.png)
3 years ago
212 BOOK THIS SPACE FOR AD
ARTICLE AD
Subdomain TakeOver vulnerabilities:
Here we address the basic issues of the Subdomain Takeover vulnerability and examine how this vulnerability existed in the cafebazaar and is now patched.
Subdomain Takover or subdomain acquisition is the process of registering a non-existent domain to acquire all existing domains, ie if this vulnerability is discovered, the main domain as well as all subdomains of an organization will be compromised.
To make the point clearer, let’s look at a basic topic in DNS.
Cafe Bazaar is an Iranian Android marketplace founded in April 2011, In April 2019 Cafe Bazaar announced it has surpassed 40 million users.
CNAME record:
Canonical Name Record is one of the DNS capabilities to build a pointer domain to another domain, so what does this mean? What is its use?
Consider the following scenario for example
scenario:
Consider that cafebazaar intends to launch a campaign for a limited time to receive user feedback about your organization’s website, now to design a survey form, you would prefer to use a survey form service system that has ready-made survey form templates. And it works in such a way that after registering in the website, you can easily design a survey form and then you can choose a domain address, but this domain is a subdomain of that company, for example, if the formmakers form system name. .com and you create an account for yourself in that system and choose a domain name, such as cafebazaar.
Now, if you come to your website, let people know that they go to cafebazaar.formmakers.com and fill out this form, but since in the field of SEO and credibility for your organization, the domain name plays an important role. It can and will increase your credibility both in terms of users and in terms of search engines, seeing the address cafebazaar.formmakers.com inside the browser address or search results is not as beautiful as form.cafebazaar.ir.
Using CNAME is useful here, you can create a CNAME record on your DNS server and say that every user who applied for form.cafebazaar.ir should be referred to cafebazaar.formmakers.com, but the difference is with redirecting the user What is it in? The difference is that it is true that the displayed content belongs to the address cafebazaar.formmakers.com, but the address shown in the browser is form.cafebazaar.ir, and this issue increases the credibility of the organization and creates more trust for the user. میاره. See the image below:
As you can see in the image above, I designed the process of entering the address form.cafebazaar.ir in the browser until the final result in the image above.
Now that we understand the importance of the CNAME record and the rest of the story, let’s look at how the vulnerability arises.
Follow the previous scenario we talked about. Now, cafebazaar will end its campaign and delete its account in the online form maker website, ie formmakers.com, and from now on, when people enter the address form.cafebazaar.ir Because the form-creating account related to the address cafebazaar.formmakers.com has been deleted, users will encounter the error “there is no such form-building account” and the site formmakers.com says that there is no such domain as cafebazaar.formmakers.com.
If you remember, at the beginning of the article we said that:
Subdomain Takover or subdomain acquisition is the process of registering a non-existent domain to acquire all existing domains, ie if this vulnerability is detected, the main domain as well as all subdomains of an organization will be compromised.
Did you understand? The site formmakers.com says that this account does not exist !!!! This means that we can create this account.
Now we have to get the name of the main account, Destination Domain, related to this Source Domain so that we can go and register it. To get the original name, the domain name registered on formmakers.com, we have to see that DNS Server has a market for the form domain. .cafebazaar.ir refers to which subdomain of formmakers.com, to do this, we must request the CNAME record in the DNS Server of cafebazaar and see its value so that we can go and register it, we must request an NS type for DNS Server Cafe Bazaar send:
This means that if we register on the formmakers.com website and select the cafebazaar address for ourselves when choosing the domain name that I mentioned at the beginning of the article, the formmakers.com website will come and register the cafebazaar.formmakers.com address for us. And delivers to us.
But does that mean that from now on we will give the address cafebazaar.formmakers.com to people? That it is very low level and the acquired domain does not end at cafebazaar.ir ?!
Answer: Because the DNS Server still has the old CNAME Record cafebazaar and is pointing to the address cafebazaar.formmakers.com and the value of this record is form.cafebazaar.ir, it means that we also own the form.cafebazaar.ir domain. And all this is due to the Misconfiguration applied to the DNS Server.
The following image is from the settings section of formmakers.com, where we mention the target domain name we want to takeOver:
Now why do we need to worry so much about subdomains? What happened now? Let me tell you what happened:
According to the browser cookie standard RFC6265, all cookies on a domain are sent to all subdomains, and all subdomains are readable.
Ability to read HTTPonly cookies by javascript
Ability to read secure cookies due to the presence of ssl on the acquired domain
Ability to submit a survey form and collect user information from the trusted domain form.cafebazaar.ir
Ability to exploit potential OpenRedirect vulnerabilities in Cafe Bazaar, which only allow redirects to YYY.cafebazaar.ir subdomains, and since we have acquired the form.cafebazaar.ir domain, we can replace YYY and according to the mechanism OAuth implemented in CafeBazaar, let’s start AccountTakeOver
Distribution of malicious applications by the largest market for distributing Android applications by the trusted domain form.cafebazaar.ir
Spreading false news and damaging the credibility of the trusted domain form.cafebazaar.ir
And take more action with respect to infiltrator creativity ……
Well, in relation to the first topic, I must summarize that you can read cookies set on a domain by its subdomains (in certain condition)
But there is a problem, and that is that we need the ability to execute JavaScript code on the acquired domain to read the cookies of other domains and apply more risks, and I could not do that with the theory that owning a domain, but no PoC I do not have to go forward and the next problem arose here that this form building system does not allow JavaScript code to enter 🙁 What to do? Am I worried ?! No.
To make this vulnerability critical and to address the security vulnerabilities mentioned above, I started to find ZeroDay XSS on this platform, and after finding 5 Reflected XSS vulnerabilities, after 3 days, I still have the level The vulnerability was low because a link containing XSS exploit had to be given to the user and I did not want to interact with the user because the vulnerability was low. what do we do? Shameless ?! No.
On day 7, after hours of testing, I was finally able to find the Stored XSS vulnerability, which was where the vulnerability was at its highest. Critical
After reporting the vulnerability to cafebazaar team, initially the’ve misunderstood the vulnerability was out of scope
What should we do now? give up? Noooooooo!
I started to check the In Scopes of CafeBazaar and realized the following:
As we talked about in the middle of the article, the vulnerability was not related to the form.cafebazaar.ir domain, but to the old DNS record, but it had to be fixed. The image above is the In Scope list, the image below shows that the DNS Server for the Market Cafe included this Range IP:
after sending the above information, they’ve approved and rewarded me, thanks cafebazaar ❤
Bengali (Bangladesh) · 
English (United States) ·