Subdomain takeovers are common these days and as Frans Rosén has rightly said in his talk that SubDomain takeovers are modern-day XSS. Companies spend thousands of dollars to buy shiny new tools and suddenly a bug report from bounty hunters made us realize how a small misconfiguration can cause harm to a company’s reputation or assets. While you will get a lot of articles on how to verify if a website subdomain takeover is vulnerable to Sub-Domain takeovers, there were very fewer articles from a blue team/SOC/threat-hunting prospectives. This post is an effort to add something in the later (BlueTeam) section. Most of the content that I will discuss here is a fusion of a great series of posts by Patrick Hudak, HackerOne and Detectify. I have just tried to organize my understanding of the subdomain takeover topic in this blog post. Hopefully, it will help someone connecting the dots while they are understanding the subdomain takeover topic.
What is SubDomain TakeOver
Before proceeding further, let’s try to understand what exactly is a domain takeover. If we have to summarize it in a crisp manner, it is essentially a DNS Spoofing. Your browser is blindly trusting the IP address given by DNS resolver to him.Patrik Hudak has provided detailed and simpler definition in his article SubDomain TakeOver Basics as:
"Subdomain takeover is a process of registering a non-existing domain name to gain control over another domain."
Take the above example where the main domain is pointed to CNAME starting with a service which further points to s3-test.amazonaws.com. Now If after some time, I remove all the content from above S3 bucket (s3-test.amazonaws.com) then, it will be released from my AWS account and anybody can register it and when that happens(someone register the s3 bucket with the same name) , subdomain takeover happens.
A common theoretical example would be you are hosting an event for Saving The Stray Dogs and you register one domain for the same i.e. savethestraydog.com with the domain registrar. Now you hosted a simple static page on S3. After the event is over, you removed the GitHub page but forgot to remove the CNAME entry which points to the S3 Static Website. Now an attacker can claim this S3 bucket and can upload anything he/she wants. This is what is essentially known as SubDomain Takeover.
Ok,Got It.Why Do I Care about it ?
SubDomain Takeover is one of the attack methods which are nearly undetectable. A successful subdomain takeover can open gates to various attack vectors such as phishing email, XSS, reputation loss and even reading the internal email of the users. Just search google for “SubDomain Takeover HackerOne” and check the bounties provided by companies to the BugBounty hunter for reporting such bugs. You can read further detailed risk as mentioned by Patrik Hudak in his blog. It is totally useless to copy-paste the content if it is already available. To cut short, it can lead to much bigger attacks, can cost money to the company and results in loss of reputation of the company.
How Does TakeOvers Happens?
There are various articles over the internet which explain it in details.Two of my favorites are listed below::
I will provide a summarized version of both to grasp/simply the concept for you. The first step is to determine the target domain, such as example.com. You made up your mind that you will try to discover any potential subdomain takeover for this example.com. Now the next step is to find all the subdomains in the domain example.com. There are several methods to get the list of subdomains. Most experienced BugHunters usually use a combination of tools,APIs to get this list. Once you have a list of Sub Domains, your next job is to find the potential vulnerable subdomains which may result in subdomain takeovers. Now the questions comes ,how do you find such potential vulnerable domains? The answer is you need to look for various strings in the error messages to identify if a particular subdomain can results in takeover or not. There is a already a GitHub Project which tracks and provide methods to identify strings. For example,if you get error string such as The specified bucket does not exist that means it is vulnerable to subdomain takeover. Once you have identified it is vulnerable to Subdomain takeover then you can follow the step by step guide provided by in Patrix’s article Takeover Proofs.
How it Can be prevented?
The main idea for the organizations to prevent subdomain takeover is to keep on checking the Dead DNS records in their DNS infrastructure. The process of removing the DNS record should be mandatory while decommissioning any of the internet-facing applications. This has to be more strict if you are using any third-party cloud provider such as AWS, Azure, Heroku, etc. The second method to prevent this is to hack yourself before someone else does which essentially means takeover the potentially vulnerable domain before it is taken over by an external attacker or bug bounty hunter. Such an approach required efforts by the Security Team to set up the system which continuously fetching all the subdomains from various data sources available over the internet as well as dumping the DNS zone files and then running tools to see if any of these subdomains are vulnerable.
Now, I hope you may get the basic idea and brevity about subdomain takeovers. Let’s jump into the Blue Team part of it.
Designing a Monitoring System for SubDomain TakeOver
There are several tools for each step(Enumeration, Verification, and Notification), I have mentioned a few which are most commonly used by the community members. The one advantage a security team has over the bounty hunters/attackers is that we as threat hunters have access to direct DNS data from the DNS servers which provides us with high-quality domain data to run other tools.
Automating the Process
I will explain the basic flow or pseudo code to design a monitoring solution for all the steps. You can choose your favorite language of code and craft it accordingly.
Since this post is getting a bit longer and maybe by now, you might have already checked your mobile or hover to another tab. :) With that being said, I will leave a few references which might help you in case, you want to poke deeper into this
Resources and Links of Tools
In the next article, we will discuss how to dump zone data automatically and then taking over the domain automatically once a dangling record is found.