
Michael Henriksen

Subdomain takeover detection with AQUATONE

July 21, 2017

Hostile subdomain takeover is a very prevalent and potentially critical security issue. It's a well-known attack vector and easy to exploit, and should therefore be taken seriously.

A subdomain takeover vulnerability typically happens when an organization assigns a subdomain to an external service, e.g. a support ticketing system like Zendesk, a cloud application platform like Heroku or maybe a content delivery network like Fastly. Perhaps the organization was only evaluating the service, or perhaps they switched to a different one; whatever the reason, the organization later deletes their account on the service but forgets one important step: removing the subdomain's DNS configuration that still points at the service.

A dangling subdomain pointing to an unused external service leaves it open to takeover and complete control by an attacker, who simply needs to sign up to the same service and claim the dangling subdomain. They then control the content served on the subdomain, which they can use to launch phishing attacks, bypass security controls and cause other mischief.

Detectify wrote a blog post about subdomain takeover back in 2014, if you're interested in knowing more about this attack vector.

Detecting subdomain takeovers with AQUATONE

In case you don't know, I recently released AQUATONE which is a toolset for doing subdomain discovery, port scanning and screenshotting. Check out the blog post for more information.

A new addition to the AQUATONE toolset is aquatone-takeover which can detect potential subdomain takeover issues across a bunch of popular external services:

[Screenshot of aquatone-takeover output: "Finding subdomains vulnerable to hostile takeover..."]

To demonstrate the functionality of aquatone-takeover, I temporarily configured a couple of subdomains on michenriksen.com pointed at 3 different external services. aquatone-takeover detects all three as potentially vulnerable:

  • assets.michenriksen.com is a CNAME record pointing to an unclaimed Amazon S3 bucket.
  • store.michenriksen.com is a CNAME record pointing to Shopify, a popular ecommerce platform, and the subdomain has not been registered with any account.
  • Finally, help.michenriksen.com is a CNAME record pointing at a non-existent account on Desk, a popular support ticketing system.
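The three findings above all follow the same pattern: a CNAME pointing at a third-party service, combined with that service answering with its "nothing is claimed here" page. Here is an added Ruby example (not AQUATONE's own code) that performs that two-step check from a defender's point of view, so an organization can sweep its own zone for dangling records. The fingerprint table, the sample hostnames and the response bodies are constructed for this example; the S3 "NoSuchBucket" code is the standard S3 error code, while the Shopify and GitHub Pages markers are illustrative and should be verified against the live services before relying on them.

```ruby
require "resolv"
require "net/http"
require "uri"

# Added example modelled on the idea behind aquatone-takeover: a subdomain is a
# takeover candidate when (1) its CNAME target belongs to a third-party service
# and (2) the HTTP response for the hostname carries that service's
# "unclaimed resource" marker. Not the AQUATONE project's own source.
module TakeoverCheck
  # Fingerprint table (assumption: constructed for this example). The S3
  # "NoSuchBucket" code is S3's documented error code; the other markers are
  # illustrative and must be checked against the real services before use.
  FINGERPRINTS = [
    { service: "Amazon S3",    cname: /\.amazonaws\.com\z/i,  markers: ["NoSuchBucket"] },
    { service: "Shopify",      cname: /\.myshopify\.com\z/i,  markers: ["Sorry, this shop is currently unavailable"] },
    { service: "GitHub Pages", cname: /\.github\.io\z/i,      markers: ["There isn't a GitHub Pages site here"] },
  ].freeze

  Result = Struct.new(:hostname, :cname, :service, :vulnerable, :reason)

  # Which known service, if any, does this CNAME target belong to?
  def self.service_for(cname)
    return nil if cname.nil?
    FINGERPRINTS.find { |fp| fp[:cname].match?(cname) }
  end

  # Pure decision function: given the resolved CNAME target and the HTTP body
  # returned for the hostname, decide whether it looks like an unclaimed resource.
  # Keeping this side-effect free makes it easy to test against recorded data.
  def self.assess(hostname, cname, body)
    fp = service_for(cname)
    return Result.new(hostname, cname, nil, false, "CNAME does not point at a known service") unless fp

    hit = fp[:markers].find { |marker| body.to_s.include?(marker) }
    if hit
      Result.new(hostname, cname, fp[:service], true, "response contains #{hit.inspect}")
    else
      Result.new(hostname, cname, fp[:service], false, "points at #{fp[:service]} but the resource appears claimed")
    end
  end

  # Live check: resolve the CNAME with the system resolver, fetch the page with
  # the original hostname in the Host header (the service routes on it), then assess.
  # Network failures are treated as "no data", never as a finding.
  def self.check_live(hostname)
    cname = begin
      Resolv::DNS.new.getresource(hostname, Resolv::DNS::Resource::IN::CNAME).name.to_s
    rescue Resolv::ResolvError, Resolv::ResolvTimeout
      nil
    end
    body = nil
    if cname
      uri = URI("http://#{hostname}/")
      body = begin
        Net::HTTP.start(uri.host, uri.port, open_timeout: 5, read_timeout: 5) { |http| http.get("/").body }
      rescue StandardError
        nil
      end
    end
    assess(hostname, cname, body)
  end

  # Constructed sample observations (hostname, CNAME target, response body)
  # standing in for what a sweep of a zone might record.
  SAMPLES = [
    ["assets.example.com", "assets-example.s3.amazonaws.com",
     "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"],
    ["store.example.com", "shops.myshopify.com",
     "<html><body>Sorry, this shop is currently unavailable.</body></html>"],
    ["docs.example.com", "example.github.io",
     "<h1>Welcome to our documentation</h1>"],
    ["www.example.com", "www.example.com.cdn.example.net",
     "<html>ok</html>"],
  ].freeze

  def self.run_samples
    SAMPLES.map { |hostname, cname, body| assess(hostname, cname, body) }
  end
end

if __FILE__ == $PROGRAM_NAME
  TakeoverCheck.run_samples.each do |r|
    flag = r.vulnerable ? "TAKEOVER?" : "ok       "
    puts "#{flag} #{r.hostname} -> #{r.cname.inspect} (#{r.service || 'unknown service'}): #{r.reason}"
  end
end
```

Running the file prints the constructed samples: the S3 and Shopify hosts are flagged, the claimed GitHub Pages site and the unknown CDN target are not. For a real sweep, call `TakeoverCheck.check_live("host.yourdomain.example")` for every CNAME in your zone file on a schedule; a hit means the record should be removed or the resource re-claimed, and a CNAME whose target resolves to a service you no longer use is worth removing even before any fingerprint matches.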

These are not the only external services that aquatone-takeover can detect; at the time of writing, it finds subdomain takeover vulnerabilities across a total of 25 services:

  • Amazon S3 (Cloud storage)
  • Campaign Monitor (Email marketing)
  • Cargo (Web publishing platform)
  • Cloudfront (Content delivery network)
  • Desk (Customer service and helpdesk ticket software)
  • Fastly (Content delivery network)
  • FeedPress (Feed analytics and Podcast hosting)
  • Freshdesk (Customer support software and ticketing system)
  • Ghost (Publishing platform)
  • GitHub Pages (GitHub static website hosting)
  • Help Scout (Customer service software and education platform)
  • Helpjuice (Knowledge base software)
  • Heroku (Cloud application platform)
  • Instapage (Landing page platform)
  • Pingdom (Website and performance monitoring)
  • Shopify (Ecommerce platform)
  • StatusPage (Status page hosting)
  • SurveyGizmo (Online survey software)
  • Teamwork (Project management, help desk and chat software)
  • Tictail (Social shopping platform)
  • Tumblr (Microblogging and social networking platform)
  • Unbounce (Landing page builder and conversion marketing platform)
  • UserVoice (Product management software)
  • WPEngine (WordPress blog hosting)
  • Zendesk (Customer service software and support ticket system)

I hope to expand this list with many more services, so please let me know if you have any ideas or go ahead and contribute more detector modules on GitHub.

Give aquatone-takeover a try! You can install the AQUATONE toolset with gem install aquatone or get the latest version with gem update aquatone if you already have it installed.

Here's a small list of articles and reports on subdomain takeover issues across the web:

Happy hunting!