
From Certificate Transparency Logs to Vulnerabilities


In this blog post, we’ll learn about Certificate Transparency logs and how they can be used in threat hunting and bug bounty programs to discover newly created assets. These fresh assets are often less secure, making them a great target for finding vulnerabilities.

What Are Certificate Transparency Logs?

Certificate Transparency (CT) logs are publicly accessible logs that record all SSL/TLS certificates issued by Certificate Authorities. Their main purpose is to improve security on the internet by making certificate issuance transparent and auditable, helping detect misissued or malicious certificates.

How Can We Access These Logs?

There was a library called certstream, created by Calidog, but it went down and is now offline. Because of that, we need an alternative. certstream-server-go is a good replacement — it’s written in Golang, is fast, and easy to deploy. We can set it up using Docker on a VPS and monitor the real-time stream of certificate data.

Let’s Start Coding

certstream-server-go exposes the stream over a WebSocket connection on port 8080, and all we need to do is filter it by domain or TLD. I personally want to do some threat hunting on .ir domains, so here is how we can filter on those domains:

import asyncio
import json
import websockets

# certstream-server-go listens on port 8080; adjust the host if it runs on a VPS
CERTSTREAM_URI = "ws://localhost:8080"

async def certstream_listener():
    # Reconnect forever: the stream drops occasionally and we do not want to miss certificates
    while True:
        try:
            async with websockets.connect(
                CERTSTREAM_URI,
                ping_interval=20,
                ping_timeout=20
            ) as ws:
                print("[+] Connected to CertStream")

                async for msg in ws:
                    message = json.loads(msg)

                    # Skip heartbeats and anything that is not a new certificate
                    if message.get("message_type") != "certificate_update":
                        continue

                    # all_domains holds the CN plus every SAN entry of the leaf certificate
                    domains = message["data"]["leaf_cert"].get("all_domains", [])

                    for domain in domains:
                        if domain.endswith(".ir"):
                            print(domain, flush=True)

        except Exception as e:
            print(f"[!] Connection error: {e}")
            await asyncio.sleep(5)

if __name__ == "__main__":
    asyncio.run(certstream_listener())

Now we can continuously retrieve .ir domains as soon as their SSL/TLS certificates are issued, giving us early visibility into newly created assets. However, we need to go further. We should make the code more advanced by first saving the results into a JSON file. After that, we can run httpx on the collected domains to extract important information, especially the detected technologies. Here is a screenshot of the database results:
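As an added example (not code from the original post), here is the "save the results into a JSON file" step with the filtering factored into a testable function that also strips wildcard prefixes, folds case and deduplicates hosts across certificates, so the store fed to httpx contains each host once. The certstream messages are constructed samples in the shape the listener above reads; the not_before field on leaf_cert is an assumption.

```python
import json
import tempfile
from pathlib import Path
# Constructed sample messages in the certstream shape the listener above reads
# (message_type + data.leaf_cert.all_domains); the not_before field is assumed.
SAMPLE_MESSAGES = [
    {"message_type": "heartbeat"},
    {"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["www.example.ir", "*.example.ir", "cdn.example.com"],
        "not_before": 1700000000}}},
    {"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["shop.example.ir", "WWW.example.ir"],
        "not_before": 1700000100}}},
]

def extract_domains(message, tld):
    """In-scope hosts from one message: '*.' stripped, case-folded, deduped."""
    if message.get("message_type") != "certificate_update":
        return []
    suffix = "." + tld.strip(".").lower()
    hosts = []
    for name in message["data"]["leaf_cert"].get("all_domains", []):
        host = name.lower().removeprefix("*.")
        if host.endswith(suffix) and host not in hosts:
            hosts.append(host)
    return hosts

def record_new_domains(messages, tld, store_path, seen):
    """Append never-before-seen hosts as JSON lines; `seen` persists across calls."""
    new = []
    with open(store_path, "a", encoding="utf-8") as fh:
        for message in messages:
            leaf = message.get("data", {}).get("leaf_cert", {})
            for host in extract_domains(message, tld):
                if host not in seen:
                    seen.add(host)
                    new.append(host)
                    fh.write(json.dumps({"domain": host, "not_before": leaf.get("not_before")}) + "\n")
    return new

def load_store(store_path):
    """Read the store back, e.g. to hand the domain list to httpx."""
    with open(store_path, encoding="utf-8") as fh:
        return [json.loads(line)["domain"] for line in fh if line.strip()]

def run_demo():
    """Two passes over the same messages: the second pass must record nothing."""
    path = Path(tempfile.mkdtemp()) / "ir_domains.jsonl"
    seen = set()
    first = record_new_domains(SAMPLE_MESSAGES, "ir", path, seen)
    second = record_new_domains(SAMPLE_MESSAGES, "ir", path, seen)
    return first, second, load_store(path)
```

In the real pipeline the `seen` set should be persisted (or rebuilt from the store at startup) so a restart of the listener does not duplicate rows.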

Vulnerability Discovery

Okay, now we can use tools like Nuclei or focus on recently published CVEs. One such example is a recently disclosed vulnerability called react2shell, an RCE that allows an attacker to execute system commands such as id, or any other command available on the Linux server.

To approach this efficiently, we can start by filtering targets that use React or Next.js, and then test only the results related to the technologies affected by this CVE.

We found the following vulnerable cases from freshly developed assets that were recently deployed and remained vulnerable for one to two weeks. Using this approach, we were able to identify multiple vulnerable targets affected by this issue.

Now, we have an automation pipeline in place: whenever a new CVE is released, we can immediately start threat hunting, identify affected technologies, and measure how many websites are vulnerable to it.