Beware of Subdomain Takeover


Websites come under constant attack, and developers have seen them all, from SQL injections to cross-site request forgeries. There’s one kind of attack that often gets overlooked, because it isn’t the developer’s fault: subdomain takeovers. Hackers can use them to hijack entire portions of your website, opening you up to all kinds of trouble. Here’s how they work.

Top-level domains are the rightmost part of your website’s hostname, and they usually indicate a country or a category of organization (eg .gov, .com, .org, or a country-code pair such as .co.uk). The label immediately to the left of that is the domain name you registered (e.g. the ‘example’ in example.com). Many organizations add further labels to the left of that to split up their web presence: you might have hr.example.com for your personnel department, or covid19.example.com as a microsite for your company’s coronavirus health response. Those are known as subdomains, and when one is left pointing at something you no longer control it becomes a way for hackers to serve malicious content to your visitors under your own name.

April saw Microsoft fix a flaw in its Teams app that enabled attackers to hijack user accounts via a subdomain takeover vulnerability. The company has also suffered from multiple subdomain hijacks that enabled attackers to set up spam content that took advantage of Microsoft’s domain reputation.

Subdomain takeovers can happen in various ways. Often they come down to a basic misconfiguration in the domain name system (DNS) entries for a subdomain: typically a CNAME record that still points at a destination that no longer exists, or that contains a misspelling. If the domain at the other end of that record was never registered, or has since expired, an attacker can register it and put whatever they like there. Because your record still delegates the subdomain to that name, their content shows up under your subdomain.

Alternatively, if a company points its subdomain at a resource on a public hosting service that has since been deleted, an attacker may be able to claim that resource and connect the subdomain to their own site. This blog post from HackerOne explains how an attacker might find a subdomain pointing to a GitHub Pages site that no longer exists, and how they might publish their own repository so that it is served at that subdomain. A related problem is broken link hijacking, which works well on social media: if a company deletes a social media account but doesn’t update the link or subdomain that pointed to it, a hacker could recreate the account under the old name and post their own content wherever your site still sends visitors. When the dead link is a script or other resource your pages load from a domain that can be taken over, this is also called a second order subdomain takeover.

How can you protect yourself against subdomain takeover? First, double-check every subdomain record for a correct destination and correct spelling. Second, keep cataloging and auditing your subdomains so that they don’t get orphaned. That ‘run4life’ subdomain might have been perfect for the charity marathon event you organized four years ago, but what is it still doing up, and what is it pointing to now? Establish a life cycle management process for your subdomains, so that the DNS record comes down when the thing it points to is decommissioned, not months later.
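As an added example (not code from the article or from Infosecurity Magazine), the audit below walks a constructed zone and flags the three situations described above: a CNAME whose target domain is unregistered and could be bought by anyone, a CNAME pointing at a misspelled or deleted name on a third-party service, and a target that still resolves but where the hosting service is serving its “no such site” page. The zone, the external DNS answers, the registered-domain list, the HTTP bodies and the service fingerprint strings are all constructed for the example; a real audit would replace them with resolver queries, WHOIS/RDAP lookups, HTTP fetches and a maintained fingerprint list.

```python
"""Audit a DNS zone for subdomain-takeover candidates.

Everything here runs offline: the zone, the "outside world" DNS answers,
the registered-domain list and the HTTP responses are constructed tables
standing in for real resolver, registry and HTTP calls.
"""
from dataclasses import dataclass

# Constructed zone for example.com (hypothetical records, not a real zone).
ZONE = {
    "www.example.com.":      ("A", "203.0.113.10"),
    "hr.example.com.":       ("CNAME", "hr-portal.example-saas.com."),
    "covid19.example.com.":  ("CNAME", "exampleorg.github.io."),
    "run4life.example.com.": ("CNAME", "run4life-2019.marathon-hosting.net."),
    "blog.example.com.":     ("CNAME", "exmaple-blog.wordpress.com."),  # note the typo
}

# Constructed answers a resolver would give for names outside our zone.
# Targets missing from this table stand for NXDOMAIN.
EXTERNAL_DNS = {
    "hr-portal.example-saas.com.": "198.51.100.5",
    "exampleorg.github.io.": "185.199.108.153",
}

# Constructed registry view: marathon-hosting.net. is deliberately absent,
# i.e. nobody owns it any more and an attacker could register it.
REGISTERED_DOMAINS = {"example.com.", "example-saas.com.", "github.io.", "wordpress.com."}

# Constructed HTTP bodies fetched from each subdomain.
HTTP_BODIES = {
    "hr.example.com.": "<html><title>HR portal login</title></html>",
    "covid19.example.com.": "<html>There isn't a GitHub Pages site here.</html>",
}

# (CNAME suffix, text the service returns for an unclaimed name). These
# markers are illustrative assumptions; keep a maintained list in practice.
FINGERPRINTS = [
    ("github.io.", "There isn't a GitHub Pages site here"),
    ("wordpress.com.", "Do you want to register"),
]


@dataclass
class Finding:
    name: str
    target: str
    reason: str


def registrable_domain(name: str) -> str:
    """Approximate the registrable apex as the last two labels.
    A real tool should consult the Public Suffix List so that names
    under e.g. co.uk are not mistaken for an apex."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def resolve(name: str, zone: dict, external: dict) -> tuple:
    """Follow CNAMEs from `name`. Return (last_name, status) where status is
    "resolves", "nxdomain" or "loop"."""
    seen = set()
    current = name
    while current not in seen:
        seen.add(current)
        record = zone.get(current)
        if record is None:
            return current, ("resolves" if current in external else "nxdomain")
        rtype, value = record
        if rtype != "CNAME":
            return current, "resolves"
        current = value
    return current, "loop"


def audit(zone, external, registered, http_bodies, fingerprints) -> list:
    """Flag CNAME records whose target is gone, unregistered, or unclaimed."""
    findings = []
    for name, (rtype, value) in sorted(zone.items()):
        if rtype != "CNAME":
            # A records pointing at released cloud IPs need a separate check.
            continue
        target, status = resolve(value, zone, external)
        if status == "nxdomain":
            apex = registrable_domain(target)
            if apex not in registered:
                reason = f"target does not resolve and {apex} is unregistered: anyone can register it"
            else:
                reason = f"target does not resolve; the name under {apex} is unclaimed or misspelled"
            findings.append(Finding(name, target, reason))
            continue
        # Target resolves, but the service may still be serving its "no such
        # site" page, which means the resource can be claimed by anyone.
        body = http_bodies.get(name, "")
        for suffix, marker in fingerprints:
            if target.endswith(suffix) and marker in body:
                findings.append(Finding(name, target,
                                        f"{suffix.rstrip('.')} reports no site for this name: resource can be claimed"))
    return findings


if __name__ == "__main__":
    for f in audit(ZONE, EXTERNAL_DNS, REGISTERED_DOMAINS, HTTP_BODIES, FINGERPRINTS):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run as a script it reports three findings: the ‘run4life’ record from four years ago now points at a domain nobody owns, the blog record points at a name that never existed because of a typo, and the covid19 microsite’s GitHub Pages project has been deleted while the CNAME is still live. The ‘hr’ record is left alone because its target resolves and serves a real page. In a real scan, anything the audit reports should be treated as an open door until the record is either fixed or deleted.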

Finally, there are tools you can use to scan your web applications for subdomain takeover. The open source project Second Order provides one such tool: it crawls a site looking for resources loaded from subdomains that could be taken over.

Don’t let broken subdomains ruin your day. If you haven’t scheduled this as a topic to raise with your web and security team, there’s no time like the present.
