loading
loading
Recon
Crawler and second-order subdomain takeover scanner.
overview
second-order crawls a target and inspects the resources each page pulls in, hunting for second-order subdomain takeover. The risk it chases is indirect: a page you trust loads a script, image, or link from a subdomain that no longer resolves to a live service, and an attacker who claims that dangling subdomain controls content inside your trusted page.
Driven by a configuration file, the crawler records the attributes and resources you tell it to collect as it walks the site, then surfaces the external and subdomain references worth checking for takeover. Depth bounds how far it crawls from the seed, custom headers carry context, and a thread count sets concurrency. Its output is a folder of structured results rather than a single verdict.
Reach for second-order when host enumeration alone misses the risk. It finds the dangling references a live page still loads, which a subdomain list built from DNS or certificate data will not reveal on its own. Run it across discovered hosts, then review the dangling references it collects for takeover.
use cases
Crawl a target and collect the subdomain resources its pages load, surfacing references that point at services no longer claimed and open to takeover.
Use the -config file to specify which HTML attributes and resources to record, whether to log non-200 references, and which URLs to skip, so the crawl captures exactly what you want to review.
Set -depth to control how far second-order walks from the seed, keeping a scan focused on the immediate surface or reaching deeper into linked pages.
Pass -header to carry a session cookie or token so pages behind a login are crawled and the resources they load are inspected for dangling references.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -target | Target URL to crawl. |
| config | FILE | -config | Configuration file controlling which attributes and resources to collect. |
| depth | STRING | -depth | How far to crawl from the seed URL. Default: 1. |
| header | STRING | -header | Header as 'Name: Value', usable more than once for session context. |
| threads | STRING | -threads | Number of concurrent crawl threads. Default: 10. |
| insecure | BOOLEAN | -insecure | Accept untrusted SSL/TLS certificates while crawling. |
Showing key inputs. second-order exposes 6 inputs in total.
example
# crawl a target two levels deep, collecting the configured resourcessecond-order -target https://example.com -config config.json -depth 2 -threads 20# output/ folder: one JSON file per configured attributeoutput/script-src.json (loaded <script src> values)output/a-href.json (page <a href> links)# script-src.json excerpt: pages mapped to the scripts they load{ "https://example.com/": [ "https://cdn.example.com/app.js", "https://assets.staging.example.com/widget.js" ]}guidance
Use second-order when you specifically want to find subdomain takeover through resources a trusted page loads, not just enumerate hosts. For direct takeover checks against a subdomain list, subjack and nuclei takeover templates are a faster fit.
Checks a subdomain list against known takeover fingerprints directly.
Runs takeover-detection templates across a host list as part of broader scanning.
General-purpose crawler when you want endpoints rather than takeover candidates.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target URL feeds second-order, which crawls the site and records loaded subdomain references, writing takeover candidates as a queryable output.
Facts on this page come from the live Trickest tool library.