Part 2: Subdomain takeovers

Part 2: Subdomain takeovers blog graphic

Part 2: Subdomain takeovers

In this second part there will be a demonstration of a subdomain takeover in action, using the example from the previous post. Firstly, we need to create the server instance that will be utilised throughout this example:

 

 

From here we link to this server instance with the subdomain that will be used. For this, in the DNS provider panel we create a CNAME record. Also, set the custom domain with the service provider control panel:

 

 

Check that the update has occurred by running NS Lookup via command line:

 

Type the alias name into a web browser:

 

As you can see, everything has now updated, and the subdomain is pointed to the server instance name. Now, if an attacker discovered this subdomain and observed it was pointing to this server instance, (as shown above) and they attempted to re-create this subdomain – at that moment the attempted subdomain takeover wouldn’t work. However, if the company removes this server instance and omits to remove the CNAME record, there would be an issue. 

 

So, in demonstrating the removal of the server instance, this would be the result:

 

Now, we re-create this server instance with the same host name and at the same time re-create the custom domain on the different account:

 

Once both have been created, we now re-visit the company’s subdomain, and we will be presented with same message as below; however, this instance would be controlled by the attacker:

 

This concludes the demonstration of subdomain takeover.