
And welcome to the next talk. My video's flickering, so I'm going to be fast in my transition. Just to note that the auction for the SecTor tickets is ending soon. And thank you, Matthew Margie, for your talk on subdomain takeovers. Take it away, please.

Thanks, Max. Hey everyone, thank you for taking the time to be here and to listen to my presentation. Today I'm going to be speaking about subdomain takeovers. The goal here for all of us is to start at the foundations, so it doesn't matter your background, in security or not in security. The goal is that this will be a guide for all of us to learn what subdomain takeovers are, how to exploit them and, really most importantly, how to prevent them. So why don't we jump in.

Let's first start with who I am. Who I am is a bit of a dad joke: I work at Auth0, so identity and access management, IAM. I am. Okay, so that will be the first and last dad joke that I do today. My name is Matthew Margie. I am a product security engineer at Auth0. I was, or I am, born and raised in Toronto, Canada. I am a big fan of espresso; the art and science around it is definitely a hobby for me. I always like to read two books at a time, one non-technical and one technical, so I'm currently reading Why We Sleep, definitely because I need to learn how to get proper sleep, and Secure by Design, which is a great, great book on architecting systems with security in mind from the beginning. In general I really do love to share what I know and what I learned with others and empower others, and hopefully that's the goal today.

So before we really get into the details of subdomain takeovers, I think it's really important for us to go over some of the details of DNS, the domain name servers, and how that works. So first and foremost, what is DNS? The acronym DNS stands for Domain Name Server. I'm sure you remember from back in the day the book of Yellow Pages that we used to get. Essentially the domain name server, DNS, is the Yellow Pages of the internet. What the Yellow Pages did for us was map a business of some sort to a phone number; DNS is tasked with translating domain names to IP addresses. So as a very quick example, sector.ca is mapped to a number of IP addresses that your browser will go to to load the page or to load the application.

We will learn that DNS exists at different levels, so it's not as straightforward as we may think. The Yellow Pages, for example, is just a book and it has a very quick translation. DNS works a little bit differently: DNS has a number of different levels. So if we take an example which we will continue to see throughout this presentation, let's say we're looking for xyz.wordpress.com. Notice the dot at the end. The dot at the end is the root domain. Every domain that we want to resolve, and that's the term that we're going to be using, resolve, which is translating the domain to an IP, starts at the root domain. The root domain will ask the next step, how do I get to .com? When I get to .com, which we can see is called a TLD or top level domain, we'll ask how do we get to wordpress, and then so on and so forth.

Let's dig in a little bit more and make sure we have the terminology locked down. A recursive search means that we are going to request essentially a domain and go step by step down the chain of the different DNS levels until we find what we're looking for, the IP address, and work our way back. The recursive search is going to be handled by the DNS server that we have set, whether on our phone, on our router, etc. Cloudflare, for example, has a DNS, Google has a DNS, our local ISP will have DNS. That is essentially the first step: that recursive search is handled by that DNS and it will go through this hierarchy that we see here.

So as we mentioned, the first step is always the root name server, and the root name servers know about all of the top level domains that exist. So again, the top level domains are those such as .com, .ca, etc. Second level domains are those such as, as we said, google, wordpress, etc. And then once we get to those ones, wordpress, google, etc., they manage their own DNS records, which we will talk about in the near future, for the subdomains. So the subdomains such as xyz.wordpress.com are managed and defined by, essentially, the second level domain. So WordPress, for example, manages where xyz is located and what its IP address is.

So once again, I really love to just make sure we really understand the concepts. Each level knows the next level in the hierarchy: the root name server up here knows about the TLD, and it's recursive because we work our way all the way down, and once we get the IP address that we're looking for we work our way all the way back up to get to our original request and get the answer. So for xyz.wordpress.com, we have our recursive name server. It goes to the root; the root asks where is com; the TLD for com asks where is wordpress; whoever at WordPress manages DNS has a record for where xyz maps to its IP address; that is returned all the way up the chain and back to us.

In a visual sense, again, on our local machine, phone, etc., we may have some sort of local cache. If we've recently asked about this domain or subdomain, we'll quickly check to see if it's there. If it's not, we continue on again to our DNS server that we have set up, again Cloudflare, Google, OpenDNS, there are many options that we may have set. That will start at the root DNS server; it'll get a response back, go to com, get a response back, go to wordpress, get a response back, and then it will know the IP address of xyz.

Now let's get into a bit more of the meat and potatoes of DNS. So as we mentioned, with DNS there are record types. So let's say, for example, we own wordpress.com. We will have to manage the DNS for that website. There are different DNS records that we can set up. One of them, which will be the focus of this talk, will be the CNAME record type. The CNAME very simply resolves one domain by looking up another, so this is referred to as an alias. So as an example, maybe xyz.wordpress.com is an alias for some sort of other domain. Once we see this, server10.wordpress.com, we will now have to, for example, go and resolve where this is located, because we don't know the IP address of server10. This is a very simple mapping, and what's great about CNAME records, as we'll see in the near future, is that if we use Heroku or Azure or one of those websites where they have their own domain, we can essentially hide that by saying, well, if you go to xyz.wordpress.com, they don't really need to know that our application, for example, is at heroku.com.

The next record which is really important is an A record. Very simply put, the A record is that translation that we talked about from the beginning; it's a translation of the domain to an IP address. Now, two other records that are important to note, but we won't mention too much in the rest of the talk, are the SOA record, this is the start of authority, so when we were going down our hierarchy of DNS to get from, let's say, the top level domain to the second level domain, we would need something called a start of authority. This tells us where do we go to get the definition of wordpress.com, where is that hosted, and so on and so forth. So the start of authority and the NS records define the DNS name servers that we have, and it allows us to know where to go next.

To visualize that a little bit more, let's take a look here. So imagine the .com DNS server. We expect, when we are looking for wordpress.com, we need to know where do we find this DNS server, where is that located. That DNS server will have, again, a start of authority and a number of NS records, name server records, that say, oh, don't worry, you can find those servers at this particular location. So now there is a way for us to know, once we get to wordpress.com, where to go. We understand the mapping of how to find it.

Now let's get into subdomain takeover specifically. What if I told you that xyz.wordpress.com, the IP address that gets resolved, could be something that we could take over? Subdomain takeovers are possible when a domain owner has potentially misconfigured records in their DNS. There are a number of different subdomain takeover types, and in this talk today we are going to be specifically focused on CNAME records. So as you remember, we mentioned that if I have an application, let's say app.wordpress.com, and that is really an application that lives in Heroku, such as app-cinnamon-12 on Heroku, well, what if I didn't want someone to know that my app is in Heroku? I want it to be an official wordpress.com subdomain that I manage, and really it's just a Heroku application that loads. That's the perfect application for a CNAME record. But what if the Heroku app no longer existed? And then what if I told you that Heroku allows for the reuse of app names, so app-cinnamon-12 could be reused again? And then what if I told you that we could manually, on Heroku, select that app name again after the application has been destroyed?

Well, for the rest of this talk we're going to focus on a particular exploit that I found, a subdomain takeover at Auth0, and this has to do with a domain that we had a CNAME for, slack-logger.it.auth0.com, and that was pointing to a Heroku application that we had running. Very simply put, this was a website that employees could go to to log in and set up Slack logging for their Heroku applications.

What I really like to do is make sure that we have a step-by-step understanding, or a checklist, of how we know a subdomain can be taken over. So as we mentioned, CNAME-based subdomain takeovers are possible when we have three elements in place. One, the DNS record for a CNAME is currently pointing to a non-existing application. Two, the provider at which this record is pointing allows for the reassignment of that name, of that unique identifier. And then three, it's really about being able to find this gap and now creating an application with that same unique identifier name and, essentially, as we will soon see, being able to control what we see.

But first, let's briefly discuss the known providers that allow this reuse of those identifiers. As you can see, Heroku, which is our focus, is a rather large part of the set of different providers that allow, essentially, unique identifiers to be reused. WordPress, as we mentioned with xyz, is another example, and we see some other ones here. So what's really interesting here is that Heroku is not the only provider or application; there are many others that can be looked at. And so if you can think about automation, there are definitely ways to look for CNAMEs and see what the ending is, which will allow us to determine whether or not we should look further into whether this application exists or not.

So going back to our real-life example of the vulnerable subdomain that I found, let's take a look here. Again, we noted that the DNS record, this one, existed, but the Heroku application was removed; it was no longer being used. The real tricky part about subdomain takeovers, and why they're so rampant, is that there's nothing obvious that this application was removed, because the CNAME record in DNS is not necessarily removed once we delete the application in Heroku. That two-part process might be forgotten. You might have an engineer who deletes the application because it's no longer being used, or someone from finance because they realize that it's a stale application and is no longer necessary, but no one may remove the DNS record, and so now that's where the gap is.

So the next question becomes, how do we know if the Heroku application exists, and if so, how do we even know if it's owned by us? Well, simply put, an application no longer exists, at least for Heroku, if you go to it and it returns a screen that looks like this, where it says "there's nothing here yet". If you were to do a request directly to the application, you would receive a non-200 response. If we wanted to automate this by going through all of our CNAME records for Heroku and any other of those providers that we listed, you could technically do that as a way to determine whether or not it's worth looking into a little bit more. But again, the difficulty is that if the application did exist, we may not necessarily even know if we own it or if it's been taken over by someone else, and that's the real scary part about subdomain takeovers. Because you have applications that live in Heroku that can be reused, but you have your DNS that is simply just a pointer to Heroku, you have a little bit of a struggle. You really need to check both Heroku and your DNS to make sure that the application exists and the record exists, or the application doesn't exist and the record is removed and no longer exists.

So let's get into the nitty-gritty and do the takeover. So very simply put, I created a Heroku account, I moved forward and created a new application, and in Heroku I just said, hey, I am very interested in taking auth0-slack-logger, I'd like that app name please. And they said, yeah, no problem, and therefore I'll take that and create an application on my behalf. Now that we own the app, we will see here in our Heroku dashboard for that application that the app that I own now can be accessed at auth0-slack-logger.herokuapp.com. And when we go back to the CNAME record that Auth0 is currently managing and has set up, well, slack-logger.it.auth0.com just simply points to what is now my application. So what's great is I've essentially now taken over this app, and at Auth0, whether they notice it or not, and most likely, as we mentioned before, they won't notice, I now have control over what will show up as an auth0.com subdomain.

Now, what we need to remember from what we learned from DNS is, when we go to auth0-slack-logger, this is now a domain that needs to be resolved to an IP address. So now that I've created this application, it will still take a little bit of time for Heroku to create all of the necessary records such that it resolves to my application. Let's take a look at that a little bit more. If I check slack-logger.it.auth0.com, as we mentioned, there is a CNAME record, but now what we do is we wait, because Heroku is now defining the way that you can actually go to my application. So while Heroku is doing that and getting that set up and making sure that this is deployed to the public for DNS to be able to pick up, we're ready to deploy something. So I just thought, for the sake of simplicity, what I would do is deploy a simple PHP app, and all I did was create an HTML default page that would load and it would just say "subdomain taken over". And I deployed it, and lo and behold, that was the case at slack-logger.it.auth0.com. I now was able to take over and manage whatever showed up here.

So there we go. We saw a very straightforward example of how we could take over using CNAME-type subdomain takeovers on providers that allow for the reuse of applications. The way that I just deployed a simple page is very, very straightforward, but let's think about the type of damage that can be done using subdomain takeovers. One, you have general brand damage. What if I went to social media, Twitter, etc., and just showed my pwnage of Auth0 and being able to take over one of their subdomains? What if I managed to use that as a phishing campaign? I mean, I do control an auth0.com subdomain now, and so there are definitely ways to get creative. I could create a replica Auth0 login page, request details for logging in and signing up that I can now store. And I could even take this a step further: if I wanted to understand what slack-logger was doing, I might be able to listen in to attempt to find services that may still be relying on the subdomain, and this could lead to further potential attacks.

What's really interesting here is that these subdomain takeovers are vulnerabilities that are rewarded via bug bounty, and these subdomain takeovers have been found and continue to be found across a large number of websites. Apple, Microsoft, Starbucks are some examples on HackerOne that have paid out closer to the five thousand dollar range for subdomain takeovers on very important domains, or they've led to further attacks where services rely on that subdomain still and there are ways for attackers to continue to do other steps and other attacks.

Now, last but not least, the really important part here is how do we prevent this. At the end of the day there's no magic tool for prevention. It's really about having a process in place for reviewing, adding and removing DNS entries. As we said, we want to make sure that when an application is removed in Heroku, any matching record in our DNS is also removed. So things to ask for your organization, or even for any DNS that you manage, whether it be for your website: are you reviewing your entries regularly? Again, when you remove an application on a provider, are you checking your DNS entry? Do you check dig, as we saw in one of the previous screenshots, to see what DNS is returned, to make sure that it's no longer pointing to Heroku or that third-party application? And also, as we mentioned before, you could create a tool that scanned your CNAME records and went to them and determined whether or not they returned a 200 response or not, and if they didn't, that could be an alert for you to look into further.

So I hope this was a great opportunity for you to get a little bit of insight into subdomain takeovers and hopefully demystify it. Subdomain takeovers are very easy to find, relatively easy to exploit, and very easy, with some process, to prevent. The CNAME record, as I mentioned, is one type of subdomain takeover; there is another type called a name server takeover, which I will be sure to share the details of in our Discord channel if you're interested in learning a little bit more. But at the end of the day, I hope that you were able to take away how to detect, exploit and prevent CNAME subdomain takeovers. Thank you all for your time. Take care.

Awesome, thank you very much for the talk. Thanks, Matt. Thanks. Doesn't look like we have any questions just yet. Okay. So if you want to hop on over, there's people talking about responses there, their favorite response type, I guess. Yeah, I'll let you hop over there. Perfect, again, hop on there.
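As an added example, not code from the talk or from Auth0, here is the CNAME audit the speaker suggests in the prevention section: parse a zone excerpt, keep only targets at providers that recycle identifiers, and flag any target that does not answer 200. The example.com zone, the record names and the canned responses are constructed; the status checker is injectable, so the script runs offline, and the `live_http_status` helper is an assumption about how you would wire it to real HTTP.

```python
"""Dangling-CNAME audit: flag aliases at name-recycling providers that no longer answer 200."""
from typing import Callable, Dict, List, Optional

# Providers named in the talk that let a released app/site name be claimed again.
REUSABLE_PROVIDER_SUFFIXES = (".herokuapp.com", ".wordpress.com")

# Constructed zone-file excerpt (example.com owners and targets are made up for this demo).
SAMPLE_ZONE = """
slack-logger.it.example.com.  300  IN  CNAME  auth0-slack-logger.herokuapp.com.
blog.example.com.             300  IN  CNAME  exampleblog.wordpress.com.
www.example.com.              300  IN  A      192.0.2.10
app.example.com.              300  IN  CNAME  app-cinnamon-12.herokuapp.com.
"""

# Constructed responses standing in for the network: 404 is the provider's
# "there's nothing here yet" page, None means the target did not resolve at all.
CONSTRUCTED_RESPONSES: Dict[str, Optional[int]] = {
    "auth0-slack-logger.herokuapp.com": 404,
    "exampleblog.wordpress.com": 200,
    "app-cinnamon-12.herokuapp.com": None,
}

def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME record in a zone-file excerpt."""
    records: Dict[str, str] = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            records[fields[0].rstrip(".")] = fields[4].rstrip(".")
    return records

def reusable_provider(target: str) -> Optional[str]:
    """Name the recycling provider a CNAME target points at, or None if it is not one."""
    for suffix in REUSABLE_PROVIDER_SUFFIXES:
        if target.endswith(suffix):
            return suffix.lstrip(".")
    return None

def find_dangling(zone_text: str, http_status: Callable[[str], Optional[int]]) -> List[dict]:
    """Flag CNAMEs at a reusable provider whose target does not answer 200.
    A 200 only proves *something* is deployed there, not that it is yours:
    the talk's point is that the record and the provider app must both be checked."""
    findings = []
    for owner, target in parse_cnames(zone_text).items():
        provider = reusable_provider(target)
        if provider is None:
            continue  # not a provider known to recycle identifiers; out of scope here
        status = http_status(target)
        if status != 200:
            findings.append({"owner": owner, "target": target, "provider": provider, "status": status})
    return findings

def live_http_status(target: str, timeout: float = 5.0) -> Optional[int]:
    """Assumed real checker: GET https://<target>/ and report the status (None if unreachable)."""
    import urllib.error, urllib.request
    try:
        with urllib.request.urlopen(f"https://{target}/", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. the provider's non-200 "nothing here yet" page
    except (urllib.error.URLError, OSError):
        return None  # name does not resolve or the connection failed

if __name__ == "__main__":
    for finding in find_dangling(SAMPLE_ZONE, lambda t: CONSTRUCTED_RESPONSES.get(t)):
        print(f"ALERT {finding['owner']} -> {finding['target']} ({finding['provider']}, status={finding['status']})")
```

Replace the lambda with `live_http_status` to run it against your own zone export; every line printed is a record to review against the provider before deciding whether to delete it.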