Hackers can EASILY take over websites using a technique known as subdomain takeover. What’s alarming is that it’s surprisingly simple! Imagine this: you’ve built your online presence, your website acting as your storefront, welcoming visitors from all corners of the web. But there’s a lurking threat waiting to disrupt your online business.
Subdomain takeover might sound complex, but it’s a straightforward concept in cybersecurity. It occurs when cyber attackers exploit weaknesses in your website’s setup, allowing them to seize control of subdomains associated with your site. Once they gain access, they can redirect traffic, host harmful content, or even trick your customers into sharing sensitive information.
What is a Subdomain?
A subdomain is a part of a domain that precedes the second-level domain (SLD). In a typical domain structure like example.com, “com” is the top-level domain (TLD), and “example” is the SLD. The subdomain is what comes before the SLD.
The most common subdomain is www, denoting the World Wide Web. It typically houses a website’s homepage and crucial pages. Many domain registrars automatically include the www subdomain with domain purchases.
Subdomains are often used to segregate specific sections of a website. For instance, blog.example.com and shop.example.com direct users to our blog and online store, respectively.
When combined with a protocol (HTTP or HTTPS for websites) at the beginning and an optional file path at the end, the domain name and subdomain form a complete URL.
Introduction to Subdomain Takeovers
A subdomain takeover occurs when an attacker seizes control of a subdomain belonging to a target domain. This commonly occurs when the subdomain is listed with a canonical name (CNAME) in the Domain Name System (DNS), but there is no host providing content for it. This situation may arise due to the absence of a published virtual host or the removal of an existing virtual host. The attacker can exploit this by introducing their own virtual host and hosting their content on the subdomain.
CNAME:
An alias of domain name to another domain name
In the example below, xyz.company.com is a source domain and xyz.cloudservice.com is a canonical domain name.
Consider a target domain, example.com. During the enumeration of all subdomains associated with example.com (a process we will delve into later), a hacker discovers subdomain.example.com. This particular subdomain is configured to point to GitHub pages, as revealed by its DNS records. In this example, subdomain.example.com has multiple A records directing to GitHub’s dedicated IP addresses for custom pages.
$ host subdomain.example.com
subdomain.example.com has address 192.30.252.153
subdomain.example.com has address 192.30.252.154
$ whois 192.30.252.153 | grep “OrgName”
OrgName: GitHub, Inc.
When navigating to subdomain.example.com, we discover the following 404 error page.
This is a moment that catches the attention of most hackers. The 404-page signals that there is no content served in the top-level directory, suggesting that trying to add this subdomain to our private GitHub repository might be worthwhile. It’s important to clarify that this doesn’t guarantee a takeover is possible for all applications. Certain application types may necessitate checking both HTTP and HTTPS responses for takeovers, while others may not be vulnerable at all.
After incorporating the custom subdomain into our GitHub project, we observe that the repository’s contents are now accessible on subdomain.example.com. In essence, we have effectively asserted ownership of the subdomain.
Steps to Check for Subdomain Takeover
These outlines identifying vulnerabilities in subdomains associated with a domain, which attackers could potentially exploit. Below are the steps detailing how to conduct such checks: checks:
- Use tools like Subfinder, Assetfinder, Amass, Findomain, Puredns, Dnsx, Sublist3r, and others to make a list of all subdomains.
- Find out which subdomains are active by using tools like httprobe or Httpx.
- Let’s take an example using subfinder and the takeover.py script. Follow these steps to find vulnerable domains:
- Install takeover.py with the command:
pip install takeover.py
- Set up the config.json file or use the one from GitHub.
- For a single target, use:
echo blog.example.com | takeover –
- For multiple targets using Subfinder:
subfinder -d “example.com” -silent | takeover –
or
subfinder -d “example.com” -silent | takeover /dev/stdin
- The script will find potential vulnerable websites.
- Find the CNAME of the vulnerable website:
- Run dig subdomain.example.com in your terminal.
- Use online tools like
https://mxtoolbox.com/DNSLookup.aspx or https://toolbox.googleapps.com/apps/dig/#CNAME/
- Check if the subdomain has a CNAME pointing to an unclaimed location (often resulting in a 404 Not Found). Search Google for “example.com subdomain takeover,” where “example.com” is the CNAME. If not found, visit https://example.com for possible instructions on connecting to the website.
Impact of Subdomain Takeover
The impact of subdomain takeovers can be significant, leading to various security breaches and fraudulent activities. Let’s check some of the consequences and implications of subdomain takeover:
1. Data Breaches:
Subdomain takeover can lead to unauthorized access to sensitive data or user information. Attackers could exploit the subdomain to trick users into divulging confidential information, such as login credentials, personal data, or financial details. This information can then be used for identity theft, fraud, or other malicious purposes.
2. Phishing and Social Engineering:
Attackers can use a subdomain takeover to set up convincing phishing sites. These sites mimic legitimate services or websites, aiming to deceive users into sharing sensitive information. Subdomain takeover adds legitimacy to these attacks, making it more challenging for users to distinguish between genuine and fake sites.
3. Unauthorized Content or Services:
Once an attacker gains control of a subdomain, they can host malicious content or services under that subdomain. This could include phishing sites, malware distribution, or other fraudulent activities.
How to avoid subdomain takeovers?
Avoiding subdomain takeovers requires proactive management of DNS records and vigilance in monitoring external services associated with your domain. Below are steps outlining how to mitigate the risk of subdomain takeover:
- Review your DNS entries and remove all entries which are active but no longer in use. Especially those which are pointing toward an external service.
- Ensure that your external services are configured to listen to your wildcard DNS.
- When creating a new resource, make the DNS record creation the last step in the process to avoid it from pointing to a non-existing domain.
- Continuously monitor your DNS entries and ensure there are no dangling DNS records.
Concluding Thoughts
By understanding the concept of subdomain takeover, conducting thorough assessments of DNS records, and implementing robust security measures, businesses can effectively defend against potential attacks. Organizations must prioritize cybersecurity and seek assistance from experienced professionals and ensure the integrity and trustworthiness of their online presence.
At ValueMentor, we recognize the paramount importance of safeguarding your digital assets against such threats. Our team of seasoned cybersecurity professionals stands ready to assist you in fortifying your defenses against subdomain takeover attacks. Through meticulous vulnerability assessments, robust monitoring solutions, and proactive security measures, we’re committed to ensuring that your business remains safe.
