feat: add securitytrails integration for domain discovery + target expansion

Author: vmfunc

README.md

@@ -115,6 +115,10 @@ makepkg -si
 # shodan host intelligence (requires SHODAN_API_KEY env var)
 ./sif -u https://example.com -shodan
 
+# securitytrails domain discovery (requires SECURITYTRAILS_API_KEY env var)
+# discovers subdomains + associated domains, then scans all of them
+./sif -u https://example.com -securitytrails -headers
+
 # sql recon + lfi scanning
 ./sif -u https://example.com -sql -lfi
 
@@ -148,6 +152,7 @@ sif has a modular architecture. modules are defined in yaml and can be extended
 | `-whois` | whois lookups |
 | `-git` | exposed git repository detection |
 | `-shodan` | shodan lookup (requires SHODAN_API_KEY) |
+| `-securitytrails` | domain discovery + target expansion (requires SECURITYTRAILS_API_KEY) |
 | `-sql` | sql recon |
 | `-lfi` | local file inclusion |
 | `-framework` | framework detection with cve lookup |

internal/config/config.go

@@ -42,6 +42,7 @@ type Settings struct {
 	CloudStorage      bool
 	SubdomainTakeover bool
 	Shodan            bool
+	SecurityTrails    bool
 	SQL               bool
 	LFI               bool
 	Framework         bool
@@ -92,6 +93,7 @@ func Parse() *Settings {
 		flagSet.BoolVar(&settings.CloudStorage, "c3", false, "Enable C3 Misconfiguration Scan"),
 		flagSet.BoolVar(&settings.SubdomainTakeover, "st", false, "Enable Subdomain Takeover Check"),
 		flagSet.BoolVar(&settings.Shodan, "shodan", false, "Enable Shodan lookup (requires SHODAN_API_KEY env var)"),
+		flagSet.BoolVar(&settings.SecurityTrails, "securitytrails", false, "Enable SecurityTrails domain discovery (requires SECURITYTRAILS_API_KEY env var)"),
 		flagSet.BoolVar(&settings.SQL, "sql", false, "Enable SQL reconnaissance (admin panels, error disclosure)"),
 		flagSet.BoolVar(&settings.LFI, "lfi", false, "Enable LFI (Local File Inclusion) reconnaissance"),
 		flagSet.BoolVar(&settings.Framework, "framework", false, "Enable framework detection"),

internal/scan/builtin/register.go

@@ -21,4 +21,5 @@ func Register() {
 	modules.Register(&FrameworksModule{})
 	modules.Register(&NucleiModule{})
 	modules.Register(&WhoisModule{})
+	modules.Register(&SecurityTrailsModule{})
 }

internal/scan/builtin/securitytrails_module.go

@@ -0,0 +1,79 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2025 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package builtin
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+	"github.com/dropalldatabases/sif/internal/scan"
+)
+
+type SecurityTrailsModule struct{}
+
+func (m *SecurityTrailsModule) Info() modules.Info {
+	return modules.Info{
+		ID:          "securitytrails-lookup",
+		Name:        "SecurityTrails Domain Discovery",
+		Author:      "sif",
+		Severity:    "info",
+		Description: "Queries SecurityTrails API for subdomains and associated domains (requires SECURITYTRAILS_API_KEY)",
+		Tags:        []string{"recon", "osint", "dns", "subdomains"},
+	}
+}
+
+func (m *SecurityTrailsModule) Type() modules.ModuleType {
+	return modules.TypeScript
+}
+
+func (m *SecurityTrailsModule) Execute(ctx context.Context, target string, opts modules.Options) (*modules.Result, error) {
+	stResult, err := scan.SecurityTrails(target, opts.Timeout, opts.LogDir)
+	if err != nil {
+		return nil, err
+	}
+
+	result := &modules.Result{
+		ModuleID: m.Info().ID,
+		Target:   target,
+		Findings: []modules.Finding{},
+	}
+
+	if stResult == nil {
+		return result, nil
+	}
+
+	finding := modules.Finding{
+		URL:      target,
+		Severity: "info",
+		Evidence: fmt.Sprintf("discovered %d subdomains and %d associated domains",
+			len(stResult.Subdomains), len(stResult.AssociatedDomains)),
+		Extracted: map[string]string{
+			"domain":           stResult.Domain,
+			"subdomain_count":  fmt.Sprintf("%d", len(stResult.Subdomains)),
+			"associated_count": fmt.Sprintf("%d", len(stResult.AssociatedDomains)),
+		},
+	}
+
+	if len(stResult.Subdomains) > 0 {
+		finding.Extracted["subdomains"] = strings.Join(stResult.Subdomains, ", ")
+	}
+
+	if len(stResult.AssociatedDomains) > 0 {
+		finding.Extracted["associated_domains"] = strings.Join(stResult.AssociatedDomains, ", ")
+	}
+
+	result.Findings = append(result.Findings, finding)
+	return result, nil
+}

internal/scan/result.go

@@ -31,10 +31,11 @@ type ScanResult interface {
 
 // ResultType implementations for pointer result types.
 
