December 2, 2017

Subdomain Takeover - Preventing the PR Disaster


I've been meaning to write about this for a while now, but I never took the time to make it happen. So, here we go... Hope it turns out like I was expecting!

What is Subdomain Takeover?

Subdomain takeover has become a popular security topic due to the increasing prevalence of bug bounties and how easy it is to detect. Plenty of people have written scripts to check for this issue.
Simply put, subdomain takeover is a type of DNS misconfiguration where a DNS entry (a CNAME record) points to another site where that domain is no longer registered. For example, let's assume you own myimportantbusiness.com and your important business has a blog. Your blog is located at blog.myimportantbusiness.com but is hosted on Google's Blogger platform. Your business decides you'd rather switch over to Wordpress (because Wordpress is what everyone else in the industry is using) and your important business blog is now located at wordpress.myimportantbusiness.com.

Your network administrator never removed blog.myimportantbusiness.com but instead just made a new DNS entry. Your web content team deleted the old Blogger blog and migrated the content to Wordpress. Now when you navigate to blog.myimportantbusiness.com you see a Blogger error stating that blog is not registered.

This is where the problem lies. Anyone else on the internet can now go re-register your company's old blog and technically owns blog.myimportantbusiness.com. They can post whatever rude, malicious, or potentially incriminating content they like under the guise of your domain.

How do we exploit this?

Unfortunately, this is the complicated part. Not all dangling subdomains can be exploited, as it requires the target service to allow you to re-register the old entry. For example, many CDNs won't let you re-register a service without proving you own the domain. The short answer is: you need to check where the subdomain is pointing and determine whether you can re-register the old entry. Not a great answer, I know.

The good part though: others have already made lists of common services for which people tend to leave old DNS entries, and some tools can even automatically re-register the entry to your account. A few examples:
  • AWS Cloudfront
  • Heroku
  • Zendesk
  • Tumblr/Blogger/Wordpress.com
I linked to a collection of tools above which can assist in determining if a subdomain is vulnerable.

How do we fix these problems?

Quick Solution: Remove the DNS entry -- This works for most situations
Longer Term Solution: Define a policy where whoever manages DNS at your organization performs a regular audit of your DNS entries. Yes, this can be tedious, but it ensures your DNS records stay up to date.
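As an added example (not code from the original post), here is a small audit script for the long-term fix above: it pulls the CNAME records out of a BIND-style zone export, flags targets that no longer resolve, and flags targets hosted on third-party services (an assumed suffix list based on the services named in this post) for manual review. The zone file is constructed for illustration.

```python
import re
import socket

# Assumed list of hosting suffixes worth a manual check; derived from the
# services named in the post (ghs.google.com is Blogger's custom-domain target).
THIRD_PARTY_SUFFIXES = (
    "cloudfront.net", "herokuapp.com", "zendesk.com",
    "tumblr.com", "blogspot.com", "wordpress.com", "ghs.google.com",
)

# owner [ttl] [IN] CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)

# Constructed sample zone for the scenario in the post.
SAMPLE_ZONE = """\
; myimportantbusiness.com (constructed example)
blog.myimportantbusiness.com.      300 IN CNAME ghs.google.com.
wordpress.myimportantbusiness.com. 300 IN CNAME lb.wordpress.com.
old.myimportantbusiness.com.       IN CNAME retired-app.example.
www.myimportantbusiness.com.       IN CNAME myimportantbusiness.com.
"""

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line, trailing dots removed."""
    pairs = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        m = CNAME_RE.match(line)
        if m:
            pairs.append((m.group(1).rstrip("."), m.group(2).rstrip(".")))
    return pairs

def target_resolves(name):
    """Live check: does the CNAME target still resolve to any address?"""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit_zone(zone_text, resolves=target_resolves):
    """Classify each CNAME owner as 'dangling' (target gone from DNS),
    'third-party' (target on a re-registrable service; verify by hand that
    the account still exists), or 'ok'. `resolves` is injectable for testing."""
    findings = {}
    for owner, target in parse_cnames(zone_text):
        if not resolves(target):
            findings[owner] = "dangling"
        elif any(target == s or target.endswith("." + s) for s in THIRD_PARTY_SUFFIXES):
            findings[owner] = "third-party"
        else:
            findings[owner] = "ok"
    return findings

if __name__ == "__main__":
    for owner, status in audit_zone(SAMPLE_ZONE).items():
        print(f"{status:12} {owner}")
```

A "third-party" hit is not proof of a takeover; it is the list of records someone must confirm against the service's dashboard, since a target like ghs.google.com resolves fine even after the Blogger blog behind it is deleted.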

Conclusions

While subdomain takeover isn't anything sexy or technically complicated or cool, it is a serious problem facing organizations large and small. Just go search Google for "site:hackerone.com subdomain takeover" - Check out all the results.

Thanks for making it this far. Did I miss something? Let me know below.
