Questions tagged [sub-domain]

The domain name system tree structure or DNS hierarchy has a root domain at the top and all the child nodes in the tree are called sub-domains.

Basically, a sub-domain is a domain that is part of a larger domain, e.g. a.mysite.com and b.mysite.com are sub-domains of mysite.com, which is itself a sub-domain of the top-level domain .com.

67 questions
47 votes, 8 answers

How can I find subdomains of a site?

One of the things I need to do from time to time is to find subdomains of a site for example. Starting with example.com sub1.example.com other.example.com another.example.com I'm looking for any additional ways to perform recon on these targets…
NULLZ
38 votes, 4 answers

HSTS on a subdomain with includeSubdomains

Suppose that my site is located at foo.example.com and I send the following HTTP header when visitors access my site using HTTPS: Strict-Transport-Security: max-age=31536000; includeSubDomains Would the HSTS policy have any effect on domains…
rink.attendant.6
21 votes, 2 answers

Double Submit Cookies vulnerabilities

Is the Double Submit Cookies mechanism vulnerable to anything other than XSS and sub-domain attacks? All CSRF protection mechanisms are vulnerable to XSS, so that's nothing new. I'm just wondering if I can safely rely on this mechanism so long as I…
Gili
9 votes, 3 answers

Why does HSTS not automatically apply to subdomains to enhance security? For what reason would someone not want HSTS on every subdomain?

HSTS restricts the connection to be always HTTPS if deployed by any domain, however for it to be applied to sub-domains the 'includeSubDomain' attribute is needed. Why doesn't the policy itself make it mandatory to include all subdomains? For what…
mfs
8 votes, 3 answers

SSL Cert for sub.domain.com and www.sub.domain.com

I have a wildcard cert issued by GoDaddy for *.domain.com. Currently, https://sub.domain.com works just fine. However, https://www.sub.domain.com does not work. Do I need a separate cert for each? The error I see in the browser when I go to…
bart2puck
7 votes, 2 answers

Should a wildcard ssl certificate be shared with a different organization hosting a subdomain?

We are hosting our own secure site with a wildcard certificate. However, we are working with a marketing company that provides landing pages on subdomains of our domain, on IP addresses supplied by their ISP. They might want to secure those…
6 votes, 3 answers

Setting up LetsEncrypt SSL for domains/subdomains on two servers

LetsEncrypt certificates have been created for example.com and www.example.com. This is a Linux server on IP 123.123.123.1. I would like to add foo.example.com and bar.example.com, but these subdomains are set to 123.123.123.2 (MS2012 server, IPs…
Fid
6 votes, 3 answers

Any threats from isolated subdomain (controlled by hacker)?

I have a domain and a subdomain (on the same hosting) with isolated, jailed directories (no ability to go from one to another) and separate user accounts, as if they were two different domains (has own Control Panels, with full DNS ZONE…
T.Todua
5 votes, 1 answer

Wildcard SSL and EV SSL

Is it possible to mix a Wildcard SSL for subdomains and an EV SSL for the www and non-www domain? I know that an EV SSL can't have a wildcard. Example: hello.test.com -> wildcard ssl hello2.test.com -> wildcard ssl www.test.com -> green bar ev…
5 votes, 1 answer

XSS security concerns from untrusted parent domains

There's lots of discussion about protecting content on example.com from user controlled content on subdomain.example.com (e.g. GitHub pages). What are the risks the other way around? If my content is hosted at subdomain.example.com, what attacks am…
5 votes, 1 answer

Subdomains - Security Risk?

I have just checked and found that I have a number of subdomains live that re-direct to sites which I don't recognise. Is it possible for a 3rd party to own a sub-domain of my site? From a security POV, should I be worried about these sites?
John
4 votes, 2 answers

What is the purpose of subdomain enumeration?

There're a number of security tools out there that enumerate the subdomains of a given domain. I wonder: What's the purpose of that in terms of security / hacking? Is there any way to do that other than by brute-force with a dictionary of the most…
Oskar K.
4 votes, 2 answers

Security implications of providing users subdomains on my domain?

I want to provide users with subdomains on my website. Users will provide an IP address and the subdomain they want and I will then use a DNS service to redirect to that IP through an A record or CNAME record. Apart from the obvious risk that the…
James
4 votes, 2 answers

Is it safe to point a (sub)domain to my home IP address?

I have my own website and I created a subdomain that points to my home IP address. It is useful for personal things like entering my domain for wake-on-lan and letting my friends enter it to join multiplayer games I host from time to time. But is…
Keavon
4 votes, 2 answers

Can random subdomain naming enhance security?

I have a bunch of services which I want to group under a subdomain. Somehow 2-factor authentication is not possible to identify the users of these services. I have a thought to have a randomly named subdomain to make it difficult for the attackers to…
Navjot Singh