Jeremiah Grossman had an interesting post the other day about creating an inventory of a company’s existing web sites. Many people I speak with are surprised that this can be a difficult task for many medium and large businesses.
This is not nearly as simple as an inventory of domains owned as most of these companies have many more domains than actual sites (brand protection, squatting prevention, etc.). Often a large corporation will own thousands of domains. Also, there may be many subdomains representing different sites, read mail.google.com, http://www.google.com, code.google.com, etc.
You’ll also need to determine what sites are real versus a simple redirect. An oversimplified example of this would be www2.google.com redirecting users to http://www.google.com. This task can be complex with a large number of subdomains, many created for search engine optimization (SEO) purposes.
Take a look at Jeremiah’s post. It’s good advice and a very necessary first step to finding your application vulnerabilities.
Ed Bellis - ClearText 