loading
loading
Recon
Discover new target domains using Content Security Policy.
overview
csprecon reads a source most recon tools skip: the Content Security Policy header. A CSP lists every origin a page may load scripts, frames, fonts, and other resources from, so it often names internal apps, CDNs, third-party services, and sibling properties an organization runs. csprecon fetches that header, parses the directives, and turns one URL into a fresh set of related domains.
It runs over a single domain with -url, a file of domains with -list, or a network block when you set -cidr. The -domain filter keeps only results that fall inside the scopes you care about, -json emits structured records for the rest of a pipeline, and -rate-limit with -concurrency control how hard a wide run hits the network.
On Trickest, csprecon is a Recon node that takes a domain or a list and writes a file and a folder of discovered domains. Run it beside subdomain enumeration to widen scope, then pass the new domains to a prober like httpx to see which ones are live.
use cases
Parse the Content Security Policy of known assets to surface related domains, CDNs, and third-party services that subdomain enumeration alone would miss.
Apply a domain filter so the discovered set keeps only the properties that belong to the organization you are assessing.
Treat the input as CIDR to pull CSP-referenced domains across a network block in one run.
Emit JSON so the new domains merge cleanly into the rest of the attack-surface workflow for probing and scanning.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -url | Target domain whose CSP header csprecon reads. |
| list | FILE | -list | File of domains to read CSPs from in bulk. |
| domain | STRING | -domain | Keep only results inside these comma-separated domains. |
| json | BOOLEAN | -json | Emit results as structured JSON. |
| cidr | BOOLEAN | -cidr | Treat the input as a CIDR range and sweep it. |
| silent | BOOLEAN | -silent | Print only results, with no banner. |
| rate-limit | STRING | -rate-limit | Cap requests sent per second. |
| concurrency | STRING | -concurrency | Parallel workers to run (default 50). |
Showing key inputs. csprecon exposes 11 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -url | Input domain |
| cidr | BOOLEAN | -cidr | Interpret input as CIDR |
| json | BOOLEAN | -json | JSON output |
| list | FILE | -list | File containing input domains |
| proxy | STRING | -proxy | Set a proxy server (URL) |
| domain | STRING | -domain | Filter results belonging to these domains (comma separated) |
| silent | BOOLEAN | -silent | Silent output. Print only results |
| timeout | STRING | -timeout | Connection timeout in seconds (default 10) |
| verbose | BOOLEAN | -verbose | Verbose output |
| rate-limit | STRING | -rate-limit | Set a rate limit (per second) |
| concurrency | STRING | -concurrency | Concurrency level (default 50) |
example
# fetch a target's CSP and list the domains it referencescsprecon -url example.com -silentcdn.example.comstatic.example.comassets.example.netapi.example.commedia.example.orgfonts.example.netuploads.example.comtracking.example.orgguidance
Use csprecon to widen an organization's domain footprint from CSP headers, a source passive subdomain tools do not cover. Run it next to subfinder rather than instead of it, then probe the combined set with httpx to find what is live.
Passive subdomain discovery from many sources. csprecon adds CSP-derived domains it does not see.
Finds related domains via shared analytics IDs. A different pivot toward the same goal.
Deep OSINT mapping of an organization's footprint. Broader, slower than a focused CSP pass.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds csprecon, which parses its CSP header for related domains and passes them to httpx so only live ones land as output.
Facts on this page come from the live Trickest tool library.