A subdomain takeover is a cybersecurity vulnerability where an attacker gains control of a subdomain associated with a main domain.
This vulnerability can lead to various security risks, including traffic redirection, phishing, or other malicious activities on the subdomain.
In this article, we’ll delve into the definition of subdomain takeover, when it occurs, and how to prevent it.
- A subdomain takeover occurs when an attacker exploits a vulnerability in a subdomain’s DNS configuration and takes over the subdomain or domain ownership
- This takeover can lead to various security risks, including traffic redirection, phishing, or other malicious activities on the subdomain, highlighting the importance of diligent DNS (Domain Name System) management and timely subdomain removal
- Subdomain takeover can occur during the provisioning and de-provisioning of web services, especially when DNS records are not properly managed or when services are no longer in use
- Subdomain takeover can be prevented through several practices such as defining standard processes when provisioning and de-provisioning resources, using only reliable web hosting services, engaging ethical hackers, and more
What Is Subdomain Takeover?
A subdomain takeover occurs when a hacker takes control of a subdomain that is a part of a larger domain.
Subdomains serve specific functions like hosting web apps or services. If an attacker seizes control of a subdomain, they can alter content, reroute traffic, or carry out attacks, potentially harming the parent domain’s reputation and security.
If subdomains are not properly maintained, they’re more prone to this cybersecurity vulnerability. Additionally, subdomain takeover can occur when a subdomain points to external services that are no longer under the control of the parent domain owner.
When Do Subdomain Takeover Vulnerabilities Occur?
Subdomain takeover usually occurs when a subdomain is configured to point to a particular service or platform such as Shopify, GitHub Pages, Heroku, and others, but the associated services or other content on the subdomain has been moved or deleted.
That opens a way for hackers to exploit this vulnerability and take advantage of your subdomain. It’s like having a signpost pointing to a location that no longer exists. Essentially, this creates a security gap that is easy to exploit.
How Are Subdomain Takeovers and DNS Records Related?
DNS (Domain Name System) records are configurations that map human-readable domain names to their corresponding IP addresses or provide other essential information about domain and email services. There are different types of DNS records such as “A” records, “AAA” records, CNAME records, and others.
Subdomain takeovers and DNS records are related because a subdomain takeover usually occurs due to a CNAME record that points to a destination that is no longer used or has been deleted. Malicious parties can exploit this vulnerability and claim control of the previously legitimate subdomain.
How Does Subdomain Takeover Happen?
Here’s how it occurs in both cases.
Subdomain takeover during the provisioning process is relatively rare but can still occur in certain scenarios. It typically happens when an attacker can influence or manipulate the initial setup of a subdomain for malicious purposes.
- You will set a blog.website.com subdomain.
- To set a subdomain for your main domain, you need to set up DNS records that will take the user to your blog.
- Finally, you need to create a virtual host via your hosting provider so that users can access the subdomain.
If you don’t create a virtual host in time, or your hosting provider doesn’t verify that the person who wants to create the virtual host is the owner of the subdomain, a hacker could take advantage of this vulnerability and perform a subdomain takeover.
Subdomain takeover during deprovisioning usually happens when website owners remove the virtual host but don’t remove the DNS record that points to the virtual host. This enables hackers to exploit the affected DNS record and set up their own virtual host on your behalf.
This will essentially allow the hacker to host malicious content on the subdomain you own.
The Risks of Subdomain Takeover: What Can Hackers Do with Subdomains?
Subdomain takeover poses several risks for your website and the content on it. We listed them below.
- Loss of control over the content of the subdomain—If hackers gain control over your subdomain, they can manipulate its content at will. They can insert malicious scripts, deface the website, or replace content with other harmful material. If you own an online business, this can lead to reputational risks.
- Cookie harvesting from unsuspecting visitors—Attackers can exploit subdomain takeovers to steal cookies from visitors to the compromised subdomain. Cookies may contain sensitive information about visitors such as session tokens, login credentials, and other personal data that can be exploited.
- Phishing campaigns—Subdomain takeovers provide an ideal opportunity to launch phishing campaigns. Attackers can use your domain to create convincing replicas of legitimate websites on the compromised subdomains, tricking users into providing sensitive information.
- DDoS attacks—The compromised subdomain can be used to initiate distributed denial-of-service (DDoS) attacks.
- Other attacks—Subdomain takeover could also allow hackers to distribute other malware or perform other attacks such as XSS, CSRF, CORS bypass, and more.
Subdomain Takeover Examples
Let’s observe the most common subdomain takeover examples on reputable websites and services. Continue reading to learn more.
