A web server can host multiple domain names (websites). This is called virtual hosting. Two main mechanisms are used for a client to access a website on a virtual host:
HTTP: the use of the Host request header. The client uses the <host> directive to connect to the domain name of the server. Optionally, it can use the <port> directive to specify a TCP port number on which the server is listening.
HTTPS: the use of the Server Name Indication (SNI) extension with TLS. The client indicates the hostname it wants to connect to at the start of the handshake process.
Virtual hosting can be based on a name, an IP, or a port.
Fuzzing with ffuf.
# Example with a subdomain FUZZ.$URL
ffuf -w $wordlist -u $URL -H "Host: FUZZ.$URL"
Fuzzing with Gobuster.
gobuster vhost -u $URL -w $wordlist
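Seen from the server side, the Host-header fuzzing above appears in the access log as one client sending many Host values that match no configured virtual host. The following is an added example, not part of the original page, that flags this pattern; the log format, host names, and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical set of virtual hosts actually configured on the server.
KNOWN_VHOSTS = {"example.test", "www.example.test"}

# Assumed log format (constructed), e.g. an nginx log_format of:
#   '$remote_addr $http_host "$request" $status $body_bytes_sent'
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$')

# Constructed sample log lines (documentation IP ranges, .test names).
SAMPLE_LOG = """\
203.0.113.7 dev.example.test "GET / HTTP/1.1" 200 612
203.0.113.7 admin.example.test "GET / HTTP/1.1" 200 612
203.0.113.7 staging.example.test "GET / HTTP/1.1" 200 612
203.0.113.7 test.example.test:8080 "GET / HTTP/1.1" 200 612
198.51.100.20 WWW.Example.Test:80 "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 example.test "GET /about HTTP/1.1" 200 2048
192.0.2.5 old.example.test "GET / HTTP/1.1" 404 153
"""


def normalize_host(value):
    """Lower-case a Host header value and drop the optional :port part."""
    host = value.lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return host.split("]")[0] + "]"
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")  # a trailing dot names the same host


def find_vhost_probing(lines, known=KNOWN_VHOSTS, threshold=3):
    """Return {client_ip: [unknown hosts]} for clients that requested at
    least `threshold` distinct Host values not served by this machine."""
    unknown = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        client, host = match.group(1), normalize_host(match.group(2))
        if host not in known:
            unknown[client].add(host)
    return {c: sorted(h) for c, h in unknown.items() if len(h) >= threshold}


if __name__ == "__main__":
    for client, hosts in find_vhost_probing(SAMPLE_LOG.splitlines()).items():
        print(f"{client} probed {len(hosts)} unknown vhosts: {', '.join(hosts)}")
```

The raw Host header has to be logged for this to work; a log that records only the matched server name hides the probing.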
Finding domains with Findomain.
findomain -t $URL
Using Google Dorks.
With -www, the results omit entries related to our main domain, so it is easier to focus on interesting subdomains.