL reference
SourceSKILL.md
| 243 | 13. **Anonymous H1 — `admin-support.xyz.com` → unclaimed Zendesk → email interception → ATO** ([Writeup by 0xprial](https://0xprial.com/the-art-of-zendesk-hijacking/)) |
low line 271
External URL reference
SourceSKILL.md
| 271 | - **C.** Host an OAuth callback receiver on the claimed subdomain. Send victim to `/oauth/authorize?redirect_uri=https://legacy.target.com/cb&response_type=code&client_id=<legit>`. Victim's browser al |
low line 295
External URL reference
SourceSKILL.md
| 295 | - **C.** Attacker page hosted on the taken-over subdomain issues `fetch('https://api.target.com/account', {credentials:'include'})`. CORS preflight passes. Server returns credentialed response. Attack |
Scanned on Jun 10, 2026
View Security DashboardGitHub Stars 2.2K
Rate this skill
Categorydevelopment
UpdatedJune 15, 2026
frontenddesignstriperemotiondocxgitapitestingdevopsbackendsecurity-engineerdata-analystgrowth-marketergithubdevelopmentdata analyticsmarketing
elementalsouls/Claude-BugHunter