Project Resonance Wave 1: Internet-Wide Analysis of Subdomain Takeover
At RedHunt Labs, we regularly perform various internet-wide studies under Project Resonance, to keep up with ever-changing cyberspace as well as to enrich our product NVADR. This blog post is about one of our recent studies related to misconfigured CNAME records that can cause subdomain takeovers on a massive scale.
Introduction to Subdomain Takeover
DNS is the backbone of the internet. It is often called the internet’s phone book as it maps human-perceivable domain names to IP addresses that computers understand. Without DNS, there wouldn’t be online websites that can be remembered. There’s no google.com, twitter.com, or redhuntlabs.com, just a weird sequence of numbers.
A domain can be pointed to an IP address or another domain/host using DNS records such as A, CNAME, DNAME, etc. A domain/subdomain cannot be taken over, when both the DNS record and the resource it points to (IP or another domain), is under control. If the owner of the domain loses ownership of the resource the DNS record points to, the resource itself might become claimable.
Here are a few HackerOne reports showing how attackers claimed the resources pointed by stale DNS records of famous companies. Searching for it on HackerOne gives 100+ such reports. Few reports show how attackers were able to exploit / bypass other web app functionalities with the help of this vulnerability.
How does it work?
Let’s say a developer wants to create a web app for his newly created organization. A decade ago, this process would be something similar to this: buy/lease an IP address, host your website on the server and point the DNS record to this IP. This process remained the same even if you wanted to host a static website or a landing page.
With the increase of Cloud and other SaaS services, now all the developer needs to do is use a service to host the website and point the DNS record to the resource. For example, at Heroku, such a domain/subdomain would take the form “newproject.herokuapp.com”. The developer will ultimately want the web app to appear to be hosted on a domain/subdomain (say, app.neworg.com) of his own organization’s domain. Therefore, he makes use of a CNAME record which is configured to forward all queries to his organization’s subdomain, i.e. app.neworg.com, to the cloud provider’s subdomain, newproject.herokuapp.com, where the web app is hosted.
Now the potential for a subdomain takeover occurs when the webpage hosted at the cloud provider is deleted but the DNS entry is retained. The attacker simply now re-registers the host at the cloud provider, adds the organization’s subdomain as an alias, and thus controls what content is hosted. Since the stale CNAME records originally have not been removed, app.neworg.com starts serving the attacker-controlled content.
What we did.
Our motivation was to perform a survey and analyze the status quo of vulnerable domains/subdomains in the present cyberspace. We conducted an internet-wide survey consisting of approximately 220 million hosts collected by our thousands of bots collecting various kinds of asset information from all over the internet. A database was created which contained CNAME records and related fingerprints of several vulnerable platforms, many of which we ingeniously studied to see if they can be taken over (if added as a service) as well as picked some of them that are already known to be vulnerable.
An automation setup was designed to effectively perform the task of checking whether the domains/subdomains were vulnerable to takeover.
The entire setup consisted of mainly 3 components:
- DNS Resolving: This component was mainly entitled to the task of mass resolving domains to their CNAME records by making DNS queries. It took input from the input-queue consisting of domains/subdomains and generated an output compatible with the HTTP component.
- HTTP Response Grabbing: The output from the DNS resolving entity was fed into this element, which did with the task of making mass HTTP queries to the domains and look for potential takeovers.
- Filtering & Analysis: This component took the load of filtering out false positives from the results obtained through several layers before flagging a domain as vulnerable. This constituent also performed an analysis of the data obtained.
The system was designed to intelligently detect possible takeovers while handling all kinds of exceptions and keeping in mind other complications of the HTTP protocol. The tool was also suited to follow the pattern of the database which was created. The flowchart below defines the overall logic around which the tool functioned:
Taking a deep dive at the statistics generated by our research, surprised us by the massive numbers. The first thing that came to our notice was the fact a total of 33 services that (unintentionally) allowed for potential subdomain takeovers, were identified. Interestingly, a large percent (62%) of vulnerable DNS records pointed to Shopify. This also indicates that most of the vulnerable domains belonged to the E-commerce industry, signifying that e-commerce still remains largely affected by security issues.
In the other half of results, Unbounce (landing pages creator) ranked second highest in the vulnerable share consuming about 14% of vulnerable domains, followed by Heroku (9%), GitHub Pages (4%), Bigcartel (2%), Tumblr (1%), Webflow (1%) and Pantheon (1%). The remainder 20% of the shares consisted mostly of WordPress, Surge.sh, AWS, etc, with HelpJuice comprising the least of the shares (just 15 takeovers).
