Subdomain takeover, or subdomain hijacking, refers to a technique by which "unused" subdomains can be made to point to a location of the attacker's choice. Technically, you could call it "domain hijacking," but that term has a broader meaning, with the default connotation being a domain name's registration being taken over by an attacker.

Now, this is clearly problematic. If an attacker could show their own webpage in lieu of subdomain.yoursite.com, this can both damage your site's reputation and enable phishing attacks that leverage the legitimacy of your domain.

But how could this be? If you own example.com, you naturally have control over the domain and all of its subdomains.

Subdomain hijacking has to do with domains not currently in use. In other words, you created a subdomain and set its DNS record to point to a shared hosting account (which, by the way, includes services like Amazon AWS, Azure, Tumblr, GitHub Gist pages, blogs, and other hosting platforms). Later on, you deleted the site set up on the shared hosting end, but forgot to remove the DNS entry pointing to the shared hosting account. Under normal circumstances, your subdomain would simply be unreachable and wouldn't show anything. No harm done.

Shared for One, Shared for All

The problem arises when an attacker is also able to set up an account on the same shared hosting provider. After all, as the name implies, a "shared hosting" service is shared among many customers, and the same server is open to multiple parties for use, and abuse. Prior to letting you add a domain to a hosting account, most hosting providers do validate that the domain's DNS points to them correctly; I can at least speak for cPanel-powered shared hosts. But they typically skip validating domain ownership (which can be a time-consuming process in some cases, or just puts an additional hurdle in front of the honest customer).
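To make the difference between those two checks concrete, here is an added example, written for this page rather than taken from the article or from any real provider's code. It models a shared host's "add this domain to my account" step twice: once with only the "does DNS point at us?" check the article describes, and once with an additional proof-of-control check (a TXT record carrying a per-account token). The zone contents, the host IP, the account names and the tokens are all constructed for illustration.

```python
"""Added example (not from the article, and not any real provider's code):
the two checks a shared host can run when a customer adds a domain.

Everything here is constructed: the zone contents, the host IP, the
account names and the verification tokens.
"""

# Constructed DNS data for example.com: name -> (record type, value).
DNS = {
    "example.com":               ("A", "203.0.113.10"),
    "www.example.com":           ("CNAME", "example.com"),
    # Dangling: still points at the shared host, but the site was deleted there.
    "blog.example.com":          ("A", "198.51.100.7"),
    # Proof-of-control record the real owner (alice) published for the
    # hardened check. A stale TXT left behind by the owner does not help an
    # attacker, because the token is tied to the owner's account.
    "_verify.blog.example.com":  ("TXT", "tok-alice"),
}

SHARED_HOST_IP = "198.51.100.7"   # constructed address of the shared host


def resolve(name, rtype, depth=0):
    """Return the value of `name`'s record of type `rtype`, following CNAMEs
    (at most 8 hops). Returns None for NXDOMAIN or a missing record type."""
    rec = DNS.get(name)
    if rec is None or depth > 8:
        return None
    if rec[0] == "CNAME" and rtype != "CNAME":
        return resolve(rec[1], rtype, depth + 1)
    return rec[1] if rec[0] == rtype else None


class SharedHost:
    """Minimal model of a shared host's 'add this domain to my account' step."""

    def __init__(self, ip, tokens):
        self.ip = ip
        self.vhosts = {}      # domain -> account currently serving it
        self.tokens = tokens  # account -> per-account verification token

    def _dns_points_here(self, domain):
        return resolve(domain, "A") == self.ip

    def add_domain_weak(self, account, domain):
        """What the article describes: accept any domain whose DNS already
        points at this host, as long as no other account holds it."""
        if not self._dns_points_here(domain):
            return False, "DNS does not point at this host"
        if domain in self.vhosts:
            return False, "domain is bound to another account"
        self.vhosts[domain] = account
        return True, "bound"

    def add_domain_strict(self, account, domain):
        """Hardened: same DNS check, plus proof that the requester controls
        the zone, via a TXT record carrying *this* account's token."""
        if not self._dns_points_here(domain):
            return False, "DNS does not point at this host"
        if domain in self.vhosts:
            return False, "domain is bound to another account"
        if resolve(f"_verify.{domain}", "TXT") != self.tokens.get(account):
            return False, "no proof of control for this account"
        self.vhosts[domain] = account
        return True, "bound"

    def delete_domain(self, domain):
        """The owner tearing down their site; the DNS record is left behind."""
        self.vhosts.pop(domain, None)


def run_scenario():
    """Replay the article's story against both policies. Tokens would be
    random in practice; they are fixed strings here so the run is repeatable."""
    tokens = {"alice": "tok-alice", "mallory": "tok-mallory"}
    results = {}
    for policy in ("weak", "strict"):
        host = SharedHost(SHARED_HOST_IP, tokens)
        add = getattr(host, f"add_domain_{policy}")
        # alice is serving the blog; mallory cannot grab a bound domain.
        host.vhosts["blog.example.com"] = "alice"
        results[f"{policy}_while_bound"] = add("mallory", "blog.example.com")[0]
        # alice deletes the site but forgets the A record: the dangling state.
        host.delete_domain("blog.example.com")
        results[f"{policy}_after_delete"] = add("mallory", "blog.example.com")[0]
        # does the real owner get the domain back afterwards?
        results[f"{policy}_owner_readd"] = add("alice", "blog.example.com")[0]
        # a name that does not resolve to this host is refused by both.
        results[f"{policy}_wrong_ip"] = add("mallory", "www.example.com")[0]
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:22s} {'accepted' if v else 'rejected'}")
```

Two things the run makes visible: the weak policy already refuses a domain that is bound to another account, which is exactly why the attack only works once you have deleted the site and left the record dangling; and once the attacker has bound it under the weak policy, the real owner is the one who gets "bound to another account" when they try to take it back. The strict variant rejects the attacker because the token in the zone belongs to the owner's account, not the attacker's.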
If your subdomain.example.com was configured to point to a shared hosting account but is no longer configured on the shared host's end (because you deleted the subdomain there), this opens up the opportunity for an attacker to make subdomain.example.com point to their own hosting setup. In the case of subdomain hijacking, an attacker would typically not have the power to alter DNS records set up by you. Instead, by simply adding the subdomain to their own hosting account, hosted on the same IP as your subdomain, they can have the shared host serve visitors from their web root directory. Whereas previously your subdomain would have been unreachable, accessing it now shows the attacker's landing pages. Subdomain successfully hijacked!

Notable Case Study: Snapchat

Not too long ago, this happened when Snapchat was undergoing a branding makeover, transitioning to the shorter name "Snap." They had removed their Tumblr blog but forgot to reroute (or remove altogether) the DNS entry for blog.snapchat.com, which used to point to Tumblr. An actor who could create a Tumblr blog could simply use the subdomain takeover trick to point Snap's dangling subdomain to their own Tumblr! Security researcher Jake Reynolds wasted no time in responsibly reporting this to the company, with an innocuous demonstration of how the scenario could have been exploited by phishers.

Strictly speaking, Snapchat's case was one of domain hijacking! The subdomain blog.snapchat.com was nothing but a CNAME record pointing to the domain snapchat-blog.com. Reynolds was therefore able to link this "custom domain" to his Tumblr account after Snapchat had deleted their Tumblr. With no other account on Tumblr using the domain, Tumblr let Reynolds "reuse" it, thereby leading to a successful hijacking.

Pentesting and Recon(naissance) Tools

Preventing subdomain hijacking is simple. It doesn't hurt to validate your DNS records from time to time. As an example, here are the DNS records for my domain, axsharma.com, courtesy of dnsdumpster.
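Before turning to the tooling, here is an added example of what a first-pass audit of records like these looks like in code. It is written for this page; it is not from the article and is not how dnsdumpster or aquatone work internally. It walks a zone, follows CNAME chains, and sorts each record into one of the shapes discussed above: a CNAME whose third-party target no longer resolves, a CNAME that chains through a vanity domain (as blog.snapchat.com did) to a service that reports the name as unclaimed, a vanity domain in the chain that no longer resolves at all, and a bare A record still pointing at an old shared host. The zone, the external lookups, the page bodies, the shared-host address range and the service "fingerprint" strings are all constructed, and the fingerprints in particular are placeholders rather than verified strings for the real services.

```python
"""Added example (not from the article, and not how dnsdumpster or aquatone
work internally): a first-pass audit that flags zone records worth checking
for takeover. The zone, the external lookups, the page bodies, the shared-
host address range and the service 'fingerprints' are all constructed."""

# Services that serve customer sites by CNAME, mapped to the text they show
# for an unclaimed name. Placeholders: confirm real fingerprints against the
# service itself (or a maintained list) before relying on them.
SERVICES = {
    "tumblr.com":       "There's nothing here.",
    "github.io":        "There isn't a GitHub Pages site here.",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com":    "No such app",
}

# Address block of the shared host the company used to use (constructed).
SHARED_HOST_PREFIXES = ("198.51.100.",)

# The zone under audit, shaped like the cases in the article.
ZONE = [
    ("www.example.com",    "A",     "203.0.113.10"),
    ("blog.example.com",   "CNAME", "example-blog.com"),   # chained via a vanity domain
    ("docs.example.com",   "CNAME", "example-docs.github.io"),
    ("assets.example.com", "CNAME", "example-assets.s3.amazonaws.com"),
    ("shop.example.com",   "CNAME", "example-shop.herokuapp.com"),
    ("wiki.example.com",   "CNAME", "example-wiki.com"),   # vanity domain that is gone
    ("old.example.com",    "A",     "198.51.100.7"),        # bare A record at the old host
]

# What a resolver returns for names outside the zone. None = NXDOMAIN.
EXTERNAL = {
    "example-blog.com":                ("CNAME", "domains.tumblr.com"),
    "domains.tumblr.com":              ("A", "192.0.2.50"),
    "example-docs.github.io":          ("A", "192.0.2.60"),
    "example-assets.s3.amazonaws.com": None,            # bucket was deleted
    "example-shop.herokuapp.com":      ("A", "192.0.2.70"),
}
RECORDS = {name: (rtype, value) for name, rtype, value in ZONE}
RECORDS.update(EXTERNAL)

# Body an HTTP GET with "Host: <name>" would return (constructed).
PAGES = {
    "blog.example.com": "<h1>There's nothing here.</h1>",
    "docs.example.com": "<h1>Product docs</h1>",
    "shop.example.com": "<h1>Welcome to the shop</h1>",
}


def cname_chain(name, max_hops=8):
    """Follow CNAMEs from `name`; return (names visited, final record or None)."""
    chain, rec = [name], RECORDS.get(name)
    while rec and rec[0] == "CNAME" and len(chain) <= max_hops:
        chain.append(rec[1])
        rec = RECORDS.get(rec[1])
    return chain, rec


def service_for(name):
    """(suffix, fingerprint) if `name` belongs to a known hosting service."""
    for suffix, fingerprint in SERVICES.items():
        if name == suffix or name.endswith("." + suffix):
            return suffix, fingerprint
    return None


def classify(name, rtype, value):
    """Sort one zone record into a verdict string; the prefix is the category."""
    if rtype == "A":
        return "review-shared-host" if value.startswith(SHARED_HOST_PREFIXES) else "ok"
    if rtype != "CNAME":
        return "ok"
    chain, final = cname_chain(name)
    if final is None:
        dead = chain[-1]
        if service_for(dead):
            # Classic dangling CNAME: the bucket/app name is free to re-create.
            return "dangling-service:" + service_for(dead)[0]
        # A whole domain in the chain is gone: check whether it is registrable.
        return "dangling-domain:" + dead
    svc = next((service_for(n) for n in chain[1:] if service_for(n)), None)
    if svc is None:
        return "ok"
    suffix, fingerprint = svc
    # The name resolves; the service's own page says whether it is claimed.
    return ("unclaimed-on:" if fingerprint in PAGES.get(name, "") else "in-use:") + suffix


def audit(zone=ZONE):
    return {name: classify(name, rtype, value) for name, rtype, value in zone}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20s} {verdict}")
```

A real run would replace the RECORDS and PAGES dictionaries with live DNS lookups and HTTP fetches, and the verdicts are leads rather than proof: a matching fingerprint means the service currently has nobody claiming that hostname, a "dangling-domain" verdict needs a registrar or WHOIS check to see whether the name can actually be bought, and "review-shared-host" only says the record points somewhere you no longer use. Fingerprints and provider address ranges also drift over time, which is the main thing the dedicated tools maintain for you.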
Of course, unlike with my personal website, the DNS zone file of a real-world corporation with, for example, several AWS buckets would be massive. So auditing DNS records manually is error-prone and impractical.

Thankfully, pentesting and recon tools exist which can help you identify subdomains that can be taken over. One such tool I've enjoyed over the last few years is aquatone. Created by security researcher Michael Henriksen, the "domain flyover" tool has undergone a lot of improvements and iterations. Aquatone provides an easy way both to look up dangling DNS entries for subdomains and to predict whether these subdomains are vulnerable to being hijacked.

A blog post provided by HackerOne further lists tools, tips and tricks for automating the overall workflow. One such tool, Altdns, offers an effective way of brute-forcing vulnerable subdomains too:

"In order to recursively brute force subdomains, take a look at Shubham Shah's Altdns script. Running your custom word list after fingerprinting a target through Altdns can be extremely rewarding. I like to use Altdns to generate word lists to then run through other tools."

Practicing regular DNS audits and frequently assessing your hosting infrastructure to unmask dangling subdomains before they become problematic can save your company's reputation from phishing attacks.

Warning: only use these tools for security research purposes and on sites that you have permission to use them on, either via a professional engagement or as part of their bug bounty program.

© 2020. Ax Sharma. All Rights Reserved. Originally produced for Hacker Noon.