Protect Yourself from a Subdomain Takeover

It’s surprisingly easy for a malicious hacker to do a subdomain takeover. Here’s how to protect yourself from this type of attack.

Alex Thomas

November 11, 2021

Introduction

A subdomain takeover occurs when a subdomain's DNS record (typically a CNAME) points to another domain that no longer exists. I've personally seen this vulnerability in a range of organizations, since all it takes is for a DNS record to become invalid, which can happen without any user interaction. The vulnerability is ephemeral: you may be safe one day and vulnerable the next.

Subdomain Takeover

Subdomain takeover takes place when a domain points to an unregistered domain that another person can register. If an attacker were to register the non-existent domain, then the target subdomain would now point to their domain, effectively giving the attacker full control over the target’s subdomain. What makes this vulnerability so interesting is that you can be safe one minute, and a single DNS change can make you vulnerable the next minute.

The vulnerability here is that the target subdomain points to a domain that does not exist. An attacker can then register the non-existent domain. Now the target subdomain will point to a domain the attacker controls. 

If you're planning on hunting for this vulnerability, you should reference the following GitHub repository, as it contains many examples and walkthroughs on exploiting different providers:

As you can see above, this page contains a large list of engines that can be affected by this vulnerability. If you click on the issue number, it will give you a walkthrough of exploiting that particular engine. Because every provider has its own way of registering domains, you will need to learn the registration process of the engine that impacts your target.

GitHub Takeover

One of the easiest ways to spot a subdomain takeover vulnerability is by the error message it throws, as shown below:

As you can see above, when we visit our target site, it returns a 404 status code and shows the error message "There isn't a GitHub Pages Site here." If we go to the subdomain takeover wiki, we can confirm that this error message indicates a possible subdomain takeover.

Now that we have an indicator that this site is vulnerable, we need to get the GitHub page the vulnerable subdomain is pointing to. We need this information so we can register the domain through GitHub. 

As shown above, a “dig” command can be used to gather the DNS records of the vulnerable domain. We can also see that the domain points to the GitHub page “ghostlulzvulntakeover.github.io.” If we can register this domain, we win! To figure out the process of registering a domain on GitHub, follow the tutorial in the subdomain takeover GitHub page as shown below:

Now that we know the steps to register a domain on GitHub, we just need to do it. First, I created a GitHub repo with the same name as the CNAME record:

After that, I created an “index.html” file in the repo as shown below:

Next, I set the repo as the main branch:

Finally, I specified the target domain I’m going after:

That’s it! Now when I visit the target domain, I can see the page I set up.

I WIN! I successfully exploited the subdomain takeover vulnerability and got my page to appear on the target subdomain. Note that this is the process for GitHub; if your target is vulnerable to something else, you will have to follow the steps for that provider. Fortunately, this is all documented on the subdomain takeover GitHub wiki.

Conclusion

A few years ago, subdomain takeover was common, but it has recently started to die down. However, you will still find plenty of organizations vulnerable to this type of attack. It is extremely easy to pull off, and it allows attackers to completely take over the target subdomain. If an attacker is looking for an easy, high-severity finding, this is it. As this vulnerability is ephemeral, the best defense is to find it before the attackers do, via a continuous scanning solution such as Red Sentry.
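The two signals the GitHub section relies on (the CNAME returned by dig, and the provider's "There isn't a GitHub Pages Site here" page) are exactly what a defender's continuous check should look for. The following is an added example written for this article, not code from the author or from Red Sentry. It follows each subdomain's CNAME chain and flags a name either when the chain dangles in NXDOMAIN or when the target is a known provider whose unclaimed-resource page comes back. DNS lookups and HTTP fetches are injected as callables, so the script runs offline against constructed records here; in a real deployment you would pass a resolver and an HTTP client. Hostnames under example.com, the example-hosting.test target, the IP addresses and the HTML bodies are all constructed; only the ghostlulzvulntakeover.github.io CNAME and the GitHub error text come from the article.

```python
"""Dangling-CNAME audit: the defender-side check for subdomain takeover
preconditions. Added example; DNS and HTTP are injected so it runs offline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                    # ("CNAME", target) or ("A", address)
Lookup = Callable[[str], Optional[Record]]  # None means NXDOMAIN
Fetch = Callable[[str], Optional[str]]      # None means no HTTP response

# Provider fingerprints. Only the GitHub Pages text shown in the article is
# included; a real deployment would extend this table from the takeover wiki.
UNCLAIMED_MARKERS: Dict[str, str] = {
    "github.io": "there isn't a github pages site here",
}


def norm(name: str) -> str:
    """Canonical form: no surrounding whitespace, no trailing dot, lowercase."""
    return name.strip().rstrip(".").lower()


@dataclass
class Finding:
    name: str
    target: str
    reason: str


def follow_cnames(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, Optional[Record]]:
    """Walk the CNAME chain from `name`. Returns (last_name, terminal_record);
    the record is None when the chain ends in NXDOMAIN, loops, or is too long."""
    seen = set()
    cur = norm(name)
    for _ in range(max_hops):
        if cur in seen:
            return cur, None
        seen.add(cur)
        rec = lookup(cur)
        if rec is None:
            return cur, None
        if rec[0] != "CNAME":
            return cur, rec
        cur = norm(rec[1])
    return cur, None


def check_subdomain(name: str, lookup: Lookup, fetch: Fetch) -> Optional[Finding]:
    """Return a Finding if `name` shows a takeover precondition, else None."""
    first = lookup(norm(name))
    if first is None or first[0] != "CNAME":
        return None  # no CNAME: not the pattern discussed in the article
    target = norm(first[1])
    last, terminal = follow_cnames(name, lookup)
    if terminal is None:
        return Finding(norm(name), target, f"CNAME chain dangles at {last} (NXDOMAIN or loop)")
    # The target resolving is normal for wildcard hosts such as *.github.io;
    # the giveaway is the provider's own 'unclaimed' page, so check the body.
    for suffix, marker in UNCLAIMED_MARKERS.items():
        if target == suffix or target.endswith("." + suffix):
            body = fetch(norm(name))
            if body is not None and marker in body.lower():
                return Finding(norm(name), target, f"{suffix} reports the name unclaimed")
    return None


def audit(names, lookup: Lookup, fetch: Fetch) -> List[Finding]:
    return [f for f in (check_subdomain(n, lookup, fetch) for n in names) if f]


# Constructed sample data (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_DNS: Dict[str, Record] = {
    "blog.example.com": ("CNAME", "ghostlulzvulntakeover.github.io"),  # CNAME from the article
    "ghostlulzvulntakeover.github.io": ("A", "192.0.2.10"),            # resolves, but unclaimed
    "old.example.com": ("CNAME", "retired-app.example-hosting.test"),  # target no longer exists
    "www.example.com": ("CNAME", "live.example.com"),
    "live.example.com": ("A", "203.0.113.10"),
}
SAMPLE_HTTP: Dict[str, str] = {
    "blog.example.com": "<h1>404</h1><p>There isn't a GitHub Pages Site here.</p>",
    "www.example.com": "<h1>Welcome</h1>",
}


def sample_findings() -> List[Finding]:
    """Run the audit over the constructed records (dict.get doubles as the resolver)."""
    return audit(["blog.example.com", "old.example.com", "www.example.com"],
                 SAMPLE_DNS.get, SAMPLE_HTTP.get)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Running it reports blog.example.com (the GitHub Pages case, where the target still resolves but the provider says the site is unclaimed) and old.example.com (a plain NXDOMAIN dangle), while www.example.com passes. The split between the two reasons matters in practice: a check that only tests for NXDOMAIN would miss the GitHub case the article walks through.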

Alex Thomas

CTO, Ethical hacker of numerous Fortune 500 companies. Inventor of cybersecurity tools and published author of two books. Dakota State University BS and MS.

