ProfessionalCommunity Edition
Enumerating subdomains with Burp Suite
-
Last updated: June 18, 2024
-
Read time: 2 Minutes
You can use Burp Intruder to enumerate additional, hidden subdomains that are in scope but aren't explicitly linked from the initial set of domains you're testing. This enables you to discover additional access points and attack surface, including:
- Internal subdomains that shouldn't be publicly accessible.
- Subdomains that may have been forgotten about and therefore aren't regularly updated.
Note
The following technique is only possible in cases where the target domain has a wildcard DNS record. Burp Intruder is an extremely versatile tool and can be used for a variety of other purposes. For more information, see Typical uses for Burp Intruder.
Steps
You can follow along with the process below using portswigger-labs.net, our deliberately vulnerable sandbox domain. To enumerate additional subdomains:
- Send a request for the main domain you want to investigate to Burp Intruder. For example,
http://portswigger-labs.net
. - Go to the Intruder tab. The request is displayed in a new attack tab.
- In the Target field, add a placeholder subdomain. For example,
http://x.portswigger-labs.net
. -
Highlight the placeholder subdomain and click Add ยง to mark it as a payload position.
- Go to the Payloads tab. Add your list of potential subdomain names under Payload settings [Simple list]. If you are using Burp Suite Professional, you can select from a list of built-in wordlists. The Directories list is suitable in this case.
- Click Start attack. An attack results window opens. Intruder sends a request for each payload in the list, with the payload in place of the placeholder subdomain.
-
Click the column headers to sort the responses. Identify any inconsistent items. For example, the response for
http://staff.portswigger-labs.net
has a different length from the other responses. - Right-click the subdomain you enumerated. Select Request in browser > In original session to copy a URL for the request.
- Open Burp's browser and access the URL. For example,
http://staff.portswigger-labs.net
renders a login form.