1. DNS/SubdomainTakeover

takeover: something like 「引取」 ("taking over") is probably the neutral sense. -- ToshinoriMaeno 2019-04-20 06:38:26

Split off from ../hijacking. -- ToshinoriMaeno 2020-11-09 23:46:11



https://github.com/EdOverflow/can-i-take-over-xyz#readme (appears to focus on subdomain takeover)


5 Subdomain Takeover #ProTips https://securitytrails.com/blog/subdomain-takeover-tips



/Azure Now being seen in Japan as well. -- ToshinoriMaeno 2020-07-13 06:35:38


Hostile Subdomain Takeover using Heroku/Github/Desk + more October 21, 2014 https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/





findsubdomains https://findsubdomains.com/subdomains-of/toyota.com

https://www.peerlyst.com/posts/hostile-subdomain-takeover-ron-hardy /hostile

Subdomain TakeOver Best Tools https://twitter.com/Alra3ees/status/1136019348475326466 https://twitter.com/Alra3ees/status/1136019491752726528


https://linuxsecurity.expert/tools/subover/ /subover SubOver is considered a hostile tool to take over a subdomain.



Zendesk: https://exploit.linuxsec.org/zendesk-custom-domain-subdomain-takeover/

github 10000.txt https://github.com/antichown/subdomain-takeover/blob/master/subdomains-10000.txt

1.1. Starting point

Hanno Böck : Subdomain Takeover: Microsoft loses control over Windows Tiles


Sub-domain takeovers in the wild: https://hackerone.com/reports/181665 https://hackerone.com/reports/114134 https://hackerone.com/reports/325336 https://hackerone.com/reports/32825 https://hackerone.com/reports/175070 #BugBounty #bugbountytip #pentesting 19:15 - June 1, 2019

1.2. hackerone


"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records. https://github.com/EdOverflow/can-i-take-over-xyz

1.3. Patrik Hudak

../PatrikHudak https://0xpatrik.com/subdomain-takeover-basics/ Also covers Amazon CloudFront.




1.4. shopify

Subdomain Takeover - https://competition.shopify.com/

State   Resolved (Closed)
Disclosed       June 19, 2018 12:35pm +0900
Reported To     Shopify
Weakness        Privilege Escalation
Bounty  $750

1.5. medium.com


How to do 55.000+ Subdomain Takeover in a Blink of an Eye


1.6. heroku


/herokudns https://www.mohamedharon.com/2019/04/herokudns-still-vulnerable.html

1.7. Detectify Labs

Hostile Subdomain Takeover using Heroku/Github/Desk + more October 21, 2014 https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

This article assumes that the reader has a basic understanding of the Domain Name System (DNS) and knows how to set up a subdomain.


1.8. Japanese


1.9. Case studies

1.9.1. starbucks


Subdomain Takeover: Starbucks points to Azure

This post is the write-up about a bug bounty report that I reported back in March 2018 to Starbucks. The report is now disclosed, and I was awarded a $2,000 bounty.

Although I have written about subdomain takeover in multiple posts, this case was somehow different.

HackerOne Report

The domain in question was svcgatewayus.starbucks.com. The domain pointed to a non-existing resource in Microsoft Azure. I realized that I had never talked about Microsoft Azure as a potential vector for subdomain takeover.

Firstly, Azure provides multiple services. I look for two primary services:

    Azure Websites — .azurewebsites.net
    Cloud Apps — .cloudapp.net

The most significant difference compared to CloudFront and other similar services is that Azure provides a dedicated IP address for both of these services. The provided subdomain points to it using an A record. In other words, Azure doesn't use a virtual host setup (as I described previously). This means that for a potential subdomain takeover, you only need to look for the DNS status being NXDOMAIN.

There are lots of misconceptions about when the subdomain takeover for Azure is possible. I recommend running a simple dig command:


Is the response status NXDOMAIN? If yes, great, the takeover might be possible. Note that receiving a 404 HTTP error does not mean the subdomain takeover is possible at all! As I said before, the services have a dedicated VPS. For a successful subdomain takeover, the DNS request should always return NXDOMAIN.

The subdomain in the report pointed to 1fd05821-7501-40de-9e44-17235e7ab48b.cloudapp.net. I needed to create a PoC which was a little bit tricky. The rough guideline of how I did it follows:

    Created a new Cloud Service in the portal. It asks for a custom domain name. Remember: This domain name needs to match since you are not dealing with virtual hosts anymore. You can confirm this theory by noticing that Cloud Service never asks for the domain name which you will use for the CNAME.
    Created a Storage Account for the Cloud Service in the Azure portal.
    Azure requires a specific format for deployment of Cloud Services which is generated by Visual Studio. I created a simple ASP.NET web application and uploaded it to this Cloud Service using this tutorial.
    Because of DNS, the A record for svcgatewayus.starbucks.com is pointing to Azure, and so the HTTP request returns the content from the ASP.NET application I just deployed.

For Azure Websites, the process is much more straightforward and looks closer to traditional PaaS. To create a PoC for Azure Websites, I recommend following this tutorial. I tested that, and it works correctly.

I have to say that I find the Azure portal very messy. IMHO it is a lot more complex than AWS with no significant benefits.
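The check the post recommends (is the CNAME target NXDOMAIN, regardless of any HTTP 404?) is the same check a zone owner should run over their own records to find dangling entries before someone else does. The script below is an added example for this wiki page; it is not Patrik Hudak's code and not the wiki's. The zone records, the provider-suffix list and the resolver answers are constructed sample data; the real resolver at the bottom uses socket.getaddrinfo, which (as noted in its comment) cannot tell NXDOMAIN from SERVFAIL or a timeout, so its hits are candidates to confirm with dig, not proof.

```python
"""Audit a DNS zone export for CNAME records pointing at deprovisioned cloud hosts.

Added example for the DNS/SubdomainTakeover wiki page (not Patrik Hudak's or
any project's code). All sample data below is constructed.
"""
import socket
from dataclasses import dataclass

# Provider suffixes where a deprovisioned resource makes the target name vanish
# from DNS entirely (NXDOMAIN), which is the signal the post describes for Azure.
# This list is an assumption drawn from the services named on the page.
CLOUD_SUFFIXES = (
    ".cloudapp.net",
    ".azurewebsites.net",
    ".herokudns.com",
    ".cloudfront.net",
)


@dataclass
class Finding:
    owner: str    # the record in our zone
    target: str   # the provider hostname it points at
    reason: str


def find_dangling(records, resolve):
    """Return a Finding for every CNAME whose cloud target no longer resolves.

    records: iterable of (owner, rtype, target) tuples, e.g. parsed from a zone export.
    resolve: callable(name) -> 'OK' or 'NXDOMAIN'; injected so the audit can be
             run offline against recorded answers or online against real DNS.
    Only NXDOMAIN counts: an HTTP 404 from a live target is not a finding.
    """
    findings = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        name = target.rstrip(".").lower()
        if not name.endswith(CLOUD_SUFFIXES):
            continue  # not a provider we model; skip rather than guess
        if resolve(name) == "NXDOMAIN":
            findings.append(Finding(owner, name, "CNAME target is NXDOMAIN (dangling record)"))
    return findings


# --- constructed sample zone and recorded answers (not real hosts) ---
SAMPLE_ZONE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("shop.example.com.", "CNAME", "shop-live.azurewebsites.net."),   # still provisioned
    ("svc.example.com.", "CNAME",
     "00000000-0000-0000-0000-000000000000.cloudapp.net."),           # resource deleted
    ("blog.example.com.", "CNAME", "blog.example-cdn.example."),       # not a modelled provider
]

SAMPLE_ANSWERS = {
    "shop-live.azurewebsites.net": "OK",
    "00000000-0000-0000-0000-000000000000.cloudapp.net": "NXDOMAIN",
}


def recorded_resolver(name):
    """Offline resolver replaying the constructed answers above."""
    return SAMPLE_ANSWERS.get(name, "NXDOMAIN")


def socket_resolver(name):
    """Live resolver for real use. Caveat: getaddrinfo folds NXDOMAIN, SERVFAIL and
    timeouts into one error, so treat a hit as 'confirm with dig', not as proof."""
    try:
        socket.getaddrinfo(name, None)
        return "OK"
    except socket.gaierror:
        return "NXDOMAIN"


def summarize(findings):
    """One line per finding; the remediation is to delete the record or reclaim the resource."""
    return [f"{f.owner} -> {f.target}: {f.reason}" for f in findings]


if __name__ == "__main__":
    for line in summarize(find_dangling(SAMPLE_ZONE, recorded_resolver)):
        print(line)
```

Run it against your own zone by replacing SAMPLE_ZONE with the parsed export and passing socket_resolver (or a proper resolver that distinguishes NXDOMAIN from SERVFAIL) instead of recorded_resolver; the remediation for each finding is to remove the stale CNAME or re-provision the resource under your own account.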

Moin2Qmail: DNS/SubdomainTakeover (last edited 2022-04-02 02:47:14 by ToshinoriMaeno)