
How I Found Exposed Subdomains Using an OSINT Agent
During a reconnaissance session with my OSINT Agent, I discovered several subdomains of a company that were publicly accessible without authentication and exposed sensitive internal information. Here's how it happened.
The Starting Point
I ran automated subdomain enumeration against a target as part of a broader attack surface mapping exercise.
The process was straightforward: the agent queried multiple passive sources — certificate transparency logs, DNS records, public datasets — and compiled a list of subdomains associated with the target domain.
What I Found
Among the results, several subdomains stood out immediately. They were:
- Publicly accessible with no authentication required
- Serving internal tooling and administrative interfaces
- Exposing sensitive information including internal configuration data
This is a common misconfiguration pattern. Development or staging environments get spun up, forgotten, and left exposed. No firewall rule. No auth layer. Just open to anyone who knows where to look.
Why This Matters
Subdomain enumeration is one of the first steps in any external attack surface assessment. Attackers do this routinely — the difference is whether you find it first.
Exposed internal interfaces without authentication fall under Broken Access Control (OWASP A01:2021), one of the most consistently exploited vulnerability categories across web applications.
The risk is not theoretical. An attacker with access to internal tooling can:
- Map internal infrastructure
- Enumerate users, services, and configurations
- Use the access as a pivot point for further compromise
Responsible Disclosure
Once I identified the exposed subdomains, I reported the findings directly to the company's security team with:
- The affected subdomains
- Evidence of unauthenticated access
- A clear description of the risk and potential impact
The company patched the vulnerabilities within days.
No drama. No exploitation. Just a clear report and a fast fix.
What You Can Do
If you manage a web application or infrastructure, run subdomain enumeration against your own assets regularly. You will likely find things you didn't know were public.
Tools like subfinder and amass can do this, or you can automate the process entirely.
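As an added example (not code from the OSINT Agent described in this post), here is one way to automate the own-asset check: compare names seen in certificate transparency data against an inventory of hosts you expect to be public. The sample records are constructed and shaped like the JSON that CT search services such as crt.sh return; the `example.com` names, the inventory and the label list are assumptions.

```python
import json

# Constructed sample shaped like a certificate transparency JSON export
# (one record per certificate, SAN names newline-separated in "name_value").
CT_EXPORT = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.staging.example.com\nStaging.Example.com."},
    {"name_value": "admin-dev.example.com\ncdn.partner.example.net"},
    {"name_value": "api.example.com\nshop.notexample.com\nshop.example.com"},
    {"name_value": "grafana.internal.example.com"},
])

# Hypothetical inventory of hosts the team knows are meant to be public.
KNOWN_PUBLIC = {"example.com", "www.example.com", "api.example.com"}

# Assumed labels that often mark forgotten non-production or internal hosts.
REVIEW_LABELS = ("dev", "staging", "test", "admin", "internal")

def normalize(name):
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name, apex):
    """True only for the apex or a real subdomain, not a look-alike suffix."""
    return name == apex or name.endswith("." + apex)

def discovered_names(ct_json, apex):
    """Unique in-scope names from every certificate record."""
    names = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").splitlines():
            name = normalize(raw)
            if name and in_scope(name, apex):
                names.add(name)
    return names

def unknown_hosts(ct_json, apex, known):
    """Names seen in CT but missing from the inventory, risky labels first."""
    def risky(name):
        parts = name.replace("-", ".").split(".")
        return any(label in parts for label in REVIEW_LABELS)
    unknown = discovered_names(ct_json, apex) - {normalize(k) for k in known}
    return sorted(((n, risky(n)) for n in unknown), key=lambda x: (not x[1], x[0]))

if __name__ == "__main__":
    for host, flagged in unknown_hosts(CT_EXPORT, "example.com", KNOWN_PUBLIC):
        print(("REVIEW " if flagged else "unknown ") + host)
```

Every host it reports is a name that has appeared in a public certificate but is not in your inventory, so each one needs an owner and a decision about whether it should be reachable at all.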
Not sure what your attack surface looks like? I offer external attack surface assessments that cover exactly this — subdomain enumeration, exposed services, misconfigured interfaces, and unauthenticated access points.
If you want a structured way to test your own application, download the free Web Application Security Checklist.