🛠️ Virtual host fuzzing

Theory

A single web server (one IP address and port) can serve several websites under different domain names. This is called virtual hosting. The server needs to know which site the client wants, and two mechanisms carry that information:

  • HTTP: the Host request header (mandatory in HTTP/1.1). The client sends the domain name it wants as Host: <host>, optionally followed by :<port> when the server listens on a non-default TCP port.

  • HTTPS: the Server Name Indication (SNI) extension of TLS. The client sends the hostname it wants in the ClientHello, at the start of the handshake and before any encryption, so the server can pick the right certificate and site. Once the TLS session is established, the HTTP request inside it still carries a Host header, and a server may use SNI only to choose the certificate and Host to choose the site. Tools that only rewrite the Host header keep the SNI taken from the URL, so if a target also routes on SNI, the SNI value has to be fuzzed as well (ffuf exposes a -sni option to set it separately).

Virtual hosting can be name-based (the Host and SNI mechanisms above), IP-based (one address per site) or port-based. Only name-based virtual hosts are discovered by fuzzing the Host header; the other two are found by port and network scanning.

Practice

Tools

Fuzzing with ffuf.

# Example with a subdomain FUZZ.$DOMAIN, requests are sent to $URL (the server's IP or main URL)
ffuf -w $wordlist -u $URL -H "Host: FUZZ.$DOMAIN"

Most words will get the answer of the default (catch-all) virtual host, so the output has to be filtered. First send a request with a Host that cannot exist, note the size of the response, and filter it out with -fs $size (or by word and line counts with -fw and -fl). ffuf can also establish this baseline by itself with -ac (auto-calibration).

Fuzzing with Gobuster.

gobuster vhost -u $URL -w $wordlist --append-domain

Newer Gobuster versions (3.2 and later) need --append-domain to turn each wordlist entry into word.$DOMAIN; without it the bare word is sent as the Host value. As with ffuf, filter out the size of the default virtual host's response with --exclude-length $size.

As highlighted in a blog post on the subject, if a website is behind Cloudflare (or another CDN / reverse proxy), results given by Gobuster can be misleading: the edge answers for every Host it proxies and may return a different page or status than the origin's default, so many words come back as "found". Always compare against a baseline, and when the origin IP is known, fuzz the origin directly instead of the CDN.
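The script below is an added example, not code from the original page nor from the ffuf or Gobuster projects. It reproduces what the Theory section and the filtering tips above describe: a small name-based virtual host server that picks its response from the Host header alone (as Apache or nginx would), and a fuzzer that sends one request per wordlist entry with a rewritten Host, uses the response to a random non-existent host as the baseline, and reports only the candidates that differ, which is what ffuf's -fs and Gobuster's --exclude-length do by hand. The domain target.test, the vhost table and the wordlist are constructed for the demo.

```python
import http.client
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for a name-based virtual host setup (assumption: target.test is
# a reserved, non-existent domain). The server chooses a response from the Host header only.
DOMAIN = "target.test"
VHOSTS = {
    f"www.{DOMAIN}": (200, b"<h1>Public site</h1>"),
    f"dev.{DOMAIN}": (200, b"<h1>Development build - debug enabled</h1>"),
    f"admin.{DOMAIN}": (401, b"Authorization Required"),
}
# The catch-all vhost serves the same page as www, as is common in real deployments.
DEFAULT_VHOST = (200, b"<h1>Public site</h1>")


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip an optional :port suffix, then route purely on the hostname.
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT_VHOST)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_vhost_server():
    """Start the demo server on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(ip, port, hostname, path="/"):
    """One request to the IP with an explicit Host header; returns (status, body length)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", path, headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def fuzz_vhosts(ip, port, domain, wordlist):
    """Return (baseline, found): candidates whose response differs from the catch-all vhost."""
    # Baseline: a Host value that cannot exist. Whatever comes back is the default vhost's
    # answer, i.e. the (status, size) pair ffuf -fs / gobuster --exclude-length would filter.
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    baseline = probe(ip, port, f"{junk}.{domain}")
    found = []
    for word in wordlist:
        candidate = f"{word}.{domain}"
        result = probe(ip, port, candidate)
        if result != baseline:
            found.append((candidate, result))
    return baseline, found


if __name__ == "__main__":
    server, port = start_vhost_server()
    baseline, found = fuzz_vhosts("127.0.0.1", port, DOMAIN, ["www", "dev", "admin", "staging"])
    print(f"baseline (status, size) for an unknown host: {baseline}")
    for candidate, result in found:
        print(f"[+] {candidate}: status {result[0]}, size {result[1]}")
    server.shutdown()
```

Note what the run shows: dev and admin are reported because their status or size differs from the baseline, while www never appears, since the default vhost serves the very same page. A virtual host that is indistinguishable from the catch-all cannot be found by size filtering alone; comparing response bodies, headers or redirects is needed in that case.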

Enumerating known subdomains with Findomain. Findomain does not fuzz the server: it collects subdomains from passive sources (certificate transparency logs, DNS datasets, search engines), and its results make a good targeted wordlist for the Host header fuzzing above.

findomain -t $DOMAIN

Manual testing

Using Google Dorks.

site:<domain> -www

The -www term excludes results that contain "www", which in practice removes most pages of the main www.<domain> site so that other subdomains stand out. For a stricter filter, exclude the host itself rather than the word: site:<domain> -site:www.<domain>

References