DhivishVarshan
2 min read · Oct 4, 2021


Subdomain Takeover

Hi hacker,

Hope you are good. I am very excited to write this post, since it is my first one. In this post I will discuss how I find subdomain takeover vulnerabilities, how to check whether the hosting service a CNAME points to is vulnerable or not, and how the subdomain can be taken over if the hosting service the CNAME points to is vulnerable.

What is meant by subdomain takeover?

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it. This can happen because either a virtual host hasn’t been published yet or a virtual host has been removed. An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.
If an attacker can do this, they can potentially read cookies set by the main domain and perform XSS, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.
A subdomain is like an electrical outlet. If you have your own appliance (host) plugged into it, everything is fine. However, if you remove your appliance from the outlet (or haven’t plugged one in yet), someone can plug in a different one. You must cut power at the breaker or fuse box (DNS) to prevent the outlet from being used by someone else.

Methodology to find subdomain takeover:

  1. Go to virustotal.com and collect the information about the target's subdomains (the subdomain list is under the Relations tab on VirusTotal); copy those subdomains.
  2. Next go to httpstatus.io, paste the subdomains and click "check status". You will see the subdomains listed with their HTTP status (200, 404, etc.) and any redirection. Above the list there is a filter for the status; change it from "all statuses" to 404, and only the subdomains returning 404 are listed.
  3. Next go to mxtoolbox.com and paste the 404 subdomains from httpstatus.io one by one. Click MX Lookup and you will get information about the DNS records. If the DNS record is a CNAME, there is some possibility of taking over the subdomain (not every subdomain pointing to a CNAME can be taken over; only a CNAME pointing to a vulnerable hosting service can be).
  4. Now go to the https://github.com/EdOverflow/can-i-take-over-xyz GitHub page to check whether the hosting service is vulnerable or not. If it is vulnerable, a subdomain takeover is almost certainly possible.
  5. Now go to the hosting service the CNAME points to, sign in with your account and take over the subdomain.

Extra information:

Subdomain takeover is possible only on subdomains that return a 404 page, not on working pages, even when the working page is also pointing to a CNAME.
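The manual workflow above (collect subdomains, filter to 404, look up the CNAME, compare the target against the can-i-take-over-xyz list, and skip pages that still serve content) can be written down as one triage function so that a defender can run it over their own DNS inventory and remove stale records before anyone else notices them. The script below is an added example, not code from the original post or from the can-i-take-over-xyz project. The fingerprint table, hostnames, HTTP statuses and response bodies are all constructed sample data, and a real run would swap in live DNS/HTTP lookups and load the project's own fingerprint list.

```python
"""Offline triage of candidate dangling-CNAME records (added example).

Mirrors the post's workflow: a subdomain is a takeover candidate only when it
has a CNAME, does not serve working content, and the CNAME target belongs to a
hosting service that answers with its "unclaimed host" page. Everything here is
constructed sample data so the script runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed fingerprint table (placeholders, not verified entries). The shape
# loosely follows the can-i-take-over-xyz idea: which CNAME suffix identifies a
# hosting service, what body text it returns for an unclaimed host, and whether
# that service is considered claimable by a third party.
FINGERPRINTS = [
    {"service": "example-pages-host", "cname_suffix": ".pages.example-host.test",
     "body_marker": "There isn't a site here", "claimable": True},
    {"service": "example-cdn", "cname_suffix": ".cdn.example-cdn.test",
     "body_marker": "Unknown distribution", "claimable": False},
]


@dataclass
class Observation:
    subdomain: str
    cname: Optional[str]   # None when the name has no CNAME record
    status: Optional[int]  # None when no HTTP response was obtained
    body: str              # response body (constructed in the sample below)


@dataclass
class Finding:
    subdomain: str
    verdict: str  # "ok", "review", "dangling-claimable", "dangling-not-claimable"
    reason: str


def classify(obs: Observation) -> Finding:
    """Apply the post's decision steps to one observed subdomain."""
    # Step 3: without a CNAME this takeover path does not apply.
    if obs.cname is None:
        return Finding(obs.subdomain, "ok", "no CNAME record")
    # "Extra information": a working page (2xx) is not a candidate even though
    # it points at a CNAME.
    if obs.status is not None and 200 <= obs.status < 300:
        return Finding(obs.subdomain, "ok", f"serving content (HTTP {obs.status})")
    # Step 4: compare the CNAME target against the known hosting services.
    target = obs.cname.lower()
    for fp in FINGERPRINTS:
        if target.endswith(fp["cname_suffix"]):
            if fp["body_marker"] in obs.body:
                verdict = "dangling-claimable" if fp["claimable"] else "dangling-not-claimable"
                return Finding(obs.subdomain, verdict,
                               f"{fp['service']} reports an unclaimed host; remove or re-point the CNAME")
            return Finding(obs.subdomain, "review",
                           f"{fp['service']} target returned HTTP {obs.status} without the unclaimed marker")
    return Finding(obs.subdomain, "review",
                   f"CNAME -> {obs.cname} is not in the fingerprint table; check manually")


def triage(observations: List[Observation]) -> List[Finding]:
    return [classify(o) for o in observations]


# Constructed inventory standing in for the VirusTotal / httpstatus.io / mxtoolbox output.
SAMPLE = [
    Observation("blog.example.test", "user.pages.example-host.test", 404, "There isn't a site here"),
    Observation("www.example.test", "edge.cdn.example-cdn.test", 200, "<html>home</html>"),
    Observation("old.example.test", "abc.cdn.example-cdn.test", 404, "Unknown distribution"),
    Observation("api.example.test", None, 404, "not found"),
    Observation("dev.example.test", "host.unknown-provider.test", 404, "nothing here"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.subdomain:24} {f.verdict:24} {f.reason}")
```

The "review" verdict is deliberate: a 404 from a CNAME target that is not in the table, or that does not show the unclaimed-host marker, is not proof either way, so it goes to a human rather than being silently dropped or flagged. Removing the stale CNAME from DNS is the fix in every dangling case, which is the "cut power at the breaker" step from the analogy above.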

Impact:

Through a subdomain takeover you gain control of the subdomain and can perform further attacks such as XSS, account takeover (putting your own sign-in page in place of the company's), etc.

Thanks for reading the blog

Happy hacking!
