Analyzing and Preventing Sub-domain Takeovers: Real Risks? Causes?

0x00 - Intro and Cause

Sub-domain takeovers are a common class of vulnerability in which an unused sub-domain pointing to a retired service is left as it is by developers. Developers often use SaaS and PaaS services that let them reach the service through their own subdomain. But when they discontinue the service and don't remove the DNS records, this can become a major issue if it is not handled properly by the service provider (to whom the DNS records are pointing).

0x01 - What are ...? How do they affect you?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

Spotting them is easy! 404 pages can give you a hint.

404 errors on such a sub-domain can be a hint that the no-longer-existing service might actually be a real threat to your organisation if it is taken over.

Not only can this happen with your company's GitHub-hosted pages, but also with Amazon S3 buckets that are no longer in use while a subdomain is still pointing at them.

Attackers can thus leverage these stale DNS records by signing up on these platforms/services and setting up their own pages there.

Which leads to

  • Phishing.
  • Direct Account Takeovers in certain cases
  • Damage to Business Reputation.
  • Hijacking old CDNs that still serve CSS, JS to a main application.
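To turn the above into a routine check of your own zone, here is an added example (not from the original post) that audits a CNAME export for the two symptoms described: targets that no longer resolve, and targets that still resolve but answer with the provider's "unclaimed" page. The zone, the provider fingerprints and the offline resolver stand-in are all constructed assumptions; verify the fingerprint strings against the live service before relying on them.

```python
import re

# Response fingerprints for the providers named in the post, as commonly
# catalogued for their "unclaimed" pages (assumption: verify before use).
FINGERPRINTS = {
    "github.io": re.compile(r"there isn't a github pages site here", re.I),
    "s3.amazonaws.com": re.compile(r"NoSuchBucket"),
    "herokuapp.com": re.compile(r"no such app", re.I),
}

# Constructed zone export for example.com: (subdomain, CNAME target).
ZONE = [
    ("docs.example.com", "example-org.github.io"),
    ("assets.example.com", "old-assets.s3.amazonaws.com"),
    ("app.example.com", "live-app.herokuapp.com"),
    ("cdn.example.com", "retired-cdn.example.net"),
    ("www.example.com", "lb.example.com"),
]

# Constructed stand-in for DNS + HTTP so the audit runs offline:
# target -> body served there, or None when the name does not resolve.
FAKE_NET = {
    "example-org.github.io": "<h1>There isn't a GitHub Pages site here.</h1>",
    "old-assets.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "live-app.herokuapp.com": "<html>Welcome to our app</html>",
    "retired-cdn.example.net": None,
    "lb.example.com": "<html>ok</html>",
}

def fake_fetch(host):
    return FAKE_NET.get(host)

def provider_of(target):
    """Third-party provider suffix the CNAME target belongs to, if any."""
    return next((p for p in FINGERPRINTS
                 if target == p or target.endswith("." + p)), None)

def audit(zone, fetch):
    """Flag CNAMEs whose target no longer resolves ("dangling") or answers
    with the provider's unclaimed page ("unclaimed"); remove or re-claim both."""
    findings = []
    for name, target in zone:
        body = fetch(target)
        if body is None:
            findings.append((name, target, "dangling"))
            continue
        provider = provider_of(target)
        if provider and FINGERPRINTS[provider].search(body):
            findings.append((name, target, "unclaimed"))
    return findings
```

Swap `fake_fetch` for a real resolver plus HTTP client to run it against a live zone export; a first-party target that resolves is skipped, so only third-party or dead records are reported.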

0x02 - Adding More Impact as an Attacker

Apart from regular phishing attacks, there are scenarios in which cookies scoped to all sub-domains, or to the specific sub-domain that is vulnerable to a takeover, can be stolen by an attacker via XSS and other client-side attack vectors.

Impact - Let's look at a real world case!

0x03 - More Resources

The awesome Ed created a GitHub repository that tracks services which can be vulnerable to such takeovers. This can be beneficial both for offensive testing and for defensive developers who care about such things.

Check out can-i-takeover-xyz here to learn more about subdomain takeovers and which services may be vulnerable to this.

Found typos/something that I missed? HMU and let's make this write up more complete!

Arif Khan

Vulnerability Researcher and Bug Hunter. I'm still figuring things out...


Great article! Def looking forward to seeing more of these, had no idea that this was even possible!

Thanks for the compliment!
