What are Subdomain Takeovers, How to Test and Avoid them? - Andmp | A blog about infosec, bug hunting and more!

"Good artists copy; great artists steal."

Just another web hacking and vulnerability research blog that details how I use existing knowledge and old ways to discover new vulns ;)


Tuesday, 21 August 2018

What are Subdomain Takeovers, How to Test and Avoid them?

Introduction

Hostile subdomain takeover is a class of attack that appears quite often in large organisations, driven by factors such as human negligence and a large overall attack surface. A closely related problem is stale DNS entries, which often lead to hijacking of the domain itself. This has already happened a number of times: companies like Starbucks and Uber have paid thousands of dollars for these security vulnerabilities when researchers reported them, and Uber has had more than one subdomain takeover in the past. A maliciously executed subdomain takeover followed by a successful phishing campaign can cost a company millions of dollars and the trust of its users. In this article, I will discuss practical cases, impact and mitigation of this attack and share useful tips to avoid such situations.
It is understandable that for large organisations with a huge number of assets and servers, DNS monitoring becomes tedious. It can, of course, be automated with in-house or paid solutions, and with a little care and effort it can also be checked manually so that you do not leave stale DNS entries (CNAME records) behind.

What are Subdomain takeovers?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) points to a service (e.g. GitHub Pages, Heroku, etc.) whose resource has been removed or deleted. This allows an attacker to set up a page on the same service and point it at that subdomain. For example, if subdomain.example.com was pointing to a GitHub Pages site and the owner deleted that site, an attacker can now create a GitHub Pages site, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
This is not limited to your company's GitHub-hosted pages; it applies equally to Amazon S3 buckets that are no longer in use while a subdomain still points at them.
An attacker can thus use such a stale DNS record to claim the S3 bucket name or point their own GitHub Pages site at your (sub)domain, which your organisation no longer uses, and use it to trick your users into leaking their account details via XSS and phishing pages hosted on your company's domain.

Further Impact

In many cases, an attacker can easily steal a victim's cookies via XSS if cookies are allowed on the subdomain, which requires even less user interaction than a phishing page set up to steal credentials.
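The reason a hijacked subdomain is so dangerous for cookies is the browser's domain-matching rule: a cookie set with an explicit Domain attribute on the parent domain is sent to every subdomain, including one an attacker now controls, while a host-only cookie (no Domain attribute) stays with the exact host that set it. The following is an added example, not code from the original post, that implements the RFC 6265 domain-match check over a constructed cookie jar; the host names and cookie names are made up for illustration.

```python
# Added example (not from the original post): which cookies a hijacked
# subdomain would receive, following the RFC 6265 domain-matching rule.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # domain the cookie was set for, without a leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host domain-matches the cookie domain if
    they are equal, or if the host ends with '.' + cookie_domain.
    (The IP-address exclusion from the RFC is omitted for brevity.)"""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(request_host: str, jar: list[Cookie]) -> list[str]:
    """Names of the cookies a browser would attach to a request for
    request_host. Host-only cookies go only to the exact host that set them
    (RFC 6265 section 5.4); Domain-scoped cookies go to every subdomain."""
    host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            if host == c.domain.lower():
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            sent.append(c.name)
    return sent


# Constructed sample jar: the main site set one host-only cookie and one
# cookie scoped to the whole domain (Set-Cookie: sso=...; Domain=example.com).
SAMPLE_JAR = [
    Cookie("session", "example.com", host_only=True),
    Cookie("sso", "example.com", host_only=False),
]

if __name__ == "__main__":
    for host in ("example.com", "old-blog.example.com", "example.com.evil.test"):
        print(f"{host:28} -> {cookies_sent_to(host, SAMPLE_JAR)}")
```

Running it shows that a stale `old-blog.example.com` receives the `sso` cookie but not the host-only `session` cookie, which is why keeping sensitive cookies host-only (and avoiding a broad Domain attribute) limits what a subdomain takeover can reach. Note that HttpOnly does not help here: the cookie is sent in the request itself, so the attacker's server sees it without any script running.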

Some Notable Cases of Subdomain takeovers

Given below are companies that have been victims of this attack in the past.
  1. Slack - through podcasts.slack-core.com, which was serving content via Feedpress
  2. US Government - via GitHub Pages
  3. Uber - leading to account takeover
  4. Unbounce - many different pages/domains belonging to different companies
And many more...

Mitigation

As an end user of a service: go through your organisation's DNS records routinely, and when discontinuing or terminating a service (for example, a GitHub Pages site or an AWS S3 bucket), safely remove its DNS records (ideally before the resource itself is released).
As a service provider: implement stricter methods of proving (sub)domain ownership before a custom domain can be attached to an account.

Testing for Subdomain Takeovers

Given below is a heuristic testing methodology for determining whether a subdomain can be taken over.

Heuristic Tests to determine if a sub-domain/domain can be taken over

| Engine | Takeover possible | Fingerprint | Reference |
|---|---|---|---|
| AWS/S3 | Yes | The specified bucket does not exist | |
| Bitbucket | Yes | Repository not found | |
| Campaign Monitor | Yes | | Support Page |
| Cargo Collective | Yes | 404 Not Found | Cargo Support Page |
| Cloudfront | Yes | Bad Request: ERROR: The request could not be satisfied | https://blog.zsec.uk/subdomainhijack/ |
| Desk | No | | |
| Fastly | Yes | Fastly error: unknown domain: | |
| Feedpress | Yes | The feed has not been found. | https://hackerone.com/reports/195350 |
| Freshdesk | No | | Freshdesk Support Page |
| Ghost | Yes | The thing you were looking for is no longer here, or never was | |
| Github | Yes | There isn't a Github Pages site here. | https://hackerone.com/reports/263902 |
| Gitlab | No | | https://hackerone.com/reports/312118 |
| Google Cloud Storage | No | | |
| Help Juice | Yes | We could not find what you're looking for. | Help Juice Support Page |
| Help Scout | Yes | No settings were found for this company: | HelpScout Docs |
| Heroku | Yes | No such app | |
| JetBrains | Yes | is not a registered InCloud YouTrack | |
| Mashery | No | Unrecognized domain | https://hackerone.com/reports/275714 |
| Microsoft Azure | Yes | | |
| Sendgrid | No | | |
| Shopify | Yes | Sorry, this shop is currently unavailable. | |
| Squarespace | No | | |
| Statuspage | Yes | You are being redirected | https://hackerone.com/reports/49663 |
| Surge.sh | Yes | project not found | https://surge.sh/help/adding-a-custom-domain |
| Tumblr | Yes | Whatever you were looking for doesn't currently exist at this address | |
| Tilda | No | Please renew your subscription | |
| Unbounce | Yes | The requested URL was not found on this server. | https://hackerone.com/reports/202767 |
| UserVoice | Yes | This UserVoice subdomain is currently available! | |
| Wordpress | Yes | Do you want to register *.wordpress.com? | |
| WP Engine | No | | |
| Zendesk | Yes | Help Center Closed | Zendesk Support |
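The mitigation section above asks for a routine review of DNS records, and the table gives the response fingerprints that reveal an unclaimed resource. The following added example (not the post's own tooling) combines both checks into a small audit over an organisation's CNAME records: a CNAME whose target no longer resolves is flagged as dangling, and a target that still resolves but serves one of the table's fingerprints is flagged as an unclaimed resource. The zone, the resolver answers and the HTTP bodies are constructed lookup tables so the audit runs offline; in a real run they would come from your DNS provider's zone export, a resolver, and an HTTP client.

```python
# Added example (not from the original post): audit an organisation's CNAME
# records for the two takeover signals discussed above.
from __future__ import annotations
from dataclasses import dataclass

# A subset of the fingerprints from the table above (engine -> body text).
FINGERPRINTS = {
    "AWS/S3": "The specified bucket does not exist",
    "Bitbucket": "Repository not found",
    "Fastly": "Fastly error: unknown domain:",
    "Feedpress": "The feed has not been found.",
    "Github": "There isn't a Github Pages site here.",
    "Heroku": "No such app",
    "Shopify": "Sorry, this shop is currently unavailable.",
    "Surge.sh": "project not found",
    "Unbounce": "The requested URL was not found on this server.",
    "UserVoice": "This UserVoice subdomain is currently available!",
    "Zendesk": "Help Center Closed",
}


@dataclass(frozen=True)
class Finding:
    subdomain: str
    cname: str
    reason: str


# Constructed zone: subdomain -> CNAME target (what a CNAME lookup returns).
ZONE_CNAMES = {
    "docs.example.com": "example-docs.github.io",
    "assets.example.com": "old-assets-bucket.s3.amazonaws.com",
    "status.example.com": "example.statuspage.io",
    "shop.example.com": "example.myshopify.com",
}

# Constructed resolver answers: targets that still resolve. A name missing
# from this set stands for NXDOMAIN, the classic dangling-CNAME signal.
RESOLVES = {
    "old-assets-bucket.s3.amazonaws.com",
    "example.statuspage.io",
    "example.myshopify.com",
}

# Constructed HTTP response bodies for each subdomain that still resolves.
HTTP_BODIES = {
    "assets.example.com": "<Error><Code>NoSuchBucket</Code>"
                          "<Message>The specified bucket does not exist</Message></Error>",
    "status.example.com": "<html><body>All systems operational</body></html>",
    "shop.example.com": "<h1>Sorry, this shop is currently unavailable.</h1>",
}


def match_fingerprint(body: str, fingerprints: dict[str, str] = FINGERPRINTS) -> str | None:
    """Return the engine whose fingerprint appears in the body, else None."""
    lowered = body.lower()
    for engine, text in fingerprints.items():
        if text.lower() in lowered:
            return engine
    return None


def audit(zone: dict[str, str], resolves: set[str], bodies: dict[str, str]) -> list[Finding]:
    """Flag subdomains whose CNAME target is gone, or whose page shows an
    unclaimed-resource fingerprint. Each finding should be reviewed and, as
    the mitigation section says, the stale record removed."""
    findings: list[Finding] = []
    for sub, target in sorted(zone.items()):
        if target not in resolves:
            findings.append(Finding(sub, target, "dangling CNAME: target does not resolve (NXDOMAIN)"))
            continue
        engine = match_fingerprint(bodies.get(sub, ""))
        if engine:
            findings.append(Finding(sub, target, f"unclaimed {engine} resource: fingerprint in response"))
    return findings


if __name__ == "__main__":
    for f in audit(ZONE_CNAMES, RESOLVES, HTTP_BODIES):
        print(f"{f.subdomain:22} -> {f.cname:36} {f.reason}")
```

The two checks are deliberately separate: an NXDOMAIN on the CNAME target is the strongest signal and needs no HTTP request, but services such as S3 keep resolving for any bucket name, so the fingerprint check is what catches `assets.example.com` here. The fingerprint list is a heuristic and providers change their error pages, so treat a match as a lead to verify against the table's references rather than a confirmed finding.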

Something that I missed? Feel free to add in comments and I will be adding them!
