Find Your First Bug —#1 Subdomain Takeover
Hey guys, I know you are probably reading this because you want to find your first bug. I am planning to write a series regarding this which will show you vulnerabilities that can be found out easily and hope I can do this and you will like the series
I am not a pro hacker to teach you, but I like to give back to the community since I learned from this community. So let’s get straight into the subject.
A Subdomain Takeover is defined as Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization’s subdomain via cloud services like AWS or Azure. … The potential for a subdomain takeover occurs when the webpage hosted at the cloud provider is deleted but the DNS entry is kept.
So insimple words a subdomain that is used by the company which are under services like aws, bouncepages, github … and when they remove the original content but forget to remove the pointing that is CNAME so that may be when an attacker visit that subdomain it will show the cname or you can find that by just typing dig https://victim.domain.com in the terminal it will show that the subdomain’s cname is something.com so that if that subdomain is not yet claimed by anyone you can go-to something.com and buy that. I can’t explain whole procedure here since it’s different for diff services. easiest methods for finding cnames
- dig subdomain.domain.com on the linux terminal
- https://mxtoolbox.com/DNSLookup.aspx — search your subdomain here
- https://toolbox.googleapps.com/apps/dig/#CNAME/ search subdomain here
So what you have to look is that if the subdomain has cname pointing to somewhere and not yet claimed ( i.e mostly a 404 ) then search google for “something.com subdomain takeover” here something.com is the cname. If you can’t find the result you need you just go-to https://something.com and mostly that cloud website will teach to how to connect to a website.
For easy my method is by
- Enumerating all the subdomains using massdns, amass, sublist3r, certspotter.com, crtsh etc.
- Combine all the subdomains found using above tools
- Find live subdomains using httprobe from the list of all subdomains
- Then I use nuclei by project discovery which is an awesome tool by
- cat livesubdomains.txt | nuclei -v -o output.txt -t /nuclei-templates-directory/subdomain-takeover
- That’s all it will find you mostly the takeoverable websites if any.
- The bug is P2 if the subdomain is an important one and P3 for other subdomains. So don’t feel bad to find that it’s simple but hard to get one. and if you are lucky and work hard on various domains you might get it all the best buddy
I reported 3 subdomain takeover to various programs. 1 accepted, 1 duplicate and 1 not yet triaged, may be next week will get triaged.
Connect me on LinkedinIn