The POST explains What is Subdomain Hijack/takeover Vulnerability, What are the Impacts of the Vulnerability & How can You prevent such attacks, In addition to this I Tried my best to add the step by step guide about how to Identify & Exploit Vulnerable Subdomains Using 5 different services that includes,
Amazon CloudfrontÂ
Heroku
Desk.com
Pantheon service
Github Pages
Hope This Post will help you guys to get a Clear POC about subdomain Takeover issues đÂ
Hey guys so I was looking at messages in my inbox and Realized that Most of my friends are sending In ScreenShots of random 404 errors on subdomains and asking about Possibilities of Subdomain Takeover… I don’t Know Much about the Subdomain Takeover Vulnerability! But Still i’m writing this…. LOL :v So Lets begin!
What is a Subdomain Hijack/Takeover Vulnerability?Â
A subdomain takeover is considered a high severity threat and boils down to the registration of a domain by somebody else (with bad intentions) By doing this, the hacker can take full control of the subdomains. Subdomain Takeover can be done by using external services such as Desk, Squarespace, Shopify, Github, Tumblr, and Heroku.
How it Works?
A service named âWorkâ on your website which located at work.mysite.com hosted at third party like bitbucket, AWS Cloudfront or Heroku and the CNAME Points at this url mysitework.herokudns.com , and this service is not used on heroku , you just decided to use it and it expired or you did not claim it before but you added a dns entry pointing to heroku , so an attacker can claim it , then when you visit work.mysite.com you are redirected to attacker site on heroku or show Mac Content by the attacker.
Subdomain Takeover In a Sec?
#OkThnxByeLoL
Here i’m Trying to share step by Step example of attack Identification & Exploitation!
How to Identify Subdomain Takeover via Expired Cloudfront Distribution..
The Error? on The Subdomain the error will b something like This.
But that’s Not enough You need to Check the subdomain on Both HTTPS/HTTP if the same error Occur on Both then the subdomain can be Hijacked by creating an AWS cloudfront distribution and adding the subdomain in CNAME!
Simply login to your AWS Cloudfront account and create a New Bucket for the subdomain or use existing bucket
Now After that I visited Cloudfront Distribution options and created a New Cloudfront Distribution
I chooses the WEB option and In CNAME i added the link to the subdomain i.e sub.site.com
Next i simple Linked my Distribution to my S3 bucket and tadaaa, The Subdomain is NOw Yours
BlogPost related to This https://blog.securitybreached.org/2017/10/10/subdomain-takeover-lamborghini-hacked/
Wanna learn More about amazon? Read the Amazing amazon cookbook http://www.allitebooks.com/read/index.php?id=21483
2. Subdomain Takeover Using Heruko:
Error? The Vulnerable Subdomain might have an error similar to this one.
Now For verification further check the CNAME entry in DNS info it should be something similar to (site.herokudns.com) Then.. Create a New account on heruko.com and fill in the billing details ( Necessary ) then create a new app in your accountÂ
after Creating the app Go to the app deploy menu and connect Your Deployment Method (Github, dropbox etc ) Then Go to settings and set build pack,
Now after that simply add the domain under the Build packs menu and then add content to the github and go back to deploy menu and clikc on deploy or enable automatic deploy Your all set.. The subdomain is now Yours
That’s all for Heroku!
3. Subdomain Takeover via Desk.com:
Error? the error on the subdomain that can be Hijacked via Desk.com will be something like.
To verify check the DNS entry for CNAME record it should be something like (site.desk.com)
after confirmation create an account on desk.com with the same CNAME and Then Go to settings and add the subdomain in Your Web address
after that enable it and the Subdomain will b yours đ
That’s all for Desk.com
4. Subdomain Takeover via Pantheon service:
Error? the error on vulnerable subdomain should be like something like this:
i didn’t have screenShots related to this so Just gonna Post the steps đ
Steps:
5. Subdomain takeover Using Github Pages:
Error? The Error on the vulnerable subdomain should b like.
First You need to check the DNS info for CNAME Entry that should b something like (something.github.io)
after that visit the CNAME also it should show the same Error as The subdomain is showing.. Now You need to create a New repository in Your Github account matching with the CNAME of the website
then simply go to the settings of the repository
Now Scroll down to the GitHub Pages section. Press Choose a theme.. adn Select a New Theme for your guthub page.
Pick a Theme you like
Now U can upload index and Other files to The repository and Edit them
Now at the end Go to the setting of the repository again and Under Github pages choose custom domain and Add the domain that is Vulnerable to Takeover
Now Go to the subdomain and now it belongs to you đ wanna know more about it read https://help.github.com/articles/what-is-github-pages/
Now Lets Talk about Whats the impact of the issue and How can u defend against the issue?
How do you prevent this kind of attacks?
Now For the Hunters Looking for some Scanners That can help you scan subdomains and Identify possibilities of Subdomain Takeover Vulnerability Here are some of them i frequently use
etc đ
That’s what everything i know and I can share about the Subdomain Takeover vulnerability! hope It was helpful and easy to understand đ Don;t forget to share đ
found these Memes related to the issue đ
[…] most of us know that sometimes this error can lead to subdomain takeover ( read about subdomain takeover here )Â so I logged in to my Heroku account and created an app named “Ubertst” and Then after […]
Buddy for Cloudfront Distribution what if only in http we get The request could not be satisfied. And in https you get access denied amazon error msg.
Does that mean it’s not hijackable?
That means the Subdomain is Not Vulnerable đ 403/Frobidden/Access Denied means Its already owned and working well
What If i get Application Error on Heroku,,
bro i am unable to create account in desk it redirect me to salesforce website and dont ask me for cname for creation can you explain me how to takeover subdomain in desk.com as i read your above post but fou d difficulties in desk.com
hi, its acquired by salesforces so not possible anymore
[…] References to read:>https://blog.securitybreached.org/2017/10/11/what-is-subdomain-takeover-vulnerability/>https://0xpatrik.com/subdomain-takeover-basics/>https://github.com/EdOverflow/can-i-take-over-xyz […]
[…] https://blog.securitybreached.org/2017/10/11/what-is-subdomain-takeover-vulnerability/ […]
6 hosted to aid in subdomain finder before takeover is performed https://www.nmmapper.com/sys/tools/subdomainfinder/ including famous nmap’s dns-rute
[…] References to read:>https://blog.securitybreached.org/2017/10/11/what-is-subdomain-takeover-vulnerability/>https://0xpatrik.com/subdomain-takeover-basics/>https://github.com/EdOverflow/can-i-take-over-xyz […]