Week 12 - Subdomain Takeovers


Last updated 2 years ago

Finding Subdomain Takeovers

In week 12 of the Web Hacking series, we’ll be mixing it up a little and covering a DNS-related issue. Are you part of an organization with a large web presence, often involving blogs, repositories, and shops? Depending on your DNS settings, you may be vulnerable to Subdomain Takeover. Subdomain Takeover occurs when an attacker can completely own and write content to one of your organization’s subdomains. This happens because admins often remove a blog, repository, or shop from a subdomain but forget to also remove the DNS CNAME record, which the service uses to verify ownership of the subdomain.

So how can we exploit it? My favorite way to approach Subdomain Takeover is to start with enumeration. I use tools like Sublist3r, Knockpy, and VirusTotal to thoroughly enumerate existing subdomains. I then determine whether each subdomain returns a valid response or just triggers a timeout/gateway error.

Assuming you receive a valid response, the next step is to assess what that response looks like and whether it is vulnerable. Focus especially on whether the response appears to be issued by a popular service (Shopify, GitHub, WordPress, etc.). The best way to accomplish this is to consult EdOverflow’s GitHub repo linked in the comments, as it shows you which services are vulnerable to Subdomain Takeover and which are not. It also links documentation and discussion on each service for further study.

If a site appears to be vulnerable, all you have to do is register an account on the service the domain points to (Shopify, GitHub, WordPress, etc.) and claim the subdomain. Since the subdomain is already pointing to their service, no further verification is required. You can completely own it!

There are many potential attack vectors (phishing, for one) once you own a victim subdomain, but an interesting one is using it to bypass CORS. That’s right: in most cases you won’t need to worry about finding a CORS misconfiguration, since subdomains are often within the allowed origin. Check out my earlier post on CORS exploitation for an in-depth discussion.
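As an added example (not part of the original post), here is the defender-side version of the check described above: a small Python audit that walks a zone export, pulls out the CNAME records, and flags any that point at a third-party service whose response says the host is unclaimed, or that no longer answer at all. The zone excerpt, the canned HTTP responses and the fingerprint strings are constructed assumptions for the demo; real fingerprints come from the EdOverflow repo mentioned above.

```python
import re
# Service suffix -> text an UNCLAIMED host on that service returns. PLACEHOLDER strings
# (assumption); real fingerprints are catalogued in EdOverflow's repo the post refers to.
UNCLAIMED_FINGERPRINTS = {
    "github.io": "[placeholder: GitHub Pages 'no site here' message]",
    "myshopify.com": "[placeholder: Shopify 'shop unavailable' message]",
    "wordpress.com": "[placeholder: WordPress.com 'site does not exist' message]",
}
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)$", re.IGNORECASE)

def parse_cnames(zone_text, origin):
    """Return (owner, target) pairs for the CNAME records in a BIND-style zone export."""
    records = []
    for raw in zone_text.splitlines():
        m = CNAME_RE.match(raw.split(";", 1)[0].strip())  # drop comments; non-CNAME lines skip
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        if not name.endswith("."):                         # qualify relative owner names
            name = f"{name}.{origin}"
        records.append((name.rstrip("."), target.rstrip(".")))
    return records

def classify(name, target, probe):
    """'no_response' = dead target; 'takeover_risk' = unclaimed third-party host; else 'ok'."""
    body = probe(name)
    if body is None:
        return "no_response"
    for suffix, fingerprint in UNCLAIMED_FINGERPRINTS.items():
        if (target == suffix or target.endswith("." + suffix)) and fingerprint in body:
            return "takeover_risk"
    return "ok"

# Constructed zone excerpt (example.org is a reserved documentation domain).
SAMPLE_ZONE = """\
www      IN A     203.0.113.10
blog     IN CNAME example-blog.wordpress.com.   ; blog decommissioned, record left behind
shop     IN CNAME example-store.myshopify.com.
docs     IN CNAME example-org.github.io.
old-cdn  IN CNAME cdn.legacy-provider.example.  ; provider no longer exists
"""
# Constructed stand-in for an HTTP probe; a real audit would issue a GET with a timeout.
CANNED_RESPONSES = {
    "blog.example.org": UNCLAIMED_FINGERPRINTS["wordpress.com"],
    "shop.example.org": "<html>Welcome to the Example store</html>",
    "docs.example.org": UNCLAIMED_FINGERPRINTS["github.io"],
}

def audit_sample():
    return {n: classify(n, t, CANNED_RESPONSES.get) for n, t in parse_cnames(SAMPLE_ZONE, "example.org")}
```

Records classified as takeover_risk are the dangling CNAMEs to delete (or re-claim on the service) before anyone else registers them; no_response entries point at infrastructure that has already gone away and should be removed too.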
