400,000 websites on the internet can be hacked using a simple weakness in how subdomains are managed. Could yours be one of them? If attackers were able to compromise web properties belonging to Trump, Microsoft, Snap and others, your domain can surely be hacked as well. Attackers can use information gathered from subdomains to obtain sensitive data about your business and your clients, or even to compromise the main website. So knowing the actual map of your exposed subdomains is critical for your company's security.
The other side of mastering subdomain kung fu is using it for business reconnaissance: learning about competitors' technologies, projects under development, and their strong and weak sides. Acting within the law, of course.
In this monstrously detailed guide you will learn what dangers exposed subdomains hide, how attackers use them, how to find subdomains, and how to defend them against cyber attacks. The article will be useful for security specialists, CISOs, company owners, system administrators, and bug hunters.
A subdomain is a name under your main domain, like subdomain.example.com. It helps to organize the website structure. Companies mostly use subdomains for goals such as:
The catch is that each subdomain is effectively an independent host or application that needs its own security controls, and that is often neglected. Bearing this in mind, here is how finding subdomains can be used in business reconnaissance by your competitors:
A lot of this information is public and can be found simply by running a search on Spyse, for example. So if you face fierce competition in your market, it is vital to manage your subdomains properly; otherwise, your rivals will learn a lot about you and you will never know.
Even more trouble can be caused by attackers. They use subdomains in very “creative” ways and can do a lot of harm, or even destroy a company. One of the simplest, but most dangerous, techniques in this area is subdomain takeover. Let's take a closer look at it.
When a subdomain has a canonical name (CNAME) record in the Domain Name System (DNS) pointing to a host that no longer serves content for it, an attacker can gain control over the subdomain. This happens when a company uses an external service (GitHub Pages, Amazon S3, Zendesk, Shopify, etc.), creates a DNS record pointing to it, and then stops using the service without removing the record. The attacker registers the abandoned resource on that service, and the dangling record now hands the company's subdomain to content the attacker controls. The same problem exists for A records pointing to released cloud IP addresses and for NS delegations to name servers that no longer exist.
Think of a subdomain as a seat at a bar. While you are sitting in it, nobody can take it. But if you leave without telling the bartender (DNS), the seat is still announced as yours, and somebody else can sit in it and be served in your name.
Subdomain takeover is a dangerous issue in several ways. Checking whether a takeover is possible, and carrying it out, usually requires very few technical skills. Detecting it is hard: the DNS record looks perfectly normal, so a company may realize it too late, when users start complaining.
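The check described above can be automated: for every CNAME in the zone, see whether the target still resolves and, if it does, whether the hosting service answers with its "unclaimed resource" page. The following is an added example written for this article, not code from Spyse or any of the tools mentioned later. It runs on a constructed zone snapshot and constructed resolver/HTTP results so it works offline; the service fingerprints are illustrative assumptions and must be refreshed from a maintained list before real use, and resolve() and fetch() would be replaced with real DNS and HTTP lookups.

```python
"""Dangling-CNAME (subdomain takeover) candidate finder (added example)."""
from dataclasses import dataclass

# Illustrative fingerprints (assumed values): CNAME target suffix -> text the
# service shows when nobody has claimed the resource.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
    "myshopify.com": "Sorry, this shop is currently unavailable",
}

# Constructed zone snapshot: subdomain -> CNAME target (None = no CNAME).
ZONE = {
    "www.example.com": None,
    "blog.example.com": "example.github.io",
    "assets.example.com": "old-assets.s3.amazonaws.com",
    "app.example.com": "example-app.herokuapp.com",
    "shop.example.com": "example.myshopify.com",
    "legacy.example.com": "legacy.example-hosting.net",
}

# Constructed resolver results (False = NXDOMAIN) and HTTP bodies for targets.
RESOLVES = {
    "example.github.io": True,
    "old-assets.s3.amazonaws.com": True,
    "example-app.herokuapp.com": True,
    "example.myshopify.com": True,
    "legacy.example-hosting.net": False,
}
BODIES = {
    "example.github.io": "<h1>Example blog</h1>",
    "old-assets.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "example-app.herokuapp.com": "No such app",
    "example.myshopify.com": "<title>Example store</title>",
}


@dataclass
class Finding:
    name: str
    cname: str
    reason: str


def resolve(target, resolves=RESOLVES):
    """Stand-in for a DNS lookup; real code would query the resolver."""
    return resolves.get(target, False)


def fetch(target, bodies=BODIES):
    """Stand-in for an HTTP GET of the target with the subdomain as Host."""
    return bodies.get(target, "")


def find_takeover_candidates(zone=ZONE, fingerprints=FINGERPRINTS,
                             resolves=RESOLVES, bodies=BODIES):
    """Return subdomains whose CNAME is dangling or points at an unclaimed resource."""
    findings = []
    for name, cname in zone.items():
        if cname is None:
            continue
        if not resolve(cname, resolves):
            # Target name no longer exists: takeover depends on whether the
            # attacker can register that name (e.g. an expired domain).
            findings.append(Finding(name, cname, "CNAME target does not resolve (NXDOMAIN)"))
            continue
        body = fetch(cname, bodies)
        for suffix, marker in fingerprints.items():
            if cname.endswith("." + suffix) and marker in body:
                findings.append(Finding(name, cname, f"unclaimed {suffix} resource: '{marker}'"))
                break
    return findings


if __name__ == "__main__":
    for f in find_takeover_candidates():
        print(f"{f.name} -> {f.cname}: {f.reason}")
```

An NXDOMAIN target is only a candidate, not a confirmed takeover: it has to be checked manually whether the missing name is registrable. Running this against your real zone on a schedule is also the cheapest way to catch the deprovisioning mistakes discussed in the defense section.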
How can a hacked subdomain be used? Here are just the 11 most common ways attackers abuse hijacked subdomains:
In 2016, an Iraqi hacker broke into a fundraising website for Donald Trump and defaced it with an image. Given that Trump was actively criticizing Obama's cybersecurity policy at the time, the incident did a lot of harm to his public image.
Even on Facebook! Many services run on subdomains and store sensitive user data: CRM, support ticketing, webmail, and so on. Each of them has its own class of vulnerabilities that attackers can exploit.
For example, white-hat hacker Anand Prakash found a way to get access to any Facebook account. Here is how he did it. Normally, if a user forgets their password, they receive a 6-digit reset code by email or phone, and the number of attempts to enter it is limited. However, there was no such limit on beta.facebook.com, the subdomain used to test a new version of Facebook. So he could brute-force the code simply by trying all one million combinations. As a result, he could take over any Facebook account and read everything in it.
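To see why a missing attempt limit turns a 6-digit code into no protection at all, here is an added example (written for this article, not Facebook's code) that models a reset-code endpoint twice: once without an attempt limit, as the beta subdomain behaved, and once with a per-account lockout. The account names and codes are constructed.

```python
"""Brute-forcing a 6-digit reset code with and without an attempt limit (added example)."""
import hmac
import secrets


class ResetCodeService:
    """Minimal password-reset code store. max_attempts=None means no limit."""

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self._codes = {}      # account -> pending code
        self._attempts = {}   # account -> failed verification attempts

    def issue(self, account, code=None):
        # In reality the code is sent out of band (email/SMS); it is returned
        # here only so the example can be driven deterministically.
        code = code or f"{secrets.randbelow(1_000_000):06d}"
        self._codes[account] = code
        self._attempts[account] = 0
        return code

    def attempts(self, account):
        return self._attempts.get(account, 0)

    def verify(self, account, guess):
        if self.max_attempts is not None and self.attempts(account) >= self.max_attempts:
            return False  # locked out: the code is useless even if guessed correctly
        self._attempts[account] = self.attempts(account) + 1
        # Constant-time comparison, so response timing does not leak digits.
        ok = hmac.compare_digest(self._codes.get(account, ""), guess)
        if ok:
            del self._codes[account]  # single use
        return ok


def brute_force(service, account, limit=1_000_000):
    """Try every code in order; return the one accepted, or None."""
    for n in range(limit):
        guess = f"{n:06d}"
        if service.verify(account, guess):
            return guess
    return None


if __name__ == "__main__":
    weak = ResetCodeService()                # beta-style endpoint: no limit
    weak.issue("victim", code="004242")
    print("no limit:", brute_force(weak, "victim"), "after", weak.attempts("victim"), "requests")
    hardened = ResetCodeService(max_attempts=10)
    hardened.issue("victim", code="004242")
    print("with lockout:", brute_force(hardened, "victim"))
```

The lockout alone is not the whole fix (codes should also expire and requests should be rate-limited per source), but the real lesson of the Facebook case is that every environment reachable on a subdomain, beta included, must enforce the same controls as production.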
If a subdomain takeover is possible (described above), an attacker can put their own content on a trusted company subdomain. This means they can replicate, for example, the company's login page to harvest user credentials, personal data, or credit card numbers. Or even worse: imagine they clone the admin login page and some employees simply hand intruders everything needed to log in to the internal system.
In some cases intruders can even obtain a valid TLS certificate for the hijacked subdomain, because controlling its content is enough to pass domain validation, and serve the fake site over HTTPS, complete with the padlock in the browser address bar that assures users the connection is safe.
An attacker can simply put a redirect from the subdomain to their own website. In the most harmless case this only steals traffic, but usually it is used for phishing.
Companies can have valuable information stored on a subdomain that they do not want to make public (documents, research, plans, etc.). If attackers find it, they can demand a ransom to keep it private.
There have been cases where developers left a website's source code in an exposed Docker registry or a similar service. That is how a hacker known as avicoder obtained the source code of Vine and ran it locally. Imagine a competitor stealing in a day the technology a company spent years developing.
Cookies scoped to the parent domain (Domain=example.com) are sent to every subdomain and can be set from any of them. So if an attacker controls subdomain.example.com, they can read such cookies and plant malicious ones that the main website accepts. This opens the way to stealing user data, tracking activity, or fixating and impersonating user sessions.
Cross-Origin Resource Sharing (CORS) is a mechanism that lets a server declare which origins (scheme, host, port) other than its own a browser may allow to read its responses, including responses to authenticated requests. Some applications assume that subdomains are trusted entities, so they allow any *.example.com origin to make credentialed cross-origin requests. If an application allowlists a subdomain in its CORS headers and an attacker controls that subdomain, they can read data from the main application in the browser of any authenticated user who visits their page.
The OAuth flow also has an allowlist: developers register which callback (redirect) URIs the authorization server accepts. If a hijacked subdomain matches the allowlist, an attacker can send the victim through the normal OAuth flow with the callback pointed at the hijacked subdomain, capture the authorization code or token there, and access the account.
Content-Security-Policy (CSP) restricts which hosts may serve client-side code in the context of the application, usually to minimize the impact of cross-site scripting. The policy lists hosts the application trusts to execute code. If a hijacked subdomain is on that list, an attacker can host malicious JavaScript there and bypass the policy.
Some password managers automatically fill login forms on any subdomain of the main application's domain. If a user relies on one, an attacker who controls a subdomain can harvest their credentials just by serving a login form there.
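The cookie, CORS, OAuth and CSP items above share one root cause: a trust check that matches a whole domain suffix instead of an exact list of hosts. The following added example (written for this article, not from any framework) contrasts the loose origin and redirect-URI checks many applications use with strict ones, and shows that a hijacked subdomain passes the loose checks. All hostnames are constructed; old-assets.example.com plays the role of the taken-over subdomain.

```python
"""Loose vs. strict trust checks for CORS origins and OAuth redirect URIs (added example)."""
from urllib.parse import urlsplit

# Loose CORS check seen in the wild: "anything ending in our domain is ours".
def cors_origin_allowed_loose(origin):
    host = urlsplit(origin).hostname or ""
    return host.endswith("example.com")


# Strict CORS check: exact allowlist of full origins, scheme included.
CORS_ALLOWLIST = {"https://app.example.com", "https://admin.example.com"}

def cors_origin_allowed_strict(origin):
    return origin in CORS_ALLOWLIST


# Loose OAuth redirect check: accepts the registered host or any subdomain.
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}

def redirect_allowed_loose(uri):
    host = urlsplit(uri).hostname or ""
    return host == "app.example.com" or host.endswith(".example.com")


# Strict OAuth redirect check: exact string comparison against registered
# URIs, as the OAuth 2.0 security best-current-practice recommends.
def redirect_allowed_strict(uri):
    return uri in REGISTERED_REDIRECTS


def assess(hijacked_host):
    """Summarize what a hijacked subdomain gets past each check."""
    origin = f"https://{hijacked_host}"
    callback = f"https://{hijacked_host}/oauth/callback"
    return {
        "cors_loose": cors_origin_allowed_loose(origin),
        "cors_strict": cors_origin_allowed_strict(origin),
        "oauth_loose": redirect_allowed_loose(callback),
        "oauth_strict": redirect_allowed_strict(callback),
    }


if __name__ == "__main__":
    print(assess("old-assets.example.com"))
    # The suffix check without a leading dot is even worse: it also trusts
    # a lookalike domain an attacker can simply register.
    print(cors_origin_allowed_loose("https://evilexample.com"))
```

The same principle applies to the cookie and CSP cases: scope session cookies to the exact host that needs them (no Domain attribute) and list only the specific hosts that must serve scripts in script-src, rather than *.example.com.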
We could go on, but you've got the idea: even if your main website is secured like the Pentagon, a subdomain can be the Achilles' heel of your security. So be thorough in managing their security.
To protect ourselves from these threats, we first need to audit our existing subdomains and understand the possible attack surface: how our domain looks from an attacker's point of view. Let's look at the ways to get this done.
Finding subdomains is like being a detective who uses many instruments and clues to find the killer. Attackers likewise have many methods and tools for finding subdomains. It is important to find as many as you can to understand the whole attack surface, so it is best to combine data from several sources. Let's look at the most common ways to find subdomains:
The simplest, crudest, and quite effective method. The attacker iterates through a wordlist of common names and, based on the DNS response, determines whether each host exists.
Tools: AltDNS, SubFinder, Subbrute.
Read more: Active Subdomain Enumeration (Part 2)
You can find subdomains indexed by Google very simply: type site:cloudflare.com -www into the search bar. You get the subdomains Google had indexed at its last crawl (not a complete enumeration).
A DNS zone transfer (AXFR) is the mechanism for replicating a zone between name servers. A server that answers AXFR for anyone reveals every record configured in the zone, subdomains included.
It only works when administrators have not restricted AXFR to their secondary servers. Most DNS servers are protected against this type of request, but it is cheap to try and worth combining with other methods.
The Subject Alternative Name (SAN) extension of SSL/TLS certificates lists the domain and subdomain names a certificate covers, and Certificate Transparency logs make issued certificates searchable. Combined with a little Python or bash scripting, this quickly yields many subdomains.
Search web archives, current websites, backlinks, and public datasets to find all subdomains associated with the main domain. Many tools can help with this; a couple of them are mentioned below.
Tools: DNSDumpster, Sublist3r.
Read more: A guide to subdomain takeovers
This is a subtype of brute-forcing, just more granular and precise. Developers often deploy beta and alternative versions of a subdomain under slightly changed names, like subdomain2.example.com, staging-subdomain.example.com, and so on. So "playing" with names that are already known is a quick way to find more.
Subdomain names can often be found inside the website's own code, JavaScript files, documents, or text files. An attacker just needs to scan them to find the treasure.
This method finds subdomains in zones signed with DNSSEC using NSEC records. When signing a zone, DNSSEC links all names in canonical (roughly alphabetical) order using NSEC resource records, which are used to prove that a name does not exist. If someone queries the non-existent name name3, the name server responds with the NSEC record "name2 NSEC name5", proving that no name exists between name2 and name5. We take advantage of this by starting at the zone apex and following the "next name" pointer with successive queries until the chain wraps around, which lists every name in the zone. (NSEC3 hashes the names to hinder this, though the hashes can still be cracked offline.)
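The two active techniques above, permutation scanning and NSEC walking, are simple enough to show in code. The following added example (written for this article, not code from AltDNS, SubFinder, Subbrute or any other tool) does both against constructed data so it runs offline: a made-up set of live names stands in for the resolver, and a made-up NSEC chain stands in for a DNSSEC-signed name server. For real use, resolve() would become a DNS lookup and query_nsec() a query for type NSEC.

```python
"""Permutation scanning and NSEC zone walking (added example, constructed data)."""

# ---- Permutation scanning -------------------------------------------------

NUMBERS = ["1", "2", "01", "02"]
WORDS = ["dev", "staging", "beta", "test", "old", "new", "api", "admin"]

# Constructed stand-in for "does this name resolve?".
LIVE = {
    "app.example.com", "mail.example.com", "api.example.com",
    "app2.example.com", "staging-app.example.com", "dev.app.example.com",
    "mail-old.example.com", "secret-h7q.example.com",
}


def resolve(name, live=LIVE):
    return name in live


def wordlist_candidates(domain, words=WORDS):
    """Plain brute force: one candidate per dictionary word."""
    return {f"{w}.{domain}" for w in words}


def permutations(known, domain, numbers=NUMBERS, words=WORDS):
    """Variants of already-known names, the way AltDNS-style tools build them."""
    cands = set()
    for fqdn in known:
        if not fqdn.endswith("." + domain):
            continue
        label = fqdn[: -len("." + domain)]
        for n in numbers:
            cands.update({f"{label}{n}.{domain}", f"{label}-{n}.{domain}"})
        for w in words:
            cands.update({f"{w}-{label}.{domain}", f"{label}-{w}.{domain}",
                          f"{w}.{label}.{domain}"})
    return cands - set(known)


def discover(known, domain, live=LIVE):
    cands = (wordlist_candidates(domain) | permutations(known, domain)) - set(known)
    return sorted(c for c in cands if resolve(c, live))


# ---- NSEC zone walking ----------------------------------------------------

# Constructed NSEC chain for example.com: owner -> next owner, in canonical order.
NSEC_CHAIN = {
    "example.com": "admin.example.com",
    "admin.example.com": "api.example.com",
    "api.example.com": "mail.example.com",
    "mail.example.com": "staging.example.com",
    "staging.example.com": "www.example.com",
    "www.example.com": "example.com",   # last record wraps to the apex
}


def canonical_key(name):
    """DNSSEC canonical order: compare labels right to left, case-insensitive."""
    return [lbl.lower() for lbl in reversed(name.rstrip(".").split("."))]


def covers(owner, nxt, name):
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o <= q < n
    return q >= o or q < n   # wrap-around record at the end of the chain


def query_nsec(name, chain=NSEC_CHAIN):
    """What a signed server proves when asked for `name`: the NSEC covering it."""
    for owner, nxt in chain.items():
        if covers(owner, nxt, name):
            return owner, nxt
    raise ValueError("malformed NSEC chain")


def walk(apex, chain=NSEC_CHAIN, limit=10_000):
    """Enumerate the zone by asking for the name just after each known owner."""
    names, cur = [apex], apex
    for _ in range(limit):
        # "\x00.<owner>" sorts immediately after <owner>, so the proof of its
        # absence is exactly the owner's own NSEC record.
        _owner, nxt = query_nsec("\x00." + cur, chain)
        if canonical_key(nxt) == canonical_key(apex):
            return names
        names.append(nxt)
        cur = nxt
    raise ValueError("chain did not wrap around")


if __name__ == "__main__":
    print(discover(["app.example.com", "mail.example.com"], "example.com"))
    print(walk("example.com"))
```

Note that the permutation scan never finds secret-h7q.example.com, which is the point of the "uncommon names" advice below, while the NSEC walk lists every name in a signed zone regardless of how unguessable it is.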
As you can see, there are many different techniques for finding subdomains, and each usually needs a different tool, which is a headache. It is convenient to start your search with Spyse, which aggregates most of the techniques mentioned and more. That gives you a solid base list that you can then widen with other tools. Now let's look at how to protect ourselves against subdomain takeover.
As Nelson Mandela said: “Safety and security don't just happen, they are the result of collective consensus and public investment.” This principle works brilliantly not only in politics but in cybersecurity too. Following these simple steps will dramatically reduce the risk of your subdomains being hacked.
Put subdomains intended for internal use behind a firewall or VPN instead of exposing them to the internet.
Secure the credentials for your registrar and DNS provider accounts: enable multi-factor authentication, update the password every 90 days, and log who has access.
Thoroughly and constantly update a list of subdomains in use.
Keep a log of all 3rd party services used and their subdomains. Here is a wonderful list of 62 third-party services that can be exposed to subdomain takeover.
Decommission subdomains you don't use right away. The smaller the attack surface, the better. Don't forget to remove or repoint the DNS records of subdomains that you still need but that are not currently serving anything.
Establish a standard operating procedure (SOP) for the life cycle of your subdomains, so your team knows when and how to close one. Provision by claiming the virtual host on the service first and creating DNS records last; deprovision in reverse, by removing DNS records first and releasing the host last. That way there is never a moment when DNS points at a resource nobody owns.
Choose hosting vendors carefully and study how they verify that someone claiming a virtual host actually controls the domain. Develop a standard vendor qualification process.
Use uncommon names for subdomains. It makes brute-forcing hard: dictionaries don't contain names like aptoplasure12334fx.example.com. Treat this only as a speed bump, though: names still leak through certificate transparency logs, DNSSEC NSEC chains, and your own HTML and JavaScript.
Use honeypots for active defense. This is an active-defense intelligence technique: you deliberately create hosts that look attractive to attackers but are non-critical machines isolated from the company's production environment. If they are attacked, security specialists can gather information about the attackers and use it to reinforce the defenses. Here is the list of tools for honeypots.
Periodically run a checkup for your website on Spyse to see its security score, possible CVE, and what public information about your website structure and subdomains is available.
Write strict guidelines on subdomain usage, share them with your team, and check that they are followed. It is a good idea to print the rules and hang them on the wall of the IT department.
A subdomain is an essential part of a website's structure, but it is often the weak point. So stay vigilant and use everything you know about finding subdomains, the types of attack, and the ways to defend your company. Start right now: find your subdomains with Spyse.
May the Force of cybersecurity be with you.