SecurityTrails Blog · Aug 25 · by Sara Jelen

Announcing SecurityTrails SQL: a Completely New Way to Access SecurityTrails Data

Over the past few months, we’ve been perfecting our new SQL-like query language, one that will allow security teams to perform massive intelligence collection as well as automate their findings. Today, we’re excited to announce the general release of this powerful new product: SecurityTrails SQL.

By contacting our Sales team, you will be able to use SecurityTrails SQL integrated as a SecurityTrails API endpoint, inside Attack Surface Reduction™, as well as in the SurfaceBrowser™ SQL Explorer interface.

What does SecurityTrails SQL look like?

SecurityTrails SQL will empower you to collect data about any host, including domains, DNS records, WHOIS, SSL, HTTP, and the organization it belongs to, along with detailed IP data. The tool also supports a wide range of SQL operators, and we provide full documentation, complete with examples, as well as technical assistance.

Additionally, SurfaceBrowser™ SQL Explorer users can enjoy our SQL editor, which allows you to run queries, copy data from it, format and clear everything, as well as download results in JSON or CSV.

How can I use SecurityTrails SQL?

You can use SecurityTrails SQL to run different queries to get host, IP and SQL data, including from SQL Explorer’s visual editor.

Now let’s look at some query examples you can run from your SecurityTrails API™.

The following query will expose all subdomains from microsoft.com:

# POST the SQL statement as JSON; replace api.key.here with your API key
curl -X "POST" "https://api.securitytrails.com/v1/query/scroll" \
   -H 'apikey: api.key.here' \
   -H 'Content-Type: application/json; charset=utf-8' \
   -d $'{
 "query": "select domain.hostname from hosts where domain.apex=\\"microsoft.com\\""
}'

In the same way, by merely changing the SQL query, you can fetch different data. To find all exposed development subdomains, run:

SELECT
   domain.hostname,
   http.title
FROM
   hosts
WHERE
   domain.subdomain IN ('dev', 'development', 'devl', 'devel')

To locate self-signed SSL certificates, using GE.com for this example, run this query:

SELECT
   domain.hostname,
   http.title,
   dns.a
FROM
   hosts
WHERE
   ssl.is_self_signed = true
   AND domain.apex = 'ge.com'

You can find more SSL-based examples in the SQL Explorer: SSL Certificate Scraping Showcase blog post.
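
The following Python is an added example, not code from SecurityTrails: it prepares the self-signed certificate and development-subdomain queries above for the `/v1/query/scroll` endpoint, scoped to an apex you own, validating the domain before it is placed in the SQL string and letting `json.dumps` do the escaping that the curl example does by hand. The environment variable name, the validation pattern and the `AND` scoping of the development query are assumptions of this example.

```python
import json
import os
import re
import urllib.request

API_URL = "https://api.securitytrails.com/v1/query/scroll"  # from the curl example

# Assumed validation pattern: dot-separated labels of letters, digits and hyphens.
# Syntax check only; it keeps quotes and whitespace out of the SQL string literal.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def validate_apex(apex: str) -> str:
    apex = apex.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(apex):
        raise ValueError(f"not a valid domain name: {apex!r}")
    return apex


def self_signed_query(apex: str) -> str:
    """Self-signed certificate query from the post, for one apex."""
    return ("SELECT domain.hostname, http.title, dns.a FROM hosts "
            f"WHERE ssl.is_self_signed = true AND domain.apex = '{validate_apex(apex)}'")


def dev_hosts_query(apex: str) -> str:
    """Development-subdomain query from the post; the AND scoping is an assumption."""
    return ("SELECT domain.hostname, http.title FROM hosts "
            "WHERE domain.subdomain IN ('dev', 'development', 'devl', 'devel') "
            f"AND domain.apex = '{validate_apex(apex)}'")


def build_request(sql: str, api_key: str) -> urllib.request.Request:
    # json.dumps escapes the statement, replacing the hand-written \\" of the curl form
    body = json.dumps({"query": sql}).encode("utf-8")
    headers = {"apikey": api_key, "Content-Type": "application/json; charset=utf-8"}
    return urllib.request.Request(API_URL, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    key = os.environ.get("SECURITYTRAILS_API_KEY")  # hypothetical variable name
    for sql in (self_signed_query("example.com"), dev_hosts_query("example.com")):
        req = build_request(sql, key or "api.key.here")
        print(req.data.decode())
        if key:  # contact the API only when a key is configured
            with urllib.request.urlopen(req, timeout=30) as resp:
                print(resp.read().decode())  # raw body; the page gives no response schema
```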

If you want to find domains that redirect to a certain host—and here we used Securitytrails.com—use:

SELECT
   domain.hostname,
   http.title
FROM
   hosts
WHERE
   http.headers.location_host = "securitytrails.com"

Explore even more ways to query our HTTP header data inside SQL Explorer.

To find IPs with SSL certificates that contain a specific hostname in them, like Nike.com for instance, run:

SELECT
   address,
   dns.reverse,
   ports.port,
   ssl.subject.common_name,
   ssl.subject.organization
FROM
   ips
WHERE
   ssl.domains LIKE "%.nike.com"
   OR ssl.domains LIKE "nike.com"

There is much more functionality to be discovered once you start playing with SecurityTrails SQL. Security teams can use it to:

  • Automate detection of security issues

  • Map your entire digital infrastructure

  • Find critical SSL data

  • Detect open services

  • Improve phishing detection

  • Prevent data breaches

  • Find vulnerable operating systems and services

Are you ready to explore SecurityTrails SQL?

Find out how SecurityTrails SQL can help you find critical data from any organization within seconds—and take your recon and app automation to the next level!


