Heads up! Aquatone has been totally rewritten in Go and is now quite a bit different. Read about the new version!
Hostile subdomain takeover is a very prevalent and potentially critical security issue. It’s a well-known attack vector and easy to exploit, and should therefore be taken seriously.
A subdomain takeover vulnerability typically happens when an organization assigns a subdomain to an external service, e.g. a support ticketing system like Zendesk, a cloud application platform like Heroku or a content delivery network like Fastly. Maybe the organization is only assessing the service, or maybe they switch to a different one; for some reason they later delete their account on the service, but forget one important step: removing the subdomain’s DNS configuration that points to the service.
Having a dangling subdomain pointing to an unused external service leaves it open to takeover and complete control by an attacker, who simply needs to sign up to the same service and claim the dangling subdomain. They then control the content on the subdomain, which they can use to launch phishing attacks, bypass security controls and cause other mischief.
A new addition to the AQUATONE toolset is aquatone-takeover, which can detect potential subdomain takeover issues across a bunch of popular external services:
To demonstrate the functionality of aquatone-takeover, I temporarily configured a couple of subdomains on michenriksen.com pointed at 3 different external services. aquatone-takeover detects all three as potentially vulnerable:
CNAME record pointing to an unclaimed Amazon S3 bucket.
CNAME record pointing to Shopify, a popular e-commerce platform, where the subdomain has not been registered with any account.
CNAME record pointing at a non-existent account on Desk, a popular support ticketing system.
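The check behind these three findings, reduced to its core, as an added example in Ruby (the language aquatone is written in). This is not aquatone-takeover’s own code: the service fingerprints, record set and response bodies are constructed for illustration, and the DNS and HTTP lookups a real scan would perform are replaced by the values passed in.

```ruby
# Added example, not aquatone's own code: a minimal dangling-CNAME detector.
# Inputs are passed in directly so it runs offline; in a real scan they come
# from a DNS resolver (CNAME target) and an HTTP client (response body).

# Service fingerprints (constructed for this example): a pattern matching the
# CNAME target the service hands out, and a marker the service returns when
# the name is not claimed by any account. Maintain these from observations.
SERVICES = {
  'Amazon S3' => { cname: /\.amazonaws\.com\z/i, unclaimed: 'NoSuchBucket' },
  'Shopify'   => { cname: /\.myshopify\.com\z/i, unclaimed: 'this shop is currently unavailable' },
  'Desk'      => { cname: /\.desk\.com\z/i,      unclaimed: 'try Desk.com free' }
}.freeze

Finding = Struct.new(:subdomain, :cname, :service, :vulnerable, :reason)

# Classify one subdomain from its CNAME target and the body of an HTTP response
# fetched from the subdomain (nil when the CNAME target did not resolve at all).
def check_takeover(subdomain, cname, body)
  service, fp = SERVICES.find { |_, f| f[:cname].match?(cname.to_s) }
  return Finding.new(subdomain, cname, nil, false, 'not a known service') unless service
  return Finding.new(subdomain, cname, service, true, 'CNAME target does not resolve') if body.nil?
  if body.include?(fp[:unclaimed])
    Finding.new(subdomain, cname, service, true, 'service reports name as unclaimed')
  else
    Finding.new(subdomain, cname, service, false, 'name is claimed')
  end
end

# Run the check over a hash of subdomain => CNAME target, looking up each body.
def scan(records, bodies)
  records.map { |sub, cname| check_takeover(sub, cname, bodies[sub]) }
end

# Constructed sample data resembling the three cases above, plus a healthy one.
RECORDS = {
  'files.example.com'   => 'files-example.s3.amazonaws.com',
  'shop.example.com'    => 'shops.myshopify.com',
  'support.example.com' => 'example.desk.com',
  'www.example.com'     => 'example.github.io'
}.freeze
BODIES = {
  'files.example.com'   => '<Error><Code>NoSuchBucket</Code></Error>',
  'shop.example.com'    => '<h1>Sorry, this shop is currently unavailable.</h1>',
  'support.example.com' => nil,
  'www.example.com'     => '<html>Welcome</html>'
}.freeze

if $PROGRAM_NAME == __FILE__
  scan(RECORDS, BODIES).each do |f|
    puts format('%-22s %-10s %s (%s)', f.subdomain, f.service.inspect, f.vulnerable ? 'VULNERABLE' : 'ok', f.reason)
  end
end
```

A finding only means the name is claimable at that service; confirm it by reviewing the DNS zone rather than by registering the name yourself.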
These are not the only external services that aquatone-takeover can detect; at the time of writing, it finds subdomain takeover vulnerabilities across a total of 25 services:
I hope to expand this list with many more services, so please let me know if you have any ideas or go ahead and contribute more detector modules on GitHub.
Give aquatone-takeover a try! You can install the AQUATONE toolset with gem install aquatone, or get the latest version with gem update aquatone if you already have it installed.
Here’s a small list of articles and reports on subdomain takeover issues across the web: