maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/domain-subdomain-takeover.md
Carlos Polop a01d953303 update xss
2025-02-04 19:24:15 +01:00

102 lines
7.5 KiB
Markdown
Raw Blame History

# Domain/Subdomain takeover
{{#include ../banners/hacktricks-training.md}}
## Domain takeover
If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has **lost** the **ownership** of it, you can try to **register** it (if cheap enough) and let the company know. If this domain is receiving some **sensitive information** like a session cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**.
### Subdomain takeover
A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain takeover.
There are several tools with dictionaries to check for possible takeovers:
- [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
- [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot)
- [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper)
- [https://github.com/haccer/subjack](https://github.com/haccer/subjack)
- [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)
- [https://github.com/ArifulProtik/sub-domain-takeover](https://github.com/ArifulProtik/sub-domain-takeover)
- [https://github.com/SaadAhmedx/Subdomain-Takeover](https://github.com/SaadAhmedx/Subdomain-Takeover)
- [https://github.com/Ice3man543/SubOver](https://github.com/Ice3man543/SubOver)
- [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
- [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)
- [https://github.com/PentestPad/subzy](https://github.com/PentestPad/subzy)
- [https://github.com/Stratus-Security/Subdominator](https://github.com/Stratus-Security/Subdominator)
- [https://github.com/NImaism/takeit](https://github.com/NImaism/takeit)
### Subdomain Takeover Generation via DNS Wildcard
When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be **resolved to the same information**. This could be an A ip address, a CNAME...
For example, if `*.testing.com` is wildcarded to `1.1.1.1`. Then, `not-existent.testing.com` will be pointing to `1.1.1.1`.
However, if instead of pointing to an IP address, the sysadmin points it to a **third party service via CNAME**, like a G**ithub subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in Gihub in this case) and say that `something.testing.com` is pointing there. Because, the **CNAME wildcard** will agree the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**.
You can find an example of this vulnerability in the CTF write-up: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)
## Exploiting a subdomain takeover
Subdomain takeover is essentially DNS spoofing for a specific domain across the internet, allowing attackers to set A records for a domain, leading browsers to display content from the attacker's server. This **transparency** in browsers makes domains prone to phishing. Attackers may employ [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) or [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) for this purpose. Especially vulnerable are domains where the URL in a phishing email appears legitimate, deceiving users and evading spam filters due to the domain's inherent trust.
Check this [post for further details](https://0xpatrik.com/subdomain-takeover/)
### **SSL Certificates**
SSL certificates, if generated by attackers via services like [_Let's Encrypt_](https://letsencrypt.org/), add to the legitimacy of these fake domains, making phishing attacks more convincing.
### **Cookie Security and Browser Transparency**
Browser transparency also extends to cookie security, governed by policies like the [Same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy). Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can **gather session cookies** simply by directing users to a compromised subdomain, endangering user data and privacy.
### CORS Bypass
It might be possible that every subdomain is allowed to access CORS resources from the main domain or other subdomains. This could be exploited by an attacker to **access sensitive information** abusing CORS requests.
### CSRF - Same-Site Cookies bypass
It could be possible that the subdomain is allowed to send cookies to the domain or other subdomains which was prevented by the `Same-Site` attribute of the cookies. However, note that anti-CSRF tokens will still prevent this attack if they are properly implemented.
### OAuth tokens redirect
It might be possible that the compromised subdomain is allowed to be used in the `redirect_uri` URL of an OAuth flow. This could be exploited by an attacker to **steal the OAuth token**.
### CSP Bypass
It might be possible that the compromised subdomain (or eveyr subdomain) is allowed to be used for example the `script-src` of the CSP. This could be exploited by an attacker to **inject malicious scripts** and abuse potential XSS vulnerabilities.
### **Emails and Subdomain Takeover**
Another aspect of subdomain takeover involves email services. Attackers can manipulate **MX records** to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.
### **Higher Order Risks**
Further risks include **NS record takeover**. If an attacker gains control over one NS record of a domain, they can potentially direct a portion of traffic to a server under their control. This risk is amplified if the attacker sets a high **TTL (Time to Live)** for DNS records, prolonging the duration of the attack.
### CNAME Record Vulnerability
Attackers might exploit unclaimed CNAME records pointing to external services that are no longer used or have been decommissioned. This allows them to create a page under the trusted domain, further facilitating phishing or malware distribution.
### **Mitigation Strategies**
Mitigation strategies include:
1. **Removing vulnerable DNS records** - This is effective if the subdomain is no longer required.
2. **Claiming the domain name** - Registering the resource with the respective cloud provider or repurchasing an expired domain.
3. **Regular monitoring for vulnerabilities** - Tools like [aquatone](https://github.com/michenriksen/aquatone) can help identify susceptible domains. Organizations should also revise their infrastructure management processes, ensuring that DNS record creation is the final step in resource creation and the first step in resource destruction.
For cloud providers, verifying domain ownership is crucial to prevent subdomain takeovers. Some, like [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/), have recognized this issue and implemented domain verification mechanisms.
## References
- [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)
- [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide)
- [https://www.hackerone.com/blog/guide-subdomain-takeovers-20](https://www.hackerone.com/blog/guide-subdomain-takeovers-20)
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink