Subdomain Takeover

What is subdomain?

A domain name typically has two parts: the top-level domain (TLD) is the extension, such as .com or .org, and the second-level domain (SLD) is the unique part of the domain name, often a business or brand name. In example.com, “com” is the TLD and “example” is the SLD.

The subdomain is what goes before the SLD. The most common subdomain is www, which stands for World Wide Web. This subdomain contains a website’s homepage and its most important pages. The www subdomain is so widely used that most domain registrars include it with domain name purchases.

Subdomains are also commonly used to separate a section of a website from the main site. For example, blog.example.com and shop.example.com direct to our blog and online store respectively.

When we group our domain name and subdomain with a protocol at the beginning (HTTP or HTTPS for websites) and an optional file path at the end, we have a complete URL, such as https://blog.example.com/.

Introduction to subdomain takeovers

Subdomain takeover is the process of registering or claiming a domain name (or an unclaimed hosted resource) that another domain still points at, in order to gain control over that domain. Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) points to a service (e.g., Shopify, GitHub Pages, Heroku, etc.) whose resource has been removed, deleted, or never registered with the service, but the DNS entry is kept. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain.

For example, suppose subdomain.example.com was pointing to a GitHub page and the user deleted their GitHub page but didn’t delete the DNS entry.

Now an attacker can create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

The most common scenario of this process follows:

  1. The domain name (e.g., sub.example.com) uses a CNAME record to another domain (e.g., sub.example.com CNAME domain.com).
  2. At some point in time, domain.com expires and is available for registration by anyone.
  3. Since the CNAME record is not deleted from the example.com DNS zone, anyone who registers domain.com has full control over sub.example.com for as long as the DNS record is present.

The implications of the subdomain takeover can be pretty significant. Using a subdomain takeover, attackers can do phishing from the legitimate domain, perform cross-site scripting (XSS), or damage the reputation of the brand which is associated with the domain.

Methods to find Subdomain Takeover:

1. Enumerate all the subdomains using tools such as subfinder, assetfinder, amass, findomain, puredns, dnsx, Sublist3r, etc.

2. Combine all the subdomains found with the above tools into a text file, e.g., subdomains.txt.

3. Find live subdomains using httprobe or httpx from the list of all subdomains and save them in a text file, e.g., livesubdomains.txt.

4. Then use ProjectDiscovery’s Nuclei subdomain-takeover templates to find the vulnerable domains with the command below:

CMD: nuclei -l livesubdomains.txt -t /nuclei-templates-directory/subdomain-takeover -v -o output.txt

5. That’s all: it will list the possibly vulnerable websites, if any.

6. Now find the CNAME of the vulnerable website using one of the methods below:

Use the following command in your terminal: dig subdomain.domain.com

Search your subdomain here: https://mxtoolbox.com/DNSLookup.aspx

Search subdomain here: https://toolbox.googleapps.com/apps/dig/#CNAME/

7. Now check whether the subdomain has a CNAME pointing somewhere that is not yet claimed (mostly a 404 Not Found response). Then search Google for “something.com subdomain takeover”, where something.com is the CNAME target. If you can’t find what you need, go to https://something.com; usually that cloud provider’s site documents how to connect a custom domain to its service.

For an extended listing of affected cloud providers, I highly recommend checking the “Can I take over XYZ?” guide.

Note: This bug is usually considered P2 severity if the subdomain is an important one and P3 for other subdomains.

How to avoid subdomain takeovers?

  1. Review your DNS entries and remove all entries which are active but no longer in use, especially those which point toward external services.
  2. Ensure that your external services are configured to listen to your wildcard DNS.
  3. When creating a new resource, make the DNS record creation the last step in the process, so the record never points to a non-existing domain.
  4. Continuously monitor your DNS entries and ensure there are no dangling DNS records.
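The following script is an added example, not code from the original post. It puts the takeover scenario from the “most common scenario” list, steps 6 and 7 of the method (look up the CNAME, check for an unclaimed 404 page) and mitigation 4 (monitor for dangling records) into one defensive audit: every CNAME in a zone export is followed to its target, and the record is classified as dangling (the target no longer resolves), unclaimed (the target resolves but the provider answers with its unclaimed-resource page) or ok. The zone file, the provider fingerprint, and the DNS and HTTP lookups are all constructed stubs so the example runs offline; in production you would pass real resolver and HTTP functions in their place.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Zone-file-style export, CONSTRUCTED for this example (origin example.com).
SAMPLE_ZONE = """
www   300 IN A     203.0.113.10
blog  300 IN CNAME blog-platform.example.net.
shop  300 IN CNAME retired-shop.paas.invalid.
docs  300 IN CNAME docs-host.example.org.
"""

# Hypothetical provider fingerprint: the text an unclaimed hostname on that
# provider returns, keyed by the provider's DNS suffix. The value is made up
# here; real fingerprints come from guides such as "Can I take over XYZ?".
UNCLAIMED_FINGERPRINTS = {
    "example.net.": "There is no site configured at this address",
}

# Lookups are injected so the audit runs offline; swap in real DNS/HTTP clients.
Resolver = Callable[[str], Optional[str]]   # name -> address, or None for NXDOMAIN
Fetcher = Callable[[str], tuple[int, str]]  # hostname -> (HTTP status, body)

@dataclass
class Finding:
    name: str     # the subdomain in our zone
    target: str   # the CNAME target it points at
    status: str   # "dangling", "unclaimed" or "ok"
    detail: str

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)

def parse_cnames(zone_text: str, origin: str) -> list[tuple[str, str]]:
    """Return (fqdn, target) for each CNAME record in a zone export."""
    records = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        fqdn = name if name.endswith(".") else f"{name}.{origin}."
        records.append((fqdn, target))
    return records

def classify(fqdn: str, target: str, resolve: Resolver, fetch: Fetcher,
             fingerprints: dict) -> Finding:
    # Case 1: the target no longer resolves, so the record is dangling.
    if resolve(target) is None:
        return Finding(fqdn, target, "dangling",
                       "CNAME target does not resolve (NXDOMAIN); delete the record")
    # Case 2: the target resolves, but the provider serves its unclaimed page.
    status, body = fetch(fqdn)
    for suffix, marker in fingerprints.items():
        if target.endswith(suffix) and marker in body:
            return Finding(fqdn, target, "unclaimed",
                           f"HTTP {status} with the provider's unclaimed page; re-claim or delete")
    # Case 3: nothing suspicious for this record.
    return Finding(fqdn, target, "ok", f"HTTP {status}")

def audit_zone(zone_text: str, origin: str, resolve: Resolver, fetch: Fetcher,
               fingerprints: dict = UNCLAIMED_FINGERPRINTS) -> list[Finding]:
    return [classify(f, t, resolve, fetch, fingerprints)
            for f, t in parse_cnames(zone_text, origin)]

# Constructed stubs standing in for real DNS and HTTP lookups.
STUB_DNS = {
    "blog-platform.example.net.": "198.51.100.7",  # still resolves
    "docs-host.example.org.": "198.51.100.8",      # still resolves
    # retired-shop.paas.invalid. is deliberately absent -> NXDOMAIN
}
STUB_HTTP = {
    "blog.example.com.": (404, "<h1>There is no site configured at this address</h1>"),
    "docs.example.com.": (200, "<h1>Product docs</h1>"),
}

def stub_resolve(name: str) -> Optional[str]:
    return STUB_DNS.get(name)

def stub_fetch(host: str) -> tuple[int, str]:
    return STUB_HTTP.get(host, (0, ""))

def run_sample() -> list[Finding]:
    """Audit the constructed zone with the stub lookups."""
    return audit_zone(SAMPLE_ZONE, "example.com", stub_resolve, stub_fetch)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status:9} {f.name} -> {f.target}  ({f.detail})")
```

Running it on the constructed zone reports blog as unclaimed, shop as dangling and docs as ok; the www A record is ignored because only CNAMEs can dangle in this way. Wiring the same audit to a real resolver and scheduling it against each zone export is the concrete form of the “continuously monitor” mitigation.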

Conclusion

I hope reading this post has raised your awareness of the risks associated with subdomain takeovers and how to find them. Subdomain takeovers can be involved in other, more complex attacks.

If you would like to dig deeper, I recommend HackerOne’s feed of disclosed bug-bounty reports, which is also an excellent resource on the topic.

Published by: Hemant Patidar
