$ git blame 2: michenriksen/aquatone

Dec 06, 17

$ git blame

Hello and welcome. This will be an ongoing series of short posts where I outline the minor commits I make to security related OSS.

The Tool

The second tool I contributed to was aquatone, also by Michael Henriksen.

Aquatone is a tool for enumerating subdomains, gathering information about them, and identifying potential subdomain takeovers. It has four modes:

  1. aquatone-discover: uses a variety of methods to enumerate subdomains
  2. aquatone-scan: find open TCP ports/web services for subdomains
  3. aquatone-gather: retrieve screenshots, HTTP headers, and HTML bodies for subdomains
  4. aquatone-takeover: detect potential subdomain takeovers

The Problem

ISSUE#58

An issue was reported where Aquatone would give a false positive result for some subdomains pointing to CloudFront. The root cause was identified by the reporter as Aquatone failing to check both HTTP and HTTPS.

My contribution

PR#60

The trivial fix:

before:

return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)

after:

return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT) && get_request("https://#{host}/").body.include?(RESPONSE_FINGERPRINT)
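To make the false positive concrete, here is an added Ruby sketch (not aquatone's own code) that models the check before and after the fix against constructed HTTP and HTTPS responses; the fingerprint string, the sample hosts and the stubbed get_request are placeholders assumed for this example.

```ruby
# Added illustration, not aquatone's code: the takeover check before and after
# PR#60, run against a stubbed fetcher so it works offline.
# CONSTRUCTED: fingerprint, host names and response bodies are placeholders.
RESPONSE_FINGERPRINT = "CONSTRUCTED-PROVIDER-ERROR-PAGE".freeze

# Constructed responses keyed by full URL, standing in for real fetch results.
SAMPLE_RESPONSES = {
  # Orphaned distribution: both schemes serve the provider's error page.
  "http://orphan.example.com/"  => RESPONSE_FINGERPRINT,
  "https://orphan.example.com/" => RESPONSE_FINGERPRINT,
  # The reporter's false-positive case: HTTP shows the error page, HTTPS serves real content.
  "http://live.example.com/"  => RESPONSE_FINGERPRINT,
  "https://live.example.com/" => "<html>welcome</html>",
  # Host with no HTTPS listener at all, so the HTTPS fetch fails.
  "http://nossl.example.com/" => RESPONSE_FINGERPRINT,
}.freeze

Response = Struct.new(:body)

# Stand-in for get_request: raises when no response is defined, the way a real
# fetch fails on a connection error.
def get_request(url)
  body = SAMPLE_RESPONSES.fetch(url) { raise IOError, "no response for #{url}" }
  Response.new(body)
end

# Pre-fix logic: one scheme only, which is what produced the false positive.
def vulnerable_before_fix?(host)
  get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
end

# Post-fix logic: the fingerprint must appear on both schemes. A failed HTTPS
# fetch is treated as "fingerprint absent" (an assumption made for this
# example), which errs on the side of not flagging the host.
def vulnerable_after_fix?(host)
  %w[http https].all? do |scheme|
    get_request("#{scheme}://#{host}/").body.include?(RESPONSE_FINGERPRINT)
  rescue IOError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[orphan.example.com live.example.com nossl.example.com].each do |host|
    puts "#{host}: before=#{vulnerable_before_fix?(host)} after=#{vulnerable_after_fix?(host)}"
  end
end
```

Because both `&&` in the fix and `all?` here short-circuit, the HTTPS request is only made for hosts whose HTTP body already matched, so the extra cost lands only on candidates that would otherwise have been reported.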