In this article, we will discuss the Subdomain Takeover attack, and present 25 disclosed reports based on this flaw.
What is a Subdomain Takeover Vulnerability?
In theory, a Subdomain Takeover flaw is when an attacker can hijack a company's subdomain and control the content that users see when they navigate to it.
In practice, a Subdomain Takeover is achieved by registering, or otherwise gaining control of, the target that an existing DNS CNAME record of that subdomain points to.
Let’s take the following example:
- We have the domain “xyz.com” with the subdomain “victim.xyz.com”.
- The “victim.xyz.com” subdomain has a CNAME record that is pointing to another domain called “promotional-campaign-xyz.com”.
- You find that “promotional-campaign-xyz.com” has expired and you are able to purchase it.
- Once “promotional-campaign-xyz.com” is under your control, you can serve arbitrary content from it, and that content is what users will see when they access “victim.xyz.com”.
My Favorite Scenario: Subdomain Takeover through Cloud Services
I would like to mention one of my favorite scenarios of Subdomain Takeover, which consists of hijacking CNAME records that point to cloud services, such as Traffic Manager from Azure: the CNAME stays in the company's zone, but the cloud resource it names has been deleted or was never claimed.
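As an added example (not code from the original article), the following Python checker walks the two situations described above, the expired CNAME target from the “victim.xyz.com” walkthrough and the unclaimed cloud-service name, over a constructed set of records. The zone data, the `xyz.com` names and the `resolvable` set are all hypothetical sample input so the check runs offline; `.trafficmanager.net` is the real Azure Traffic Manager suffix.

```python
import socket

# Constructed sample zone data: subdomain -> CNAME target (names are hypothetical)
SAMPLE_CNAMES = {
    "victim.xyz.com": "promotional-campaign-xyz.com",   # expired registrable domain
    "blog.xyz.com": "xyz-blog.example.net",             # healthy, still resolves
    "lb.xyz.com": "xyz-lb.trafficmanager.net",          # deleted Azure Traffic Manager profile
}

# Constructed view of which targets still answer in DNS (stands in for live lookups)
SAMPLE_RESOLVABLE = {"xyz-blog.example.net"}

# Suffixes of cloud services whose unclaimed names anyone can register; extend per inventory
CLOUD_SUFFIXES = (".trafficmanager.net",)


def resolves(name, resolvable=None):
    """True if `name` has an address. With `resolvable` given, answer offline from that set;
    otherwise perform a real lookup (NXDOMAIN surfaces as socket.gaierror)."""
    if resolvable is not None:
        return name in resolvable
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(cnames, resolvable=None):
    """Return one finding per CNAME whose target no longer resolves.

    A non-resolving target is a signal, not proof: an expired domain that has been
    re-registered by a third party still resolves, so registrar/WHOIS data should be
    checked as well before a record is considered safe."""
    findings = []
    for subdomain, target in cnames.items():
        if resolves(target, resolvable):
            continue
        reason = "cname target does not resolve"
        if target.endswith(CLOUD_SUFFIXES):
            reason = "unclaimed cloud-service name"
        findings.append({"subdomain": subdomain, "target": target, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_CNAMES, SAMPLE_RESOLVABLE):
        print(f"{f['subdomain']} -> {f['target']}: {f['reason']}")
```

Running it without the `resolvable` argument performs live lookups against your own zone's CNAME export; the remediation in either case is to delete the stale record or re-claim the target before anyone else does.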
A list of domains related to Azure services that are suspected of being vulnerable is the following:
You can find more services like that by taking a look over this GitHub repository: