Subdomain Takeover
What is a subdomain?
A domain name typically has two parts: the top-level domain (TLD) is the extension, such as .com or .org, and the second-level domain (SLD) is the unique part of the name, often a business or brand name. In example.com, "com" is the TLD and "example" is the SLD.
A subdomain is the label that goes in front of the SLD. The most common one is www, which stands for World Wide Web; it usually serves a website's homepage and its most important pages, and it is so widely used that most registrars set it up automatically with a domain purchase.
Subdomains are also commonly used to separate a section of a website from the main site. For example, blog.example.com and shop.example.com direct to our blog and online store respectively.
When we put a protocol in front of the subdomain and domain (http:// or https:// for websites) and an optional path after them, we have a complete URL, for example https://blog.example.com/about.
Introduction to subdomain takeovers
A subdomain takeover is when an attacker gains control of what is served under a subdomain they do not own, by claiming the external resource that the subdomain's DNS record points to. The vulnerability arises when a subdomain (subdomain.example.com) points at a service (e.g., Shopify, GitHub Pages, Heroku) where the corresponding resource has been deleted, or was never created, while the DNS entry is kept. Anyone who can register that resource on the service then gets to serve their own page at subdomain.example.com.
For example, suppose subdomain.example.com pointed to a GitHub Pages site and the owner deleted the site from GitHub but did not delete the DNS entry.
An attacker can now create their own GitHub Pages site, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
The most common scenario of this process follows:
- The subdomain (e.g., sub.example.com) has a CNAME record pointing at another domain (sub.example.com CNAME domain.com).
- At some point in time, domain.com expires and becomes available for anyone to register.
- Because the CNAME record was never removed from the example.com DNS zone, whoever registers domain.com controls what sub.example.com serves for as long as the record exists.
The impact can be significant. A takeover lets an attacker host phishing pages on the legitimate domain, serve arbitrary scripts from a trusted origin (effectively a persistent cross-site scripting (XSS) position), and damage the reputation of the brand associated with the domain.
Methods to find Subdomain Takeover:
1. Enumerate subdomains with several tools (subfinder, assetfinder, amass, findomain, puredns, dnsx, Sublist3r, etc.); each draws on different data sources, so the union is larger than any single result.
2. Merge and deduplicate everything the tools found into one text file, e.g. subdomains.txt.
3. Find which subdomains answer over HTTP using httprobe or httpx and save them to livesubdomains.txt. Keep the full list as well: a subdomain whose CNAME target has expired does not resolve at all, so it never shows up as "live" and has to be caught by the DNS checks in step 6.
4. Run the ProjectDiscovery nuclei subdomain-takeover templates against the live list (replace /nuclei-templates-directory with the path where your templates are installed):
CMD: nuclei -l livesubdomains.txt -t /nuclei-templates-directory/subdomain-takeover -v -o output.txt
5. The output lists the subdomains whose responses match a known provider's "unclaimed resource" fingerprint, if there are any.
6. Next, find the CNAME of each flagged subdomain using one of the following:
Run dig subdomain.domain.com CNAME in your terminal (add +short to print only the target).
Search your subdomain here: https://mxtoolbox.com/DNSLookup.aspx
Search your subdomain here: https://toolbox.googleapps.com/apps/dig/#CNAME/
7. If the subdomain has a CNAME pointing somewhere that is not yet claimed (usually a provider's 404 Not Found page), search Google for "something.com subdomain takeover", where something.com is the CNAME target. If that turns up nothing useful, open https://something.com: the provider's own documentation usually explains how to connect a custom domain, which is exactly the procedure needed to claim the subdomain.
For an extended list of affected cloud providers and their fingerprints, I highly recommend checking the "Can I take over XYZ?" guide.
Note: Bug-bounty programs usually rate this bug as P2 severity if the subdomain is an important one and P3 for other subdomains.
How to avoid subdomain takeovers?
- Review your DNS entries and remove any that are no longer in use, especially records pointing at external services.
- Avoid wildcard records (*.example.com) that point at external services; if you must keep one, make sure the service side is configured to own the whole wildcard so an attacker cannot claim an arbitrary name beneath it.
- When creating a new resource, make the DNS record the last step so it never points at something that does not exist yet; when decommissioning, remove the DNS record first.
- Continuously monitor your DNS entries for dangling records, i.e. CNAMEs whose targets no longer resolve or are unclaimed at the provider.
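The triage behind steps 4 to 7 of the method above, written so it can also be run over your own zone as the dangling-record audit the prevention list asks for. This is an added example, not the author's tooling and not a nuclei template. The three provider fingerprints are the documented "unclaimed" strings from the "Can I take over XYZ?" project; every hostname, CNAME target and HTTP body in SAMPLE is constructed, and observe() is the only part that touches the network (it shells out to dig, which must be installed, and is not called by the sample run).

```python
"""Triage dangling CNAME records for subdomain takeover (added example).

Fingerprints come from can-i-take-over-xyz; all hosts and bodies in SAMPLE are
constructed so the script runs offline.
"""
import re
import subprocess
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Regex on the CNAME target -> text the provider serves when nobody has
# claimed that name. Extend from can-i-take-over-xyz as needed.
FINGERPRINTS = {
    r"\.github\.io$": "There isn't a GitHub Pages site here.",
    r"\.herokuapp\.com$": "No such app",
    r"\.myshopify\.com$": "Sorry, this shop is currently unavailable.",
}

@dataclass(frozen=True)
class Observation:
    name: str             # the subdomain under test
    cname: Optional[str]  # CNAME target, None when there is no CNAME record
    rcode: str            # DNS status when resolving the target: NOERROR, NXDOMAIN, ...
    body: str             # HTTP body served for the subdomain ("" if nothing answered)

def normalize_cname(target: str) -> str:
    """dig prints targets with a trailing dot and mixed case; canonicalize."""
    return target.strip().rstrip(".").lower()

def classify(obs: Observation) -> str:
    """Map one observation to a verdict; everything except 'no-cname' and
    'provider-claimed' deserves a human look."""
    if obs.cname is None:
        return "no-cname"
    if obs.rcode == "NXDOMAIN":
        # The target does not exist at all: an expired domain anyone can
        # register, or a provider hostname that is free to claim.
        return "dangling-nxdomain"
    for pattern, unclaimed_text in FINGERPRINTS.items():
        if re.search(pattern, obs.cname, re.IGNORECASE):
            if unclaimed_text.lower() in obs.body.lower():
                return "takeover-candidate"
            return "provider-claimed"
    # CNAME to a service we have no fingerprint for: check its docs manually.
    return "external-unknown"

def triage(observations) -> dict:
    return {o.name: classify(o) for o in observations}

def observe(name: str, timeout: int = 5) -> Observation:
    """Build an Observation from real lookups (step 6 of the article).
    Needs `dig` on PATH and network access; not used by the sample run."""
    short = subprocess.run(["dig", "+short", name, "CNAME"], capture_output=True,
                           text=True, timeout=timeout).stdout
    if not short.strip():
        return Observation(name, None, "NOERROR", "")
    cname = normalize_cname(short.splitlines()[0])
    header = subprocess.run(["dig", "+noall", "+comments", cname, "A"],
                            capture_output=True, text=True, timeout=timeout).stdout
    match = re.search(r"status: (\w+)", header)  # ";; ->>HEADER<<- ... status: NXDOMAIN"
    rcode = match.group(1) if match else "UNKNOWN"
    body = ""
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read(65536).decode("utf-8", "replace")  # 404 pages carry the fingerprint
    except (urllib.error.URLError, OSError):
        pass
    return Observation(name, cname, rcode, body)

# Constructed observations (hypothetical hosts and bodies), one per verdict.
SAMPLE = [
    Observation("docs.example.com", "acme-docs.github.io", "NOERROR",
                "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"),
    Observation("shop.example.com", "acme.myshopify.com", "NOERROR",
                "<title>Acme Store</title>"),
    Observation("old.example.com", "acme-legacy-host.com", "NXDOMAIN", ""),
    Observation("files.example.com", "acme.some-saas-host.net", "NOERROR",
                "<title>Welcome</title>"),
    Observation("www.example.com", None, "NOERROR", "<title>Example</title>"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{verdict:<20} {host}")
```

To use it against real hosts, build the list with `observe(name)` for each line of subdomains.txt (the full list, not only the HTTP-live one) and pass it to `triage`. The NXDOMAIN branch is what catches the expired-domain scenario that an HTTP-only probe misses; the fingerprint branch is what nuclei's takeover templates automate.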
Conclusion
I hope reading this post has raised your awareness of the risks associated with subdomain takeovers and how to find them. Subdomain takeovers can be involved in other, more complex attacks.
If you would like to dig deeper, HackerOne's feed of disclosed bug-bounty reports is an excellent resource on the topic.
Published by: Hemant Patidar