Subdomain Takeover GitHub
Subdomain takeover on GitHub is possible if:
- The hacker discovers that some resources hosted on GitHub pages are no longer used
- But still have DNS configuration for the vulnerable subdomain that links to them
Let’s suppose that there’s an organization that owns a website called “mywebsite.com” and has a GitHub Pages site hosted at “username.github.io” for their project.
Suppose that the organization decides that it no longer needs the GitHub repository associated with the domain, but forgets to delete the DNS records for the subdomain.
In the meantime, a hacker discovered that “project.mywebsite.com” still leads to the deleted GitHub repository, discovering a vulnerability. They create a new GitHub account and configure it to use “project.mywebsite.com” effectively taking control of the subdomain.
Now, hackers can use the subdomain to host malicious code and other content on the website, tricking or exploiting visitors.
Azure Subdomain Takeover
Microsoft Azure is among the most reputable and prominent cloud providers, which means vulnerabilities are not so easy to come by. Just like many cloud providers, it uses one-to-one mapping for its cloud services and virtual machines.
When creating a DNS record, Microsoft Azure performs ownership verification using TXT records for “A” DNS entries. However, the same doesn’t apply to a CNAME record which leaves room for the subdomain takeover threat.
Let’s assume that you provisioned an Azure resource with a fully qualified domain name (FQDN) but after you no longer needed it, you deprovisioned or deleted the resources. Unfortunately, you forgot to remove the CNAME record from your DNS zone which led to the canonical domain name still being seen as an active domain.
If a malicious party like a hacker discovers the dangling subdomain, they will provision a new Azure resource with the same FQDN of the resource you deprovisioned. They can now route traffic to the hacker’s resource where they can host malicious code and other content.
Subdomain Takeover with Expired Domain
A subdomain takeover can easily occur if you own a domain that expired and you forgot to renew it.
Let’s say that you owned the domain “example.com” and decided to set up a domain “blog.example.com” to host a blog on your website. The subdomain uses a CNAME record to link to the main domain
However, after some time, the domain expired but the CNAME record wasn’t deleted from the example.com DNS zone, meaning it became vulnerable to CNAME subdomain takeover.
A hacker decides to register blog.example.com and use it to host malicious content, misleading visitors and potentially scamming them.
How to Prevent Subdomain Takeover?
Preventing subdomain takeover is crucial because it safeguards your online presence and reputation. When subdomains are left vulnerable, attackers can misuse them to deceive users, steal sensitive information, or host malicious content.
To mitigate this risk, you should take proactive steps to prevent subdomain takeovers.
- Define standard processes when provisioning and deprovisioning hosts: During the provisioning process claim the virtual host first, and then create CNAME records or other DNS entries. When deprovisioning, remove DNS records first and then remove the virtual host.
- Choose hosting providers that carefully verify that someone who tries to claim the virtual host owns the source domain and subdomain
- Avoid wildcard subdomains: Avoid using wildcard DNS entries or indiscriminate URL redirects as they can inadvertently create subdomain takeover opportunities.
- Engage ethical hackers: Consider running bug bounty programs or hiring security professionals to assess and identify potential subdomain takeover vulnerabilities before hackers do.
- Use an inventory or asset management system: This can help you maintain a detailed and organized record of your digital assets.
Best Subdomain Takeover Tools and Scanners
Subdomain takeover tools and scanners are software or scripts used by cybersecurity professionals and ethical hackers to identify vulnerabilities in a domain’s subdomains. Here is a list of the best subdomain takeover tools and scanners.
- Subjack: Written in Go, ethical hackers can use Subjack for concurrent scanning of subdomains for bug bounty hunting.
- Tko-subs: This is another tool that uses Go and can help detect dangling subdomains. It can help you search for pointers to CMS providers and can identify links that point to hostnames that are no longer used or deleted. It can also help with DNS records with typos.
- Tenable: Tenable is a powerful vulnerability detection and analytics tool commonly used by ethical hackers who want to detect vulnerabilities in computer networks. It helps detect dangling DNS records and other issues that can lead to subdomain takeover.
- DNSTake: DNSTake is another tool that can quickly detect dangling DNS records, and check for missing DNS zones in order to prevent different vulnerabilities.
Subdomain takeover is a serious security risk that can be exploited by malicious actors to compromise web applications.
To prevent it, organizations should:
- Regularly monitor and manage their DNS records
- Promptly remove unused subdomains
- Implement proper access controls.
Vigilance and proactive measures are key to mitigating this potential threat and safeguarding online assets.
If you’d like to build a website for your online business, but don’t know where to start, check our compilation of best website builders and choose the best web hosting provider that meets your business needs.
Next Steps: What Now?
- Choose where to host your site – You need a hosting provider where to park your website.
- Customize your website– Here’s where you add the pages and content to your website.
- Optimize your pages for SEO – Choose the keywords your visitors would use to find your site.