
Subs or Top level Domain

  • CNAME record or A record that points to a third-party service

  • Check: the way to find take-overs is to query a list of domains and flag any that are either:

    1. attached to a third-party domain or destination via a CNAME record, or

    2. returning a 404 Not Found error.

    Example: a domain that resolved to a CloudFront domain and gave the following error: "Error the request could not be satisfied, generated by CloudFront (CloudFront)"

Technical Detail

  • This attack vector uses DNS entries that point to a service provider while the pointed-to subdomain is currently not in use (not claimed) at that provider.

  • Service providers:

    Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, [StatusPage.io](http://statuspage.io/) and Tumblr.

Impact

  • An attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts) and cookies, and/or completely destroy your company's business credibility.

  • Another scenario:

    1. A domain owner points their * (wildcard) DNS entry to e.g. Heroku.
    2. They forget to add the wildcard entry to their Heroku app.
    3. An attacker can now claim any subdomain they want under the domain owner's domain.
    4. The domain owner will be unaware of the subdomain being exploited.
  • In the not-so-rare case, the attacker can also "inherit" the domain owner's wildcard SSL certificate used inside the service provider.

Exploit

  • Claim CloudFront:

    Sign up to AWS —> head over to the CloudFront signup

Remediation

    - Check your DNS configuration for subdomains pointing to services that are not in use.
    - Set up your external service so it fully listens to your wildcard DNS. In Heroku's case, this means running the following command in your app: heroku domains:add *.example.com
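A defender-side audit that automates the two checks this page describes (a record pointing at a third-party provider, and that provider answering with a 404 or an "unclaimed" page), covering both the Check list above and the first remediation step; this is an added example, not code from the original page. It assumes a constructed zone and canned HTTP answers; the CloudFront and Shopify fingerprint strings and the Shopify IP come from this page, the Heroku string is the provider's well-known message, and the function names are mine.

```python
from typing import Callable, Iterable, Optional, Tuple

# Provider fingerprints: CNAME suffix -> lower-cased text an unclaimed resource
# serves. CloudFront/Shopify strings are quoted on this page; Heroku's is well known.
FINGERPRINTS = {
    "cloudfront.net": "request could not be satisfied",
    "myshopify.com": "sorry, this shop is currently unavailable",
    "herokuapp.com": "no such app",
}
# A-record targets owned by a provider (the Shopify IP from the POC on this page).
SERVICE_IPS = {"23.227.38.65": "myshopify.com"}

def provider_for(rtype: str, value: str) -> Optional[str]:
    """Provider suffix a DNS record points at, or None for an in-house target."""
    if rtype == "A":
        return SERVICE_IPS.get(value)
    target = value.rstrip(".").lower()          # CNAME targets may be absolute
    return next((s for s in FINGERPRINTS if target == s or target.endswith("." + s)), None)

def audit(records: Iterable[Tuple[str, str, str]],
          fetch: Callable[[str], Optional[Tuple[int, str]]]) -> list:
    """Return (subdomain, provider, reason) for each (name, rtype, value) record
    that looks dangling; fetch(host) yields (status, body) or None if no answer."""
    findings = []
    for name, rtype, value in records:
        provider = provider_for(rtype, value)
        if provider is None:
            continue                                 # not a third-party target
        resp = fetch(name)
        if resp is None:
            findings.append((name, provider, "no response from target"))
        elif resp[0] == 404:
            findings.append((name, provider, "HTTP 404 from provider"))
        elif FINGERPRINTS[provider] in resp[1].lower():
            findings.append((name, provider, "unclaimed-resource fingerprint"))
    return findings

# Constructed zone and canned HTTP answers so the audit runs offline;
# pass SAMPLE_RESPONSES.get as the fetcher (a real run would do HTTP requests).
SAMPLE_ZONE = [
    ("cdn.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("shop.example.com", "A", "23.227.38.65"),
    ("www.example.com", "A", "203.0.113.10"),
    ("app.example.com", "CNAME", "claimed-app.herokuapp.com"),
]
SAMPLE_RESPONSES = {
    "cdn.example.com": (403, "ERROR: The request could not be satisfied. Generated by cloudfront"),
    "shop.example.com": (404, "Sorry, this shop is currently unavailable."),
    "app.example.com": (200, "<html>Welcome to our app</html>"),
}
```

Every finding is a candidate for manual review: either delete the DNS entry or claim the resource at the provider yourself, and extend FINGERPRINTS and SERVICE_IPS with the providers your zone actually uses.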

Reference

POC

- I found a website; for now, call it [www.target.com](http://www.target.com).
- I went to the terminal and ran a host command on that target:

host www.target.com

- It was pointing its 'A' record to this IP: 23.227.38.65
- Now I knew that this IP belongs to Shopify because I had set up a shop on Shopify a few days back (you can also go and check the whois record for this IP).
- I opened the website [www.target.com](http://www.target.com) and found there a Shopify template stating "only one step left to finish setting" (in some cases it also states "Sorry this shop is unavailable").
- Now I knew what I had to do: I signed up on Shopify with a trial account; after that I put in the same target website name, and it gave me an error stating the application name already exists, so I put target.com as the name, and finally it was created.
- I went to settings; it showed me two options, "connect your domain automatically" and "connect your domain manually".
- I chose the first, automatic one, just put in that domain [www.target.com](http://www.target.com), and it got connected. We are done; now we own this top-level domain.

Analysis

- The person registered this domain name from GoDaddy and configured its DNS record to point to Shopify's IP.
- Either he might have forgotten to create a shop, or he had created a shop, used it for a while, then deleted that shop from Shopify but didn't remove the DNS entry pointing to Shopify's IP.

**Pardon for any spelling or grammar mistakes**

Author:

  • Twitter Id: @Zero0x00


Last updated 9 months ago

Detectify article: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

Zsec Blog: https://blog.zsec.uk/subdomainhijack/