Infection Method – Sub-Domain Takeover
A subdomain takeover is a type of cybersecurity vulnerability that occurs when an attacker gains control of a subdomain of a website or a domain name. This attack can seriously affect the security and functionality of a web application or website. In this explanation, we’ll look at subdomain takeovers, how they work, the risks they pose, and how to prevent them.
Introduction to subdomains
To understand what a subdomain takeover is, we need to understand the concept of subdomains. In the context of the Internet, a domain name such as “example.com” serves as the primary address for a website. However, a domain name can be further divided into subdomains, which act as separate sections or branches of the main domain. Subdomains are often used for organisational purposes, categorising different website areas, or providing specific services.
For example, consider the subdomains of the abc.com domain:
- http://www.abc.com (for the main website)
- blog.abc.com (for a blog section)
- shop.abc.com (for an online shop)
- mail.abc.com (for email services)
- api.abc.com (for application programming interfaces)
These subdomains can be independently configured to provide different content or applications. Although subdomains are part of the same parent domain, they may be hosted on other servers or managed by different teams within the same organisation.
What is a subdomain takeover?
A subdomain takeover occurs when an unauthorised person or organisation gains control of a subdomain of a domain and thereby effectively takes ownership of it. This unauthorised control can lead to various security risks and potential misuse. The key factors contributing to subdomain takeover are misconfigurations, abandoned resources, and external service integrations.
Here are the main reasons why subdomain takeovers can occur:
Misconfigurations:
Web administrators and developers can accidentally misconfigure DNS records or forget to remove DNS records for no more prolonged use subdomains. These misconfigurations can allow an attacker to take control of a subdomain.
Abandoned resources:
Organisations can create subdomains for specific projects, campaigns, or temporary services and then abandon them later. If an attacker discovers an abandoned subdomain, they can claim it as their own and potentially use it for malicious purposes.
External service integrations:
Many websites integrate third-party services, such as content delivery networks (CDNs), cloud services or hosted applications. These services often require the creation of subdomains that point to the third-party service provider’s infrastructure. If the external service becomes vulnerable, attackers can exploit it to take over the associated subdomain.
How subdomain takeovers work
Subdomain takeovers result from vulnerabilities due to misconfigured DNS records, abandoned resources, or compromised external services.
Incorrectly configured DNS entries:
CNAME Records: A common misconfiguration involves CNAME (canonical name) records. A CNAME record maps a subdomain to another domain or subdomain. If a subdomain is incorrectly pointed to a domain controlled by an attacker, the attacker can effectively take over the subdomain.
Wildcard entries:
Wildcard DNS records are used to direct all subdomains of a domain to a common destination. If a subdomain with a wildcard entry is no longer claimed or points to an attacker’s server, the attacker can control all subdomains.
Abandoned resources:
Subdomains created for temporary projects, campaigns, or services may be forgotten or abandoned after their purpose has been served. Attackers can search for and claim such subdomains if they are available for registration or reconfiguration. I want to describe an example I have found several times in projects.
Let’s assume a service is hosted externally. For example, a virtual machine is created and assigned a logical name in Heroku. This typically looks like this: You can choose a name to which the external operator’s domain is added. In this example, it is demapp.heroku.com. This service is no longer needed and will be cancelled by the customer. However, there are still entries in the DNS configuration that point to demoapp.heroku.com. This can be, for example, a redirect from your own subdomain in this example, demoapp.abc.com. The attacker now creates an instance on Heroku and gives it the name demoapp, leading to the complete name demoapp.heroku.com. Now, the attacker only has to listen to the ports and analyse which requests arrive at this machine and can build his attack vector based on this. For example, he can set up a corresponding compromised service that responds to these requests.
Compromised external services:
Some subdomains are created to link to external services or resources provided by third parties. Attackers can tamper with the associated subdomains if these external services are compromised or misconfigured.
In these scenarios, the attacker effectively takes control of the subdomain by configuring the DNS records or exploiting vulnerabilities. Once they control the subdomain, they can host malicious content, launch phishing attacks, or commit other forms of cybercrime.
In these scenarios, the attacker effectively takes control of the subdomain by configuring the DNS records or exploiting vulnerabilities. Once they control the subdomain, they can host malicious content, launch phishing attacks, or commit other forms of cybercrime.
