Analyzing and Preventing Sub-domain Takeovers: Real Risks? Causes?

payloadartist — Mon, 13 May 2019 18:09:07 +0000

0x00 - Intro and Cause

Sub-domain takeovers form a common class of vulnerability, in which an unused sub-domain pointing to a retired service is left as it is by developers. Often developers use SaaS and PaaS services that allow them to reach that service through their own subdomain. But, when they discontinue this service and don't remove DNS records, this can become a major issue, if not handled properly by the service provider (to whom the DNS records are pointing to).

0x01 - What are ...? How they affect you?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

Spotting them is easy!

404 pages can give you a hint

404 errors on such sub-domain can be a hint tha the no longer existing service might actually be an existing threat to your organisation if taken over.

Not only can this happen with your company's GitHub hosted pages but also with Amazon S3 buckets which are no longer in use but a subdomain is still pointing at it.

Attackers can thus leverage these stale DNS records, by signing up on these platforms/service and setup their own pages there.

Which leads to

Phishing.
Direct Account Takeovers in certain cases
Damage of Business Reputation.
Hijacking old CDNs that still serve CSS, JS to a main application.

0x02 - Adding More Impact as an Attacker

Apart from regular phishing attacks, there can be certain scenarios in which cookies scoped to all sub-domain or, that specific sub-domain which is vulnerable to a takeover can be smuggled by an attacker via XSS and other client-side attack vectors.

Impact - Let's look at a real world case!

Microsoft Live Tiles Sub-Domain takeover!
Uber, Starbucks and so on, have been victims to this attack, but these cases were responsibly reported via their bug bounty programs

0x03 - More Resources

The awesome Ed created a GitHub repository that tracks down services which can be vulnerable to such takeovers. This can be beneficial both for offensive testing and defensive developers who care about such things,

Check out can-i-takeover-xyz here to learn more about subdomain takeovers and which services maybe vulnerable to this.

Found typos/something that I missed? HMU and let's make this write up more complete!