Florian Walter
Sr. Penetration Tester | Dev & AppSec Specialist | Security Researcher | Building, Breaking & Fixing Apps
Subdomain Takeover: A Wrap-up

I hope you liked this recent series on subdomain takeovers. If you want to read through this series more compactly, please check out the whole article on my Medium: https://lnkd.in/dNZ79htS

I will soon officially introduce a new tool I wrote called SubSnipe, designed to automate some of the work of finding subdomain takeovers in practice. I think this tool has much potential, so stay tuned.

#Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting
Lucas Santos Ferreira
Pre-Sales | Sales Engineer | Solutions Architect | Consultant | Technical Account Manager | Cyber Security | DevSecOps | Application Security
You rock! I'm looking forward to seeing this tool ready.
Florian Walter
Subdomain Takeover - Part 3: How to Find Them?

In my previous posts, I talked about what Subdomain Takeover is and how an attacker can leverage it for further exploitation. In this final part, we talk about how a pentester or bug bounty hunter can find them.

Step 1: Find Subdomains

Before you can find subdomains to take over, you need to find something first… Subdomains! There are plenty of ways to find subdomains and I won't cover them in this post.

So say you're performing like a Pentest on test.com, and you identified the following subdomains:
- mail.test.com
- static.test.com
- cool-app.test.com

Step 2: Find CNAMEs

It's very unlikely we can get our hands on e.g. mail.test.com (unless we hack the page itself or like the DNS server or something). Thus, we check if there are some CNAMEs (=aliases) for all identified subdomains, and run e.g.:

dig +short CNAME mail.test.com

Say that there were no CNAMEs for mail.test.com and cool-app.test.com. However, we found a CNAME for static.test.com, and it's an S3 bucket ('static-test.s3.amazonaws[.]com').

Step 3: Find Abandoned Domains

Next, we need to check if any of the identified CNAMEs have been abandoned, i.e. no longer used. We talked about this in Part 1 of this series, so I won't go too much into detail. Basically, we want to find indications that the resource is no longer used.

Good indicators for this are for example:
- 404 HTTP response status
- DNS errors that indicate that the domain is non-existent

Say we checked out the identified S3 bucket and found that it doesn't exist anymore.

Step 4: Check if Takeover is Possible

This is the hardest part… We can only take over static.test.com if we can register a new S3 bucket and can control its domain name. If we can't, then we won't be able to register 'static-test.s3.amazonaws[.]com'.

This isn't a solved problem yet, but a good starting point is this awesome GitHub repo: https://lnkd.in/d2ScVXVf. It contains lots of information on popular domains (e.g. AWS, Azure, etc.), specifies how to fingerprint them, and if they are vulnerable to takeover.

Step 5: Taking Over the Subdomain

Once we confirm we can take it over, the final step is taking over the subdomain. This means for example creating a new S3 bucket with the same name as a previously deleted bucket.

This step can be very easy with things like S3 buckets or Azure Websites but may be more difficult for things like Azure Cloud Apps which require some setup.

#Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting
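Steps 2 to 4 above (and the forgotten-CNAME scenario from Part 1 further down this feed) are exactly what a zone owner should run against their own DNS on a schedule. The script below is an added example and is not SubSnipe, the post's code, or the linked GitHub repo's data: it walks a list of subdomains, looks up each CNAME, flags aliases whose target no longer resolves, and classifies the target against a small, clearly hypothetical fingerprint table. The resolver functions are offline stand-ins over a constructed zone so it runs anywhere; swap them for real DNS lookups (e.g. dnspython's `dns.resolver.resolve`) to audit a live domain.

```python
"""Dangling-CNAME audit (added example; not code from the original posts).

Walks a list of subdomains, resolves each one's CNAME, and flags aliases whose
target no longer exists (NXDOMAIN). The lookups are injected so the script runs
offline against a constructed zone.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone mirroring the post's test.com example.
SAMPLE_ZONE: Dict[str, Optional[str]] = {
    "mail.test.com": None,                              # A record only, no CNAME
    "static.test.com": "static-test.s3.amazonaws.com",  # alias to a deleted bucket
    "cool-app.test.com": None,
    "cdn.test.com": "d111111abcdef8.cloudfront.net",    # constructed, still live
}
# Constructed: CNAME targets that answer NXDOMAIN today.
SAMPLE_NXDOMAIN = {"static-test.s3.amazonaws.com"}

# Hypothetical fingerprint table (illustrative only, not the linked repo's data):
# target suffix -> (provider name, whether a deleted name can be re-registered).
FINGERPRINTS: Dict[str, Tuple[str, bool]] = {
    ".s3.amazonaws.com": ("AWS S3", True),
    ".cloudfront.net": ("AWS CloudFront", False),
}


@dataclass
class Finding:
    subdomain: str
    target: str
    provider: str
    claimable: bool


def lookup_cname(name: str) -> Optional[str]:
    """Offline stand-in for `dig +short CNAME <name>`: target or None."""
    return SAMPLE_ZONE.get(name)


def target_exists(name: str) -> bool:
    """Offline stand-in for resolving the CNAME target; False means NXDOMAIN."""
    return name not in SAMPLE_NXDOMAIN


def classify(target: str) -> Tuple[str, bool]:
    """Match the CNAME target against the fingerprint table (Step 4)."""
    for suffix, (provider, claimable) in FINGERPRINTS.items():
        if target.endswith(suffix):
            return provider, claimable
    return "unknown", False


def audit(subdomains: List[str],
          cname: Callable[[str], Optional[str]] = lookup_cname,
          exists: Callable[[str], bool] = target_exists) -> List[Finding]:
    """Steps 2-4: has a CNAME? -> target gone? -> provider lets anyone claim it?"""
    findings: List[Finding] = []
    for sub in subdomains:
        target = cname(sub)
        if target is None:
            continue                # no alias, nothing to dangle
        if exists(target):
            continue                # alias still backed by a live resource
        provider, claimable = classify(target)
        findings.append(Finding(sub, target, provider, claimable))
    return findings


if __name__ == "__main__":
    for f in audit(list(SAMPLE_ZONE)):
        status = "CLAIMABLE - remove or re-point this record" if f.claimable \
            else "dangling - review manually"
        print(f"{f.subdomain} -> {f.target} ({f.provider}): {status}")
```

Every finding, claimable or not, is a record to delete or re-point; the `claimable` flag only decides how urgently. Keep the fingerprint table as data rather than code so it can be refreshed from a maintained source.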
Florian Walter
DAST vs Penetration Testing?

The debate between DAST and Pentesting has been a hot topic for a while, but it has reached new heights since the release of AI tools like ChatGPT.

If you want to know more about my view on their similarities, differences, and strengths, please check out my recent interview with my Veracode colleague Jenn Buckingham: https://lnkd.in/g2Zjcf27
Florian Walter
Subdomain Takeover - Part 2: How to Exploit?

In my previous post, I talked about what Subdomain Takeover is. Now, let's talk about some of the naughty things an attacker can do once they have taken over a subdomain.

So the attacker has just taken over 'static.nextaigen.com'. But what now?

Phishing

The most obvious thing that comes to mind is probably phishing. Considering you now control a subdomain of 'nextaigen.com', why not change it to a phishing page and try to social engineer e.g. customers or employees of NextAIGen?

Exploiting CORS Misconfiguration

Say you find another app from NextAIGen which is hosted under 'ai-verse.nextaigen.com'. It is configured to allow CORS requests from all subdomains of '*.nextaigen.com' (I honestly see this all the time!). This by itself is not exploitable and probably wouldn't even necessarily classify as a "misconfiguration".

However, since you now control a subdomain of 'nextaigen.com', you can host content on 'static.nextaigen.com' that sends cross-origin requests to 'ai-verse.nextaigen.com' and stores the HTTP responses. You then have to social engineer a user of 'ai-verse.nextaigen.com' to visit 'static.nextaigen.com'. Now, you can then send requests in the user's name to 'ai-verse.nextaigen.com'. The severity of this may differ. But this would often be high or critical if there is any endpoint in 'ai-verse.nextaigen.com' that returns sensitive data, and I also found this scenario leading to account takeover in the past if there is an endpoint that returns e.g. a session token in the response body.

Bypassing CSP for XSS

Another example could potentially be bypassing a CSP to get XSS. Say you find XSS but can't exploit it because of the CSP, but the CSP trusts all scripts from subdomains of '*.nextaigen.com'. You can see what's next, right? Just host the XSS payload on 'static.nextaigen.com' then.

I hope you liked this little introduction to leveraging Subdomain Takeovers. What other exploitation scenarios can you think of?

#Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting
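The CORS section above is the one with a clean server-side fix: the "*.nextaigen.com" rule is only as strong as the least-maintained subdomain, so the origin check should name the exact origins that need credentialed access. The code below is an added example, not from the post, showing the wildcard-subdomain policy the post describes next to an explicit allowlist, on a hypothetical ai-verse.nextaigen.com backend (names constructed for illustration). The same reasoning applies to a CSP `script-src` entry of `*.nextaigen.com`: list the hosts that actually serve scripts instead.

```python
"""CORS origin validation (added example; not code from the original posts).

Compares the "trust every subdomain" policy with an exact-origin allowlist.
A taken-over subdomain passes the first and fails the second.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

APEX = "nextaigen.com"                      # hypothetical company domain
DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_origin(origin: str) -> Optional[Tuple[str, str, Optional[int]]]:
    """Parse an Origin header into (scheme, host, port); None if malformed."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.path:
        return None
    try:
        port = parts.port                   # raises ValueError on a bad port
    except ValueError:
        return None
    if port == DEFAULT_PORTS[parts.scheme]:
        port = None                         # ":443" on https is the same origin
    return parts.scheme, parts.hostname.lower(), port


def wildcard_policy(origin: str) -> bool:
    """The pattern the post warns about: any https origin under *.nextaigen.com.
    Correctly rejects look-alikes such as evilnextaigen.com, but still trusts
    every subdomain, including one that has been taken over."""
    parsed = _parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, _ = parsed
    return scheme == "https" and (host == APEX or host.endswith("." + APEX))


# Exact origins that genuinely need credentialed cross-origin access
# (constructed for this example).
ALLOWED_ORIGINS = {"https://app.nextaigen.com"}


def allowlist_policy(origin: str) -> bool:
    """Exact-match allowlist: scheme, host and port must all agree."""
    parsed = _parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    normalized = f"{scheme}://{host}" + (f":{port}" if port else "")
    return normalized in ALLOWED_ORIGINS


def cors_headers(origin: str, policy: Callable[[str], bool]) -> Dict[str, str]:
    """Response headers a server would attach for a credentialed request."""
    if not policy(origin):
        return {}                           # no ACAO header at all: browser blocks the read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                   # keep caches from serving one origin's answer to another
    }
```

`Vary: Origin` matters whenever the allowed origin is echoed back: without it a shared cache can hand a response stamped with one origin to a request from another.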
Florian Walter
Subdomain Takeover - Part 1: What is it?

Say your company is called NextAIGen and you're using an S3 bucket for your app's static files, called 'static-stuff'. Since you don't want the domain name for your bucket to be like 'static-stuff[.]s3[.]amazonaws[.]com' (the purpose of the [] is simply to prevent LinkedIn from obfuscating the domain…), you register a CNAME (=a DNS alias) that says that 'static.nextaigen.com' is an alias for 'static-stuff[.]s3[.]amazonaws[.]com'.

Cool, now you can reference files from your bucket using 'static.nextaigen.com'.

A few years pass and you have some new fancy apps and have forgotten about all that old stuff that you developed in the past. You already deleted the 'static-stuff' S3 bucket, because why pay money for something you don't need anymore - right?

But there's one thing you didn't delete: The CNAME entry that connects 'static.nextaigen.com' with 'static-stuff[.]s3[.]amazonaws[.]com'.

Now, an attacker comes along, creates a new S3 bucket, and uses the now free name 'static-stuff'. Do you see where I'm heading? Since 'static.nextaigen.com' is still an alias for 'static-stuff[.]s3[.]amazonaws[.]com', the attacker has now de facto taken over 'static.nextaigen.com' and can control its content. This is why it's called Subdomain Takeover!

#Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting
Florian Walter
Subdomain Takeover: What is it? How to Exploit? How to Find Them?

I will be publishing a series of posts on Subdomain Takeover soon that discusses 3 things:
- What is it?
- How to Exploit?
- How to Find Them?

After that, I will be introducing a new tool I wrote called SubSnipe which helps with identifying subdomain takeovers.

#Cybersecurity #SubdomainTakeover #InfoSec #WebSecurity #AppSec #BugHunting #PenetrationTesting
Florian Walter
Secure Code Review Challenge 09 (Broken Access Control) - My Solution

The problem here is that the app implements authentication but no authorization. Consequently, any logged-in user can edit the profile of any other logged-in user, which is most likely unintended and a serious vulnerability.

To remediate this, implement a check ensuring users can only edit their own profile. This can be accomplished e.g. by taking the username from the session (not directly attacker-controlled) instead of the request (directly under the attacker's control).

#AppSec #BugHunting #EthicalHacking #Cybersecurity
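The challenge's actual code lives on the author's GitHub and is not reproduced here, so the following is an added, framework-free illustration of the fix the solution describes: the same profile-update handler written twice, once trusting a `username` field from the request body and once deriving the identity from the session. The request, session and user store are all constructed for the example.

```python
"""Profile-edit authorization (added example; not the challenge's own code).

The vulnerable handler authenticates (is anyone logged in?) but never
authorizes (may *this* user edit *that* profile). The fixed handler binds the
edited record to the session identity and refuses a mismatching body value.
"""
import copy
from dataclasses import dataclass
from typing import Dict


@dataclass
class Request:
    session: Dict[str, str]     # populated server-side at login
    form: Dict[str, str]        # request body: attacker-controlled


@dataclass
class Response:
    status: int
    body: str


# Constructed in-memory user store.
PROFILES = {
    "alice": {"display_name": "Alice", "email": "alice@example.invalid"},
    "bob": {"display_name": "Bob", "email": "bob@example.invalid"},
}


def fresh_profiles() -> Dict[str, Dict[str, str]]:
    """Independent copy of the store so each scenario starts clean."""
    return copy.deepcopy(PROFILES)


def update_profile_vulnerable(req: Request, profiles: Dict) -> Response:
    """Authentication only: any logged-in user can edit anyone's profile."""
    if "user" not in req.session:
        return Response(401, "login required")
    target = req.form.get("username")        # the caller picks the victim
    if target not in profiles:
        return Response(404, "no such user")
    profiles[target]["display_name"] = req.form.get("display_name", "")
    return Response(200, f"updated {target}")


def update_profile_fixed(req: Request, profiles: Dict) -> Response:
    """Authorization: the record edited is always the session owner's own."""
    user = req.session.get("user")
    if user is None:
        return Response(401, "login required")
    # A body that names someone else is a tampering signal, not a routing hint:
    # reject it (and, in a real app, log it) rather than silently ignoring it.
    claimed = req.form.get("username")
    if claimed is not None and claimed != user:
        return Response(403, "may only edit your own profile")
    if user not in profiles:
        return Response(404, "no such user")
    profiles[user]["display_name"] = req.form.get("display_name", "")
    return Response(200, f"updated {user}")


if __name__ == "__main__":
    attack = Request(session={"user": "bob"},
                     form={"username": "alice", "display_name": "pwned"})
    print(update_profile_vulnerable(attack, fresh_profiles()))   # 200: alice edited by bob
    print(update_profile_fixed(attack, fresh_profiles()))        # 403: refused
```

Returning 403 on a mismatch, instead of quietly editing the caller's own record, also gives the SOC a log line to alert on: legitimate clients never send someone else's username.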
Florian Walter
Secure Code Review Challenge 09: Provide concrete code-level remediation guidance for the vulnerability in the code.

Today's vulnerability is omnipresent and I see a variation of it in like 90% of my pentests.

(You can also check the below code out on my GitHub: https://lnkd.in/dNNdsJAH)

PS: I might respond to your comment from the perspective of a developer under a tight deadline, feeling the pressure to deliver, and attempting to push back on your suggestions.

#AppSec #BugHunting #EthicalHacking #Cybersecurity
Florian Walter
Where did my posts go, LinkedIn?

So like many other content creators, I schedule my posts. In fact, I have them scheduled out till sometime in August, which is perfect because it lets me write whenever I feel inspired and not when I feel like "I should post something now".

Anyhow, I had the next code-review challenge scheduled for this morning but unless I'm blind, I can't see it posted anywhere. I also can't find it in the list of my scheduled posts. Even more so, I can't see any scheduled posts in my list that go beyond mid-July.

So I did some quick googling and this is a thing, and scheduled posts sometimes *poof* disappear.

Did this happen to anyone else recently?

#WhereIsMyPost
Florian Walter
Secure Code Review Challenge 08 (Nginx Off By Slash) - My Solution

So... What's the problem with this innocent-looking Nginx configuration? The answer is path normalization, one of my favorite research topics at the moment (there will be more on that topic coming for you guys).

Say someone visits 'https://<host>/html../nginx.conf'. Remember that '/html' is an alias for '/usr/share/nginx/html/' which means that Nginx would interpret this as '/usr/share/nginx/html/../nginx.conf'. Thus, an attacker can break out of the designated path and we have a classic LFI vulnerability.

Solution

To remediate this, we can e.g. change the alias to something like this:

location /html/ {
    root /usr/share/nginx/html;
}

Now, if an attacker again visits 'https://<host>/html../nginx.conf', Nginx would interpret it as '/usr/share/nginx/html../nginx.conf', which would lead to a 404.

If you wanna know more about this topic, please watch this: https://lnkd.in/dcFM7Q9z

Edit: Thanks to Danilo S. for pointing this out. My remediation guidance is correct, but my explanation is wrong. I said that if an attacker visited 'https://<host>/html../nginx.conf' after the fix, Nginx would interpret it as '/usr/share/nginx/html../nginx.conf'. But considering that our rule maps to '/html/', the '/html../' wouldn't even trigger our rule anymore (and thus, lead to a 404).

#AppSec #BugHunting #EthicalHacking #Cybersecurity #Nginx

Linked video: DEF CON 26 - Orange Tsai - Breaking Parser Logic: Take Your Path Normalization Off and Pop 0Days Out (https://www.youtube.com/)
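The edit at the end of the post is the key detail: the fixed `location /html/` simply never matches `/html../`, so no path is built at all. The following added example (not code from the post or from nginx) models just enough of nginx's prefix-location, `alias` and `root` semantics to show both outcomes, and includes the static check a config reviewer would automate: an `alias` whose location prefix has no trailing slash while the alias path does. It is a model of the documented directive semantics, not a replacement for testing against a real nginx.

```python
"""Nginx prefix-location resolver (added example; not the post's code).

Models: longest-prefix location match, `alias` (replaces the matched prefix)
and `root` (prepends to the whole URI), then normalizes the result the way the
filesystem would, to show where '/html../nginx.conf' actually lands.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Location:
    prefix: str      # e.g. "/html" or "/html/"
    directive: str   # "alias" or "root"
    path: str        # filesystem path given to the directive


def longest_prefix_match(locations: List[Location], uri: str) -> Optional[Location]:
    """nginx selects the longest matching prefix location (regex/exact ignored)."""
    matches = [loc for loc in locations if uri.startswith(loc.prefix)]
    return max(matches, key=lambda loc: len(loc.prefix)) if matches else None


def map_to_filesystem(locations: List[Location], uri: str) -> Optional[Tuple[str, str]]:
    """Return (path nginx constructs, path the filesystem resolves) or None for 404."""
    loc = longest_prefix_match(locations, uri)
    if loc is None:
        return None                                   # no location matched
    if loc.directive == "alias":
        raw = loc.path + uri[len(loc.prefix):]        # prefix swapped for alias
    else:
        raw = loc.path + uri                          # root keeps the full URI
    return raw, posixpath.normpath(raw)               # '..' collapses here


def escapes(base: str, resolved: str) -> bool:
    """True when the resolved path is outside the intended directory."""
    base = posixpath.normpath(base)
    return not (resolved == base or resolved.startswith(base + "/"))


def off_by_slash_candidates(locations: List[Location]) -> List[Location]:
    """Static config check: alias ends in '/' but the prefix does not."""
    return [loc for loc in locations
            if loc.directive == "alias"
            and not loc.prefix.endswith("/")
            and loc.path.endswith("/")]


# The challenge's configuration and the post's fix, as data.
VULNERABLE = [Location("/html", "alias", "/usr/share/nginx/html/")]
FIXED = [Location("/html/", "root", "/usr/share/nginx/html")]

if __name__ == "__main__":
    print(map_to_filesystem(VULNERABLE, "/html../nginx.conf"))   # escapes the html dir
    print(map_to_filesystem(FIXED, "/html../nginx.conf"))        # None -> 404
    print(off_by_slash_candidates(VULNERABLE))                   # flags the alias
```

One caveat worth keeping in mind when adopting the post's fix verbatim: `root` appends the full request URI, so `location /html/ { root /usr/share/nginx/html; }` serves `/html/index.html` from `/usr/share/nginx/html/html/index.html`. If the old directory layout must stay, keep `alias` but give the prefix and the alias matching trailing slashes (`location /html/ { alias /usr/share/nginx/html/; }`), which the static check above also accepts.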