-func (r *ShodanResult) ResultType() string { return "shodan" }
-func (r *SQLResult) ResultType() string    { return "sql" }
-func (r *LFIResult) ResultType() string    { return "lfi" }
-func (r *CMSResult) ResultType() string    { return "cms" }
+func (r *ShodanResult) ResultType() string         { return "shodan" }
+func (r *SQLResult) ResultType() string            { return "sql" }
+func (r *LFIResult) ResultType() string            { return "lfi" }
+func (r *CMSResult) ResultType() string            { return "cms" }
+func (r *SecurityTrailsResult) ResultType() string { return "securitytrails" }
 
 // ResultType implementations for slice result types.
 
@@ -50,6 +51,7 @@ var (
 	_ ScanResult = (*SQLResult)(nil)
 	_ ScanResult = (*LFIResult)(nil)
 	_ ScanResult = (*CMSResult)(nil)
+	_ ScanResult = (*SecurityTrailsResult)(nil)
 	_ ScanResult = HeaderResults(nil)
 	_ ScanResult = DirectoryResults(nil)
 	_ ScanResult = CloudStorageResults(nil)

internal/scan/securitytrails.go

@@ -0,0 +1,253 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2025 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package scan
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/logger"
+	"github.com/dropalldatabases/sif/internal/output"
+)
+
+const securityTrailsBaseURL = "https://api.securitytrails.com/v1"
+
+// SecurityTrailsResult holds discovered domains from SecurityTrails API
+type SecurityTrailsResult struct {
+	Domain            string   `json:"domain"`
+	Subdomains        []string `json:"subdomains,omitempty"`
+	AssociatedDomains []string `json:"associated_domains,omitempty"`
+}
+
+// stSubdomainsResponse is the raw response from the subdomains endpoint -
+// returns prefix labels, not FQDNs
+type stSubdomainsResponse struct {
+	Subdomains []string `json:"subdomains"`
+}
+
+type stAssociatedResponse struct {
+	Records []stAssociatedRecord `json:"records"`
+}
+
+type stAssociatedRecord struct {
+	Hostname string `json:"hostname"`
+}
+
+// SecurityTrails queries the SecurityTrails API for subdomains and associated domains.
+// API key should be provided via the SECURITYTRAILS_API_KEY environment variable.
+func SecurityTrails(targetURL string, timeout time.Duration, logdir string) (*SecurityTrailsResult, error) {
+	output.ScanStart("SecurityTrails lookup")
+
+	spin := output.NewSpinner("querying SecurityTrails API")
+	spin.Start()
+
+	apiKey := os.Getenv("SECURITYTRAILS_API_KEY")
+	if apiKey == "" {
+		spin.Stop()
+		output.Warn("SECURITYTRAILS_API_KEY environment variable not set, skipping SecurityTrails lookup")
+		return nil, fmt.Errorf("SECURITYTRAILS_API_KEY environment variable not set")
+	}
+
+	parsedURL, err := url.Parse(targetURL)
+	if err != nil {
+		spin.Stop()
+		return nil, fmt.Errorf("failed to parse URL: %w", err)
+	}
+	hostname := parsedURL.Hostname()
+
+	client := &http.Client{Timeout: timeout}
+
+	result := &SecurityTrailsResult{
+		Domain: hostname,
+	}
+
+	// fetch subdomains
+	spin.Update("fetching subdomains for " + hostname)
+	subs, err := querySTSubdomains(client, hostname, apiKey)
+	if err != nil {
+		// non-fatal - still try associated domains
+		output.Warn("SecurityTrails subdomains failed: %v", err)
+	} else {
+		result.Subdomains = subs
+	}
+
+	// fetch associated domains
+	spin.Update("fetching associated domains for " + hostname)
+	assoc, err := querySTAssociated(client, hostname, apiKey)
+	if err != nil {
+		output.Warn("SecurityTrails associated domains failed: %v", err)
+	} else {
+		result.AssociatedDomains = assoc
+	}
+
+	spin.Stop()
+
+	if logdir != "" {
+		sanitizedURL := strings.Split(targetURL, "://")[1]
+		if err := logger.WriteHeader(sanitizedURL, logdir, "SecurityTrails lookup"); err != nil {
+			output.Error("error writing log header: %v", err)
+		}
+		logSecurityTrailsResults(sanitizedURL, logdir, result)
+	}
+
+	printSecurityTrailsResults(result)
+
+	total := len(result.Subdomains) + len(result.AssociatedDomains)
+	output.ScanComplete("SecurityTrails lookup", total, "domains discovered")
+
