I love the tools that I can rely on and that make my hacking easier. I think there is a reason why legends like Naffy keep using nmap for everything. It’s the same reason why I use “dig” instead of some fancy tool: because it’s reliable. Want to see for yourself? Go ahead and try the tools that do the same job and measure the number of results they return. I keep using Soroush Dalili’s IIS shortname scanner even though it’s a 13-year-old tool that got its latest update 2 years ago.
What about when it comes to tech detection? My friends work on TraceWeb. It has multiple use cases under its belt. First of all, it returns the detected tech of a website. But that’s just the tip of the iceberg. It collects URLs from multiple sources, including the paths that other hackers who use it have discovered on a site, and keeps monitoring it for tech detection.
When I test for CORS on a website I take a very comprehensive approach. That approach has earned me some great bounties before.
4. Send each of the domains you have collected as the Origin of API requests to see if any of them are allowed.
5. If any are allowed, check whether their subdomains are allowed as well.
6. Use tools such as recollapse to check for regex mistakes in the origin validation.
7. Look for XSS on hosts that are allowed in CORS and then use it to chain vulnerabilities.
When testing for CORS, do not forget to check how the browser cache behaves on apps that allow a wildcard origin.
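The checklist above, as an added example that is not part of the original post: a small Python harness that runs candidate origins through a server's CORS decision and labels each one (exact match, subdomain allowed, wildcard, or reflected untrusted origin from a regex mistake). The server-side validation here is a hypothetical, deliberately flawed function constructed for the demo; swap in real responses when probing a target.

```python
import re
from urllib.parse import urlsplit

# Hypothetical origin check of a target, constructed for this example. It has
# the two classic bugs the checklist hunts for: the regex is not anchored at
# the end, and the optional "(.*\.)?" accepts any subdomain of the trusted host.
def flawed_server_headers(origin: str) -> dict:
    if re.match(r"https://(.*\.)?example\.com", origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def classify(sent_origin: str, headers: dict, trusted_host: str) -> tuple:
    """Label one CORS decision as (verdict, credentials_allowed)."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return ("not-allowed", creds)
    if acao == "*":
        return ("wildcard", creds)           # the cache note above applies here
    if acao != sent_origin:
        return ("fixed-origin", creds)       # server names some other origin
    host = urlsplit(sent_origin).hostname or ""
    if host == trusted_host:
        return ("allowed-exact", creds)
    if host.endswith("." + trusted_host):
        return ("allowed-subdomain", creds)  # step 5
    return ("reflected-untrusted", creds)    # steps 4/6: validation bypassed

def probe(origins, trusted_host, server=flawed_server_headers) -> dict:
    """Run every candidate origin through the server's CORS logic (steps 4-6)."""
    return {o: classify(o, server(o), trusted_host) for o in origins}

# Constructed probe set: the trusted host, one of its subdomains, a host that
# merely starts with the trusted name (regex mistake), and an unrelated host.
PROBES = [
    "https://example.com",
    "https://api.example.com",
    "https://example.com.evil.test",
    "https://evil.test",
]

if __name__ == "__main__":
    for origin, (verdict, creds) in probe(PROBES, "example.com").items():
        print(f"{origin:32} {verdict:20} credentials={creds}")
```

A "reflected-untrusted" verdict with credentials allowed is the finding worth reporting; the fix on the server side is an anchored, allow-listed origin comparison.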
How do you use tech detection to your advantage? The best use case is fuzzing: you can focus on extensions or naming schemes tied to the detected tech.
What about monitoring targets? Well, it takes some time to build that. Thankfully the TraceWeb team keeps monitoring the websites you visit for technology changes. I’m told this feature will be available soon. When it is, following updates in the tech stacks across a large wildcard scope may reveal a couple of things.
Another upcoming feature is CVE matching against the detected tech. This way you have quick access to vulnerabilities that might exist on the target. It’s pretty useful when doing a flyover of targets before getting into details. When it comes to CVEs, there used to be a great repo for keeping POCs called cvebase, which is discontinued. I think we need another project like that. It makes hacking much better. I guess I’ll create an AI agent for the job.
TraceWeb also puts you on the waitlist for premium features that are free for a year. In particular, the Shodan-like features that let you filter crawled assets by multiple parameters might be useful for things such as quick exploitation of unpatched CVEs.
Give it a try; any feedback is appreciated by the team. Here it is: https://chromewebstore.google.com/detail/nhdangmilkmahpnhmongdcechinodpob