Contents

  1. history

Detecting and Measuring Security Risks of Hosting-Based Dangling Domains https://dl.acm.org/doi/10.1145/3579440

2.2 Dangling DNS Records

Dangling DNS records are a collection of DNS RRs in which the targeted resources (i.e., the data fields) are invalid, having expired, been released, or never been deployed.

Previous work has identified four categories of security-sensitive dangling records [48]:

• Dangling A records. They occur if some domains point to an IP address that can be acquired by any person. For example, the IP address is in a shared IP pool of public cloud instances (e.g., Amazon EC2 and Microsoft Azure) and is deprovisioned.

• Dangling CNAME records. They occur when a canonical domain in CNAME records expires or becomes available on a public hosting platform.

• Dangling NS and MX records. They are also unsafe when name servers and mail servers can be controlled due to expiration or troublesome service hosting.

The threats caused by dangling NS and MX records are more severe, since all domains delegated to these vulnerable servers can be taken over.

By exploiting these unsafe dangling records, adversaries can manipulate the targeted resources
in the DNS RRs and take over the domains that are not under their control.
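As an added illustration (not code from the paper or from the HostingChecker framework), the following Python script applies the four categories above to a constructed zone snapshot: it follows CNAME dependency chains passively, flags CNAME/NS/MX targets that no longer exist, and flags A records that sit in a deprovisioned address of a shared cloud pool. All names, address ranges and the ZONE table are hypothetical.

```python
import ipaddress

# Constructed zone snapshot (hypothetical names, not the paper's data):
# owner name -> list of (rrtype, rdata). Names missing from the table do not exist (NXDOMAIN).
ZONE = {
    "www.example.test": [("CNAME", "app.hosting-provider.test")],
    "app.hosting-provider.test": [("CNAME", "edge.hosting-provider.test")],
    "edge.hosting-provider.test": [("A", "198.51.100.7")],
    "blog.example.test": [("CNAME", "tenant-123.pages.provider.test")],  # target released
    "api.example.test": [("A", "203.0.113.45")],  # inside a shared cloud pool
    "mail.example.test": [("MX", "mx1.expired-mailhost.test")],
    "shop.example.test": [("NS", "ns1.expired-dns.test")],
}
# Constructed: a provider's shared instance pool (RFC 5737 documentation range) and the
# addresses in it currently bound to a live instance; every other pool address is deprovisioned.
SHARED_POOLS = [ipaddress.ip_network("203.0.113.0/24")]
ACTIVE_ADDRS = {ipaddress.ip_address("203.0.113.10")}

def resolve_chain(name, max_depth=8):
    """Follow CNAMEs passively through the snapshot; returns (chain, 'ok'|'nxdomain'|'loop')."""
    chain, seen = [name], {name}
    while True:
        rrs = ZONE.get(chain[-1])
        if rrs is None:
            return chain, "nxdomain"  # dependency chain ends in a non-existent name
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if not cnames:
            return chain, "ok"
        if cnames[0] in seen or len(chain) >= max_depth:
            return chain, "loop"
        seen.add(cnames[0])
        chain.append(cnames[0])

def classify(name):
    """Return (category, detail) findings for one owner name, one per dangling RR."""
    findings = []
    for rrtype, rdata in ZONE.get(name, []):
        if rrtype == "CNAME":
            chain, status = resolve_chain(name)
            if status == "nxdomain":
                findings.append(("dangling-CNAME", chain[-1]))
        elif rrtype == "A":
            ip = ipaddress.ip_address(rdata)
            if any(ip in pool for pool in SHARED_POOLS) and ip not in ACTIVE_ADDRS:
                findings.append(("dangling-A", rdata))
        elif rrtype in ("NS", "MX"):
            if resolve_chain(rdata)[1] == "nxdomain":
                findings.append(("dangling-" + rrtype, rdata))
    return findings
```

Running classify over every owner name in a real zone export, with the pool data replaced by the provider's published ranges, gives a daily dangling-record sweep of the kind the paper describes.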

[48] Daiping Liu, Shuai Hao, and Haining Wang. 2016. All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16), Vienna, Austria, October 24-28, 2016, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM, 1414–1425. https://doi.org/10.1145/2976749.2978387

Abstract

Public hosting services provide convenience for domain owners to build web applications with better scalability and security. However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying the same endpoints. Such a security threat is called "hosting-based domain takeover".

In recent years, a large number of domain takeover incidents have occurred; even well-known websites like the subdomains of microsoft.com have been impacted. However, until now, there has been no effective detection system to identify these vulnerable domains on a large scale.

In this paper, we fill this research gap by presenting a novel framework, HostingChecker, for detecting domain takeovers. Compared with previous work, HostingChecker expands the detection scope and improves the detection efficiency by: (i) systematically identifying vulnerable hosting services using a semi-automated method; and (ii) effectively detecting vulnerable domains through passive reconstruction of domain dependency chains.

The framework enables us to detect the subdomains of Tranco sites on a daily basis. We evaluate the effectiveness of HostingChecker and eventually detect 10,351 subdomains from Tranco Top-1M apex domains vulnerable to domain takeover, which are over 8× more than previous findings.

Furthermore, we conduct an in-depth security analysis on the affected vendors, like Amazon and Alibaba, and gain a suite of new insights, including flawed implementation of domain ownership validation.

Following responsible disclosure processes, we have reported issues to the security response centers of affected vendors, and some (e.g., Baidu and Tencent) have adopted our mitigation.

1. history

• 2020. 670 Subdomains of Microsoft are Vulnerable to Takeover. https://vullnerability.com/blog/microsoft-subdomain-account-takeover

• https://nakedsecurity.sophos.com/2020/03/06/researcher-finds-670-microsoft-subdomains-vulnerable-to-takeover/

• https://techcommunity.microsoft.com/t5/microsoft-defender-external/identify-digital-assets-vulnerable-to-subdomain-takeover/ba-p/3700773

• 2020. American News Site's Subdomains Left Open for Takeover. https://www.wizcase.com/blog/cbslocal-vulnerabilty-research/


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/danglingDNSrecords/Mingming Zhang (last edited 2023-04-08 11:53:15 by ToshinoriMaeno)