
Subdomain Takeover

Vulnerability Name

Subdomain Takeover of [Subdomain URL]

Vulnerability Description

A subdomain takeover occurs when an attacker gains control over the content served for a subdomain of a target domain. Typically, the subdomain has a canonical name (CNAME) record in the Domain Name System (DNS) that points at a host on a third-party provider (a static-site host, cloud storage bucket, CDN or SaaS application), but no resource on that provider is bound to the name.

This can happen because either the virtual host was never published (the DNS record was created before the resource) or the virtual host has since been removed while the DNS record was left behind. Because DNS still delegates the name to the provider, an attacker can take over that subdomain by registering the missing virtual host under their own account on the provider and then hosting their own content for it.

Add your specific vulnerability description if required; the one given above is a general description.

Steps to Reproduce

  1. Go to [Subdomain URL].
  2. Observe that this URL returns [Specific Error], which is the provider's "resource not found" page rather than content from the target.
  3. Look up the DNS record for the subdomain (for example with dig or nslookup) and observe that it is a CNAME to a host on [Provider Name], so [Provider Name] serves whatever is registered under that hostname.
  4. Since [Provider Name] does not verify that whoever registers a resource under this hostname actually controls the DNS name, we can try to register it ourselves.
  5. Observe that we are able to take over [Subdomain URL] by registering the unclaimed resource on [Provider Name] without providing any proof of ownership of the domain, and serving our own content from it.

POC

Modify the steps to reproduce above if required. Attach snapshots (POC) or a video link here.

Impact

An attacker who controls the subdomain can serve arbitrary content under the target's domain. Because the page is served from a genuine subdomain, the attacker can read and set cookies scoped to the parent domain (for example Domain=.example.com), host phishing pages that look legitimate to users, and may be able to obtain a valid TLS certificate for the subdomain through domain-validated issuance. Where the main application trusts its own subdomains (a wildcard in a Content Security Policy or CORS allow-list, a postMessage origin check, or an OAuth redirect URI), the attacker can use that trust to achieve the effect of cross-site scripting, circumvent the content security policy, capture protected information (including logins and session tokens), or send malicious content to unsuspecting users.

Add your specific impact if required; the one given above is a general impact.

Remediation

  • Define standard processes for provisioning and deprovisioning hosts: create the resource on the provider before publishing the DNS record, and remove the DNS record before (or together with) deleting the resource. Do all steps as closely together as possible, and treat DNS records as part of the asset's lifecycle.
  • Inventory and periodically audit the DNS zone for CNAME (and NS) records that point at third-party providers, and alert on any whose target no longer resolves or returns the provider's "not found" page.
  • Put pressure on hosting vendors to close gaps; ask how they verify that someone claiming a virtual host actually has a legitimate claim to the domain name (for example, by requiring a DNS TXT verification record). Work within your organization to make this part of the vendor qualification process.

Add your specific remediation if required; the above is a general remediation.
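The DNS and HTTP checks behind the reproduction steps (follow the CNAME, see whether the target still resolves, look for the provider's "resource not found" page) are the same checks a defender runs across a whole zone for the audit recommended above. The script below is an added example written for this page; it is not part of the original template or of any provider's tooling. DNS lookups and HTTP fetches are injected as callables so it runs offline against a constructed sample zone; the fingerprint strings, the example.com records, and the fake provider responses are all assumptions made for illustration.

```python
"""Dangling-CNAME checker: reproduction-step logic reused as a zone audit.
Added example, not from the original template. DNS and HTTP are injected as
callables so the logic runs offline against constructed data."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Illustrative fingerprints only (assumption): strings that public takeover
# lists associate with an unclaimed resource on each provider. Providers
# change their error pages, so refresh these before relying on them.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here.",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
}

CnameLookup = Callable[[str], Optional[str]]  # hostname -> CNAME target or None
Resolves = Callable[[str], bool]              # hostname -> has address records?
Fetch = Callable[[str], Optional[str]]        # URL -> body, or None on failure


@dataclass(frozen=True)
class Finding:
    name: str
    cname: Optional[str]
    # "ok": no CNAME, or target is live and shows no "unclaimed" fingerprint
    # "dangling": CNAME target has no DNS records at all (NXDOMAIN)
    # "unclaimed": target resolves, but the provider says nothing is registered
    # "review": CNAME to an external host the table does not know; check by hand
    status: str
    provider: Optional[str] = None


def provider_for(target: str) -> Optional[str]:
    """Match a CNAME target against the fingerprint table by DNS suffix."""
    host = target.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(name: str, cname_of: CnameLookup, resolves: Resolves, fetch: Fetch) -> Finding:
    """Steps 1-4 of the report: follow the CNAME, then look for the provider's
    'resource not found' page. Only a record pointing at a provider that lets
    anyone register the missing resource is a takeover candidate."""
    target = cname_of(name)
    if target is None:
        return Finding(name, None, "ok")
    provider = provider_for(target)
    if not resolves(target):
        # Target is gone entirely: a dangling record. Exploitable only if the
        # provider (or, for an expired domain, a registrar) lets you claim it.
        return Finding(name, target, "dangling", provider)
    if provider is None:
        return Finding(name, target, "review")
    body = fetch(f"http://{name}/") or ""  # plain HTTP: an unclaimed host rarely has a cert
    if FINGERPRINTS[provider] in body:
        return Finding(name, target, "unclaimed", provider)
    return Finding(name, target, "ok", provider)


def audit_zone(names: Iterable[str], cname_of: CnameLookup,
               resolves: Resolves, fetch: Fetch) -> List[Finding]:
    """Remediation side: run the same check over every name in a zone and
    keep only the records that need action."""
    findings = (classify(n, cname_of, resolves, fetch) for n in names)
    return [f for f in findings if f.status != "ok"]


# ---- constructed sample zone and fake provider responses (not real hosts) ----
SAMPLE_CNAMES = {
    "www.example.com": "example.github.io",               # page never published
    "assets.example.com": "old-bucket.s3.amazonaws.com",  # bucket deleted
    "dev.example.com": "dev-app.oldvendor.example",        # vendor host gone
    "docs.example.com": "docs-live.github.io",            # healthy
    "mail.example.com": "mail.some-saas.example",         # provider not in table
}
SAMPLE_NAMES = list(SAMPLE_CNAMES) + ["api.example.com"]   # api has no CNAME
SAMPLE_LIVE = {"example.github.io", "old-bucket.s3.amazonaws.com",
               "docs-live.github.io", "mail.some-saas.example"}
SAMPLE_BODIES = {
    "http://www.example.com/": "<p>There isn't a GitHub Pages site here.</p>",
    "http://assets.example.com/": "<Error><Code>NoSuchBucket</Code></Error>",
    "http://docs.example.com/": "<h1>Product docs</h1>",
}


def sample_findings() -> List[Finding]:
    """Run the audit over the constructed zone."""
    return audit_zone(SAMPLE_NAMES, SAMPLE_CNAMES.get,
                      lambda host: host in SAMPLE_LIVE, SAMPLE_BODIES.get)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.status:9} {f.name} -> {f.cname} [{f.provider or 'unknown provider'}]")
```

For live use, pass real resolvers: with dnspython, dns.resolver.resolve(name, "CNAME") raises dns.resolver.NoAnswer when there is no CNAME and dns.resolver.NXDOMAIN when the name does not exist, and the target is answer[0].target.to_text(); an A lookup wrapped the same way gives resolves; requests.get(url, timeout=5).text gives fetch. Note that the assets.example.com case is the one that a plain "does the CNAME target resolve" check misses: the S3 endpoint answers, only the bucket is gone, so the fingerprint step is what catches it. An "unclaimed" result is a candidate, not a confirmed takeover: some providers now require proof of domain ownership before binding a hostname, and actually registering the resource (step 5 above) should only be done within the scope of the engagement.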

Reference