P1 Bug Bounties: Subdomain Takeover Bug Hunting

1 year ago

TL;DR: A guide to subdomain takeover: how dangling DNS records leave a subdomain claimable by an attacker, how to find and safely verify them, and why they make for high-impact bug bounty reports.

Introduction

A subdomain is a domain that sits beneath a larger domain in the DNS hierarchy. For example, www.grahamzemel.com is a subdomain of grahamzemel.com. Here www is the subdomain label, grahamzemel.com is the registered (apex) domain, and com is the top-level domain (TLD).

Subdomains can be used for a variety of purposes, such as blog hosting, e-commerce, or even an entirely different website from the root domain.

They’re often used to separate all kinds of services or functionalities within an organization, including authorization pages, landing pages, and the app pages themselves.

What are Subdomain Takeovers?

A subdomain takeover happens when a DNS record for a subdomain (usually a CNAME) points at an external service such as GitHub Pages, Heroku or an S3 bucket, but the resource on that service has been deleted or was never claimed. Because the DNS record is still in place, anyone who registers the matching resource on the service controls what is served under the organization's subdomain. Finding these dangling records starts with subdomain enumeration, which is useful for several purposes:

Identifying subdomains that serve different purposes, such as staging, development, or production environments.

Locating subdomains that may be vulnerable to attack (and worth a bounty) because of outdated software or misconfigurations.

Finding subdomains that may be used for malicious purposes, such as phishing or distributing malware.

Here are a couple of popular tools for subdomain enumeration:

Sublist3r

Sublist3r is a great Python tool that can enumerate subdomains of websites using OSINT (Open Source Intelligence). It assists penetration testers and bug hunters in collecting and gathering subdomains for the target domain. Sublist3r enumerates subdomains using a variety of search engines, such as Google, Yahoo, Bing, Baidu, and Ask.

TheHarvester

TheHarvester is a simple yet powerful reconnaissance tool. Through OSINT, it gathers names, email addresses, IPs, subdomains, and URLs for a target domain from multiple public sources.

Gau (Get All URLs)

Gau fetches known URLs for a given domain from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan. Its output is a list of URLs rather than hostnames, so extract the host part of each URL and deduplicate it to turn the results into a subdomain list.

Locating Vulnerable Subdomains

A non-programmatic approach

To check whether a subdomain is vulnerable, first look at where its DNS record points (for example with dig CNAME sub.example.com), then try to claim that resource on the service it points to. If the CNAME still points at the service but the resource there is free to register, the subdomain is very likely vulnerable to takeover.

In a real-world example, test.example.com might have a CNAME pointing at a GitHub Pages hostname (something.github.io) while the site itself returns GitHub's "There isn't a GitHub Pages site here" error page. To claim it, you create a repository, enable GitHub Pages on it, and add test.example.com as the custom domain in the Pages settings (GitHub records this in a CNAME file in the repository; the repository's name has nothing to do with it).

If GitHub accepts the custom domain and starts serving your repository at test.example.com, the subdomain is vulnerable to takeover. Note that this fails against organizations that have verified the domain with GitHub: once a domain is verified, GitHub refuses to let other accounts attach its subdomains to their Pages sites.

Read the documentation!

It's also a good idea to check the documentation for the service the subdomain points to (GitHub Pages, Heroku, etc.) for its exact requirements: which CNAME or A record values it expects, whether it verifies domain ownership, and what error page it serves for unclaimed names. That error page is the fingerprint you use to spot dangling records at scale.

If you find a subdomain you think is vulnerable, verify it by claiming the resource on the service and publishing a harmless test page (a plain text file containing a unique string is enough). The target's DNS already points at the service, so if https://sub.example.com returns your test page, the takeover is confirmed. Keep the proof of concept benign: serve no scripts, collect no visitor data, and hold the resource only until the program has removed or fixed the DNS record, then release it.
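As an added example that is not part of the original article, here is a small Python triage script that chains the steps above: it extracts in-scope hostnames from a gau-style URL list, then classifies each host's CNAME as healthy, pointing at a name that no longer resolves, or pointing at an unclaimed resource, using provider fingerprints. The URLs, DNS answers and HTTP bodies are constructed and injected as callables so the script runs offline; the fingerprint table (GitHub Pages, Heroku, S3, Azure) is illustrative and should be checked against each provider's current behaviour before you rely on it. The same check, run on a schedule over your own zones, is the monitoring step from the mitigation section.

```python
"""Added example: gau-style URL dump -> in-scope hosts -> dangling-CNAME triage.
All DNS answers, HTTP bodies and fingerprints below are constructed/illustrative."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed sample: the kind of URL list gau emits for a target.
SAMPLE_URLS = [
    "https://www.example.com/index.html",
    "https://blog.example.com/2021/post?id=3",
    "https://BLOG.example.com/feed",            # same host, different case
    "http://old-shop.example.com:8080/cart",    # port must be stripped
    "https://docs.example.com/api",
    "https://files.example.com/report.pdf",
    "https://legacy.example.com/login",
    "https://cdn.notexample.com/lib.js",        # out of scope: must be dropped
]

# Illustrative fingerprints (verify against the provider before relying on them):
# CNAME-target suffix -> (service, body text an unclaimed resource returns;
# None means the target name itself stops resolving once the resource is gone).
SERVICE_FINGERPRINTS = {
    "github.io":        ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "herokuapp.com":    ("Heroku",       "No such app"),
    "s3.amazonaws.com": ("AWS S3",       "NoSuchBucket"),
    "cloudapp.net":     ("Azure",        None),
}


@dataclass(frozen=True)
class Finding:
    host: str
    cname: Optional[str]
    verdict: str            # no-cname | ok | dangling-nxdomain | dangling-unclaimed
    service: Optional[str] = None


def hostnames_in_scope(urls: list[str], apex: str) -> list[str]:
    """Unique lower-cased hostnames under apex; scheme, port and path dropped."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname          # None for input with no netloc
        if not host:
            continue
        host = host.lower().rstrip(".")
        if host == apex or host.endswith("." + apex):
            hosts.add(host)
    return sorted(hosts)


def match_service(target: str):
    for suffix, (service, marker) in SERVICE_FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return service, marker
    return None, None


def triage(host: str,
           resolve_cname: Callable[[str], Optional[str]],
           name_resolves: Callable[[str], bool],
           fetch_body: Callable[[str], Optional[str]]) -> Finding:
    """Classify one host. Lookups are injected so the logic can run offline."""
    target = resolve_cname(host)
    if target is None:
        return Finding(host, None, "no-cname")     # A record: not this bug class
    target = target.lower().rstrip(".")
    service, marker = match_service(target)
    if not name_resolves(target):
        # Target is NXDOMAIN: takeable if the provider lets anyone claim that
        # exact name (Azure-style); in any case a record nobody is maintaining.
        return Finding(host, target, "dangling-nxdomain", service)
    body = fetch_body(host) or ""
    if marker and marker.lower() in body.lower():
        # Provider answers for the hostname, but nobody owns the resource.
        return Finding(host, target, "dangling-unclaimed", service)
    return Finding(host, target, "ok", service)


def audit(urls, apex, resolve_cname, name_resolves, fetch_body) -> list[Finding]:
    return [triage(h, resolve_cname, name_resolves, fetch_body)
            for h in hostnames_in_scope(urls, apex)]


# Constructed stand-ins for DNS and HTTP so the example runs without network.
FAKE_CNAME = {
    "blog.example.com":     "example.github.io.",      # trailing dot, as dig prints it
    "old-shop.example.com": "old-shop-prod.herokuapp.com",
    "docs.example.com":     "example-docs.github.io",
    "files.example.com":    "files-example.s3.amazonaws.com",
    "legacy.example.com":   "legacyapp.cloudapp.net",
}
FAKE_RESOLVABLE = {"example.github.io", "old-shop-prod.herokuapp.com",
                   "example-docs.github.io", "files-example.s3.amazonaws.com"}
FAKE_BODY = {
    "blog.example.com":     "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "old-shop.example.com": "<title>No such app</title>",
    "docs.example.com":     "<h1>Welcome to the docs</h1>",   # claimed, healthy
    "files.example.com":    "<Error><Code>NoSuchBucket</Code></Error>",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_URLS, "example.com", FAKE_CNAME.get,
                   FAKE_RESOLVABLE.__contains__, FAKE_BODY.get):
        if f.verdict.startswith("dangling"):
            print(f"{f.host} -> {f.cname} [{f.service}] {f.verdict}")
```

To run this against real targets, swap the three callables for a DNS resolver (dnspython's `dns.resolver.resolve(name, "CNAME")`, catching `NXDOMAIN`) and an HTTP client that requests the victim hostname itself, so the provider sees the original Host header; the classification logic stays the same.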

Consequences of Subdomain Takeovers

Here are some potential consequences of subdomain takeovers:

Data breaches

A subdomain controlled by an attacker inherits much of the parent domain's trust. Cookies scoped to .example.com are sent to it, CORS and CSP policies that whitelist *.example.com accept it, and OAuth redirect URIs on that host can be abused, so the attacker can capture session cookies, steal tokens and host convincing phishing pages on a legitimate-looking address. This can amount to a data breach and cause significant damage to the organization whose subdomain was taken over.

Reputation damage

A subdomain takeover or other security incident involving subdomains can damage the reputation of the company or organization affected, potentially leading to lost customers or revenue.

Legal consequences

Depending on the laws and regulations in the jurisdiction where the attack took place, attackers who exploit subdomain takeovers may face legal consequences, including fines and prison time. If you're a bug hunter, stay within the program's scope and rules, keep your proof of concept harmless, and report the finding through the organization's bug bounty or disclosure channel rather than exploiting it further.

Mitigating Subdomain-Based Attacks

Here are a few steps that mitigate the risk of dangling subdomains and takeovers:

Regularly scan and monitor: Keep an inventory of every subdomain and, in particular, every CNAME that points at a third-party service. Periodically resolve them and alert on targets that return NXDOMAIN or a provider's "unclaimed" error page, so you find dangling records before someone else does.

Decommission in the right order: When a service is retired, remove or repoint its DNS record before (or at the same time as) the cloud resource is deleted. Most takeovers come from deleting the app, bucket or site and forgetting the DNS record that still points at it.

Implement access controls: Protect registrar and DNS provider accounts with multi-factor authentication and least privilege, since whoever can edit the zone controls every subdomain. Where a provider offers domain verification (GitHub Pages verified domains, for example), use it so that another account cannot attach your hostnames to its resources.

Regularly review and update configurations: Review DNS zones and hosting configurations as part of change management, so that every record still points at something you own and intend to expose.

Educate employees: Make sure the teams who create and tear down cloud resources understand that a DNS record outlives the thing it points to, and that cleaning up DNS is part of decommissioning.

Thanks for reading about subdomain enumeration bounties! If you enjoyed this post, check out The Gray Area for similar articles on cybersecurity and bug bounties.

Support my content by subscribing to a Medium membership using my referral link. It gives you access to all of my posts, and all of the other posts on Medium!

Thanks!
