Find Your First Bug —#1 Subdomain Takeover

4 years ago 158

iamj0ker

Hey guys, I know you are probably reading this because you want to find your first bug. I am planning to write a series on this that shows vulnerabilities which can be found easily. I hope I can keep it up and that you will like the series.


Picture taken from https://smaranchand.com.np/2019/12/subdomain-takeover-via-pantheon/

I am not a pro hacker here to teach you, but I like to give back to the community since I learned from it. So let’s get straight into the subject.

A subdomain takeover is defined as follows: “Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization’s subdomain via cloud services like AWS or Azure. … The potential for a subdomain takeover occurs when the webpage hosted at the cloud provider is deleted but the DNS entry is kept.”

In simple words: a company uses a subdomain that points at a service such as AWS, Bounce Pages, GitHub Pages, and so on. Later they remove the original content but forget to remove the DNS record that points to the service, that is, the CNAME. When an attacker visits that subdomain it may show the CNAME target, or you can find it by typing dig victim.domain.com in the terminal, which shows that the subdomain’s CNAME is something.com. If that name is not yet claimed by anyone on the service, you can go to something.com and claim (buy) it. I can’t explain the whole procedure here since it differs from service to service. The easiest methods for finding CNAMEs are:

- dig subdomain.domain.com on the Linux terminal
- https://mxtoolbox.com/DNSLookup.aspx — search your subdomain here
- https://toolbox.googleapps.com/apps/dig/#CNAME/ — search your subdomain here

So what you have to look for is whether the subdomain has a CNAME pointing somewhere that is not yet claimed (mostly you will see a 404 page). Then search Google for “something.com subdomain takeover”, where something.com is the CNAME target. If you can’t find the result you need, just go to https://something.com; mostly that cloud provider’s website will explain how to connect a custom domain to it.
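The dig output described above can also be read programmatically, which is how a defender would sweep their own zone for records that need deleting. The following is an added example, not code from the original post: it parses constructed dig output, pulls the CNAME chain out of the ANSWER section and flags the pattern a dangling record produces, a CNAME answer together with status NXDOMAIN. The hostnames, the .example provider name and both sample outputs are constructed; nothing is queried live.

```python
import re

# Constructed sample of `dig shop.example.com` output (not real DNS data):
# the subdomain still has a CNAME, but the target host no longer exists.
DIG_DANGLING = """\
; <<>> DiG 9.16.1 <<>> shop.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;shop.example.com.\t\tIN\tA

;; ANSWER SECTION:
shop.example.com.\t300\tIN\tCNAME\tshop-old.hosting-provider.example.

;; AUTHORITY SECTION:
hosting-provider.example.\t900\tIN\tSOA\tns1.hosting-provider.example. hostmaster.hosting-provider.example. 1 7200 900 1209600 86400
"""

# Constructed sample of a healthy record: the CNAME chain ends in an address.
DIG_HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712

;; ANSWER SECTION:
www.example.com.\t300\tIN\tCNAME\tweb.hosting-provider.example.
web.hosting-provider.example.\t60\tIN\tA\t192.0.2.10
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# owner  TTL  IN  TYPE  rdata   (only the record types this check cares about)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)\s*$")


def parse_dig(output):
    """Return (status, records); records are (owner, type, rdata) tuples
    taken from the ANSWER section only, with trailing dots removed."""
    match = STATUS_RE.search(output)
    status = match.group(1) if match else "UNKNOWN"
    records = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer block
            in_answer = False
        if not in_answer:
            continue
        rr = RR_RE.match(line)
        if rr:
            owner, _ttl, rtype, rdata = rr.groups()
            records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return status, records


def classify(output):
    """Label one dig result. 'dangling-cname' is the signature worth reviewing:
    the zone still publishes a CNAME, but the resolver reports that the
    target name does not exist."""
    status, records = parse_dig(output)
    cnames = [rdata for _, rtype, rdata in records if rtype == "CNAME"]
    has_address = any(rtype in ("A", "AAAA") for _, rtype, _ in records)
    if cnames and status == "NXDOMAIN":
        return "dangling-cname", cnames[-1]
    if cnames and has_address:
        return "ok", cnames[-1]
    if cnames:
        return "cname-unresolved", cnames[-1]
    return "no-cname", None


if __name__ == "__main__":
    for name, sample in (("shop.example.com", DIG_DANGLING), ("www.example.com", DIG_HEALTHY)):
        verdict, target = classify(sample)
        print(f"{name}: {verdict} (CNAME target: {target})")
```

A dangling flag is only a cue, not proof: the provider may not let anyone claim the name, and some providers answer NOERROR with an A record and serve a 404 page instead, which this parser cannot see. That is exactly why the post says to visit the host and search for the provider by name; on the defending side, the cue is enough to open a ticket to delete the record.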

My method, which is easy, is:

1. Enumerate all the subdomains using masscan, amass, sublist3r, certspotter.com, crt.sh etc.
2. Combine all the subdomains found using the above tools.
3. Find the live subdomains from the combined list using httprobe.
4. Then I use nuclei by ProjectDiscovery, which is an awesome tool:

cat livesubdomains.txt | nuclei -v -o output.txt -t /nuclei-templates-directory/subdomain-takeover

That’s all; it will mostly find the takeover-able subdomains, if any. The bug is P2 if the subdomain is an important one and P3 for other subdomains. So don’t feel bad: it is simple to find but hard to get one. If you are lucky and work hard on various domains you might get it. All the best, buddy.
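Step 2 of the method (combining the lists from several tools) is where most mistakes happen, because every tool emits a slightly different shape: httprobe prints URLs with schemes and ports, DNS tools often leave a trailing dot, certificate transparency sources return wildcard and mixed-case names, and some sources include hosts outside the domain you are working on. The following is an added example, not the post’s own code; the three input lists are constructed, and the choice to reduce a wildcard entry such as *.example.com to its parent is an assumption. It normalises every entry and keeps only unique hosts under the chosen root.

```python
import re

# Constructed sample output from three enumeration sources (not real data).
# Each tool emits a slightly different shape.
AMASS_OUT = ["shop.example.com", "Blog.Example.com", "cdn.example.com."]
CRTSH_OUT = ["*.example.com", "blog.example.com", "dev.example.com", "example.com"]
HTTPROBE_OUT = ["https://shop.example.com", "http://dev.example.com:8080",
                "https://evil.example.net"]

# optional scheme, hostname, optional port, optional trailing slash
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+)(?::\d+)?/?$")


def normalize(entry):
    """Turn one raw line into a bare lowercase hostname, or None if it is
    not a usable host. Assumption: a wildcard entry such as *.example.com
    (common in certificate transparency data) is reduced to its parent."""
    entry = entry.strip().lower()
    if entry.startswith("*."):
        entry = entry[2:]
    match = HOST_RE.match(entry)
    if not match:
        return None
    host = match.group(1).strip(".")
    return host or None


def merge_subdomains(sources, root):
    """Combine lists from several tools into one sorted, de-duplicated list
    of hosts that belong to `root`. Names outside the root are dropped so
    the later httprobe and nuclei steps only see in-scope hosts."""
    root = root.lower().strip(".")
    found = set()
    for entries in sources:
        for entry in entries:
            host = normalize(entry)
            if host and (host == root or host.endswith("." + root)):
                found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for host in merge_subdomains([AMASS_OUT, CRTSH_OUT, HTTPROBE_OUT], "example.com"):
        print(host)
```

Feeding the merged list to httprobe and then to nuclei, as in step 3 and step 4, works the same way whether you are hunting on a program or auditing your own zone: the cleaner the list, the fewer duplicate findings and out-of-scope hits you have to throw away afterwards.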

I reported 3 subdomain takeovers to various programs: 1 accepted, 1 duplicate and 1 not yet triaged; maybe it will get triaged next week.

If you like this, feel free to share it with your hacking community. And if you are rich enough to give me something, you can buy me a coffee here: https://www.buymeacoffee.com/iamj0ker

Connect with me on Twitter: iamj0ker (new to Twitter)

My other write-ups

My Journey into Bug Bounty(as a beginner)

After Two Months in Bug Bounty