Risks and consequences of subdomain takeovers
Subdomain takeovers pose significant risks to websites’ and web applications’ security, reputation and functionality. The consequences of a successful subdomain takeover can be severe and far-reaching, including:
Data theft:
Attackers can use subdomains to steal sensitive data such as user credentials, personal information, or financial data.
Phishing attacks:
Subdomain takeovers are often used in phishing campaigns. Attackers can create convincing fake login pages or legitimate content to trick users into revealing their credentials.
Malware distribution:
Malicious files or software can be hosted on the compromised subdomain, which can then be used to distribute malware to unsuspecting visitors.
Denylisting:
Search engines and email providers can denylist the parent domain if they detect malicious activity on a subdomain. This may impact website visibility and email communications.
Brand damage:
A subdomain takeover can damage an organisation or website’s reputation and lose trust among users and customers.
Financial loss:
Depending on the severity of the attack, a company could face financial losses, lawsuits, and fines.
Loss of control:
Once an attacker has control of a subdomain, it becomes difficult for the rightful owner to regain control and limit the damage.
Legal consequences:
Unauthorised access to or control over subdomains can result in legal consequences and penalties for the attacker.
Practical examples
To illustrate the real-world impact of subdomain takeovers, let’s look at a few notable cases:
Uber:
In 2015, researchers discovered a subdomain takeover vulnerability in Uber’s system. The ride-hailing company had a subdomain called riders.uber.com that was vulnerable to a takeover. Attackers may have used this subdomain to launch phishing attacks against Uber users. Uber immediately addressed the issue after being informed by researchers.
GitHub pages:
GitHub Pages is a popular platform for hosting websites and documentation. In 2017, a researcher found that GitHub Page’s subdomains were vulnerable to a takeover when users deleted their repositories but left the associated DNS records intact. Attackers could then claim the subdomains and host malicious content. GitHub has since taken measures to prevent such takeovers.
Shopify:
Shopify, a central e-commerce platform, faced a subdomain adoption issue in 2019. An attacker discovered that he could claim abandoned Shopify store subdomains and potentially use them for fraud. Shopify has fixed the vulnerability and improved its security measures.
These cases show that subdomain takeovers can affect both small and large organisations. Timely identification and remediation of such vulnerabilities is critical to maintaining the security and trustworthiness of online services.
Prevent subdomain takeovers
Preventing subdomain takeovers requires a combination of proactive measures and best practices. Here are steps companies can take to mitigate the risk of subdomain takeovers:
Regular DNS Audits:
Perform routine DNS record checks to identify misconfigurations or abandoned subdomains. Remove unnecessary DNS records and update records for active subdomains.
Best practices for CNAME records:
When using CNAME records, be careful where they point. Make sure you trust the target and check CNAME configurations regularly.
Wildcard DNS records:
Use wildcard DNS records carefully. Avoid directing all subdomains to a single destination, as this can create a single point of failure.
Subdomain Registration Guidelines:
Implement clear guidelines for subdomain creation and management. Ensure that subdomains are registered with valid entities within the organisation and follow a consistent naming convention.
Automated scanning:
Use automated scanning tools to identify subdomains at risk of takeover. These tools can help identify misconfigurations and vulnerabilities.
Security of external services:
If you use external services requiring subdomains, ensure those services are secure. Regularly monitor and audit the security of these services to prevent potential vulnerabilities.
DNS rate limit:
Implement rate limiting for DNS requests to protect against reconnaissance attacks from potential attackers.
Access control:
Restrict access to DNS configuration and ensure only authorised personnel can change DNS records.
Vulnerability disclosure programs:
Encourage security researchers and users to report subdomain takeover vulnerabilities responsibly. Establish a process for receiving and processing such reports.
Monitor subdomain activity:
Monitor subdomain activity and set up alerts for suspicious or unauthorised changes to DNS records.
Conclusion
Subdomain takeovers represent a widespread cybersecurity threat and can significantly impact website owners and users. These takeovers are often due to misconfigured DNS records, abandoned resources, or compromised external services.
To protect against subdomain takeovers, companies/teams must proactively monitor and secure their subdomains. This includes regular DNS audits, best practices for managing DNS records, and a strong awareness of potential vulnerabilities in external services.
Happy Coding
Sven
