$ git blame 2: michenriksen/aquatone

Dec 06, 17

$ git blame

Hello and welcome. This will be an ongoing series of short posts where I outline the minor commits I make to security related OSS.

The Tool

The second tool I contributed to was aquatone, also by Michael Henriksen.

Aquatone is a tool for subdomain enumeration, gathering, and identifying potential subdomain takeovers. It has four modes:

  1. aquatone-discover: uses a variety of methods to enumerate subdomains
  2. aquatone-scan: finds open TCP ports/web services for subdomains
  3. aquatone-gather: retrieves screenshots, HTTP headers, and HTML bodies for subdomains
  4. aquatone-takeover: detects potential subdomain takeovers

The Problem

An issue was reported where Aquatone would give a false positive result for some subdomains pointing to CloudFront. The root cause was identified by the reporter as Aquatone failing to check both HTTP and HTTPS.

My contribution

The trivial fix:

Before (only the HTTP response was checked for the fingerprint):

return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)

After (both the HTTP and the HTTPS response must contain the fingerprint):

return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT) &&
       get_request("https://#{host}/").body.include?(RESPONSE_FINGERPRINT)
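The same both-schemes check as a self-contained Ruby example (added here, not aquatone's own code): a host is only flagged when the fingerprint appears on both http:// and https://, and a failed request counts as "no match" so errors never produce a finding. The fingerprint value, the fetcher function and the responses are constructed assumptions so it runs offline.

```ruby
# Added example, not aquatone's code: takeover check requiring the provider
# fingerprint on BOTH http:// and https:// before a host is flagged.
require "net/http"
require "uri"

# Constructed fingerprint value; aquatone's real marker is not shown on the page.
RESPONSE_FINGERPRINT = "Bad request.".freeze

# Live fetcher (assumed helper): returns the body, or nil on any error.
def fetch_body(url)
  Net::HTTP.get_response(URI.parse(url)).body
rescue StandardError
  nil
end

# True only when every scheme's body contains the fingerprint.
# A nil body (request failed) is treated as "no match", so a host that
# answers the fingerprint on HTTP but is unreachable on HTTPS is not flagged.
def takeover_candidate?(host, fetcher: method(:fetch_body))
  %w[http https].all? do |scheme|
    body = fetcher.call("#{scheme}://#{host}/")
    !body.nil? && body.include?(RESPONSE_FINGERPRINT)
  end
end

# Constructed responses standing in for live hosts (offline test data).
ERR = "ERROR: Bad request. The request could not be satisfied.".freeze
FAKE_RESPONSES = {
  "http://both.example/"      => ERR,   # fingerprint on both schemes
  "https://both.example/"     => ERR,
  "http://httponly.example/"  => ERR,   # the CloudFront false-positive shape
  "https://httponly.example/" => "<html>Welcome to the site</html>",
  "http://down.example/"      => nil,   # requests fail on both schemes
  "https://down.example/"     => nil,
}.freeze
FAKE_FETCHER = ->(url) { FAKE_RESPONSES[url] }

if __FILE__ == $PROGRAM_NAME
  %w[both.example httponly.example down.example].each do |h|
    puts "#{h}: #{takeover_candidate?(h, fetcher: FAKE_FETCHER)}"
  end
end
```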