A subdomain takeover vulnerability exists when a DNS record for a subdomain still points at an external web service whose resource has been deleted, taken down or allowed to expire. Most often it is a CNAME record aliasing the subdomain to a hostname at a hosting provider; once the original owner gives that name up, anyone who can claim the same name at the provider receives the subdomain's traffic, without ever touching the parent domain's DNS.
Our Demonstration Setup:
The subdomain we will take over in this example is repository.in-secure.org.
Disclaimer: I set up my own repository at heroku.com to use for this demonstration. Everything shown in this demonstration I own myself; none of this was done illegally.
After I set up my repository at heroku.com, I was automatically assigned a DNS name for my new app: test-app2077.herokuapp.com
Next, we need a CNAME record at our DNS provider that aliases our subdomain, repository.in-secure.org, to the Heroku-assigned name test-app2077.herokuapp.com (the custom domain also has to be added to the app on the Heroku side, as we do again later when hijacking it).
After that, browsing to repository.in-secure.org shows our Heroku app served under our custom DNS name.
The "host" command verifies the CNAME record is set up correctly: it reports repository.in-secure.org as an alias for test-app2077.herokuapp.com.
Now, to finish the preparation of this demo, I will delete the Heroku app and leave the DNS subdomain repository.in-secure.org in place. If we issue the 'host' command like we did above, we still get the same results: the CNAME record is untouched, so DNS alone gives no hint that the app behind it is gone.
As you can see, the app that used to be served here has been deleted, but the administrator forgot to delete the DNS record for the 'repository' subdomain of the parent domain in-secure.org. That is what an attacker sees: a subdomain whose CNAME target nobody currently owns.
We can hijack this subdomain by adding repository.in-secure.org as a custom domain on a Heroku app we control. The existing CNAME record, which we never touch, then routes the subdomain's visitors to our content.
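The manual check above (read the CNAME with `host`, then look at what the target actually serves) is easy to script. The following is an added example, not code from the original post: it parses `host` output, decides whether the CNAME target lives at a takeover-prone provider, and then looks for the provider's "unclaimed name" page. The provider table, the Heroku "No such app" fingerprint, the sample `host` output and the sample page bodies are all assumptions constructed for the example so it runs offline; verify the fingerprints against a real unclaimed name before relying on them.

```python
"""Dangling-CNAME (subdomain takeover) checker.

Added example, not from the original post. Network access is injected
through a `fetch` callable so the decision logic can run offline against
constructed sample data.
"""
import re
import subprocess
import urllib.error
import urllib.request
from typing import Callable, Optional

# Assumption (not from the original post): CNAME target suffix -> (provider,
# text the provider serves for a name nobody has claimed). Heroku's
# "No such app" is the signal the demo relies on; the GitHub Pages entry is
# illustrative. Re-check fingerprints against a live unclaimed name.
TAKEOVER_PRONE = {
    "herokuapp.com": ("Heroku", "No such app"),
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
}

# Constructed sample data so the example runs offline. The host output mimics
# what `host repository.in-secure.org` prints once the CNAME is in place.
# herokuapp.com names keep resolving after the app is deleted, so DNS alone
# does not reveal the problem; the HTTP body does.
SAMPLE_HOST_OUTPUT = (
    "repository.in-secure.org is an alias for test-app2077.herokuapp.com.\n"
    "test-app2077.herokuapp.com has address 203.0.113.10\n"
)
DELETED_APP_BODY = "<title>Heroku | No such app</title><h1>No such app</h1>"  # constructed
LIVE_APP_BODY = "<h1>test-app2077 is running</h1>"  # constructed


def cname_target(host_output: str) -> Optional[str]:
    """Pull the CNAME target out of `host` output; None if the name is not an alias."""
    m = re.search(r"is an alias for (\S+)$", host_output, re.MULTILINE)
    return m.group(1).rstrip(".") if m else None


def provider_for(target: str) -> Optional[tuple]:
    """(provider, fingerprint) when the target is hosted at a takeover-prone service."""
    t = target.rstrip(".").lower()
    for suffix, info in TAKEOVER_PRONE.items():
        if t == suffix or t.endswith("." + suffix):
            return info
    return None


def assess(subdomain: str, host_output: str,
           fetch: Callable[[str], Optional[str]]) -> dict:
    """Decide whether `subdomain` looks like a dangling CNAME someone could claim.

    `fetch(name)` returns the HTTP body served for `name`, or None when the name
    does not resolve or answer (some providers answer NXDOMAIN for unclaimed
    names instead of serving an error page; that is a signal too).
    """
    result = {"subdomain": subdomain, "cname": None, "provider": None,
              "dangling": False, "reason": "no CNAME"}
    target = cname_target(host_output)
    if target is None:
        return result
    result["cname"] = target
    info = provider_for(target)
    if info is None:
        result["reason"] = "CNAME target is not a known third-party service"
        return result
    provider, fingerprint = info
    result["provider"] = provider
    body = fetch(subdomain)
    if body is None:
        result.update(dangling=True, reason=f"{provider} target does not resolve or answer")
    elif fingerprint in body:
        result.update(dangling=True,
                      reason=f"{provider} serves its unclaimed-name page: {fingerprint!r}")
    else:
        result["reason"] = f"{provider} target serves a live app"
    return result


# Real I/O helpers for use outside the offline demo.
def run_host(name: str) -> str:
    """Run the `host` command the post uses and return its stdout."""
    return subprocess.run(["host", name], capture_output=True, text=True).stdout


def http_fetch(name: str) -> Optional[str]:
    """Fetch the page served for `name`; error pages (e.g. a 404) carry the fingerprint too."""
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")
    except OSError:
        return None


if __name__ == "__main__":
    for label, body in (("app deleted", DELETED_APP_BODY), ("app live", LIVE_APP_BODY)):
        print(label, assess("repository.in-secure.org", SAMPLE_HOST_OUTPUT, lambda _n, b=body: b))
```

Against a real zone you would call `assess(name, run_host(name), http_fetch)` for every name in the zone; the deleted-app case comes back flagged as dangling while a live app does not, and a target that does not resolve at all is flagged as well, since for some providers that is what an unclaimed name looks like.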
Hijacking the Subdomain
As described in the demonstration section, we are going to hijack the repository.in-secure.org subdomain. In this scenario, the administrator created a CNAME record pointing repository.in-secure.org at the hostname Heroku assigned, which was originally test-app2077.herokuapp.com.
Now the app has been deleted, and the administrator should have deleted the CNAME record for repository.in-secure.org at the same time (the safe order is the reverse of what happened here: remove the DNS record first, then the app). Leaving the record behind is what allows us to hijack the subdomain.
I will create a new Heroku account to hijack the domain. The situation would be the same if this were a GitHub site or some other web service with a subdomain CNAME record pointed at it. Never mind that this new Heroku account is another one of mine; at this point anyone could hijack this with their own Heroku account.
After I register the domain 'repository.in-secure.org' on Heroku, I am now in control of the subdomain and have my Heroku web page served on it.
< Under Construction >