Diving deeper into the results obtained, our first and foremost observation was that amongst Alexa Top 1000 domains, we identified 139 possible takeovers.
A very significant pattern which we observed was that interestingly the most common vulnerable subdomain was ”www”, which means most of the stale records pointed to the “home subdomain” of the sites. The next popular subdomain name was “shop”, followed by “store” and “blog”.
Analyzing all the domains within our database, we also found ~200 non-functional .gov site subdomains prone to takeover. An extremely mind-boggling observation here was that one of the domains had implemented a wildcard CNAME record, and the service to which it was pointing was non-existent (i.e. claimable). The security impact of such a case is beyond comprehension because a wildcard CNAME entry implies that *.site.tld will resolve, signifying that once the service has been taken over, not only the existing ones but non-existent subdomains of the site will also resolve to the attacker-controlled service.
We also observed that several (around ~1K) subdomains were .edu sites that were vulnerable to takeover. Unbounce and Pantheon were among the top popular vulnerable services within the .edu domains. The results included subdomains from a lot of prestigious universities. This also sheds some light on the kind of infrastructure that some of the top educational sites use.
On the other hand, healthcare, wellness, and fitness sites too consumed a significant share of the vulnerable subdomains (around ~5K). In this case, Unbounce and Strikingly took the top places in vulnerable services. A worth noting point in this section is the diverse set of results that had been harvested, which ranged from sellers of pharmaceutical items to online consultancy services, from fitness centers to healthcare gear distributors, denoting that all of them were significantly affected by security issues.
The sports and gaming section too had around ~4K takeovers while the entertainment sector consumed a minor share (around 500). Similar to the health sector, this too affected a wide range of offerings, from several video game retailers to sport-specific training providers. The list is long and we can continue reading from our insights but we just decided to focus on the major ones for now.
Implications of a takeover.
Following an attacker’s perspective, such takeovers can be abused in several ways:
- Since a subdomain represents a part of the organization, a subdomain takeover can allow an attacker to serve malicious content or misguiding information and thus cause Brand Reputation loss, User Distrust and Negative PR.
- It has previously come to light that internal emails can be actively intercepted just by claiming a simple webhook of the third-party service (e.g. Sendgrid) which an application might be using for email marketing.
- OAuth whitelisting of a vulnerable subdomain might be a cause of trouble, because an attacker can redirect users to the vulnerable subdomain during the OAuth workflow, thus leaking their OAuth token.
- CORS can be abused by attackers to harvest sensitive information from authenticated users if a subdomain whitelisted by the CORS rule gets taken over.
- Clickjacking: By framing content from a whitelisted subdomain that has been taken over, an attacker can serve malicious content to the visitors of the site using IE, Edge, and Safari, due to browser behavior (well described in Cure53’s Browser Security Whitepaper).
- If any one of the whitelisted hosts within a CSP gets taken over, the attacker can freely execute malicious client-side code via the application.
First and foremost, looking at the insights, subdomain takeovers (i.e. security issues in general) affect an incredibly wide portion of the internet, from the e-commerce sector to education, healthcare, sports, and even the entertainment industry. This throws a flood of light on the security posture of the various sectors of the internet as a whole.
This study also raises a very crucial point which puts into consideration the discovery and tracking of assets, which in-spite of being an extremely vital task, is clearly not being feasibly done. Despite some bigger organizations having dedicated security teams, such a task becomes a monumental problem due to their ever-expanding infrastructure. As a company grows, the number of assets belonging to a company too starts increasing exponentially, and it agreeably becomes quite tedious to keep a track of these assets, continuously. This is also listed as one of the major challenges in our blog: CISO’s Guide to Attack Surface Management
Last but not the least, as security researchers we believe that our studies and insights deep into cyberspace are always for the betterment of the security community and industry leaders. Therefore as a small contribution, we hereby release a dataset consisting of the top vulnerable subdomain names that appeared in our results.
Complete list of Top Vulnerable Subdomain Names on our GitHub Repository: Download Link
How to monitor?
Attack surface management, especially subdomains, is crucial from a business as well as a security point of view because a subdomain can directly affect an organization’s reputation. Having subdomains compromised is a security incident and can potentially result in breaches, loss of user trust, and brand reputation loss along with potential compromise of confidentiality, integrity and availability.
As a solution to this, we at RedHunt Labs, help our clients continuously discover, monitor, and track subdomains (along with a variety of other untracked assets) owned by them and check for subdomain takeovers (along with several other security vulnerabilities) on a continuous basis using NVADR.