πŸ•΅
πŸ•΅
πŸ•΅
πŸ•΅
HowToHunt
Search…
πŸ•΅
πŸ•΅
πŸ•΅
πŸ•΅
HowToHunt
HowToHunt.md
Account Takeover Methodology
Account Takeover Methodology
Application Level DoS
Application Level DoS Methods
Authentication Bypass
2FA Bypasses
OTP Bypass
Broken-Link Hijacking
Broken-Link Hijacking
Broken Auth And Session Management
Session Based Bugs
CMS
Wordpress
Moodle
CORS
CORS
CORS Bypasses
CSRF
CSRF
CSRF Bypass
Finding CVEs
CVES
CheckList
Web Application Pentesting Checklist
Web Checklist by Chintan Gurjar.pdf
Mindmap by Rohit Gautam
Mindmap by Cristian Cornea
Web Page Source Code Review
Web Page Code Review Tips
EXIF Geo Data Not Stripped
EXIF Geo Data Not Stripped
File Upload Bypass
File Upload Bypass
Find Origin IP
Find Origin
GraphQL
GraphQL
HTTP Desync Attack
HTTP_Desync
Host-Header Attack
Host-Header
HTML-Injection
HTML-Injection
IDOR
IDOR
JWT ATTACK
JWT
MFA Bypass
MFA Bypasses
2FA-Bypass
Misconfigurations
Default Credential And Admin Panel
OAuth
OAuth
Open Redirection
Find OpenRedirect Trick
Open Redirection Bypass
Parameter Pollution
Parameter Pollution In Social Sharing Buttons
Password Reset Functionality
MindMap
Password Reset Token Leakage
Account_Takeover_By_Password_Reset_Functionality
Rate Limit
Rate-Limit Bypass
Recon
Recon Workflow
Subdomain Enumeration
SQLi
SQL Injection.md
SSRF
SSRF
Blind SSRF
SSTI
SSTI
Sign Up Functionality
Sign Up Bugs
Sign Up MindMap
Sensitive Info Leaks
Github Recon Method
Github-Dorks
Github Dorks All
Google Dorks
Shodan CVE Dorks
Status Code Bypass
Status_Code_Bypass Tips
403 Bypass
Subdomain Takeover
Subdomain Takeover - Detail Method
Subdomain Takeover - Easy Method
Tabnabbing
Tabnabbing
WAF Bypasses
WAF Bypass Using Headers
Weak Password Policy
Weak Password Policy
XSS
XSS
Automated XSS
XXE
XXE Methods
Powered By GitBook
Subdomain Takeover - Detail Method

Subdomain Takeover

Basics

DNS

DNS
  • When a web address is accessed eg. "www.xyz.com", a DNS query is performed across a DNS server with the host name.
  • The DNS server takes the hostname and resolves it into a numeric IP address

CNAME

CNAME
  • An alias of domain name to another domain name
  • In the example below, xyz.company.com is a source domain and xyz.cloudservice.com is a canonical domain name.
Subtakeover_basics
  • Subdomains map themselves to a specific IP, 3rd party services like Azure, AWS, Heroku, Github, Fastly, Shopify, etc. to serve the contents. These subdomains use a CNAME record to another domain [eg. xyz.company.com CNAME xyz.cloudservice.com]
  • Now due to whatever reason, the company decides to stop utilizing this service and to save some bucks, the company cancels the subscription of the 3rd party cloud service provider.
  • But, the company forgets to update or simply remove the CNAME record in the DNS zone file
  • Since the CNAME record is not deleted from company.com DNS zone, anyone who registers xyz.cloudservice.com has full control over xyz.company.com until the DNS record is present.

How to find subdomain takeover ?

1. Subdomain Enumeration

Use the following tools to enumerate subdomains

2. Checking for takeover

The following tools are designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
You can also verify if the subdomain is vulnerable or not by going through common error pages.

3. Hijacking the subdomain

Use the following github repositiory to check if the engine is vulnerable or not and the steps for hijacking a particular engine.
If you cannot find your engine in the above repository, Google is your friend !

Case : CNAME available to buy

CNAME available to buy
  • There are cases when the CNAME that a subdomain points to, is available to buy.
  • In that case the attacker can directly buy that domain and host his/her content.

References

Check out our talk on the same at NULL / OWASP Bangalore meetup, June 2020

Reports (Hackerone)

Resolved

Authors:

​@aish_kendle​
​@thakare_prateek​
​@klaus​
Status Code Bypass - Previous
403 Bypass
Next - Subdomain Takeover
Subdomain Takeover - Easy Method
Last modified 1yr ago
Copy link
Outline
Subdomain Takeover
Basics
How to find subdomain takeover ?
Case : CNAME available to buy
Authors: