Hackers can claim subdomains with the help of external services. This attack is practically untraceable, it affects service providers, and multiple domains can be affected at once.
2. Index
What is Domain Name Service?
How it works?
What is Subdomain?
What is Subdomain Takeover?
All About CNAME
How to find CNAME records?
Impact of the issue
Let's Takeover a Subdomain (Practical approach)
Mitigation
Reference
6. What is subdomain?
support.facebook.com (support = subdomain, facebook = main domain, .com = extension)
A subdomain is a part of the main domain. In the URL above, the main domain name
is facebook with the extension .com, and the part of this main domain named support
is called a subdomain of this main domain.
8. What is subdomain takeover?
Subdomain Takeover is a type of vulnerability which occurs due to
misconfiguration of DNS CNAME records or forgetting to delete a DNS entry.
Scenario example: a company has configured a DNS CNAME entry for
one of its subdomains pointing to an external service (e.g. Heroku, GitHub
Pages, Bitbucket, Tilda, AWS S3 bucket, Shopify, etc.), but the service is no
longer used by that company. In that situation, an attacker could register
with the external service and claim the affected subdomain, so that
his/her own content is served under the affected subdomain.
9. All about CNAME
A CNAME (Canonical Name) record is a type of resource record in the
Domain Name System which maps one domain name (an alias) to another (the
canonical name). This is convenient when running multiple services such as
www, mail, blog etc. from a single IP address under one domain hosting.
10. How to find CNAME records?
There are a number of ways to find the CNAME record associated with a
subdomain. In this section, I'll show you a few techniques to find the
CNAME record of a specific subdomain.
DIG COMMAND
[Slide figure: an annotated dig command, labelling the command, the DNS server queried, the subdomain name and the record type]
12. Impact of the issue
It is easy to sign up for a new account at the external service.
An attacker can build a complete clone of the site.
It is a covert operation that even the domain owner won't notice.
Authentication bypass, CORS bypass and many other high-risk vulnerabilities.
14. Mitigation
Remove the DNS configuration of the external service from your subdomain.
SOC Analyst Part
Domain monitoring is a service that monitors your subdomains for potential
subdomain takeovers. It monitors changes within public DNS resolvers and
warns you as soon as any anomaly is detected.
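The following Python script is an added example, not part of the original slides, covering both the "How to find CNAME records" section and the SOC monitoring part of "Mitigation". It parses the answer section that a command like `dig +noall +answer <subdomain> CNAME` prints (the sample output below is constructed, not captured from a real zone), picks out CNAMEs that point at the external services the slides name, and reports which of those targets no longer resolve. The service suffix list and the stub resolver are assumptions made for the example; in a real audit you would replace the stub with a live lookup (for instance `socket.getaddrinfo` or dnspython) over your own zone's records.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of `dig +noall +answer <name> CNAME` output
# (tab-separated answer lines in the format dig prints; not a real capture).
SAMPLE_DIG_OUTPUT = """\
shop.example.com.\t300\tIN\tCNAME\texample-shop.myshopify.com.
blog.example.com.\t300\tIN\tCNAME\tretired-blog.herokuapp.com.
www.example.com.\t300\tIN\tCNAME\texample.github.io.
"""

# Target suffixes for the external services the slides mention. These are
# assumptions for the example, not an authoritative list for any provider.
EXTERNAL_SERVICE_SUFFIXES = {
    ".herokuapp.com.": "Heroku",
    ".github.io.": "GitHub Pages",
    ".bitbucket.io.": "Bitbucket",
    ".s3.amazonaws.com.": "AWS S3",
    ".myshopify.com.": "Shopify",
}

# One dig answer line: <owner> <ttl> IN CNAME <target>
CNAME_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


def parse_dig_cnames(output: str) -> Dict[str, str]:
    """Map each subdomain in a dig answer section to its CNAME target."""
    records: Dict[str, str] = {}
    for line in output.splitlines():
        match = CNAME_LINE.match(line.strip())
        if match:
            records[match.group(1)] = match.group(2)
    return records


def external_service(target: str) -> Optional[str]:
    """Name the external service a CNAME target belongs to, if any."""
    for suffix, name in EXTERNAL_SERVICE_SUFFIXES.items():
        if target.endswith(suffix):
            return name
    return None


def audit_cnames(records: Dict[str, str],
                 target_resolves: Callable[[str], bool]
                 ) -> List[Tuple[str, str, str, str]]:
    """For each CNAME pointing at an external service, report whether the
    target still resolves. A target that no longer resolves is a dangling
    record: the entry the mitigation slide says to remove."""
    findings = []
    for subdomain, target in records.items():
        service = external_service(target)
        if service is None:
            continue  # internal alias, out of scope for this check
        status = "ok" if target_resolves(target) else "DANGLING"
        findings.append((subdomain, target, service, status))
    return findings


# Stub resolver so the example runs offline: the retired Heroku app is
# treated as no longer resolving (constructed, not a real lookup result).
STUB_RESOLVES = {
    "example-shop.myshopify.com.": True,
    "retired-blog.herokuapp.com.": False,
    "example.github.io.": True,
}


def demo() -> List[Tuple[str, str, str, str]]:
    records = parse_dig_cnames(SAMPLE_DIG_OUTPUT)
    return audit_cnames(records, lambda t: STUB_RESOLVES.get(t, False))


if __name__ == "__main__":
    for subdomain, target, service, status in demo():
        print(f"{status:9} {subdomain} -> {target} ({service})")
```

Whether the target resolves is only a first filter: some services answer for any hostname and return an error page instead of NXDOMAIN, so a "DANGLING" finding still has to be confirmed against the service before the record is removed, and an "ok" result does not by itself prove the resource is still owned by your organisation. Running this check on a schedule over your own zone file is the simplest form of the domain monitoring the slide describes.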