I have been using Lepus for a number of years as it is one of the better subdomain enumeration tools.
Read PostExpression Language injection or EL Injection for short is an attack vector I'd never heard of until recently. This post talks about leveraging EL for RCE.
Read Post