What is Subdomain Hijacking?
A notable recent use of this technique is the SubdoMailing campaign where many household brands had subdomains hijacked and used in spam mailing campaigns.
Subdomain hijacking, also known as subdomain takeover, is the process of an attacker taking control of the target of a DNS record. The attack relies on a dangling DNS entry that still points to a service no longer in use, combined with a service that allows the attacker to claim the host or IP associated with that record.
With the evolution of SaaS and cloud computing, it is now common for subdomains to point to a product or service that is not owned directly by the business. This is usually achieved with a CNAME record, and it is where the vulnerability is introduced if due care is not taken.
How Does a CNAME Record Work?
A CNAME record is a pointer to a host, and it is commonly what is used with modern cloud or SaaS services. It allows the organization's subdomain to seamlessly point to the external resource, and unlike a redirect, it doesn't change the URL when visited.
As an example, a business may decide to host their manuals on an S3 bucket since it's cheap and easy to do. They do the following:
- They create a bucket named after the subdomain and domain, for instance manuals.data.corp.
- In their DNS provider's configuration area, they add a subdomain called manuals with a CNAME record that points to the bucket's location, manuals.data.corp.s3.eu-west-2.amazonaws.com.
This is great, everything works as expected. At this point the subdomain can't be taken over and it's happily serving manuals to the organization's customers.
One day the team decides they no longer want to use S3 buckets for storage and would rather have the manuals on the main website. They migrate the manuals to the main site and delete the S3 bucket to save on costs.
What could possibly go wrong?
The Subdomain Takeover Process
The process is frighteningly simple:
- After the bucket has been removed, the CNAME record remains in place and still points to the old bucket location.
- An attacker performs reconnaissance against the domain and finds that the CNAME record for manuals is pointing to the S3 bucket.
- The attacker then checks whether this S3 bucket still exists, and if it does not, they create a bucket with the same name. The subdomain now serves content owned by the attacker.
It's scarily easy, and with other services it's not much harder. The following GitHub repository lists the services known to be vulnerable to this attack: GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
What is the Impact of Subdomain Hijacking?
There are a few common outcomes from subdomain hijacking:
- Subdomain hijacking can enable website attacks like XSS and CSRF, where a victim accessing the subdomain could have their session hijacked, or have actions performed as that user on a different site, for instance the main www website.
- Defacements are possible, and though these are generally seen more as an annoyance, it's still something an organization would want to avoid.
- Hosting of adult-themed and gambling-themed pages that use the organization's reputation to boost their results and reputation with search engines.
- Depending on the type of service that is taken over, it can also result in spam email campaigns and targeted phishing campaigns, where an attacker is able to send email as the organization's subdomain, and that mail will legitimately originate from the subdomain.
In all of these cases there is potential for reputational damage, as well as a loss of integrity and the potential for a loss of confidentiality.
Summary
Subdomain takeovers are simple to avoid by monitoring DNS for dangling entries, and because of the simplicity and impact of a successful attack, it's imperative that organizations stay on top of this and embed the check into their regular processes.
Tools like httpx and aquatone can take screenshots and grab status codes when scanning a given list of hosts; monitoring for 404 and other unexpected response codes gives a good indication of dangling DNS entries that might signify a problem.
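As an added example (not code from the original post), the check below audits a defender's own zone export for dangling CNAMEs in the spirit of the monitoring just described: each CNAME target is resolved, then probed over HTTP, and S3 targets are flagged when the provider answers with its NoSuchBucket error. The resolver and prober are injectable so the logic can be exercised offline; the zone entries and hostnames are constructed.

```python
import socket
import urllib.error
import urllib.request

# Body markers meaning "target host exists but nothing is provisioned there".
# NoSuchBucket is S3's real error code; extend the map for other providers.
UNCLAIMED_MARKERS = {"amazonaws.com": "NoSuchBucket"}

def default_resolve(host):
    """True if the CNAME target resolves at all, False on NXDOMAIN/failure."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except OSError:
        return False

def default_probe(host):
    """GET http://host/ and return (status, first 4 KiB of body)."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry a body
        return e.code, e.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def classify_cname(target, resolve, probe):
    """Verdict for one CNAME target: 'ok', 'suspect: ...' or 'dangling: ...'."""
    if not resolve(target):
        return "dangling: target does not resolve"
    status, body = probe(target)
    for suffix, marker in UNCLAIMED_MARKERS.items():
        if target.endswith(suffix) and marker in body:
            return f"dangling: provider reports {marker}"
    if status is None or status >= 400:  # the 404s the post says to watch for
        return f"suspect: HTTP {status}, review manually"
    return "ok"

def audit_zone(records, resolve=default_resolve, probe=default_probe):
    """Return {subdomain: verdict} for every CNAME in the export that is not ok."""
    verdicts = {name: classify_cname(t, resolve, probe) for name, t in records}
    return {n: v for n, v in verdicts.items() if v != "ok"}

# Constructed zone export built around the post's manuals.data.corp example.
SAMPLE_ZONE = [
    ("manuals.data.corp", "manuals.data.corp.s3.eu-west-2.amazonaws.com"),
    ("docs.data.corp", "docs-site.example-hosting.net"),
    ("www.data.corp", "cdn.example-cdn.net"),
]
```

Run `audit_zone(SAMPLE_ZONE)` against a real zone export on a schedule; anything returned as "dangling" should have its CNAME removed or the target re-provisioned before anyone else can claim it.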
About Us
Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.
Disclaimer
This content is for educational purposes only and we do not endorse illegal activities. Only explore vulnerabilities with proper authorization. The author and Security Blue Team disclaims any liability for misuse.