SubDomain TakeOver ~ Easy WIN WIN

Amit Patil
3 min read · Dec 16, 2020

Hello community, today I will be sharing my findings related to a “P2 bug: subdomain takeover”. So let's see.

What is meant by subdomain?

In layman's terms, a subdomain is a subdivision of a main domain, like a parent domain and a child domain.

There are also two kinds of subdomain relationship:

1. Vertical correlation (all subdomains of apple.com, like cloud.apple.com and istore.apple.com)

2. Horizontal correlation (subsidiaries of Facebook, like WhatsApp, LiveRail, Onavo and so on)

(Image: subdivision of a domain)

What is meant by subdomain takeover?

  • Most organisations use cloud hosting services to host their web pages. For this, the cloud service provider creates a subdomain on its own main domain for each customer. For example, if myshopify.com is the main domain, the provider creates sub.myshopify.com, and on that subdomain you can host the web page or content you want to serve. The customer's own domain name is then given a CNAME record that forwards all queries to that provider subdomain.
  • A domain name (e.g., sub.myshopify.com) uses a CNAME record pointing to another domain (e.g., sub.myshopify.com CNAME anotherdomain.com).
  • At some point in time, anotherdomain.com expires and becomes available for anyone to register.
  • Since the CNAME record is not deleted from the sub.myshopify.com DNS zone, anyone who registers anotherdomain.com has full control over sub.myshopify.com for as long as that DNS record is present.
  • In short, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.

So, to collect all the subdomains I used a GitHub tool called subfinder. It enumerates all the subdomains and stores the output in list.txt.

(Image: subfinder output)

To check whether a subdomain is vulnerable to subdomain takeover or not, I use a GitHub tool called subzy.

It showed me that particular subdomains were vulnerable to subdomain takeover. Then I checked the IP address of the subdomain, and whom it belongs to, using the whois command.

(Image: IP address and whois output)

I tried to open the subdomain in the browser, and it gave a message like the one below. The message is nothing but the fingerprint/pattern served by the different cloud providers. To learn more about the fingerprints of different cloud service providers, go to https://github.com/shifa123/Can-I-take-over-xyz-v2
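As an added example (not code from the original post, and not subzy's own logic), the following Python script shows the check a domain owner can run over an export of their own CNAME records to catch the two conditions described above: a CNAME whose target no longer resolves, and a CNAME whose target still resolves but where the provider is serving its "unclaimed resource" fingerprint page. The zone records, resolver answers, HTTP bodies and fingerprint strings are all constructed or assumed so the script runs offline; real fingerprints should be taken from the list linked above, and the `live_resolves`/`live_fetch` helpers (stdlib only) can be passed in to audit names you actually own.

```python
"""Audit CNAME records for the dangling condition behind subdomain takeover.

Added example, not code from the original post or from subzy. The records,
resolver answers and HTTP bodies below are constructed so it runs offline.
"""
import re
import socket
import urllib.error
import urllib.request
from typing import Callable, Optional

# Illustrative provider fingerprints (assumption: take the real patterns from
# the Can-I-take-over-xyz list the post links to).
FINGERPRINTS = {
    "myshopify.com": re.compile(r"this shop is currently unavailable", re.I),
    "github.io": re.compile(r"There isn't a GitHub Pages site here", re.I),
    "s3.amazonaws.com": re.compile(r"NoSuchBucket", re.I),
}

# Constructed zone export of your own records: (owner name, CNAME target).
SAMPLE_CNAMES = [
    ("shop.example.com", "shops.myshopify.com"),            # provider serving its "unclaimed" page
    ("docs.example.com", "example-docs.github.io"),         # claimed, serving real content
    ("old.example.com", "retired-assets.example-cdn.net"),  # target no longer exists in DNS
    ("www.example.com", "lb.example.com"),                  # ordinary in-house alias
]

# Constructed view of the outside world: target -> (resolves in DNS?, HTTP body or None).
MOCK_WORLD = {
    "shops.myshopify.com": (True, "Sorry, this shop is currently unavailable."),
    "example-docs.github.io": (True, "<h1>Example docs</h1>"),
    "retired-assets.example-cdn.net": (False, None),
    "lb.example.com": (True, "<h1>Example home</h1>"),
}


def mock_resolves(name: str) -> bool:
    return MOCK_WORLD.get(name, (False, None))[0]


def mock_fetch(name: str) -> Optional[str]:
    return MOCK_WORLD.get(name, (False, None))[1]


def live_resolves(name: str) -> bool:
    """Real DNS lookup via the stdlib; for auditing names you own."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def live_fetch(name: str, timeout: float = 5.0) -> Optional[str]:
    """Real HTTP fetch via the stdlib; 4xx bodies are kept, since that is where fingerprints appear."""
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except Exception:
        return None


def provider_for(target: str) -> Optional[str]:
    """Return the provider apex a CNAME target belongs to, if we hold a fingerprint for it."""
    for apex in FINGERPRINTS:
        if target == apex or target.endswith("." + apex):
            return apex
    return None


def classify(target: str, resolves: Callable[[str], bool],
             fetch: Callable[[str], Optional[str]]) -> str:
    """Verdict for one CNAME target, mirroring the two failure modes in the post."""
    if not resolves(target):
        return "DANGLING: CNAME target does not resolve; delete the record or reclaim the target"
    apex = provider_for(target)
    if apex is None:
        return "ok"
    body = fetch(target) or ""
    if FINGERPRINTS[apex].search(body):
        return f"UNCLAIMED: {apex} serves its not-found page; claim the resource or delete the record"
    return "ok"


def audit(records, resolves=mock_resolves, fetch=mock_fetch):
    """Return [(owner, target, verdict), ...] for every CNAME record."""
    return [(owner, target, classify(target, resolves, fetch)) for owner, target in records]


if __name__ == "__main__":
    for owner, target, verdict in audit(SAMPLE_CNAMES):
        print(f"{owner:18} -> {target:32} {verdict}")
```

The fix in both flagged cases is the same from the owner's side: either claim the provider resource again under your own account, or delete the stale CNAME so the name stops pointing at something you do not control. Run the audit on every zone export, not just once, because the dangling state appears when a resource is torn down after the record was created.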

(Image: provider fingerprint message)

For a subdomain takeover I need to have an account with the cloud hosting provider that serves that subdomain. In my case it was Shopify. So I simply created an account on shopify.com, which asks for your basic info at account creation and gives you a 14-day trial account; other service providers have different policies.
Once the Shopify account has been created:
1. Go to Add domain
2. Click on Connect existing domain
3. Provide the vulnerable domain name only (sub.shopify.com)
4. Click on Verify connection
5. You are able to host any content (malicious script, phishing page and much more) on that subdomain.

(Image: after subdomain takeover)

Tools used

  1. subfinder — Subdomain Enumeration
  2. subzy — To verify whether a domain is vulnerable to subdomain takeover or not.

I hope this will be helpful. Thanks for reading.

If you found this informative, please do share and connect with me on LinkedIn.
