Subdomain takeover

Overview

Description

Subdomain takeover is a vulnerability that allows an attacker to take control of a subdomain of a target domain, typically by claiming an external resource that a stale DNS record still points to.

Example

Consider an example: subdomain.example.com uses some third-party service (Heroku, GitHub Pages, Zendesk, Freshdesk, etc.).

This mapping is done with a CNAME DNS record: subdomain.example.com CNAME subdomain.cloud.com.

Later, for some reason, the company decides to stop using that service.

But the DNS record still exists.

So, if someone visits subdomain.example.com, it shows an error page served by cloud.com. It may show a 404 Not Found error, or it may say that subdomain.cloud.com is available to register.

Now the attacker goes to cloud.com and registers subdomain.cloud.com.

Then, because the DNS record was never deleted or updated, subdomain.example.com still maps to subdomain.cloud.com, which the attacker now controls.

Thus the attacker has complete control over the content served at subdomain.example.com.

Impact

An attacker can use this vulnerability to damage the organization's reputation by serving arbitrary content under its domain.

It can be used to bypass the Cross-Origin Resource Sharing (CORS) policy when the main domain trusts its subdomains as origins, which can lead to stealing data from an authenticated user on the main domain.

When subdomains have been whitelisted in the OAuth configuration (for example as redirect URIs), the OAuth token can be leaked.

Prevention

  • Remove or update the DNS record when you stop using the external service.
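The example section above describes the condition that makes a takeover possible (a CNAME pointing outside the zone at a target that no longer exists), and the prevention step is to find and remove such records. As an added example, not part of this page or the linked tools, the following Python script audits a zone file for exactly that condition. The zone fragment, the stub resolver, and the names under cloud.com are constructed for the example; `resolves_live` is an assumed helper built on the standard library resolver for use against real records.

```python
"""Audit a DNS zone for dangling CNAME records (added example, constructed data)."""
import socket
from dataclasses import dataclass

# Constructed sample zone fragment for example.com; these are not real records.
SAMPLE_ZONE = """
; owner        TTL   class type  target
www                  IN    CNAME example.com.
subdomain      300   IN    CNAME subdomain.cloud.com.
blog           300   IN    CNAME blog.cloud.com.
api                  IN    A     192.0.2.10
"""

# Stub resolver so the example runs offline: True = name resolves, False = NXDOMAIN.
# subdomain.cloud.com. models the cancelled service from the example section.
STUB_ANSWERS = {
    "example.com.": True,
    "blog.cloud.com.": True,
    "subdomain.cloud.com.": False,
}


def stub_resolves(name):
    """Offline stand-in for a DNS lookup; unknown names are treated as NXDOMAIN."""
    return STUB_ANSWERS.get(name, False)


def resolves_live(name):
    """Assumed helper for real use: does the name resolve to any address?"""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


@dataclass
class CnameRecord:
    owner: str   # fully qualified record name, e.g. subdomain.example.com.
    target: str  # fully qualified CNAME target


def _fqdn(name, origin):
    """Qualify a relative zone name against the origin (both end with a dot)."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text, origin):
    """Minimal parser for lines of the form 'owner [TTL] IN CNAME target'."""
    origin = origin.rstrip(".") + "."
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or comment
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue  # A, AAAA, MX, ... are not relevant to this check
        idx = upper.index("CNAME")
        if idx + 1 >= len(fields):
            continue  # malformed line without a target
        records.append(CnameRecord(_fqdn(fields[0], origin), _fqdn(fields[idx + 1], origin)))
    return records


def is_external(target, origin):
    """True when the CNAME points outside the zone we control."""
    origin = origin.rstrip(".") + "."
    return target != origin and not target.endswith("." + origin)


def find_dangling(zone_text, origin, resolves=stub_resolves):
    """Return CNAMEs pointing at an external target that no longer resolves.

    A target that returns NXDOMAIN is the strongest signal; a target that still
    resolves but serves the provider's "not found" page needs the provider-specific
    fingerprints from the can-i-take-over-xyz guide and is out of scope here.
    """
    return [
        rec
        for rec in parse_cnames(zone_text, origin)
        if is_external(rec.target, origin) and not resolves(rec.target)
    ]


if __name__ == "__main__":
    for rec in find_dangling(SAMPLE_ZONE, "example.com."):
        print(f"DANGLING: {rec.owner} -> {rec.target} (remove or update this record)")
```

Records whose target stays inside the zone are skipped on purpose: you already control those names, so a broken internal chain is a configuration bug rather than a takeover exposure. For a real audit, pass `resolves=resolves_live` and feed it your exported zone; anything it reports should be removed or repointed as the prevention step says.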

Tools

Guide: https://github.com/EdOverflow/can-i-take-over-xyz

References

https://0xpatrik.com/subdomain-takeover-basics/
https://0xpatrik.com/subdomain-takeover-ns/