Sub-Domain Takeovers — How Can Companies Better Secure Their Assets? Part 1

An Ethical Hacker’s Perspective

Chevon Phillip
4 min readDec 10, 2019
Image by Trung Nguyen

Introduction

Hi, my name is Chevon Phillip. I am a Security Researcher and Penetration Tester. In this article, I will explain what are sub-domain takeovers, how hackers can exploits these vulnerabilities by finding potential targets, and how companies should secure their assets from these types of vulnerabilities.

What are Sub-Domains?

For those of you who may not know what a sub-domain is here’s a brief description in my own words.

Sub-Domains are children to a parent domain or top-level domains (TLD). For example, https://example.com may have a sub-domain with the following URLs http://devlopment.server.example.com and http://staging.server.example.com.

Why do Sub-Domains exist?

There are several reasons why sub-domains are used. Here are some of the main reasons I have come across during my research.

  • CNAME (Canonical Name Record) — pointing to a third party service that includes WordPress, Pantheon, and GitHub Pages.
  • Hosting static resources — such as images, files, and other data that may not necessarily need to be hosted on a company's internal servers. Services such as Amazon Web Services (AWS), Microsoft’s Azure, Google Cloud Engine, and Content Delivery Networks (CDNs).
  • Development and Staging Environments — creating sub-domains that point to servers that aren't meant to be public or discovered by end-users or web crawlers.
  • API endpoints integrations — creating sub-domains that point to an API endpoint that is meant to serve RESTFUL data to and from applications.

How to find potential targets?

There are several techniques that hackers use to find potential targets for sub-domain takeovers. In this article, I will demonstrate one technique that is very popular and is used by many hackers. This technique is called Certificate Transparency.

What is Certificate Transparency?

Certificate Transparency is an open framework that monitors and audits TLS/SSL certificates. It’s made up of three important components, Certificate Transparency logs, Certificate monitors, and Certificate auditors. — SECURITYTRAILS BLOG · OCT 25 2018 · SECURITYTRAILS TEAM

Crt.sh — Certificate Transparency Search

https://crt.sh/

Cert.sh certificate search is a widely used tool by hackers to search for potential sub-domains own by companies. Here example.com is used to demonstrate the use of certificate transparency.

What are the Security Impacts of a Sub-Domain takeover?

The ability to identify the impact of a sub-domain takeover depends on the initial sub-domain and the assets that are hosted on each domain. For example, a sub-domain that is used for development purposes may not have as much impact as a sub-domain that handles API calls or pointing to a third-party cloud hosting service. Here are some of my most reported impacts to companies.

  • The ability to host malicious files that can be used to steal user data.
  • The ability to launch phishing campaigns on behalf of the targeted company.
  • The ability to chain other vulnerabilities to take over user accounts and other sensitive information
  • The ability to display malicious content that would degrade the usability and accountability of that company.

How should companies secure their Sub-Domain assets?

Sub-domains are all part of the SDLC in one way or another, especially within the DevOps environments and third party services. Here are some general tips that can help better secure your company's assets.

  • Ensure that DNS entries are no longer pointing to a third party vendor service that is no longer in use.
  • Ensure that sub-domains are properly claimed and pointed to the correct name-servers especially for cloud-hosted services.
  • Ensure that Sensitive Information are not exposed within sub-domains for example API endpoints. Be sure to implement the proper security controls such as user authentication and token validation for API endpoints.
  • Ensure that sub-domains are no longer configured to servers that are non-operational for example, development servers and services.

Conclusion

This article gave a general overview of sub-domain takeovers and why it’s important for companies to identify these risks and better secure their assets by applying basic application and server-level security controls. Stay tuned for Part 2 of this article as it will dive deeper into how easy it is to takeover sub-domains and some of the tools that are used to automate the process.

--

--

Chevon Phillip
Chevon Phillip

Written by Chevon Phillip

Application Security Engineer. I helped secure top companies and organizations.

No responses yet