+	return result, nil
+}
+
+// DiscoveredURLs returns all discovered domains as https:// URLs.
+// used by the orchestration layer for target expansion.
+func (r *SecurityTrailsResult) DiscoveredURLs() []string {
+	seen := make(map[string]struct{})
+	var urls []string
+
+	for _, sub := range r.Subdomains {
+		fqdn := sub + "." + r.Domain
+		if _, ok := seen[fqdn]; !ok {
+			seen[fqdn] = struct{}{}
+			urls = append(urls, "https://"+fqdn)
+		}
+	}
+
+	for _, assoc := range r.AssociatedDomains {
+		if _, ok := seen[assoc]; !ok {
+			seen[assoc] = struct{}{}
+			urls = append(urls, "https://"+assoc)
+		}
+	}
+
+	return urls
+}
+
+func querySTSubdomains(client *http.Client, hostname, apiKey string) ([]string, error) {
+	reqURL := fmt.Sprintf("%s/domain/%s/subdomains", securityTrailsBaseURL, hostname)
+	body, err := doSTRequest(client, reqURL, apiKey)
+	if err != nil {
+		return nil, err
+	}
+
+	var resp stSubdomainsResponse
+	if err := json.Unmarshal(body, &resp); err != nil {
+		return nil, fmt.Errorf("parse subdomains response: %w", err)
+	}
+
+	return resp.Subdomains, nil
+}
+
+func querySTAssociated(client *http.Client, hostname, apiKey string) ([]string, error) {
+	reqURL := fmt.Sprintf("%s/domain/%s/associated", securityTrailsBaseURL, hostname)
+	body, err := doSTRequest(client, reqURL, apiKey)
+	if err != nil {
+		return nil, err
+	}
+
+	var resp stAssociatedResponse
+	if err := json.Unmarshal(body, &resp); err != nil {
+		return nil, fmt.Errorf("parse associated response: %w", err)
+	}
+
+	domains := make([]string, 0, len(resp.Records))
+	for _, rec := range resp.Records {
+		if rec.Hostname != "" {
+			domains = append(domains, rec.Hostname)
+		}
+	}
+
+	return domains, nil
+}
+
+// doSTRequest makes an authenticated GET to the SecurityTrails API
+func doSTRequest(client *http.Client, reqURL, apiKey string) ([]byte, error) {
+	req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, reqURL, http.NoBody)
+	if err != nil {
+		return nil, fmt.Errorf("create request: %w", err)
+	}
+	req.Header.Set("APIKEY", apiKey)
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("SecurityTrails request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusUnauthorized {
+		return nil, fmt.Errorf("invalid SecurityTrails API key (status %d)", resp.StatusCode)
+	}
+
+	if resp.StatusCode == http.StatusTooManyRequests {
+		return nil, fmt.Errorf("SecurityTrails rate limit exceeded")
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
+		return nil, fmt.Errorf("SecurityTrails API error (status %d): %s", resp.StatusCode, string(body))
+	}
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 5*1024*1024))
+	if err != nil {
+		return nil, fmt.Errorf("read response: %w", err)
+	}
+
+	return body, nil
+}
+
+func printSecurityTrailsResults(result *SecurityTrailsResult) {
+	output.Info("Domain: %s", output.Highlight.Render(result.Domain))
+
+	if len(result.Subdomains) > 0 {
+		output.Info("Subdomains found: %d", len(result.Subdomains))
+		for _, sub := range result.Subdomains {
+			output.Success("  %s.%s", sub, result.Domain)
+		}
+	}
+
+	if len(result.AssociatedDomains) > 0 {
+		output.Info("Associated domains found: %d", len(result.AssociatedDomains))
+		for _, assoc := range result.AssociatedDomains {
+			output.Success("  %s", assoc)
+		}
+	}
+}
+
+func logSecurityTrailsResults(sanitizedURL, logdir string, result *SecurityTrailsResult) {
+	var sb strings.Builder
+
+	sb.WriteString(fmt.Sprintf("Domain: %s\n", result.Domain))
+
+	if len(result.Subdomains) > 0 {
+		sb.WriteString(fmt.Sprintf("\nSubdomains (%d):\n", len(result.Subdomains)))
+		for _, sub := range result.Subdomains {
+			sb.WriteString(fmt.Sprintf("  %s.%s\n", sub, result.Domain))
+		}
+	}
+
+	if len(result.AssociatedDomains) > 0 {
+		sb.WriteString(fmt.Sprintf("\nAssociated Domains (%d):\n", len(result.AssociatedDomains)))
+		for _, assoc := range result.AssociatedDomains {
+			sb.WriteString(fmt.Sprintf("  %s\n", assoc))
+		}
+	}
+
+	logger.Write(sanitizedURL, logdir, sb.String())
+}