Poster—Reconnaissance via Certificate Transparency Logs: Exposing Self-Hosted Web Applications
Drago, Idilio
2025-01-01
Abstract
Software vulnerabilities in widely deployed, Internet-exposed applications pose a significant threat, but they are only exploited at scale when attackers have a practical way to discover vulnerable instances. One factor that makes such discovery easier may be Certificate Transparency (CT) logs: although designed to improve trust in digital certificates, they also expose information that attackers can leverage. In this work, we investigate the misuse of CT logs for large-scale reconnaissance of self-hosted web applications. By filtering a single day of CT logs with keywords from 27 popular web applications, we identify over 96,000 candidate domains. Crawling these domains reveals a median match rate of 10.9%, with some instances exceeding 20%. Our findings highlight that CT logs can provide attackers with an effective and timely method to identify potentially vulnerable instances of web applications, raising new considerations for Internet-scale security and privacy.

| File | Description | File type | Size | Format | Access |
|---|---|---|---|---|---|
| 3765515.3771748.pdf | Paper | Publisher's PDF | 1.24 MB | Adobe PDF | Restricted access |
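The two-stage pipeline the abstract describes, keyword filtering of the names in CT log entries and then crawling and fingerprinting the candidates to compute a per-application match rate, as an added Python example written for this page. It is not the poster authors' tooling: the keyword list, the fingerprints, the CT entries and the crawl responses are all constructed assumptions, and the poster's 27-application keyword list is not reproduced here.

```python
"""Added example: CT-log keyword reconnaissance, then fingerprint verification
and match-rate computation. Illustrative code for this page, not the poster's
tooling; keyword list, fingerprints and sample data are assumptions."""
import json
import re
from collections import defaultdict
from statistics import median

# Assumed keyword -> application map (the poster's 27-app list is not on this page).
APP_KEYWORDS = {
    "nextcloud": ("nextcloud",),
    "gitlab": ("gitlab",),
    "jenkins": ("jenkins",),
    "grafana": ("grafana",),
}

# Constructed sample of CT leaf data after parsing a log's get-entries output:
# one record per certificate, holding the subject CN plus SAN dNSNames.
SAMPLE_CT_ENTRIES = [
    {"names": ["cloud.example.org", "nextcloud.example.org"]},
    {"names": ["git.example.net", "gitlab.example.net"]},
    {"names": ["www.example.com"]},
    {"names": ["*.nextcloud-hosting.example.io"]},       # wildcard SAN
    {"names": ["jenkins-ci.example.edu"]},
    {"names": ["grafana.example.org", "nextcloud.example.org"]},  # duplicate SAN
    {"names": ["mygitlabmirror.example.dev"]},            # substring hit, likely noise
    {"names": ["jenkins.example.com"]},
    {"names": ["ci-jenkins.example.org"]},
]

def normalize_name(name):
    """Lower-case, drop trailing dot and wildcard prefix so that '*.Example.IO.'
    and 'example.io' deduplicate to the same host."""
    n = name.strip().lower().rstrip(".")
    return n[2:] if n.startswith("*.") else n

def match_keywords(name, keywords=APP_KEYWORDS):
    """Applications whose keyword is a substring of the name: the cheap, noisy
    stage-1 filter the abstract applies to a day of CT logs."""
    n = normalize_name(name)
    return {app for app, kws in keywords.items() if any(kw in n for kw in kws)}

def filter_ct_entries(entries, keywords=APP_KEYWORDS):
    """Stage 1: app -> sorted, deduplicated list of candidate hostnames."""
    candidates = defaultdict(set)
    for entry in entries:
        for name in entry["names"]:
            for app in match_keywords(name, keywords):
                candidates[app].add(normalize_name(name))
    return {app: sorted(hosts) for app, hosts in candidates.items()}

def _is_nextcloud(headers, body):
    try:
        return json.loads(body).get("productname") == "Nextcloud"
    except ValueError:
        return False

# Stage-2 fingerprints: (path to fetch, predicate over (headers, body)).
# Single, simplified checks for illustration; a real crawler uses several per app.
FINGERPRINTS = {
    "nextcloud": ("/status.php", _is_nextcloud),
    "gitlab": ("/users/sign_in", lambda h, b: 'property="og:site_name"' in b and "GitLab" in b),
    "jenkins": ("/login", lambda h, b: "x-jenkins" in {k.lower() for k in h}),
    "grafana": ("/login", lambda h, b: re.search(r"<title>\s*Grafana", b) is not None),
}

# Constructed crawl results keyed by (host, path); None = unreachable or timeout.
SAMPLE_CRAWL = {
    ("nextcloud.example.org", "/status.php"): ({}, '{"installed":true,"productname":"Nextcloud"}'),
    ("nextcloud-hosting.example.io", "/status.php"): ({}, "<html>Parked domain</html>"),
    ("gitlab.example.net", "/users/sign_in"): ({}, '<meta content="GitLab" property="og:site_name">'),
    ("mygitlabmirror.example.dev", "/users/sign_in"): None,
    ("jenkins-ci.example.edu", "/login"): ({"X-Jenkins": "2.x"}, "<html>Sign in</html>"),
    ("jenkins.example.com", "/login"): ({"Server": "nginx"}, "<html>Welcome</html>"),
    ("ci-jenkins.example.org", "/login"): None,
    ("grafana.example.org", "/login"): ({}, "<html><head><title>Grafana</title></head></html>"),
}

def verify_candidates(candidates, crawl, fingerprints=FINGERPRINTS):
    """Stage 2: app -> set of hosts whose crawled response matched the fingerprint.
    Unreachable hosts stay unconfirmed and count against the match rate."""
    confirmed = defaultdict(set)
    for app, hosts in candidates.items():
        if app not in fingerprints:
            continue
        path, check = fingerprints[app]
        for host in hosts:
            resp = crawl.get((host, path))
            if resp is not None and check(*resp):
                confirmed[app].add(host)
    return dict(confirmed)

def match_rates(candidates, confirmed):
    """Per-app fraction of candidates confirmed, and the median across apps
    (the statistic the abstract reports)."""
    rates = {app: len(confirmed.get(app, ())) / len(hosts)
             for app, hosts in candidates.items() if hosts}
    return rates, median(rates.values())

def run_pipeline(entries=SAMPLE_CT_ENTRIES, crawl=SAMPLE_CRAWL):
    candidates = filter_ct_entries(entries)
    confirmed = verify_candidates(candidates, crawl)
    rates, med = match_rates(candidates, confirmed)
    return candidates, confirmed, rates, med

if __name__ == "__main__":
    cands, conf, rates, med = run_pipeline()
    for app in sorted(cands):
        print(f"{app:10s} candidates={len(cands[app])} confirmed={len(conf.get(app, ()))} rate={rates[app]:.2f}")
    print(f"median match rate: {med:.3f}")
```

The same stage-1 filter is useful defensively: run it over the CT entries for your own domains (or a CT monitor's feed) to see which hostnames a keyword-based attacker would shortlist, and treat any that resolve to an unpatched instance as exposed from the moment the certificate is logged.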
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.