1. DNS/SubdomainTakeover

takeover: 「引取」 (hikitori, "taking over") is probably the neutral rendering. -- ToshinoriMaeno 2019-04-20 06:38:26

Split off from ../hijacking. -- ToshinoriMaeno 2020-11-09 23:46:11

5 Subdomain Takeover #ProTips https://securitytrails.com/blog/subdomain-takeover-tips

https://twitter.com/0xpatrik/status/1031952037301432321

https://0xpatrik.com/subdomain-takeover-impact/

/Azure This is now being seen in Japan as well. -- ToshinoriMaeno 2020-07-13 06:35:38

/近日公開ページ (coming-soon pages)

Hostile Subdomain Takeover using Heroku/Github/Desk + more October 21, 2014 https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

/provider

https://github.com/robotshell/subdomainTakeover

https://tutorgeeks.blogspot.com/2019/04/subdomain-takeover-in-velostrata-google.html

https://blog.securitybreached.org/2017/10/11/what-is-subdomain-takeover-vulnerability/

findsubdomains https://findsubdomains.com/subdomains-of/toyota.com

https://www.peerlyst.com/posts/hostile-subdomain-takeover-ron-hardy /hostile

Subdomain TakeOver Best Tools https://twitter.com/Alra3ees/status/1136019348475326466 https://twitter.com/Alra3ees/status/1136019491752726528

https://twitter.com/LSELabs/status/1135748125283553281

https://linuxsecurity.expert/tools/subover/ /subover SubOver is considered a hostile tool to take over a subdomain.

https://twitter.com/Alra3ees/status/1133938933241393153

https://twitter.com/cry__pto/status/1134765310026891264

Zendesk: https://exploit.linuxsec.org/zendesk-custom-domain-subdomain-takeover/

github 10000.txt https://github.com/antichown/subdomain-takeover/blob/master/subdomains-10000.txt

1.1. Starting point

Hanno Böck : Subdomain Takeover: Microsoft loses control over Windows Tiles

https://www.golem.de/news/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html

Sub-domain takeovers in the wild: https://hackerone.com/reports/181665 https://hackerone.com/reports/114134 https://hackerone.com/reports/325336 https://hackerone.com/reports/32825 https://hackerone.com/reports/175070 #BugBounty #bugbountytip #pentesting 19:15 - June 1, 2019

1.2. hackerone

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records. https://github.com/EdOverflow/can-i-take-over-xyz

1.3. Patrik Hudak

../PatrikHudak https://0xpatrik.com/subdomain-takeover-basics/ Also covers Amazon CloudFront.

https://0xpatrik.com/second-order-bugs/

https://0xpatrik.com/subdomain-takeover-candidates/

https://0xpatrik.com/subdomain-takeover-ns/

1.4. shopify

Subdomain Takeover - https://competition.shopify.com/

State: Resolved (Closed)
Disclosed: June 19, 2018 12:35pm +0900
Reported To: Shopify
Asset: *.shopify.com (Domain)
Weakness: Privilege Escalation
Bounty: $750

1.5. medium.com

/medium.com

How to do 55.000+ Subdomain Takeover in a Blink of an Eye

https://medium.com/bugbountywriteup/how-i-started-a-chain-of-subdomain-takeovers-and-hacked-100s-of-companies-770d8f84885e

1.6. heroku

https://www.freelists.org/post/bugbounty/Bug-bounty-tip-The-www-subdomain-takeover-trick

/herokudns https://www.mohamedharon.com/2019/04/herokudns-still-vulnerable.html

1.7. Detectify Labs

Hostile Subdomain Takeover using Heroku/Github/Desk + more October 21, 2014 https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

This article assumes that the reader has a basic understanding of the Domain Name System (DNS) and knows how to set up a subdomain.

https://docs.google.com/presentation/d/1FNQoISvffDOpGCjA-ie9AB1Qn8FLRrS4qs5h7SIVDUI/edit#slide=id.g569856b23d_0_25

1.8. Japanese

https://diary.shift-js.info/subdomain-takeover/

1.9. Case studies

1.9.1. starbucks

https://0xpatrik.com/subdomain-takeover-starbucks/

Subdomain Takeover: Starbucks points to Azure

This post is the write-up about a bug bounty report that I reported back in March 2018 to Starbucks. The report is now disclosed, and I was awarded a $2,000 bounty.

Although I have written about subdomain takeover in multiple posts, this case was somehow different.

HackerOne Report

The domain in question was svcgatewayus.starbucks.com. The domain pointed to a non-existing resource in Microsoft Azure. I realized that I have never talked about Microsoft Azure as a potential vector for subdomain takeover.

Firstly, Azure provides multiple services. I look for two primary services:

    Azure Websites — .azurewebsites.net
    Cloud Apps — .cloudapp.net

The most significant difference compared to CloudFront and other similar services is that Azure provides a dedicated IP address for both of these services. The provided subdomain points to it using an A record. In other words, Azure doesn't use a virtual host setup (as I described previously). This means that for a potential subdomain takeover, you only need to look for the DNS status being NXDOMAIN.

There are lots of misconceptions about when the subdomain takeover for Azure is possible. I recommend running a simple dig command:

dig -t A DOMAIN_TO_CHECK

Is the response status NXDOMAIN? If yes, great, the takeover might be possible. Note that receiving a 404 HTTP error does not mean the subdomain takeover is possible at all! As I said before, the services have a dedicated VPS. For a successful subdomain takeover, the DNS request should always return NXDOMAIN.

The subdomain in the report pointed to 1fd05821-7501-40de-9e44-17235e7ab48b.cloudapp.net. I needed to create a PoC which was a little bit tricky. The rough guideline of how I did it follows:

    Created a new Cloud Service in the portal. It asks for a custom domain name. Remember: This domain name needs to match since you are not dealing with a virtual host anymore. You can confirm this theory by noticing that Cloud Service never asks for a domain name which you will use for the CNAME.
    Created a Storage Account for the Cloud Service in the Azure portal.
    Azure requires a specific format for deployment of Cloud Services which is generated by Visual Studio. I created a simple ASP.NET web application and uploaded it to this Cloud Service using this tutorial.
    Because of DNS, the A record for svcgatewayus.starbucks.com is pointing to Azure, and so the HTTP request returns the content from the ASP.NET application I just deployed.

For Azure Websites, the process is much more straightforward and looks closer to traditional PaaS. To create a PoC for Azure Websites, I recommend following this tutorial. I tested that, and it works correctly.

I have to say that I find the Azure portal very messy. IMHO it is a lot more complex than AWS with no significant benefits.
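A zone-side check for the NXDOMAIN signal the write-up describes (dangling CNAMEs to the two Azure suffixes it names), added here as an example; it is not code from Hudak's post or from this wiki. The zone lines and the fake resolution results are constructed, and mapping the stub resolver's EAI_NONAME onto NXDOMAIN is an assumption.

```python
import socket
from typing import Callable, List, Tuple

# Azure services named in the write-up: each gets a dedicated IP, so a dangling
# CNAME to one of these shows up as NXDOMAIN on the target, not as an HTTP 404.
AZURE_SUFFIXES = (".cloudapp.net", ".azurewebsites.net")

# Constructed zone export (BIND-style); names and the UUID are made up.
SAMPLE_ZONE = """\
; constructed sample zone
svcgateway.example.com.  3600 IN CNAME 00000000-1111-4222-8333-444444444444.cloudapp.net.
www.example.com.         3600 IN CNAME live-app.azurewebsites.net.
cdn.example.com.         3600 IN CNAME d111111abcdef8.cloudfront.net.
mail.example.com.        3600 IN A     192.0.2.10
"""

def parse_cname_records(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line, trailing dots removed."""
    records = []
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()   # drop comments, then tokenize
        if "CNAME" not in tokens:
            continue
        owner, target = tokens[0], tokens[tokens.index("CNAME") + 1]
        records.append((owner.rstrip("."), target.rstrip(".")))
    return records

def resolve_status(name: str) -> str:
    """Map a stub-resolver lookup onto a dig-like status.
    Assumption: EAI_NONAME is treated as NXDOMAIN; any other failure as SERVFAIL,
    so transient resolver errors are never reported as dangling."""
    try:
        socket.gethostbyname(name)
        return "NOERROR"
    except socket.gaierror as err:
        return "NXDOMAIN" if err.errno == getattr(socket, "EAI_NONAME", None) else "SERVFAIL"

def find_dangling_azure_cnames(zone_text: str,
                               status_fn: Callable[[str], str] = resolve_status
                               ) -> List[Tuple[str, str]]:
    """Flag CNAMEs whose Azure target returns NXDOMAIN. Targets on other providers
    (e.g. CloudFront, which uses virtual hosts) need a different check and are skipped."""
    return [(owner, target)
            for owner, target in parse_cname_records(zone_text)
            if target.endswith(AZURE_SUFFIXES) and status_fn(target) == "NXDOMAIN"]

if __name__ == "__main__":
    for owner, target in find_dangling_azure_cnames(SAMPLE_ZONE):
        print(f"dangling: {owner} -> {target} (NXDOMAIN)")
```

Run against a real zone export, the default status function does live lookups; the HTTP response of a resolving target is deliberately ignored, matching the write-up's point that a 404 is not the signal.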

Moin2Qmail: DNS/SubdomainTakeover (last edited 2021-03-03 21:05:36 by ToshinoriMaeno)