Subdomain Takeover is a type of vulnerability that appears when a DNS entry (subdomain) of an organization points to an external service (e.g. Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify, etc.) but the service is no longer utilized. In this article, we have identified the top 2 ways to identify and prevent subdomain takeover risk.
Subdomain Takeover (Simple Definition):
- Somebody registers subdomains.
- They point them to 3rd-party apps/websites: GitHub Pages, Heroku, S3, AWS, etc.
- They migrate away or stop using the feature and forget to remove the name pointer.
- An entry still exists at the name server pointing to a page.
- An attacker creates an account at the service and claims that page/subdomain.
- The attacker is the owner of that page/subdomain now. Done!
How Does It Work?
For example, a service named "Work" on your website "mysite.com" lives at work.mysite.com and is hosted at a third party such as Bitbucket, AWS CloudFront, GitHub or Heroku; in the case of Heroku, the CNAME points at a name like mysitework.herokudns.com. If that app expired or you never claimed it, but you added a DNS entry pointing to Heroku, an attacker can claim it. Then, when you visit work.mysite.com, you are redirected to the attacker's site on Heroku or shown content controlled by the attacker.
How to Identify That a Subdomain Can Be Hijacked?
1- The first symptom is the error page you get when you try to reach the subdomain. This error message varies between 3rd-party apps/websites: GitHub Pages, Heroku, S3, AWS, etc.
In the case of GitHub, it will look like the following:
2- But that's not enough. You need to check the subdomain over both HTTPS and HTTP; if they give the same error, then the subdomain can probably be hijacked.
Note that the above two symptoms only say that the subdomain can probably be hijacked. Now you need to verify at the 3rd-party website whether this subdomain can really be hijacked.
In the case of Heroku: for further verification, check the DNS info; the CNAME entry should be something similar to (site.herokudns.com).
In the case of Desk.com: to verify, check the DNS info; the CNAME entry should be something like (site.desk.com).
In the case of GitHub: first check the DNS info; the CNAME entry should be something like (something.github.io).
After that, visit the CNAME target as well; it should show the same error as the subdomain is showing.
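As an added example (not part of the original article), the two symptoms above turned into a small audit routine in Python for your own DNS zone: the CNAME targets and fetched page bodies are constructed inputs, and the error-page fingerprints for Heroku and GitHub Pages are assumptions to confirm against the live service before relying on them.

```python
# Map of CNAME target suffixes to (service, text of that service's "unclaimed"
# error page). Both fingerprints are ASSUMPTIONS for this example; confirm them
# against the service's current error page before relying on them.
SERVICE_FINGERPRINTS = {
    "herokudns.com": ("Heroku", "no such app"),
    "github.io": ("GitHub Pages", "there isn't a github pages site here"),
}

def match_service(cname):
    """Return (service, fingerprint) if the CNAME target belongs to a known
    external service, else None. Tolerates a trailing dot and mixed case."""
    host = cname.rstrip(".").lower()
    for suffix, entry in SERVICE_FINGERPRINTS.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def assess(subdomain, cname, http_body, https_body):
    """Apply the article's two symptoms to one record and return
    (subdomain, service, verdict): the CNAME must point at an external
    service, and that service's error must appear over BOTH HTTP and HTTPS."""
    if not cname:
        return (subdomain, "", "no_cname")
    svc = match_service(cname)
    if svc is None:
        return (subdomain, "", "unknown_target")   # not a service we fingerprint
    service, fingerprint = svc
    hits = [fingerprint in (body or "").lower() for body in (http_body, https_body)]
    if all(hits):
        verdict = "likely_takeover"   # still verify at the provider (see text)
    elif any(hits):
        verdict = "inconsistent"      # one scheme errors, the other serves content
    else:
        verdict = "in_use"
    return (subdomain, service, verdict)

def audit(records):
    """records: (subdomain, cname, http_body, https_body) tuples gathered from
    your own zone file and HTTP(S) fetches. Returns only records needing review."""
    results = [assess(*r) for r in records]
    return [r for r in results if r[2] in ("likely_takeover", "inconsistent")]

# Constructed sample standing in for real DNS answers and fetched page bodies.
SAMPLE = [
    ("work.mysite.com", "mysitework.herokudns.com.", "<h1>No such app</h1>", "<h1>No such app</h1>"),
    ("docs.mysite.com", "mysite.github.io", "<h1>Docs</h1>", "There isn't a GitHub Pages site here."),
    ("blog.mysite.com", "mysite.github.io", "<h1>Blog</h1>", "<h1>Blog</h1>"),
    ("www.mysite.com", "", "<h1>Home</h1>", "<h1>Home</h1>"),
]
```

An "inconsistent" verdict (error on one scheme, content on the other) is exactly the case the article says to re-check by hand rather than treat as hijackable.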
Impact of Subdomain Takeover:
It's very easy to sign up for a new account and claim the subdomain name.
- By getting access to a subdomain, an attacker can completely clone the site, steal valuable credentials like admin accounts (by adding a login form that redirects the user to a certain page), steal cookies, or completely destroy the credibility of your company.
- It is a covert operation, so even the domain owner won't notice, and even your IDS can't monitor this.
- This vulnerability can lead to other high-risk vulnerabilities like authentication bypass, CORS bypass and many more.
How Do You Prevent This Kind of Attack?
- Remove the DNS configuration for the external service from your subdomain as soon as you stop using that service, so that no entry is left behind in case you have forgotten that the subdomain points to an external service you no longer update.
- Keep track of your digital infrastructure and monitor it on a regular basis for any such changes to your digital attack surface.