What Are Subdomain Takeovers, How to Test and Avoid Them?
Introduction
Hostile subdomain takeovers are a class of attack that has appeared quite frequently in large organizations, owing to factors such as human negligence and a growing attack surface. A closely related problem is stale DNS entries, which often lead to the hijacking of the domain itself. This has already happened a number of times to companies like Starbucks and Uber, which have paid thousands of dollars for these security vulnerabilities reported by researchers; Uber has actually had more than one subdomain takeover in the past. Such incidents often cost companies the trust of their users, alongside other consequences and losses running into millions of dollars. When a subdomain takeover is executed maliciously, the attacker can mount a convincing phishing campaign from the hijacked name. In this article, I will discuss practical use cases, the impact, and the mitigation of this attack, and share useful tips on how to avoid such situations.
DNS monitoring can become tedious for organizations with a large number of assets. However, it can be automated, with in-house or paid solutions, so that you do not have to check manually that no stale DNS entries (CNAME records) are left behind.
What Are Subdomain Takeovers?
Subdomain takeover vulnerabilities occur when a subdomain points to a service (e.g. GitHub Pages, Heroku, etc.) whose resource has been removed or deleted. This allows an attacker to set up a page on the same service and bind it to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete that GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
Not only can this happen with your company's GitHub-hosted pages, but also with Amazon S3 buckets that are no longer in use while a subdomain still points at them.
Because an attacker can use such a stale DNS record to own the AWS S3 bucket, or to point their own GitHub page at a (sub)domain your organization no longer uses, that name can be turned against innocent users, leaking their account details via XSS and phishing pages hosted on your company's domain.
In many cases, an attacker can easily steal a victim user's cookies via XSS if cookies are allowed on the subdomain; that needs even less user interaction than the usual phishing page set up to steal user credentials.
Some Notable Cases of Subdomain Takeovers
Below are companies that have been victims of this attack in the past:
- Slack, through podcasts.slack-core.com, which was serving content via Feedpress
- US Government, via GitHub Pages
- GitLab
- Uber, which led to an account takeover
- Unbounce, which contained many different pages/domains belonging to different companies
And many more...
Mitigation
As an end user of a service, review your organization's DNS records routinely, and whenever a service is discontinued or terminated, so that its DNS records are safely removed.
As a service provider, implement stricter methods of proving (sub)domain ownership.
Testing for Subdomain Takeovers
Below, we take a look at a heuristic testing methodology for determining whether a subdomain can be taken over.
Heuristic Tests to Determine if a Sub-Domain/Domain Can Be Taken Over
Engine | Possible | Fingerprint | Reference |
---|---|---|---|
AWS/S3 | Yes | The specified bucket does not exist | |
Bitbucket | Yes | Repository not found | |
Campaign Monitor | Yes | | Support Page |
Cargo Collective | Yes | 404 Not Found | Cargo Support Page |
Cloudfront | Yes | Bad Request: ERROR: The request could not be satisfied | https://blog.zsec.uk/subdomainhijack/ |
Desk | No | | |
Fastly | Yes | Fastly error: unknown domain: | |
Feedpress | Yes | The feed has not been found. | https://hackerone.com/reports/195350 |
Freshdesk | No | | Freshdesk Support Page |
Ghost | Yes | The thing you were looking for is no longer here, or never was | |
Github | Yes | There isn't a Github Pages site here. | https://hackerone.com/reports/263902 |
Gitlab | No | | https://hackerone.com/reports/312118 |
Google Cloud Storage | No | | |
Help Juice | Yes | We could not find what you're looking for. | Help Juice Support Page |
Help Scout | Yes | No settings were found for this company: | HelpScout Docs |
Heroku | Yes | No such app | |
JetBrains | Yes | is not a registered InCloud YouTrack | |
Mashery | No | Unrecognized domain | https://hackerone.com/reports/275714 |
Microsoft Azure | Yes | | |
Sendgrid | No | | |
Shopify | Yes | Sorry, this shop is currently unavailable. | |
Squarespace | No | | |
Statuspage | Yes | You are being redirected | https://hackerone.com/reports/49663 |
Surge.sh | Yes | project not found | https://surge.sh/help/adding-a-custom-domain |
Tumblr | Yes | Whatever you were looking for doesn't currently exist at this address | |
Tilda | No | Please renew your subscription | |
Unbounce | Yes | The requested URL was not found on this server. | https://hackerone.com/reports/202767 |
UserVoice | Yes | This UserVoice subdomain is currently available! | |
Wordpress | Yes | Do you want to register *.wordpress.com? | |
WP Engine | No | | |
Zendesk | Yes | Help Center Closed | |
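The following is an added example, not code from the original article, showing how the fingerprints in the table above and the "review your DNS records" mitigation combine into an automated audit of your own zone: each CNAME is checked for a target that no longer resolves, and for a response that matches an unclaimed-resource fingerprint. The zone records, response bodies and the `fake_resolve`/`fake_fetch` lookups are constructed so it runs offline.

```python
# Added example, not from the article: audit a DNS zone export for CNAMEs that
# point at a third-party service and answer with an "unclaimed" fingerprint from
# the table above. Resolution and fetching are injected so this runs offline.
from typing import Callable, Optional

# Fingerprints for services the table marks "Possible: Yes" (a subset).
FINGERPRINTS = {
    "AWS/S3": "The specified bucket does not exist",
    "Github": "There isn't a Github Pages site here.",
    "Heroku": "No such app",
    "Shopify": "Sorry, this shop is currently unavailable.",
    "Zendesk": "Help Center Closed",
}

def match_fingerprint(body: str) -> Optional[str]:
    """Name the service whose fingerprint appears in an HTTP response body."""
    low = body.lower()
    for service, needle in FINGERPRINTS.items():
        if needle.lower() in low:
            return service
    return None

def audit_zone(records, resolve: Callable[[str], bool], fetch: Callable[[str], str]):
    """records: (name, type, target) tuples; resolve(host) -> True if host resolves;
    fetch(name) -> body of GET http://name/ ('' if unreachable). Returns findings."""
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue  # only CNAMEs hand the name over to a third party
        if not resolve(target):
            findings.append((name, target, "stale: CNAME target no longer resolves"))
            continue
        service = match_fingerprint(fetch(name))
        if service:
            findings.append((name, target, f"unclaimed {service} resource"))
    return findings

# Constructed sample zone and fake lookups so the audit runs offline; in
# production pass real lookups (e.g. socket.gethostbyname, urllib.request).
SAMPLE_ZONE = [
    ("www.example.com", "A", "192.0.2.10"),
    ("blog.example.com", "CNAME", "example.github.io"),
    ("shop.example.com", "CNAME", "shops.myshopify.com"),
    ("old.example.com", "CNAME", "retired-app.herokuapp.com"),
]
FAKE_BODIES = {"blog.example.com": "<h1>There isn't a GitHub Pages site here.</h1>",
               "shop.example.com": "<html>Welcome to our shop</html>"}
def fake_resolve(host): return host != "retired-app.herokuapp.com"
def fake_fetch(name): return FAKE_BODIES.get(name, "")
```

Either finding means the same action for the zone owner: delete the CNAME or reclaim the resource before someone else does.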
Published at DZone with permission of , DZone MVB.