Subdomain takeover detection with AQUATONE


Heads up! Aquatone has been totally rewritten in Go and is now quite a bit different. Read about the new version!

Hostile subdomain takeover is a very prevalent and potentially critical security issue. It’s a well-known attack vector and easy to exploit, and should therefore be taken seriously.

A subdomain takeover vulnerability typically happens when an organization assigns a subdomain to an external service, e.g. a support ticketing system like Zendesk, a cloud application platform like Heroku or maybe a content delivery network like Fastly. Maybe the organization is only assessing the service, or maybe they switch to a different service; for whatever reason, the organization later deletes its account on the service but forgets one important step: removing the DNS record that points the subdomain at the service.

Having a dangling subdomain pointing to an unused external service leaves it open to takeover and complete control by an attacker, who simply needs to sign up to the same service and claim the dangling subdomain. They then control the content on the subdomain, which they can use to launch phishing attacks, bypass security controls and other mischief.

Detectify wrote a blog post about subdomain takeover back in 2014, if you’re interested in knowing more about this attack vector.

Detecting subdomain takeovers with AQUATONE

In case you don’t know, I recently released AQUATONE, which is a toolset for doing subdomain discovery, port scanning and screenshotting. Check out the blog post for more information.

A new addition to the AQUATONE toolset is aquatone-takeover which can detect potential subdomain takeover issues across a bunch of popular external services:

Finding subdomains vulnerable to hostile takeover.

To demonstrate the functionality of aquatone-takeover, I temporarily configured a couple of subdomains on pointed at 3 different external services. aquatone-takeover detects all three as potentially vulnerable:

These are not the only external services that aquatone-takeover can detect; at the time of writing it finds subdomain takeover vulnerabilities across a total of 25 services:

I hope to expand this list with many more services, so please let me know if you have any ideas or go ahead and contribute more detector modules on GitHub.
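To show what a detector module has to check, here is a small added example in Ruby (the language of the AQUATONE gem). It is not aquatone-takeover's own code: the DNS answers, HTTP bodies and service fingerprints are constructed placeholders, and the point is that a subdomain is only flagged when its CNAME points into a known service AND the service answers with its "unclaimed hostname" signature.

```ruby
# Added example, not AQUATONE's code. Pairs a CNAME lookup with a
# response-body fingerprint, as a dangling-subdomain detector does.
# All data below is constructed so the script runs offline; the
# fingerprints are placeholders, not the real strings the tool uses.

# Detector modules: CNAME suffix identifying the service, plus the text
# the service returns for a hostname nobody has claimed (placeholders).
SERVICES = {
  'Heroku'  => { cname: 'herokuapp.com', fingerprint: 'NO-SUCH-APP-PLACEHOLDER' },
  'Zendesk' => { cname: 'zendesk.com',   fingerprint: 'HELP-CENTER-CLOSED-PLACEHOLDER' },
  'Fastly'  => { cname: 'fastly.net',    fingerprint: 'UNKNOWN-DOMAIN-PLACEHOLDER' },
}.freeze

# Constructed DNS answers: subdomain => CNAME target (nil = no CNAME).
DNS = {
  'support.example.com' => 'example.zendesk.com',
  'app.example.com'     => 'example-app.herokuapp.com',
  'cdn.example.com'     => 'example.global.prod.fastly.net',
  'www.example.com'     => nil,
  'shop.example.com'    => 'example-shop.herokuapp.com',
}.freeze

# Constructed HTTP response bodies for each subdomain.
HTTP_BODIES = {
  'support.example.com' => '<h1>HELP-CENTER-CLOSED-PLACEHOLDER</h1>',
  'app.example.com'     => '<p>Welcome to our app</p>', # claimed and in use
  'cdn.example.com'     => 'UNKNOWN-DOMAIN-PLACEHOLDER: cdn.example.com',
  'shop.example.com'    => 'NO-SUCH-APP-PLACEHOLDER',
}.freeze

# Returns the service name only when both signals agree: the CNAME points
# into the service AND the body carries its unclaimed fingerprint.
# A CNAME alone is not enough, since the account may still be in use.
def takeover_candidate(host, dns: DNS, bodies: HTTP_BODIES)
  target = dns[host]
  return nil unless target
  SERVICES.each do |name, sig|
    next unless target == sig[:cname] || target.end_with?(".#{sig[:cname]}")
    return name if bodies[host].to_s.include?(sig[:fingerprint])
  end
  nil
end

# Scan every host in the DNS data and keep only the flagged ones.
def scan(dns: DNS, bodies: HTTP_BODIES)
  dns.keys.each_with_object({}) do |host, out|
    svc = takeover_candidate(host, dns: dns, bodies: bodies)
    out[host] = svc if svc
  end
end

scan.each { |h, s| puts "#{h} -> potentially vulnerable (#{s})" } if __FILE__ == $PROGRAM_NAME
```

A real module would issue the DNS query and HTTP request itself and use the service's actual fingerprint; the two-signal rule is what keeps an in-use Heroku app from being reported as a false positive.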

Give aquatone-takeover a try! You can install the AQUATONE toolset with gem install aquatone or get the latest version with gem update aquatone if you already have it installed.

Here’s a small list of articles and reports on subdomain takeover issues across the web:

Happy hunting!

Michael Henriksen


Freelance security engineer and consultant
