What are Subdomain Takeovers, How to Test and Avoid them? - Andmp | A blog about infosec, bug hunting and more!

"Good artists copy; great artists steal."

Just another web hacking and vulnerability research blog that details how I use existing knowledge and old ways to discover new vulns ;)



Post Top Ad

Tuesday 21 August 2018

What are Subdomain Takeovers, How to Test and Avoid them?


Hostile Subdomain takeover forms a class of attacks which has appeared quite often in large organisations due to a large number of factors like human negligence and a huge overall attack surface. A similar sort of attack is stale DNS entries which often lead to the hijacking of the domain itself. This has already happened a number of times each in case of companies like Starbucks , Uber have already paid thousands of dollars for these security vulnerabilities reported by researchers. Uber actually had more than one subdomain takeovers in the past. This often leads to companies losing their trust over the users and various other implications, due to loss of millions of dollars when a successful subdomain takeover is maliciously executed and an attacker puts up a successful phishing campaign. In this article, I will discuss about practical cases, impact and mitigation of this attack and share useful tips to avoid such situations.
It's understandable though that for large organisations with a huge number of assets and servers DNS monitoring becomes too tedious, which can, of course, be automated with in-house solutions as well as paid ones and with a little care and effort be manually checked so that you don't leave stale DNS entries (CNAME records).

What are Subdomain takeovers?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
Not only can this happen with your company's GitHub hosted pages but also with Amazon S3 buckets which are no longer in use but a subdomain is still pointing at it.
As an attacker one can thus make use of this stale DNS record to own the AWS S3 bucket or point one's own GitHub pages to your (sub)domain, which is no longer in use by your organisation and use it to target your innocent users into leaking their account details via XSS and phishing pages hosted on your companies' domains.

Further Impact

In many a case, an attacker can easily steal victim user's cookies via XSS if they are allowed on the subdomain, so that needs even little user interaction than usual phishing pages which are set up to steal user credentials.

Some Notable Cases of Subdomain takeovers

Given below are companies who have been victim to this attack in the past.
  1. Slack - through podcasts.slack-core.com which was serving content via Feedpress
  2. US Government - Via GitHub pages
  3. Uber - Leading to Account Takeover
  4. Unbounced - Many different pages/domains belonging to different companies
And many more...


As an end user of a service - Going through your organisation's DNS records in a routine manner or while discontinuing or terminating a service, for example, a GitHub or an AWS S3 instance, safely removing it's DNS records.
As a service provider, by implementing stricter methods to prove (sub) domain ownership.

Testing for Subdomain Takeovers

Given below are some heuristic testing methodology to determine subdomain takeovers.

Heuristic Tests to determine if a sub-domain/domain can be taken over

Engine Possible Fingerprint Reference
AWS/S3 Yes The specified bucket does not exist
Bitbucket Yes Repository not found
Campaign Monitor Yes Support Page
Cargo Collective Yes 404 Not Found Cargo Support Page
Cloudfront Yes Bad Request: ERROR: The request could not be satisfied https://blog.zsec.uk/subdomainhijack/
Desk No
Fastly Yes Fastly error: unknown domain:
Feedpress Yes The feed has not been found. https://hackerone.com/reports/195350
Freshdesk No Freshdesk Support Page
Ghost Yes The thing you were looking for is no longer here, or never was
Github Yes There isn't a Github Pages site here. https://hackerone.com/reports/263902
Gitlab No https://hackerone.com/reports/312118
Google Cloud Storage No
Help Juice Yes We could not find what you're looking for. Help Juice Support Page
Help Scout Yes No settings were found for this company: HelpScout Docs
Heroku Yes No such app
JetBrains Yes is not a registered InCloud YouTrack
Mashery No Unrecognized domain https://hackerone.com/reports/275714
Microsoft Azure Yes
Sendgrid No
Shopify Yes Sorry, this shop is currently unavailable.
Squarespace No
Statuspage Yes You are being redirected https://hackerone.com/reports/49663
Surge.sh Yes project not found https://surge.sh/help/adding-a-custom-domain
Tumblr Yes Whatever you were looking for doesn't currently exist at this address
Tilda No Please renew your subscription
Unbounce Yes The requested URL was not found on this server. https://hackerone.com/reports/202767
UserVoice Yes This UserVoice subdomain is currently available!
Wordpress Yes Do you want to register *.wordpress.com?
WP Engine No
Zendesk Yes Help Center Closed Zendesk Support

Something that I missed? Feel free to add in comments and I will be adding them!

No comments:

Post a Comment

Let me know what you felt after reading the article!

Post Bottom Ad