November 30, 2020 / blog post

Subdomain Takeover Vulnerability

What is a Subdomain?

A subdomain is an additional part of a domain name that comes before the main domain name. The content of a subdomain is mostly independent of the main website, which makes subdomains a convenient way to group and categorize different content.

There are many tools for finding subdomains, such as subfinder, sublist3r, assetfinder and amass. It is better to combine multiple tools so that we can find more subdomains. Here are some examples of the tools that can be used:

1.) Subfinder:

It discovers valid subdomains for websites by using passive online sources.

2.) Sublist3r:

Sublist3r is a Python-based tool. It uses many search engines, such as Google, Yahoo, Bing, Baidu and Ask, to find subdomains of websites using OSINT. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

3.) Assetfinder:

It detects domains and subdomains potentially related to a given domain.

4.) Amass:

The Amass tool developed by OWASP performs network mapping of attack surfaces and external asset discovery by using a wide range of information gathering techniques.

What is a Subdomain Takeover?

Subdomain takeover is the process by which an unauthorized party gains control over a certain subdomain. An attacker who succeeds in taking over the subdomain has full control over it and may upload their own files, create their own database, monitor the network traffic, or even create a clone of the main website and send phishing emails, etc.

Which Cases May Cause Subdomain Takeover?

1.) A takeover is possible when a subdomain registration exists but the page is not currently in use for some reason. Subdomain takeover vulnerabilities may occur because the webmaster forgot to set up the webpage of a previously created subdomain; they may also arise when an unnecessary or unused subdomain is not deleted in time. In addition, if expired services are not reactivated, subdomain takeover vulnerabilities are likely.

2.) Misconfiguration of DNS records or of the server is one of the most common reasons for subdomain takeover. Especially for multi-level subdomains, misconfiguration may cause subdomain takeover.

Here is a GitHub page worth checking, where some error types that point to an empty subdomain are compiled. It may help to determine which error status is relevant for a certain third-party provider:

3.) A subdomain pointing to a third-party provider (e.g. GitHub, WordPress, AWS, Heroku, etc.) service that is not currently in use allows an attacker to take control over the subdomain. An adversary has the chance to set up a webpage on the service that was used before and point it to that subdomain.

How to Detect Vulnerable Subdomains Manually?

First, there are two main facts to consider when identifying a subdomain takeover vulnerability:

  1. The appearance of the webpage when we visit the subdomain’s website is an important identifier, since certain errors shown on the webpage indicate that no content is being served under this subdomain and that it may be vulnerable.

  2. Knowledge of the DNS records is needed. It is crucial to determine which provider we are being directed to, as we set our takeover path according to this information.

When we consider a subdomain suspicious, we may first query it to see how it responds. The “host” command is appropriate for that. To give an example, let’s run the “host” command against “

In the instance above, the word “alias” stands out in the response. It means that, in theory, takeover is feasible. However, in this instance it is not possible to carry out a subdomain takeover, since it is an active domain. Therefore, please do not mind this failure. To achieve subdomain takeover, the domain must not be currently in use and has to return an error page unique to the provider.

When a certain error page shows up on a subdomain’s webpage served by a certain third-party provider, it may mean that we have come across a subdomain that is not in use.

Aquatone: A Tool That Can Be Used to Detect Subdomain Takeover

The tool called “Aquatone” may be useful to identify subdomain takeover vulnerabilities more easily.

Its GitHub page describes it as follows: “Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.”

Once you start scanning a certain domain with this tool, it both hunts for subdomains of the domain through the “aquatone-discover” command and finds out whether a subdomain takeover vulnerability exists for each subdomain by using the “aquatone-takeover” command. It then files all of these results and saves them with both .txt and .json file extensions in the directory where it is located. It also finds open ports via the “aquatone-scan” tool and takes screenshots via the “aquatone-gather” tool.

Instead of checking each subdomain manually one by one, using a tool like aquatone may help. For a simple subdomain takeover vulnerability discovery, we may use the aquatone-discover command and afterwards the aquatone-takeover command.

Let’s check the usage of “aquatone-discover” and its other scanning options:

Here is an example of what an aquatone-discover scan result looks like:

Now, to identify whether a subdomain takeover vulnerability exists for each subdomain found by aquatone-discover, we may use the aquatone-takeover command:

We can observe below that no subdomain takeover vulnerability was found for the “” domain name.

How to Avoid Subdomain Takeovers?

As a domain owner:

  1. Remove all DNS entries which are active but out of use. Remove the CNAME record in the DNS zone file.
  2. If you are creating a new resource, DNS record creation should be the last step you take in the process.
  3. Continuously check your DNS entries to be sure that there are no dangling records.
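
One way to automate the continuous check in step 3, and the DNS-record half of the manual detection described earlier, is to audit your own zone file for CNAMEs that leave the zone and point at a name that no longer resolves. This is an added example, not code from the original post or from any tool it mentions; the zone contents, the `example.*` names and the function names are constructed for illustration.

```python
import socket

# Constructed sample zone (not from the post); example.net/.org stand in for providers.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@     3600 IN A     192.0.2.10
www   3600 IN CNAME example.com.
blog  3600 IN CNAME acme-blog.pages.example.net.   ; service still active
shop  3600 IN CNAME old-shop.apps.example.org.     ; service was deleted
cdn   3600 IN CNAME static                         ; relative, stays in zone
"""

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Yield (owner, target) per CNAME line; assumes each line starts with its owner."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if "CNAME" not in fields[1:-1]:          # need an owner before and a target after
            continue
        target = fields[fields.index("CNAME", 1) + 1]
        yield fqdn(fields[0], origin), fqdn(target, origin)

def system_resolves(name):
    """Default check: does the name resolve to any address right now?"""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, origin, resolves=system_resolves):
    """Return CNAMEs that point outside the zone at a name that no longer resolves."""
    origin = origin.rstrip(".").lower()
    findings = []
    for owner, target in parse_cnames(zone_text, origin):
        in_zone = target == origin or target.endswith("." + origin)
        if not in_zone and not resolves(target):
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    # Offline demo: a stand-in resolver where only the blog target still exists.
    live = {"acme-blog.pages.example.net"}
    for owner, target in find_dangling(SAMPLE_ZONE, "example.com.", live.__contains__):
        print(f"DANGLING {owner} -> {target}")
```

A target that still resolves can nevertheless be unclaimed at the provider, so entries that pass this check still need the provider error-page check described in the manual detection section.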