
From "302" Redirection to Subdomain Takeover

A weird sub-domain takeover - BugBounty writeup

By secureitmania. Published 4 years ago. 3 min read
Subdomain Takeover

Even if you already have an idea of what subdomain takeover is, this write-up shows a non-typical way of finding one.

This post is for educational purposes only; please use it at your discretion and contact the application's owner if you find issues. We will assume that the target hostname is REDACTED. The figures in this post are for demonstration only and might not be relevant to the REDACTED domain.

Introduction — Sub-Domain

Subdomain: A subdomain is a domain that is part of a larger domain. For example, blog.example.com and www.example.com are subdomains of example.com.


Subdomain Takeover:

Subdomain takeover is the process of registering a non-existent domain name that another domain's DNS still points to, in order to gain control over that other domain.

Before getting into subdomain takeover itself, we have to discuss DNS and the CNAME record, because the whole logic behind the attack is tied to the subdomain's CNAME record. A CNAME record aliases one name to another: a lookup of the alias is answered by resolving the canonical name it points to, so whoever controls the canonical name controls what the alias serves.

Let’s illustrate the actual flow of subdomain takeover:

1. Suppose a target host name, say register.example.com, has a CNAME record pointing to another domain, dns.available.com.

2. Suppose available.com expires and becomes available for anyone to register.

3. Since the CNAME record was never deleted from the example.com DNS zone, whoever registers available.com (and creates a record for dns.available.com) has full control over what register.example.com serves, for as long as the dangling CNAME record stays in place.

The above is one scenario for subdomain takeover. Several other cases lead to the same result.

Other Cases:

Subdomain takeover is also possible through cloud services. Because these services let you attach an alternate (custom) domain name to a resource, typically via a CNAME record, the same dangling-record problem appears when the resource is deleted but the DNS record is not.

  • Takeover via AWS S3: Amazon S3 allows specifying an alternate (custom) domain name to access a bucket's content. If, for whatever reason, you delete that bucket and forget to remove the CNAME record from DNS, anyone who creates a bucket with the same name can serve content on your host name.
  • Takeover via GitHub: GitHub offers free web hosting through GitHub Pages, usually used for project documentation, technical blogs, or supporting pages for open-source projects. GitHub Pages supports custom domain names in addition to the default name under github.io, so a CNAME left pointing at a deleted Pages site could be claimed by another Pages site that configures the same custom domain.
  • Takeover via Heroku: Heroku is a Platform-as-a-Service provider that exposes each deployed application on a subdomain of herokuapp.com. It is also possible to specify a custom domain name for the application, so a CNAME left pointing at a removed app could be claimed by attaching that custom domain to a new app. (Some providers have since added domain-verification steps that block this; the can-i-take-over-xyz list in the references tracks the current status per service.)

To learn more about subdomain takeover techniques, see the 0xpatrik post in the references below.

Impact:

The impact of a subdomain takeover depends on various factors. Typically, an attacker who controls the subdomain can host phishing content or send phishing emails that appear to come from the legitimate domain, perform cross-site scripting (XSS) against users who trust that host name, or damage the reputation of the brand associated with the domain.

Note: Subdomain takeover is not limited to CNAME records. Dangling NS, MX and even A records are affected as well.

How I took over a subdomain in one of the bug bounty programs

Once I had all the subdomains of a target, I ran a whatweb scan over all of them to fingerprint each host. Then, instead of pulling the CNAME data for every subdomain, I first filtered the hosts that answered with a "302" redirect out of the whatweb results, based on the Location header.

As this is a private program I can't disclose the name of the target, so let's assume that the target domain is redacted.com.

Of all the subdomains, one (registration.redacted.com) redirected to "hugedomains.com". HugeDomains is a domain marketplace, so a redirect there usually means the host name the subdomain points to sits on a parked or for-sale domain, which is exactly the signal to chase.

I verified the subdomain's CNAME with the command below:

dig cname registration.redacted.com

(Figure: dig output showing the CNAME record of registration.redacted.com)

As explained above, if the domain that the CNAME points to is available to purchase, we can take over that subdomain. So I checked whether that domain was available to purchase.

Yah00000000000000000! The domain the CNAME record points to was available to purchase.

(Figure: the CNAME target domain listed as available to purchase)
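The procedure above (filter the redirecting hosts out of the whatweb results, look up their CNAMEs, check whether the target domain is still registered) and the three-step flow from the introduction can be turned into a small triage script. The following Python is an added example written for this edit, not the author's tooling: the host names, whatweb lines and DNS records are constructed, the whatweb line format it parses (RedirectLocation[...]) is assumed, the public-suffix set is a tiny stand-in, and the resolver is injected so the demo runs offline (in a real hunt you would back it with dig or dnspython).

```python
"""Dangling-CNAME triage following the write-up's workflow: keep the hosts whose
whatweb line shows a redirect, follow each host's CNAME chain, then check whether
the registrable apex of the final target still exists in DNS (NXDOMAIN = candidate)."""
import re
from typing import Callable, Dict, List, Tuple


class NXDomain(Exception):
    """Raised by the resolver when a name does not exist at all (NXDOMAIN)."""


# (name, rrtype) -> answers; [] means the name exists but has no record of that type
Resolver = Callable[[str, str], List[str]]

# Assumed whatweb line shape: "http://host [302 Found] Plugin[..], RedirectLocation[https://..]"
WHATWEB_LINE = re.compile(r"^(?P<url>\S+)\s+\[(?P<status>\d{3})[^\]]*\](?P<rest>.*)$")
REDIRECT_LOC = re.compile(r"RedirectLocation\[([^\]]+)\]")

# Tiny stand-in for the Public Suffix List; a real tool should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "com.au"}


def redirected_hosts(lines: List[str], statuses=("301", "302", "307", "308")) -> List[Tuple[str, str]]:
    """Step 1: (host, Location) for every whatweb line whose status is a redirect."""
    found = []
    for line in lines:
        m = WHATWEB_LINE.match(line.strip())
        if not m or m.group("status") not in statuses:
            continue
        host = m.group("url").split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        loc = REDIRECT_LOC.search(m.group("rest"))
        found.append((host.lower(), loc.group(1) if loc else ""))
    return found


def cname_chain(host: str, resolve: Resolver, max_hops: int = 8) -> List[str]:
    """Step 2: follow CNAMEs from host. A target that is NXDOMAIN still ends the
    chain: that dangling name is exactly what we are looking for."""
    chain = [host.rstrip(".").lower()]
    while len(chain) <= max_hops:
        try:
            answers = resolve(chain[-1], "CNAME")
        except NXDomain:
            break
        if not answers:
            break  # no CNAME here, so chain[-1] is the final target
        nxt = answers[0].rstrip(".").lower()
        if nxt in chain:
            break  # CNAME loop
        chain.append(nxt)
    return chain


def registrable_apex(name: str) -> str:
    """dns.available.com -> available.com; a.b.co.uk -> b.co.uk (longest known suffix wins)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def classify(host: str, resolve: Resolver) -> Tuple[str, str]:
    """Step 3: (verdict, final CNAME target). apex-nxdomain = whole target domain gone,
    confirm at a registrar (the write-up's case); target-nxdomain = apex alive but the
    host name removed, check the provider's claim rules (S3, Pages, Heroku, ...)."""
    chain = cname_chain(host, resolve)
    target = chain[-1]
    if len(chain) == 1:
        return "no-cname", target
    try:
        resolve(registrable_apex(target), "NS")
    except NXDomain:
        return "apex-nxdomain", target
    try:
        resolve(target, "A")
    except NXDomain:
        return "target-nxdomain", target
    return "alive", target


def triage(lines: List[str], resolve: Resolver) -> Dict[str, Tuple[str, str]]:
    """End to end: redirect filter -> CNAME chain -> apex check, keyed by host."""
    return {host: classify(host, resolve) for host, _loc in redirected_hosts(lines)}


# --- Constructed demo data: hypothetical hosts, not real scan output or DNS ---
DEMO_WHATWEB = [
    "http://www.redacted.com [200 OK] HTTPServer[nginx], Title[Redacted]",
    "http://registration.redacted.com [302 Found] HTTPServer[Apache], RedirectLocation[https://www.hugedomains.com/]",
    "http://old-docs.redacted.com [302 Found] RedirectLocation[https://docs.redacted.com/]",
    "http://beta.redacted.com [307 Temporary Redirect] RedirectLocation[https://www.redacted.com/]",
    "http://login.redacted.com [301 Moved Permanently] RedirectLocation[https://login.redacted.com/]",
]
DEMO_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("registration.redacted.com", "CNAME"): ["reg.expired-vendor.net."],  # vendor apex lapsed
    ("old-docs.redacted.com", "CNAME"): ["redacted.docs-vendor.net."],    # still served
    ("redacted.docs-vendor.net", "A"): ["192.0.2.10"],
    ("docs-vendor.net", "NS"): ["ns1.docs-vendor.net."],
    ("beta.redacted.com", "CNAME"): ["beta-redacted.docs-vendor.net."],  # host removed at vendor
    ("login.redacted.com", "A"): ["192.0.2.20"],                         # A record only, no CNAME
}


def demo_resolver(name: str, rrtype: str) -> List[str]:
    """Table-backed resolver that keeps DNS semantics: NODATA ([]) versus NXDOMAIN (raise)."""
    name = name.rstrip(".").lower()
    if (name, rrtype) in DEMO_RECORDS:
        return DEMO_RECORDS[(name, rrtype)]
    if any(n == name for n, _ in DEMO_RECORDS):
        return []  # the name exists, just no record of this type
    raise NXDomain(name)  # nothing at all for this name


if __name__ == "__main__":
    for host, (verdict, target) in triage(DEMO_WHATWEB, demo_resolver).items():
        print(f"{host:28} {verdict:16} -> {target}")
```

Two different "dangling" outcomes are kept apart on purpose: apex-nxdomain is the expired-domain case this write-up hit (the fix is to register the domain, so confirm availability with a registrar or WHOIS before reporting), while target-nxdomain means the vendor's apex is still registered and only the host name is gone, which is the cloud-service class from the Other Cases section and has to be checked against that provider's rules rather than a registrar. NXDOMAIN on the apex is a strong signal, not proof: lame delegations and resolver errors can look similar, so the registrar check is the step that turns a candidate into a finding.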

References:

https://0xpatrik.com/subdomain-takeover-basics/

https://github.com/EdOverflow/can-i-take-over-xyz

Thanks for reading. If you like this write-up please leave a heart.


About the Creator

secureitmania

I am a security researcher and bug-hunter. I like to share my knowledge with write-ups.
