subdomain-takeover

Subdomain takeover is possible against various hosted services such as:

  • Github
  • Shopify
  • Netlify
  • Wix
  • AWS S3 bucket

A successful exploitation of this kind of vulnerability allows an adversary to claim and take control of the victim’s subdomain. The attack relies on two conditions:
  1. A record in the victim’s external DNS zone points at a non-existing or no-longer-active resource, external service or endpoint. The proliferation of XaaS (Anything as a Service) products and public cloud services offers a lot of potential targets to consider.
  2. The service provider hosting that resource, external service or endpoint does not verify subdomain ownership properly before letting a new customer claim it.

If the subdomain takeover is successful, a wide variety of attacks are possible (serving malicious content, phishing, stealing user session cookies or credentials, etc.). The vulnerability can affect a wide variety of DNS resource record types, including A, CNAME, MX, NS and TXT.

In terms of severity, an NS subdomain takeover (although less likely) has the highest impact, because a successful attack can result in full control over the whole delegated DNS zone and the victim’s domain.

We will walk through a Shopify subdomain takeover in this example, but the same scenario applies to the other services listed above.


When browsing to the vulnerable subdomain, we are greeted with the following:

Then we can simply connect the available domain in the Shopify admin panel:


Our own website is then accessible through the impacted subdomain:


An attacker can use this to host malicious files or to build phishing pages made more believable by the legitimate domain name.

Remediations

Short term remediation

If the vulnerable subdomain is not used for business purposes, we recommend removing the DNS record.

Mid term remediation

Managing infrastructure as code (IaC) should help to avoid situations where the backing resource is decommissioned but the DNS record pointing to it is left behind.

Such a change would not go unnoticed in a code review. Keeping application assets under active monitoring for unexpected content delivery, domain expiration or ownership changes allows early detection and remediation.
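As an added example (not part of the original notes), here is a small Python checker of the kind the monitoring above would run: it parses a zone export and flags the dangling CNAME and NS records described in the attack conditions. The zone contents, hostnames and the liveness answer are all constructed for the demo; the default liveness check uses the standard library resolver.

```python
from __future__ import annotations
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample zone export with hypothetical names (not a real zone).
SAMPLE_ZONE = """
; name                type   target
shop.example.com.     CNAME  shops.shopify-provider.example.   ; still claimed
www.example.com.      A      192.0.2.10
old-blog.example.com. CNAME  retired-site.static-host.example. ; resource deleted
dev.example.com.      NS     ns1.decommissioned-dns.example.   ; delegation left behind
"""

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str

def parse_zone(text: str) -> list[Record]:
    """Parse a minimal 'name type target' export; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, target = line.split()
        records.append(Record(name.rstrip("."), rtype.upper(), target.rstrip(".")))
    return records

def target_resolves(hostname: str) -> bool:
    """Default liveness check: does the target still have an address record?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(records: Iterable[Record],
                  is_live: Callable[[str], bool] = target_resolves) -> list[Record]:
    """Return CNAME/NS records whose target is no longer live (takeover candidates)."""
    return [r for r in records if r.rtype in ("CNAME", "NS") and not is_live(r.target)]

if __name__ == "__main__":
    live = {"shops.shopify-provider.example"}  # constructed liveness answer for the demo
    for rec in find_dangling(parse_zone(SAMPLE_ZONE), lambda t: t in live):
        print(f"DANGLING {rec.rtype} {rec.name} -> {rec.target}")
```

The NXDOMAIN check catches targets whose resource was deleted; for providers whose shared endpoint always resolves (the Shopify case walked through above), pass a provider-specific "is this name claimed" predicate as `is_live` instead.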