Subdomain Takeover Writeup
This post was written by Prial Islam and published on his Medium blog; it is republished here as a contributor post on our blog. Note that the post is written by Prial Islam, and any mistakes in it are his to answer for. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you are interested in sharing your findings through our platform, just sign up on the blog and you can post freely.
Hi Readers,
Today I will write about subdomain takeover. It is a common security issue caused by a developer mistake: a DNS CNAME record for one of their subdomains is left pointing at an unused or unclaimed third-party service, and an attacker can claim that subdomain through the external service it points to, which can lead to serious issues such as attacker-controlled content being served under the victim's domain. You can learn more about subdomain takeover on the Detectify blog.
While testing flock.com I found the domain flock.co, which belongs to the Flock company. So I started looking at its subdomains and found newdev.flock.co. When I visited the subdomain in a browser I got an error like the one in the screenshot below:-
This caught my attention, so I checked the DNS records for the subdomain.
R3liGiOus_HuNt3r$ dig newdev.flock.co

; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co. IN A

;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 22.214.171.124
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 126.96.36.199

;; Query time: 69 msec
;; SERVER: 188.8.131.52#53(184.108.40.206)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175
From the above records we can see that the subdomain is a CNAME to cname.readme.io. So I started reading the custom-domain documentation on the readme.io website to understand how it works. From their documentation I understood that:-
- You need a subdomain pointing to your readme.io subdomain [yoursubdomain.readme.io].
- Your subdomain should be configured in the domain settings on the following page: https://dash.readme.io/project/<project
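The manual check above (read the CNAME chain, work out which third-party service it ends at, then see whether the tail still resolves) is easy to automate. The script below is an added example, not code from the original post or from readme.io: it parses dig output, follows the CNAME chain and flags hops that land on a watch-listed service. The sample input is the ANSWER SECTION of the dig query above, re-typed as a constant so it runs offline; the service suffix list is an assumption chosen for this example, and assess_live is only a convenience wrapper around the real dig binary.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample input: the ANSWER SECTION of the dig query shown above,
# re-typed here so the script runs offline (addresses are as printed on the page).
SAMPLE_DIG = """\
;; ANSWER SECTION:
newdev.flock.co.        299 IN CNAME cname.readme.io.
cname.readme.io.        299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 22.214.171.124
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 126.96.36.199
"""

# Assumption: a hand-picked watch list of services that let customers attach a
# custom domain. Extend it for your own scope; it is illustrative, not complete.
THIRD_PARTY_SUFFIXES: Dict[str, str] = {
    "readme.io": "readme.io",
    "elb.amazonaws.com": "AWS ELB",
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
}

Record = Tuple[str, str, str]  # (owner, type, rdata), trailing dots stripped
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


def parse_answer(dig_output: str) -> List[Record]:
    """Pull resource records out of dig output, ignoring ';' comment lines."""
    records: List[Record] = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return records


def cname_chain(records: List[Record], name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAME records from `name`; returns every name visited, in order.
    Stops at a name with no CNAME, on a loop, or after max_hops."""
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    chain = [name.rstrip(".")]
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:  # CNAME loop; bail out rather than spin
            break
        chain.append(nxt)
    return chain


def third_party_hops(chain: List[str]) -> List[Tuple[str, str]]:
    """Hops (after the first) that land on a watch-listed service."""
    hits = []
    for hop in chain[1:]:
        for suffix, service in THIRD_PARTY_SUFFIXES.items():
            if hop == suffix or hop.endswith("." + suffix):
                hits.append((hop, service))
                break
    return hits


def tail_resolves(records: List[Record], chain: List[str]) -> bool:
    """True if the end of the chain has an A/AAAA record in the answer.
    False is the classic dangling-CNAME symptom (NXDOMAIN on a live query)."""
    tail = chain[-1]
    return any(o == tail and t in ("A", "AAAA") for o, t, _ in records)


def assess(dig_output: str, name: str) -> dict:
    """Summarise what a takeover attempt against `name` would have to target."""
    records = parse_answer(dig_output)
    chain = cname_chain(records, name)
    return {
        "chain": chain,
        "third_party": third_party_hops(chain),
        "tail_resolves": tail_resolves(records, chain),
    }


def assess_live(name: str) -> dict:
    """Same check against a real `dig` run (needs network and the dig binary)."""
    out = subprocess.run(["dig", name], capture_output=True, text=True, check=True).stdout
    return assess(out, name)


if __name__ == "__main__":
    result = assess(SAMPLE_DIG, "newdev.flock.co")
    print(" -> ".join(result["chain"]))
    for hop, service in result["third_party"]:
        print(f"third-party hop: {hop} ({service})")
    print("tail resolves:", result["tail_resolves"])
```

On the records from this writeup it reports the chain newdev.flock.co -> cname.readme.io -> the ELB hostname, two third-party hops, and that the tail resolves. That last point is the caveat this case illustrates: the chain resolved fine (status NOERROR, two A records), so a scanner that only looks for NXDOMAIN at the end of the chain would have marked it safe. The script finds candidates; whether the provider lets you bind the custom domain without proving ownership still has to be checked by hand, as the author did.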
So to take over the subdomain I needed to check whether cname.readme.io was already claimed or not. Unfortunately it was already claimed 🙁. But I have seen that many such services do not force users to verify ownership of a domain (for example by requiring a TXT record alongside the CNAME to their service subdomain), so there was still hope.
I opened an account on readme.io and got the subdomain newdev.readme.io. Then I went to the domain settings at https://dash.readme.io/project/newdev/v1.0/domains, entered newdev.flock.co in the Custom Domain field and saved the changes.
The screenshot shows the page being served from my trial account. In the web page title you will see the project name I used while creating the project. So now this domain is serving my content from the newdev.readme.io project page.
How to avoid such issues? :- Always keep your DNS records up to date: remove CNAME or any other DNS records that are no longer in use, and remove them before cancelling the third-party service rather than after. Note that in this case the CNAME target still resolved (status NOERROR with A records), so a check that only looks for non-resolving targets would have missed it; what mattered was that the provider did not verify ownership of the custom domain.
If you find a security vulnerability feel free to contact them via email@example.com
Thank you for reading this Subdomain Takeover writeup. More bug bounty writeups are coming soon; stay with us and follow us on social networks to get notified. If you are a new bug hunter or web penetration tester, this blog will help you. Please also share this post with your friends. Happy hunting!
Writeup Submit: Prial Islam Khan
Blog Author: Md Hridoy
Copyright By © Bug Bounty TuT