7.0 KiB
7.0 KiB
name, description
| name | description |
|---|---|
| subdomain-takeover | Subdomain takeover testing for dangling DNS records and unclaimed cloud resources |
Subdomain Takeover
Subdomain takeover lets an attacker serve content from a trusted subdomain by claiming resources referenced by dangling DNS (CNAME/A/ALIAS/NS) or mis-bound provider configurations. Consequences include phishing on a trusted origin, cookie and CORS pivot, OAuth redirect abuse, and CDN cache poisoning.
Attack Surface
- Dangling CNAME/A/ALIAS to third-party services (hosting, storage, serverless, CDN)
- Orphaned NS delegations (child zones with abandoned/expired nameservers)
- Decommissioned SaaS integrations (support, docs, marketing, forms) referenced via CNAME
- CDN "alternate domain" mappings (CloudFront/Fastly/Azure CDN) lacking ownership verification
- Storage and static hosting endpoints (S3/Blob/GCS buckets, GitHub/GitLab Pages)
Reconnaissance
Enumeration Pipeline
- Subdomain inventory: combine CT (crt.sh APIs), passive DNS sources, in-house asset lists, IaC/terraform outputs
- Resolver sweep: use IPv4/IPv6-aware resolvers; track NXDOMAIN vs SERVFAIL vs provider-branded 4xx/5xx
- Record graph: build a CNAME graph and collapse chains to identify external endpoints
DNS Indicators
- CNAME targets ending in provider domains:
github.io,amazonaws.com,cloudfront.net,azurewebsites.net,blob.core.windows.net,fastly.net,vercel.app,netlify.app,herokudns.com,trafficmanager.net,azureedge.net,akamaized.net - Orphaned NS: subzone delegated to nameservers on a domain that has expired or no longer hosts authoritative servers
- MX to third-party mail providers with decommissioned domains
- TXT/verification artifacts (
asuid,_dnsauth,_github-pages-challenge) suggesting previous external bindings
HTTP Fingerprints
Service-specific unclaimed messages (examples):
- GitHub Pages: "There isn't a GitHub Pages site here."
- Fastly: "Fastly error: unknown domain"
- Heroku: "No such app" or "There's nothing here, yet."
- S3 static site: "NoSuchBucket" / "The specified bucket does not exist"
- CloudFront: 403/400 with "The request could not be satisfied"
- Azure App Service: default 404 for azurewebsites.net unless custom-domain verified
- Shopify: "Sorry, this shop is currently unavailable"
TLS clues: certificate CN/SAN referencing provider default host instead of the custom subdomain
Key Vulnerabilities
Claim Third-Party Resource
- Create the resource with the exact required name:
- Storage/hosting: S3 bucket "sub.example.com" (website endpoint)
- Pages hosting: create repo/site and add the custom domain
- Serverless/app hosting: create app/site matching the target hostname
CDN Alternate Domains
- Add the victim subdomain as an alternate domain on your CDN distribution if the provider does not enforce domain ownership checks
- Upload a TLS cert or use managed cert issuance
NS Delegation Takeover
- If a child zone is delegated to nameservers under an expired domain, register that domain and host authoritative NS
- Publish records to control all hosts under the delegated subzone
Mail Surface
- If MX points to a decommissioned provider, takeover could enable email receipt for that subdomain
Advanced Techniques
Blind and Cache Channels
- CDN edge behavior: 404/421 vs 403 differentials reveal whether an alt name is partially configured
- Cache poisoning: once taken over, exploit cache keys to persist malicious responses
CT and TLS
- Use CT logs to detect unexpected certificate issuance for your subdomain
- For PoC, issue a DV cert post-takeover (within scope) to produce verifiable evidence
OAuth and Trust Chains
- If the subdomain is whitelisted as an OAuth redirect/callback or in CSP/script-src, takeover elevates to account takeover or script injection
Verification Gaps
- Look for providers that accept domain binding prior to TXT verification
- Race windows: re-claim resource names immediately after victim deletion
Wildcards and Fallbacks
- Wildcard CNAMEs to providers may expose unbounded subdomains
- Fallback origins: CDNs configured with multiple origins may expose unknown-domain responses
Special Contexts
Storage and Static
- S3/GCS/Azure Blob static sites: bucket naming constraints dictate whether a bucket can match hostname
- Website vs API endpoints differ in claimability and fingerprints
Serverless and Hosting
- GitHub/GitLab Pages, Netlify, Vercel, Azure Static Web Apps: domain binding flows vary
- Most require TXT now, but historical projects may not
CDN and Edge
- CloudFront/Fastly/Azure CDN/Akamai: alternate domain verification differs
- Some products historically allowed alt-domain claims without proof
DNS Delegations
- Child-zone NS delegations outrank parent records
- Control of delegated NS yields full control of all hosts below that label
Testing Methodology
- Enumerate subdomains - Aggregate CT logs, passive DNS, and org inventory
- Resolve DNS - All RR types: A/AAAA, CNAME, NS, MX, TXT; keep CNAME chains
- HTTP/TLS probe - Capture status, body, error text, Server headers, certificate SANs
- Fingerprint providers - Map known "unclaimed/missing resource" signatures
- Attempt claim (with authorization) - Create missing resource with exact required name
- Validate control - Serve minimal unique payload; confirm over HTTPS
Validation
- Before: record DNS chain, HTTP response (status/body length/fingerprint), and TLS details
- After claim: serve unique content and verify over HTTPS at the target subdomain
- Optional: issue a DV certificate (legal scope) and reference CT entry as evidence
- Demonstrate impact chains (CSP/script-src trust, OAuth redirect acceptance, cookie Domain scoping)
False Positives
- "Unknown domain" pages that are not claimable due to enforced TXT/ownership checks
- Provider-branded default pages for valid, owned resources (not a takeover)
- Soft 404s from your own infrastructure or catch-all vhosts
Impact
- Content injection under trusted subdomain: phishing, malware delivery, brand damage
- Cookie and CORS pivot: if parent site sets Domain-scoped cookies or allows subdomain origins
- OAuth/SSO abuse via whitelisted redirect URIs
- Email delivery manipulation for subdomain
Pro Tips
- Build a pipeline: enumerate (subfinder/amass) → resolve (dnsx) → probe (httpx) → fingerprint (nuclei/custom) → verify claims
- Maintain a current fingerprint corpus; provider messages change frequently
- Prefer minimal PoCs: static "ownership proof" page and, where allowed, DV cert issuance
- Monitor CT for unexpected certs on your subdomains
- Eliminate dangling DNS in decommission workflows first
- For NS delegations, treat any expired nameserver domain as critical
- Use CAA to limit certificate issuance while you triage
Summary
Subdomain safety is lifecycle safety: if DNS points at anything, you must own and verify the thing on every provider and product path. Remove or verify—there is no safe middle.