The latest articles on DEV Community by EdgeIQ Labs (@snipercat). https://dev.to/snipercat https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3920454%2Faf4eca6e-c8b6-4d2f-a110-95582b95b53a.jpg https://dev.to/snipercat en EdgeIQ Labs Fri, 08 May 2026 16:54:44 +0000 https://dev.to/snipercat/the-subdomain-vulnerabilities-most-developers-dont-know-exist-23m2 https://dev.to/snipercat/the-subdomain-vulnerabilities-most-developers-dont-know-exist-23m2 <p>The Subdomain That Brought Down an Enterprise<br> A misconfigured subdomain isn't just a recon finding — it's an open door.<br> In 2023, a security researcher found that a major company's marketing site had an abandoned subdomain pointing to an internal BambooHR instance. No firewall. No auth. Just sitting there with a valid SSL cert and a login page.</p> <p>They documented it. The company patched it. It made headlines.</p> <p>But here's the uncomfortable truth: this isn't rare. It's actually extremely common — and most organizations have no idea they're running dozens of ghost subdomains that aren't even being monitored.</p> <p>Why Subdomains Become a Risk<br> Subdomains get orphaned all the time:<br> A campaign site that ran for a month and got forgotten<br> A staging environment that was never properly decommissioned<br> A vendor integration that got cut but left DNS dangling<br> A wildcard subdomain that resolved to a deleted cloud resource</p> <h2> The parent company forgot about them. Attackers didn't. </h2> <p>What an Attacker Does With a Forgotten Subdomain<br> Points it at a staging server with known creds or a vulnerable version of software<br> Uses it to bypass CSP and iframe restrictions on the main domain<br> Obtains a valid SSL certificate via Let's Encrypt (because the DNS is still pointed at their server) — now you have a "trusted" HTTPS endpoint for phishing<br> Scans it for exposed .git directories, backup files, config files<br> Escalates to the parent domain via shared cookies, storage, or JWT secrets</p> <p>How to Find Your Own Ghost Subdomains<br> Here's a quick recon method anyone can run:</p> <h1> Install subfinder (or use your favorite enum tool) </h1> <p>go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest</p> <h1> Passive enumeration </h1> <p>subfinder -d targetcompany.com -silent</p> <h1> Resolve and filter for live hosts </h1> <p>cat domains.txt | httpx -silent -threads 50 | tee live-domains.txt</p> <p>Look for anything that:<br> Returns a default nginx/apache page<br> Has a valid cert but no content (certificate doesn't match the target)<br> Points to cloud storage buckets you forgot about</p> <h2> Has debug/error endpoints exposed </h2> <p>The Free Tool I Built to Solve This<br> I got tired of running the same recon manually for every client, so I built Subdomain Hunter — part of the EdgeIQ Labs security suite. It runs passive DNS enumeration, zone transfer checks, and takeover detection automatically.</p> <p>Free tier covers basic enumeration. No credit card required.</p> <p>👉 edgeiqlabs.com</p> <p>The Bottom Line<br> If you're a developer, CTO, or IT lead: go audit your subdomains right now. Not next week. Now.</p> <p>If you're an MSP or security consultant: add subdomain enumeration to your standard external assessment. Your clients will thank you when you catch the one pointing at their old Jira instance.<br> EdgeIQ Labs<br> EdgeIQ Labs — Cybersecurity Monitoring for Small Business<br> Find security gaps in your website in 60 seconds — free. Subscription monitoring, SSL/domain alerts, and monthly action-focused reports.<br> EdgeIQ Labs — Cybersecurity for Small Business<br> Subdomain blindspots are low-hanging fruit for attackers — and an easy win for defenders who know to look.</p> security cybersecurity devops webdev