Subdomain takeover or subdomain hijacking refers to a technique by which "unused" subdomains can be made to point to a location of the attacker's choice.
Technically, you could call it "domain hijacking," but that term has a broader meaning with the default connotation being a domain name's registration being overtaken by an attacker.
Now, this is clearly problematic. If an attacker could show their webpage in lieu of
subdomain.yoursite.com
this can both affect your site's reputation, and enable phishing attacks leveraging the legitimacy of your domain.If you own
example.com
, you naturally have control over the domain and all of its subdomains.Subdomain hijacking has to do with domains not currently in use. In other words, you created a subdomain and set its DNS record to point to a shared hosting account (which, by the way, includes services like, Amazon AWS, Azure, Tumblr, GitHub Gist pages, blogs, and other hosting platforms).
Later on, you deleted the hosted set up on the shared hosting end, but forgot to remove the DNS entry pointing to the shared hosting account.
Under normal circumstances, your subdomain would be unreachable and won't show up anything. No harm done:
The problem arises when an attacker is able to also set up an account on the same shared hosting provider.
After all, as the name implies, a "shared hosting" service is shared among many customers, and the same server is open to multiple parties for use, and abuse.
Prior to letting you add a domain to a hosting account, most hosting providers do validate if a domain's DNS points to them correctly - I can at least speak for cPanel-powered shared hosts. But they typically skip validating the domain ownership (which can be a time-consuming process in some cases or just puts an additional hurdle for the honest customer).
If your
subdomain.example.com
was configured to point to a shared hosting account but subdomain.example.com
is no longer configured on the shared host's end (because you deleted the subdomain there), this opens up the opportunity for an attacker to make it point to their hosting set up.In case of subdomain hijacking, an attacker would typically not have the power to alter DNS records set up by you.
Instead, by simply, adding the subdomain to their hosting account hosted on the same IP as your subdomain, would now redirect visitors to their web root directory.
Whereas, previously your subdomain would've been unreachable, accessing it now would show the attacker's landing pages. Subdomain successfully hijacked!
Not too long ago, this happened when Snapchat was undergoing a branding makeover, transitioning to a shorter name, "Snap."
They had removed their Tumblr blog but forgot to reroute (or remove altogether) the DNS entry for
blog.snapchat.com
which used to earlier point to Tumblr. An actor who could create a Tumblr blog could simply use the subdomain takeover trick to point Snap's dangling subdomain to their Tumblr!
Security researcher Jake Reynolds wasted no time in responsibly reporting this domain to the company with an innocuous demonstration of how this scenario could've been exploited by phishers:
Rather, in Snapchat's case it was a case of domain hijacking!
The
blog.snapchat.com
subdomain was nothing but a CNAME record pointing to a domain snapchat-blog.com
Reynolds was therefore able to link this "custom domain" to his Tumblr account, after Snapchat had deleted their Tumblr.
With no other accounts on Tumblr using the domain, Tumblr let Reynolds "reuse" this domain, thereby leading to a successful hijacking.
Preventing subdomain hijacking is simple. It doesn't hurt to validate your DNS records from time to time. As an example, here are the DNS records for my
domain, courtesy of dnsdumpster.axsharma.com
Of course, unlike with my personal website, a DNS zone file of a real-world corporation with several AWS buckets, for example, would be massive. So auditing DNS records manually is error-prone and impractical.
Thankfully, pentesting and recon tools exist which can help you identify subdomains which can be taken over.
One such tool I've enjoyed over the last few years is aquatone. Created by security researcher Michael Henriksen, the "domain flyover" tool has undergone a lot of improvements and iterations.
Aquatone provides an easy way to both lookup dangling DNS entries for subdomains, and predict if these subdomains are vulnerable to being hijacked.
A blog post provided by HackerOne further lists tools, tips and tricks on automating the overall workflow.
One such tool, Altdns offers an effective way of brute-forcing vulnerable subdomain too:
"In order to recursively brute force subdomains, take a look at Shubham Shah's Altdns script. Running your custom word list after fingerprinting a target through Altdns can be extremely rewarding. I like to use Altdns to generate word lists to then run through other tools."
Practicing regular DNS audits and frequently assessing your hosting infrastructure to unmask dangling subdomains before they become problematic can save your company's reputation from phishing attacks.
Warning: only use these tools for security research purposes and for sites that you have permission to use them on, either via a professional engagement, or as a part of their bug bounty program.
© 2020. Ax Sharma. All Rights Reserved. Originally produced for Hacker Noon.