Florian Walter on LinkedIn: Subdomain Takeover: What is It? How to Exploit? How to Find Them? (2024)

Florian Walter

Sr. Penetration Tester | Dev & AppSec Specialist | Security Researcher | Building, Breaking & Fixing Apps


๐Ÿ” Subdomain Takeover: A Wrap-upI hope you liked this recent series on subdomain takeovers. If you want to read through this series more compactly, please check out the whole article on my Medium: https://lnkd.in/dNZ79htSI will soon officially introduce a new tool I wrote called SubSnipe, designed to automate some of the work of finding subdomain takeovers in practice.I think this tool has much potential so stay tuned ๐Ÿ˜Ž.#Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting

Subdomain Takeover: What is It? How to Exploit? How to Find Them? medium.com


Lucas Santos Ferreira

Pre-Sales | Sales Engineer | Solutions Architect | Consultant | Technical Account Manager | Cyber Security | DevSecOps | Application Security

1d


You rock! I'm looking forward to seeing this tool ready.


More Relevant Posts

  • Florian Walter


    🔒 Subdomain Takeover - Part 3: How to Find Them?

    In my previous posts, I talked about what Subdomain Takeover is and how an attacker can leverage it for further exploitation. In this final part, we talk about how a pentester or bug bounty hunter can find them.

    Step 1: Find Subdomains

    Before you can find subdomains to take over, you need to find something first… Subdomains! There are plenty of ways to find subdomains and I won't cover them in this post.

    So say you're performing like a Pentest on test.com, and you identified the following subdomains:
    - mail.test.com
    - static.test.com
    - cool-app.test.com

    Step 2: Find CNAMEs

    It's very unlikely we can get our hands on e.g. mail.test.com (unless we hack the page itself or like the DNS server or something). Thus, we check if there are some CNAMEs (=aliases) for all identified subdomains, and run e.g.:

        dig +short CNAME mail.test.com

    Say that there were no CNAMEs for mail.test.com and cool-app.test.com. However, we found a CNAME for static.test.com, and it's an S3 bucket ('static-test.s3.amazonaws[.]com').

    Step 3: Find Abandoned Domains

    Next, we need to check if any of the identified CNAMEs have been abandoned, i.e. no longer used. We talked about this in Part 1 of this series, so I won't go too much into detail. Basically, we want to find indications that the resource is no longer used. Good indicators for this are for example:
    - 404 HTTP response status
    - DNS errors that indicate that the domain is non-existent

    Say we checked out the identified S3 bucket and found that it doesn't exist anymore.

    Step 4: Check if Takeover is Possible

    This is the hardest part… We can only take over static.test.com if we can register a new S3 bucket and can control its domain name. If we can't, then we won't be able to register 'static-test.s3.amazonaws[.]com'.

    This isn't a solved problem yet, but a good starting point is this awesome GitHub repo: https://lnkd.in/d2ScVXVf. It contains lots of information on popular domains (e.g. AWS, Azure, etc.), specifies how to fingerprint them, and if they are vulnerable to takeover.

    Step 5: Taking Over the Subdomain

    Once we confirm we can take it over, the final step is taking over the subdomain. This means for example creating a new S3 bucket with the same name as a previously deleted bucket.

    This step can be very easy with things like S3 buckets or Azure Websites but may be more difficult for things like Azure Cloud Apps which require some setup.

    #Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting


  • Florian Walter


    DAST vs Penetration Testing?

    The debate between DAST and Pentesting has been a hot topic for a while, but it has reached new heights since the release of AI tools like ChatGPT.

    If you want to know more about my view on their similarities, differences, and strengths, please check out my recent interview with my Veracode colleague Jenn Buckingham: https://lnkd.in/g2Zjcf27

    Understanding the Nuances: DAST vs. Penetration Testing | Veracode veracode.com


  • Florian Walter


    🔒 Subdomain Takeover - Part 2: How to Exploit?

    In my previous post, I talked about what Subdomain Takeover is. Now, let's talk about some of the naughty things an attacker can do once they have taken over a subdomain.

    So the attacker has just taken over 'static.nextaigen.com'. But what now?

    Phishing

    The most obvious thing that comes to mind is probably phishing. Considering you now control a subdomain of 'nextaigen.com', why not change it to a phishing page and try to social engineer e.g. customers or employees of NextAIGen?

    Exploiting CORS Misconfiguration

    Say you find another app from NextAIGen which is hosted under 'ai-verse.nextaigen.com'. It is configured to allow CORS requests from all subdomains of '*.nextaigen.com' (I honestly see this all the time!). This by itself is not exploitable and probably wouldn't even necessarily classify as a "misconfiguration".

    However, since you now control a subdomain of 'nextaigen.com', you can host content on 'static.nextaigen.com' that sends cross-origin requests to 'ai-verse.nextaigen.com' and stores the HTTP responses. You then have to social engineer a user of 'ai-verse.nextaigen.com' to visit 'static.nextaigen.com'. Now, you can then send requests in the user's name to 'ai-verse.nextaigen.com'. The severity of this may differ. But this would often be high or critical if there is any endpoint in 'ai-verse.nextaigen.com' that returns sensitive data, and I also found this scenario leading to account takeover in the past if there is an endpoint that returns e.g. a session token in the response body.

    Bypassing CSP for XSS

    Another example could potentially be bypassing a CSP to get XSS. Say you find XSS but can't exploit it because of the CSP, but the CSP trusts all scripts from subdomains of '*.nextaigen.com'. You can see what's next right? Just host the XSS payload on 'static.nextaigen.com' then.

    I hope you liked this little introduction to leveraging Subdomain Takeovers. What other exploitation scenarios can you think of?

    #Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting


  • Florian Walter


    🔒 Subdomain Takeover - Part 1: What is it?

    Say your company is called NextAIGen and you're using an S3 bucket for your app's static files, called 'static-stuff'. Since you don't want the domain name for your bucket to be like 'static-stuff[.]s3[.]amazonaws[.]com' (the purpose of the [] is simply to prevent LinkedIn from obfuscating the domain…), you register a CNAME (=a DNS alias) that says that 'static.nextaigen.com' is an alias for 'static-stuff[.]s3[.]amazonaws[.]com'.

    Cool, now you can reference files from your bucket using 'static.nextaigen.com'.

    A few years pass and you have some new fancy apps and have forgotten about all that old stuff that you developed in the past. You already deleted the 'static-stuff' S3 bucket, because why pay money for something you don't need anymore - right?

    But there's one thing you didn't delete: The CNAME entry that connects 'static.nextaigen.com' with 'static-stuff[.]s3[.]amazonaws[.]com'.

    Now, an attacker comes along, creates a new S3 bucket, and uses the now free name 'static-stuff'. Do you see where I'm heading? Since 'static.nextaigen.com' is still an alias for 'static-stuff[.]s3[.]amazonaws[.]com', the attacker has now de facto taken over 'static.nextaigen.com' and can control its content. This is why it's called Subdomain Takeover!

    #Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting

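The dangling-CNAME condition from Part 1 and the lookup steps (Step 2 and Step 3) from Part 3 above, as an added example that is not part of Florian's posts or of SubSnipe: it audits a zone's CNAME records against a resolver and reports aliases whose target no longer exists, which is the check a defender runs over their own DNS. The sample records, the resolver stand-in and the provider patterns (it also covers the Azure Websites hostnames the posts mention) are constructed for this example.

```python
# Added example (not from the original posts): flags dangling CNAME records as
# Part 3 describes, over a constructed sample zone instead of live DNS lookups.
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone in the style of the posts: subdomain -> CNAME target.
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "static.test.com": "static-test.s3.amazonaws.com",
    "assets.test.com": "assets-test.s3.amazonaws.com",
    "mail.test.com": None,      # no CNAME, as in the post
    "cool-app.test.com": None,  # no CNAME, as in the post
}

# Constructed stand-in for a resolver: CNAME target -> resolved address, or
# None to mimic an NXDOMAIN-style "domain does not exist" answer.
SAMPLE_RESOLVER: Dict[str, Optional[str]] = {
    "static-test.s3.amazonaws.com": None,        # bucket was deleted
    "assets-test.s3.amazonaws.com": "52.0.0.1",  # still alive (constructed IP)
}

# Hostname patterns for the providers the posts mention; extend from the
# fingerprint repository the post links to.
PROVIDER_PATTERNS = {
    "aws-s3": re.compile(r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com\.?$"),
    "azure-websites": re.compile(r"\.azurewebsites\.net\.?$"),
}

def classify_provider(target: str) -> Optional[str]:
    """Return the provider label whose pattern matches the CNAME target, if any."""
    for name, pattern in PROVIDER_PATTERNS.items():
        if pattern.search(target.lower()):
            return name
    return None

def find_dangling(cnames: Dict[str, Optional[str]],
                  resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (subdomain, target, provider) for every CNAME whose target no longer resolves."""
    findings = []
    for sub, target in cnames.items():
        if not target:
            continue  # Step 2: nothing is aliased, so nothing can be taken over
        if resolve(target) is not None:
            continue  # Step 3: the target still exists, so it is not abandoned
        findings.append((sub, target, classify_provider(target)))
    return findings

if __name__ == "__main__":
    for sub, target, provider in find_dangling(SAMPLE_CNAMES, SAMPLE_RESOLVER.get):
        print(f"{sub} -> {target} is dangling (provider: {provider or 'unknown'})")
```

A real run replaces SAMPLE_RESOLVER.get with a function that performs the DNS query and returns None on a non-existent domain; a provider label tells you which fingerprint entry to consult before deciding whether the record is merely stale or actually claimable.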

  • Florian Walter


    🔒 Subdomain Takeover: What is it? How to Exploit? How to Find Them?

    I will be publishing a series of posts on Subdomain Takeover soon that discusses 3 things:
    - What is it?
    - How to Exploit?
    - How to Find Them?

    After that, I will be introducing a new tool I wrote called SubSnipe which helps with identifying subdomain takeovers 🚀.

    #Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting


  • Florian Walter


    🌟 Secure Code Review Challenge 09 (Broken Access Control) - My Solution

    The problem here is that the app implements authentication but no authorization. Consequently, any logged-in user can edit the profile of any other logged-in user, which is most likely unintended and a serious vulnerability.

    To remediate this, implement a check ensuring users can only edit their own profile. This can be accomplished e.g. by taking the username from the session (not directly attacker-controlled) instead of the request (directly under the attacker's control).

    #AppSec #BugHunting #EthicalHacking #Cybersecurity


  • Florian Walter


    ๐Ÿ” Secure Code Review Challenge 09: Provide concrete code-level remediation guidance for the vulnerability in the code.Today's vulnerability is omnipresent and I see a variation of it in like 90% of my pentests.(You can also check the below code out on my GitHub: https://lnkd.in/dNNdsJAH)PS: I might respond to your comment from the perspective of a developer under a tight deadline, feeling the pressure to deliver, and attempting to push back on your suggestions.#AppSec #BugHunting #EthicalHacking #Cybersecurity


  • Florian Walter


    Where did my posts go, LinkedIn?

    So like many other content creators, I schedule my posts. In fact, I have them scheduled out till sometime in August, which is perfect because it lets me write whenever I feel inspired and not when I feel like "I should post something now".

    Anyhow, I had the next code-review challenge scheduled for this morning but unless I'm blind, I can't see it posted anywhere 😃. I also can't find it in the list of my scheduled posts. Even more so, I can't see any scheduled posts in my list that go beyond mid-July.

    So I did some quick googling and this is a thing, and scheduled posts sometimes *poof* disappear.

    Did this happen to anyone else recently?

    #WhereIsMyPost


  • Florian Walter


    🌟 Secure Code Review Challenge 08 (Nginx Off By Slash) - My Solution

    So... What's the problem with this innocent-looking Nginx configuration? The answer is path normalization, one of my favorite research topics at the moment (there will be more on that topic coming for you guys 🙂).

    Say someone visits 'https://<host>/html../nginx.conf'. Remember that '/html' is an alias for '/usr/share/nginx/html/' which means that Nginx would interpret this as '/usr/share/nginx/html/../nginx.conf'. Thus, an attacker can break out of the designated path and we have a classic LFI vulnerability.

    💡 Solution

    To remediate this, we can e.g. change the alias to something like this:

        location /html/ {
            root /usr/share/nginx/html;
        }

    Now, if an attacker again visits 'https://<host>/html../nginx.conf', Nginx would interpret it as '/usr/share/nginx/html../nginx.conf', which would lead to a 404.

    If you wanna know more about this topic, please watch this: https://lnkd.in/dcFM7Q9z

    Edit: Thanks to Danilo S. for pointing this out. My remediation guidance is correct, but my explanation is wrong. I said that if an attacker visited 'https://<host>/html../nginx.conf' after the fix, Nginx would interpret it as '/usr/share/nginx/html../nginx.conf'. But considering that our rule maps to '/html/', the '/html../' wouldn't even trigger our rule anymore (and thus, lead to a 404).

    #AppSec #BugHunting #EthicalHacking #Cybersecurity #Nginx

    DEF CON 26 - Orange Tsai - Breaking Parser Logic Take Your Path Normalization Off and Pop 0Days Out

    https://www.youtube.com/

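The path mapping the post reasons about, as an added example that is not the post's own code and is a simplified model of Nginx rather than Nginx itself: it computes the filesystem path for a prefix location with alias versus root, and shows both why '/html../' escapes the directory in the original configuration and why it no longer matches the location at all after the fix.

```python
# Added example (not from the original post): a minimal model of how Nginx
# turns a request URI into a filesystem path for a prefix `location`, to show
# the off-by-slash escape and why the post's fix stops it.
import posixpath
from typing import Optional

def map_uri(uri: str, location: str, alias: Optional[str] = None,
            root: Optional[str] = None) -> Optional[str]:
    """Return the path Nginx would open for `uri`, or None when the location
    prefix does not match (which ends in a 404 in the post's setup)."""
    if not uri.startswith(location):
        return None
    if alias is not None:
        # `alias` replaces the matched prefix with the alias path, so a
        # location without a trailing slash lets "html../" glue onto "html/".
        raw = alias + uri[len(location):]
    else:
        # `root` prepends the root path to the whole URI.
        raw = root + uri
    # The ".." survives into the path and is resolved when the file is opened.
    return posixpath.normpath(raw)

# Original configuration described in the post: 'location /html' aliased to
# '/usr/share/nginx/html/' (constructed from the post's description).
VULN = dict(location="/html", alias="/usr/share/nginx/html/")
# The post's fix: the location now ends in a slash and uses root.
FIXED = dict(location="/html/", root="/usr/share/nginx/html")

def escapes(path: Optional[str], base: str = "/usr/share/nginx/html") -> bool:
    """True when a mapped path lies outside the intended document directory."""
    return path is not None and not path.startswith(base.rstrip("/") + "/")

if __name__ == "__main__":
    for label, cfg in (("original", VULN), ("fixed", FIXED)):
        for uri in ("/html/index.html", "/html../nginx.conf"):
            print(f"{label:8} {uri:20} -> {map_uri(uri, **cfg)}")
```

Note that with root the whole URI is appended, so after the fix '/html/index.html' maps to '/usr/share/nginx/html/html/index.html'; the files have to live under that directory (or the root adjusted) for the fixed location to keep serving them.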
