Elevate: A new tool for vertical domain discovery
As more and more companies create bug bounty programs with open-ended scopes, vertical domain discovery becomes increasingly useful for bug bounty hunters. Companies such as Uber, Verizon Media, and Netflix all offer bounty rewards for security vulnerabilities found on any of their company-owned assets. Vertical domain discovery describes an attempt to find all domain names owned by a given company. These other domain names can be used to host internal services, microsites, or services outside the company's main domain name. Since they exist outside the central domain, these websites are often less secure, making them easy targets for penetration testers. I have personally found several vulnerable websites using this method, with it earning me about $15,000 in bounties over the past two years.
Typically, vertical domain discovery needs to be done manually, with an attacker scraping WHOIS registry sites such as viewdns.info, whoxy.com, or whoisxmlapi.com. These websites house massive databases that constantly record the WHOIS registry information for newly registered domain names. Since domain names can be present in multiple databases, these need to be filtered out before they can be tested. Outdated information is also usually present in these databases. Since the manual process is arduous and slow, an automated solution is therefore needed.
Elevate is a tool that automates the process of collecting domain names owned by a given company. This tool utilizes APIs from various sources to compile large domain lists. Users can search for domains by organization name, root domain name, or email address. An example usage of the tool, wherein we search for Reddit-owned domains, can be seen below.
Full details on Elevate and its usage can be found on its Github page, found here.