In a previous post we touched upon a little about subdomain takeovers, however, this was only brief. So, here we will be discussing this in more detail. In summary, a subdomain takeover is a vulnerability which occurs when there is some sort of misconfiguration (generally DNS) which could allow an attacker to gain control of another company’s subdomain.
You might be wondering how this is even possible, but in fact it’s quite easy. Firstly, the service provider and the company’s subdomain(s) require to be linked by DNS. A company would use an A or CNAME record depending on how the service functions. For example, if there was a server instance named “demo.service.com”, then the record would look something like this “demo.companyA.com CNAME demo.service.com”. The company’s subdomain pointing to the server instance. Once linked, generally there would be a small configuration needed within the service platform to make everything work as expected.
Now, what if the company removes the server instance (out of necessity) but doesn’t remove the DNS record? Well this is generally where the issue is. When the server instance is removed, and you attempt to access it directly, there would most likely be a notification advising that the instance is unavailable.
If only knowing the server instance name this wouldn’t be an issue. However, if this server instance was found by querying DNS record of another company this could escalate quite quickly. Either visiting the subdomain or the server instance directly will give the same unavailable message. From here, an attacker could then register on this same platform, using the same hostname from the CNAME record and create a new server instance. Following the same small configuration change, this setup could be complete.
Although being a bad issue, if this subdomain was used to host files for the company’s main site, this could then further increase what the attacker could do.In the next post we’ll be going through with a demo.