How I Took Over a Vercel Subdomain


Joel I Patrick

Hello, fellow Security Enthusiasts and Bug Bounty Hunters!

I’m Joel, here to share a critical yet often overlooked security issue. This time, we’re exploring a niche yet critical security misconfiguration – Vercel Subdomain Takeover. While researching this topic, I noticed a lack of comprehensive resources, which motivated me to share my findings and experiences with you all.

So, let’s get started…

A subdomain takeover occurs when a subdomain points to an external service that is no longer active or has been misconfigured. This misalignment allows malicious actors to claim control over the subdomain, enabling them to host unauthorized content or execute malicious activities under the trusted domain name.

Vercel is a popular platform for deploying frontend applications, offering seamless integration with services like GitHub. Users can link custom domains or subdomains to their Vercel projects. However, if a project is deleted or the domain is unlinked without updating the DNS records accordingly, the subdomain remains pointed to Vercel’s infrastructure. This dangling DNS record can be exploited by attackers to take control of the subdomain.

Example Scenario:

sub.domain.com is configured to point to cname.vercel-dns.com via a CNAME DNS record, directing traffic to a Vercel-hosted application.

The application on Vercel is removed, but the DNS record sub.domain.com CNAME cname.vercel-dns.com remains unchanged.

An attacker notices that sub.domain.com returns a 404: NOT_FOUND error. They then create a project on Vercel and add sub.domain.com to their project. Since the DNS still points to Vercel, the attacker now controls sub.domain.com.

Access the subdomain via a web browser or command-line tools like curl to observe the HTTP response.

[Figure: Using curl to observe the HTTP response]

Specific response indicators suggest a potential takeover vulnerability. Messages such as 404: NOT_FOUND or DEPLOYMENT_NOT_FOUND indicate that the subdomain points to Vercel, but no active deployment exists. Pages displaying Vercel branding with messages about missing deployments suggest the subdomain is configured on Vercel but lacks an active project.

[Figure: Accessing the subdomain via a web browser]

Utilize DNS lookup tools (like dig or Google Toolbox) to inspect the DNS records of the subdomain. A subdomain configured to use Vercel typically has a CNAME record pointing to cname.vercel-dns.com.

[Figure: Using the dig tool to inspect the DNS records of the subdomain]

Sign up on Vercel using your preferred method (e.g., GitHub, GitLab, email). Create a new repository on GitHub and upload your static site’s files, ensuring the index.html is in the root directory. Use Vercel’s dashboard to deploy this project.

[Figure: Importing the PoC repo from GitHub]

Navigate to the project’s Settings > Domains section in the Vercel dashboard. Click on “Add Domain” and input the vulnerable subdomain. If the subdomain’s DNS still points to Vercel (cname.vercel-dns.com) and no other Vercel project has claimed it, the subdomain will be successfully added to your project.

Vercel verifies domain ownership by checking DNS records. If a subdomain points to cname.vercel-dns.com and isn't claimed by another project, Vercel allows you to associate it with your project without additional verification.

After adding the subdomain, access appdev.redacted.com in a browser. If the takeover is successful, the subdomain will display the content of your deployed project, confirming control over the subdomain.

[Figure: Successfully performed subdomain takeover]

To prevent subdomain takeovers, use Vercel’s domain verification methods, such as adding TXT records, to block unauthorized claims. Learn more about domain verification.

When discontinuing a service, ensure associated DNS records are promptly updated or removed. Periodically review DNS records to identify and remove those pointing to unused services.
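The periodic DNS review described above can be scripted by a domain owner against their own zone export. The following is an added example, not code from the original article: it finds CNAME records that point to cname.vercel-dns.com and labels each host using the response indicators named earlier. The zone lines, hostnames and responses are constructed samples, and the function names and the `probe` callback are hypothetical.

```python
"""Audit a DNS zone export for dangling Vercel CNAME records (added example)."""

VERCEL_TARGET = "cname.vercel-dns.com"  # CNAME target named in the article
DANGLING_MARKERS = ("404: NOT_FOUND", "DEPLOYMENT_NOT_FOUND")  # from the article

# Constructed sample zone export (BIND-style lines); hostnames are placeholders.
SAMPLE_ZONE = """\
www.example.test.      300  IN    CNAME cname.vercel-dns.com.
appdev.example.test.   300  IN    CNAME cname.vercel-dns.com.  ; old app
docs.example.test.     300  IN    CNAME Cname.Vercel-DNS.com.
mail.example.test.     300  IN    A     192.0.2.10
blog.example.test.     300  IN    CNAME hosting.example.net.
"""

# Constructed probe results standing in for live HTTP responses: host -> (status, body).
SAMPLE_RESPONSES = {
    "www.example.test": (200, "<html>Welcome</html>"),
    "appdev.example.test": (404, "The page could not be found\n404: NOT_FOUND"),
    "docs.example.test": (404, "DEPLOYMENT_NOT_FOUND"),
}

def vercel_cnames(zone_text):
    """Return hostnames whose CNAME target is Vercel's shared CNAME endpoint."""
    hosts = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 5 and fields[3].upper() == "CNAME" \
                and fields[4].rstrip(".").lower() == VERCEL_TARGET:
            hosts.append(fields[0].rstrip(".").lower())
    return hosts

def classify(status, body):
    """Label one probe result: 'dangling', 'active' or 'review'."""
    if status == 404 and any(marker in body for marker in DANGLING_MARKERS):
        return "dangling"  # points at Vercel, but no deployment answers
    return "active" if 200 <= status < 400 else "review"

def audit(zone_text, probe):
    """Label every Vercel-pointing host; probe(host) -> (status, body) or None."""
    results = ((host, probe(host)) for host in vercel_cnames(zone_text))
    return {host: classify(*res) if res else "review" for host, res in results}

if __name__ == "__main__":
    for host, label in audit(SAMPLE_ZONE, SAMPLE_RESPONSES.get).items():
        print(f"{label:9} {host}")
```

Records labelled `dangling` should be removed from DNS or re-attached to a project you own; `review` means the host could not be probed or answered with something other than the known indicators.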

While Vercel has implemented measures to mitigate subdomain takeovers, the responsibility also lies with domain owners to maintain vigilant DNS management practices.

I hope this sheds light on Vercel subdomain takeovers and emphasizes the importance of security measures. Stay curious and happy hacking!
