GitHub: daniyalnasir-root/scopesift
scopesift is a validator that checks which assets actually belong to a program by fingerprinting them over DNS, TLS and HTTP.
Stars: 0 | Forks: 0
# scopesift
**Scope Ownership Validator for Bug Bounty & Pentest Engagements**
*"which of these assets actually belong to the program?"*
## Overview
Bug bounty programs and pentest scopes often list dozens of domains. Some are solid in-scope assets the company owns outright. Some are third-party SaaS (Heroku apps, Netlify sites, Zendesk help centers) that were handed a subdomain and then forgotten about. Some are flat-out misconfigured. The last two categories are where the money lives: subdomain takeovers, leaked assets, forgotten staging, off-by-one scope mistakes.
`scopesift` eats a scope file, probes each asset over DNS + TLS + HTTP, and scores how strongly the evidence ties back to a program identity you supply. It ranks SUSPICIOUS first so you see the interesting ones before the obvious HIGHs.
Built for hunters who get handed a scope list and want a one-minute sanity check before diving in.
## Features
- DNS + CNAME, TLS cert (SANs / issuer / subject org), and HTTP HEAD fingerprinting in one pass
- Keyword matching across every evidence source, scored per asset
- Four-tier confidence: HIGH, MEDIUM, LOW, SUSPICIOUS (assets whose DNS lookup fails are reported separately as UNRESOLVED)
- Third-party host fingerprint library (Heroku, Netlify, Vercel, GitHub Pages, Azure, S3, Fastly, and more)
- Parallel probing with optional JSON export
## Installation
```
git clone https://github.com/daniyalnasir-root/scopesift.git
cd scopesift
go build -o scopesift .
```
Or install straight into `$GOPATH/bin`:
```
go install github.com/daniyalnasir-root/scopesift@latest
```
Requires Go 1.21 or newer.
## Usage
Basic scan against a scope file with a program keyword:
```
./scopesift -i scope.txt -p 'hackerone,hackerone inc'
```
With JSON export:
```
./scopesift -i scope.txt -p 'gitlab' -o results.json
```
Tune concurrency and timeout for a large list:
```
./scopesift -i big-scope.txt -p 'shopify' -c 50 -t 15s
```
Pipe-friendly (no color) for CI or further processing:
```
./scopesift -i scope.txt -p 'acme' --no-color | grep SUSPICIOUS
```
The scope file is plain text, one asset per line. Blank lines and `#` comments are ignored. URLs get their scheme stripped automatically.
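A reader for that scope format, as an added Go example (not scopesift's own code). Skipping blank and `#` lines and stripping the URL scheme follow the README; dropping any path, query, userinfo and port, lower-casing, de-duplicating and tolerating trailing `# note` comments are this example's own choices, and the sample scope is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// SampleScope is constructed input in the README's format: one asset per line,
// blank lines and '#' comments ignored, URL schemes allowed and stripped.
const SampleScope = `# acme bug bounty scope (constructed sample)
https://www.acme-corp.example/login
ACME-CORP.example
api.acme-corp.example:8443   # legacy port
http://user:pw@staging.acme-corp.example/
192.0.2.10
[2001:db8::1]:443

www.acme-corp.example
`

// ParseScope reads one asset per line, skips blank lines and comments, and returns
// normalised, de-duplicated assets in file order. Trailing "# note" comments and
// de-duplication are this example's additions, not documented README behaviour.
func ParseScope(r io.Reader) ([]string, error) {
	seen := make(map[string]bool)
	var assets []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // drops full-line comments, trailing comments and URL fragments
		}
		asset := Normalize(line)
		if asset == "" || seen[asset] {
			continue
		}
		seen[asset] = true
		assets = append(assets, asset)
	}
	return assets, sc.Err()
}

// Normalize reduces a scope entry to a bare host or IP. The README only promises
// scheme stripping; removing path, query, userinfo and port, lower-casing and the
// IPv6-bracket handling are this example's choices.
func Normalize(entry string) string {
	s := strings.ToLower(strings.TrimSpace(entry))
	if i := strings.Index(s, "://"); i >= 0 {
		s = s[i+3:]
	}
	if i := strings.IndexAny(s, "/?"); i >= 0 {
		s = s[:i]
	}
	if i := strings.LastIndex(s, "@"); i >= 0 {
		s = s[i+1:]
	}
	if strings.HasPrefix(s, "[") { // bracketed IPv6 literal, possibly with :port
		if end := strings.Index(s, "]"); end >= 0 {
			s = s[1:end]
		}
	} else if strings.Count(s, ":") == 1 { // host:port, but never a bare IPv6 address
		s = s[:strings.Index(s, ":")]
	}
	return strings.TrimSuffix(s, ".")
}

func main() {
	assets, err := ParseScope(strings.NewReader(SampleScope))
	if err != nil {
		panic(err)
	}
	for _, a := range assets {
		fmt.Println(a)
	}
}
```

Entries that survive as bare IPs are exactly the ones the probe pipeline later treats as "skip DNS"; a bare IPv6 address is left intact because only a single colon is read as a port separator.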
## Command-line options
```
Required:
-i scope file, one asset per line
-p program keyword(s) to match against cert/DNS/HTTP evidence
Optional:
-o write full JSON output to file
-c concurrent workers (default 20)
-t per-probe timeout (default 10s)
-v verbose stderr logging
--no-color disable color (also honours NO_COLOR env)
-h show help
```
## Confidence scoring
Each keyword contributes up to 3 points per asset, weighted by the evidence source it matches in:
| evidence type | points | example |
|-----------------|--------|---------|
| cert SAN match | +3 | SAN `hackerone.com` matches keyword `hackerone` |
| cert subj org | +3 | cert subject org "HackerOne Inc." matches `hackerone inc` |
| CNAME match | +2 | CNAME resolves into program-owned domain |
| HTTP Server | +1 | `Server` header contains keyword |
| Redirect target | +1 | `Location` header contains keyword |
Tiers:
- **HIGH**: score ≥ 3. Strong ownership evidence.
- **MEDIUM**: score 1–2. Some signal but not conclusive.
- **LOW**: score 0, no third-party fingerprint matched.
- **SUSPICIOUS**: score 0, but the asset resolves into a known third-party host (Heroku, Netlify, Vercel, etc.). These are the ones worth looking at.
- **UNRESOLVED**: DNS failed.
Results sort SUSPICIOUS → HIGH → MEDIUM → LOW → UNRESOLVED so the interesting items float to the top.
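The point table, tier rules and sort order above, worked through as an added Go example that is not scopesift's own code. The `Evidence` and `Result` types, field names and evidence labels are assumptions; the per-keyword cap of 3 points follows the "up to 3 points" sentence above, the tie-break by score inside a tier is this example's choice, and the sample evidence is constructed rather than probed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Evidence is what the DNS, TLS and HTTP probes yield for one asset. The field
// names are this example's own; scopesift's internal types are not in the README.
type Evidence struct {
	Asset      string
	Resolved   bool     // DNS answered (or the asset is a literal IP)
	CNAME      string   // CNAME target, if any
	CertSANs   []string // leaf certificate SAN list
	CertOrg    string   // leaf certificate subject organisation
	Server     string   // HTTP Server header
	Location   string   // HTTP Location header
	ThirdParty string   // matched third-party host fingerprint ("Netlify"), "" if none
}

// Result is one scored row of the output table.
type Result struct {
	Asset, Confidence string
	Score             int
	Evidence          []string
}

// tierRank is the README's display order: SUSPICIOUS first, UNRESOLVED last.
var tierRank = map[string]int{"SUSPICIOUS": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNRESOLVED": 4}

func matches(field, kw string) bool {
	return field != "" && strings.Contains(strings.ToLower(field), strings.ToLower(kw))
}

// Score applies the point table to one asset; each keyword's total is capped at 3.
func Score(ev Evidence, keywords []string) Result {
	r := Result{Asset: ev.Asset}
	if !ev.Resolved {
		r.Confidence = "UNRESOLVED"
		return r
	}
	for _, kw := range keywords {
		kw = strings.TrimSpace(kw)
		if kw == "" {
			continue
		}
		pts := 0
		add := func(p int, label, field string) {
			if matches(field, kw) {
				pts += p
				r.Evidence = append(r.Evidence, label+":"+field)
			}
		}
		for _, san := range ev.CertSANs {
			if matches(san, kw) {
				add(3, "cert-san", san)
				break // one SAN hit per keyword is enough
			}
		}
		add(3, "cert-org", ev.CertOrg)
		add(2, "cname", ev.CNAME)
		add(1, "server", ev.Server)
		add(1, "location", ev.Location)
		if pts > 3 {
			pts = 3 // README: each keyword contributes up to 3 points per asset
		}
		r.Score += pts
	}
	switch {
	case r.Score >= 3:
		r.Confidence = "HIGH"
	case r.Score >= 1:
		r.Confidence = "MEDIUM"
	case ev.ThirdParty != "": // no ownership signal, but hosted on someone else's platform
		r.Confidence = "SUSPICIOUS"
		r.Evidence = append(r.Evidence, "third-party:"+ev.ThirdParty)
	default:
		r.Confidence = "LOW"
	}
	return r
}

// Rank sorts in place so SUSPICIOUS floats to the top; higher score first within a tier.
func Rank(rows []Result) {
	sort.SliceStable(rows, func(i, j int) bool {
		if tierRank[rows[i].Confidence] != tierRank[rows[j].Confidence] {
			return tierRank[rows[i].Confidence] < tierRank[rows[j].Confidence]
		}
		return rows[i].Score > rows[j].Score
	})
}

// ScoreAll scores every asset against the program keywords and returns the ranked table.
func ScoreAll(evs []Evidence, keywords []string) []Result {
	rows := make([]Result, 0, len(evs))
	for _, ev := range evs {
		rows = append(rows, Score(ev, keywords))
	}
	Rank(rows)
	return rows
}

// SampleEvidence and SampleKeywords are constructed data standing in for probe output.
var SampleKeywords = []string{"acme corp", "acme-corp"}
var SampleEvidence = []Evidence{
	{Asset: "example.org", Resolved: true, CertSANs: []string{"example.org"}, Server: "nginx"},
	{Asset: "gone.acme-corp.example"},
	{Asset: "acme-corp.example", Resolved: true, CertSANs: []string{"acme-corp.example", "www.acme-corp.example"}, CertOrg: "Acme Corp", Server: "cloudflare"},
	{Asset: "edge.acme-corp.example", Resolved: true, Server: "acme-corp-edge/2.1"},
	{Asset: "status.acme-corp.example", Resolved: true, CNAME: "acme-status.netlify.app", ThirdParty: "Netlify"},
	{Asset: "help.acme-corp.example", Resolved: true, CNAME: "acme-corp.zendesk.com", ThirdParty: "Zendesk"},
}

func main() {
	for _, r := range ScoreAll(SampleEvidence, SampleKeywords) {
		fmt.Printf("%-26s %-11s %d  %s\n", r.Asset, r.Confidence, r.Score, strings.Join(r.Evidence, " "))
	}
}
```

Note the two Zendesk/Netlify rows: a CNAME into a third-party platform that carries the program name (`acme-corp.zendesk.com`) scores MEDIUM, while one that does not (`acme-status.netlify.app`) drops to SUSPICIOUS. Only the latter is the takeover candidate the tool wants on top; the former still deserves a manual look, which is why the tiers are a triage order rather than a verdict.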
## Example output
```
# ./scopesift -i examples/scope-mixed.txt -p 'hackerone' -o examples/mixed-results.json
ASSET                CONFIDENCE   SCORE  FINGERPRINT                    EVIDENCE
-------------------- ------------ ------ ------------------------------ --------------------
netlify.app          SUSPICIOUS   0      Netlify                        third-party:netlify.app
hackerone.com        HIGH         3      cloudflare                     cert-san:hackerone.com
www.hackerone.com    HIGH         3      cloudflare                     cert-san:hackerone.com
google.com           LOW          0      gws
github.com           LOW          0      github.com
example.com          LOW          0      cloudflare
summary: 6 assets | HIGH=2 MEDIUM=0 LOW=3 SUSPICIOUS=1 UNRESOLVED=0
```
Typical run timing on a 50-asset scope with default concurrency:
```
$ time ./scopesift -i scope-50.txt -p 'acme'
...
real 0m6.412s
user 0m0.204s
sys 0m0.088s
```
## How it works
For each asset:
1. If it's an IP, skip DNS. Otherwise resolve A/AAAA and capture any CNAME.
2. Open a TLS connection to `:443` (skipping verification; we inspect, we don't trust) and read the leaf certificate's SAN list, issuer CN/O, and subject CN/O.
3. Send an HTTP HEAD to `https://` first, falling back to `http://` if that fails. Record the `Server` and `Location` headers.
4. Score each evidence source against every keyword and classify.
5. Render a sorted table and optionally dump raw results as JSON.
All probes run in parallel through a worker pool. The default of `20` workers is a conservative setting that most ISPs tolerate; bump `-c` for big lists.
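Steps 2 and 3 of that pipeline, as an added Go example that is not scopesift's own code: one HEAD over TLS with verification disabled, reading the leaf certificate and the two headers from the same connection. It runs against a local `httptest` server with a self-signed certificate minted in memory so it works offline; the `Acme Corp` identity, header values, `Probe` struct and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe holds what the README's TLS and HTTP steps record for one asset (names are ours).
type Probe struct {
	SANs       []string // leaf certificate SAN list
	SubjectCN  string
	SubjectOrg []string
	IssuerCN   string
	IssuerOrg  []string
	Status     int    // HTTP status of the HEAD response
	Server     string // Server header
	Location   string // Location header (redirects are not followed, so it survives)
}

// ProbeHTTPS sends one HEAD with certificate verification disabled (we inspect the
// cert, we do not trust it) and reads the leaf certificate off the same connection.
func ProbeHTTPS(url string, timeout time.Duration) (Probe, error) {
	client := &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // keep the 3xx so Location is observable
		},
	}
	resp, err := client.Head(url)
	if err != nil {
		return Probe{}, err
	}
	defer resp.Body.Close()
	p := Probe{Status: resp.StatusCode, Server: resp.Header.Get("Server"), Location: resp.Header.Get("Location")}
	if resp.TLS != nil && len(resp.TLS.PeerCertificates) > 0 {
		leaf := resp.TLS.PeerCertificates[0]
		p.SANs, p.SubjectCN, p.SubjectOrg = leaf.DNSNames, leaf.Subject.CommonName, leaf.Subject.Organization
		p.IssuerCN, p.IssuerOrg = leaf.Issuer.CommonName, leaf.Issuer.Organization
	}
	return p, nil
}

// selfSignedCert mints a throwaway leaf for the local server (constructed data so the
// example runs offline). A real scan sees whatever certificate the asset serves.
func selfSignedCert(org string, sans []string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0], Organization: []string{org}},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// StartFakeOrigin runs a local TLS server standing in for a program-owned edge: it
// answers HEAD with a Server header and a redirect, the two headers the probe records.
func StartFakeOrigin() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Server", "acme-edge")
		w.Header().Set("Location", "https://www.acme-corp.example/")
		w.WriteHeader(http.StatusMovedPermanently)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{
		selfSignedCert("Acme Corp", []string{"acme-corp.example", "www.acme-corp.example"}),
	}}
	srv.StartTLS()
	return srv
}

func main() {
	srv := StartFakeOrigin()
	defer srv.Close()
	p, err := ProbeHTTPS(srv.URL, 5*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Printf("status=%d server=%q location=%q\n", p.Status, p.Server, p.Location)
	fmt.Printf("sans=%v subject-org=%v issuer-org=%v\n", p.SANs, p.SubjectOrg, p.IssuerOrg)
}
```

Two details matter for the scoring that follows. The redirect is deliberately not followed, otherwise the client would chase `Location` and the scorer would see the final page's headers instead of the hop that names the program. And because verification is off, a self-signed leaf is accepted and its issuer equals its subject, which is why a subject-org match is evidence of a claim, not proof of ownership.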
## Notes
- The tool does not brute-force subdomains, scan ports, or send anything resembling an exploit payload. It's pure fingerprinting over three standard protocols.
- Cert inspection uses `InsecureSkipVerify` so self-signed or expired certs still surface evidence. This is intentional.
- HEAD is used instead of GET to minimise bandwidth and server load. Some servers reject HEAD; those show up with an empty `Server` value. That forfeits at most the two HTTP points (`Server` and `Location`), which can never make an asset HIGH on their own, so cert and CNAME evidence still carries the classification.
- Whois isn't in the default path because registrars rate-limit aggressively and the signal overlaps with cert org. Happy to add it behind a flag if people actually want it.
## Legal disclaimer
This tool is for authorized security testing and educational use only.
Run it only against systems you own or have explicit written permission to test.
The author accepts no liability for misuse. Unauthorized scanning may violate
local, state, or federal law.
## License
MIT, see [LICENSE](LICENSE).