Hostile Subdomain Takeover using Heroku/Github/Desk + more

Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, and affects at least 17 large service providers and multiple domains. Find out if you are one of them by using our quick tool, or go through your DNS-entries and remove all which are active and unused OR pointing to External Services which you do not use anymore.

The team at Detectify has recently identified a serious attack vector resulting from a widespread DNS misconfiguration. The misconfiguration allows an attacker to take full control over subdomains pointing to providers such as Heroku, Github, Bitbucket, Desk, Squarespace and Shopify.

Attack Scenario

Your company starts using a new service, e.g. an external Support Ticketing-service.

Your company points a subdomain to the Support Ticketing-service, e.g. support.your-domain.com

Your company stops using this service but does not remove the subdomain redirection pointing to the ticketing system.

Attacker signs up for the Service and claims the domain as theirs. No verification is done by the Service Provider, and the DNS-setup is already correctly set up.

Attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts), cookies and/or completely destroy business credibility for your company.

Three things that make this scenario dangerous

It’s SUPER easy. Sign up for a new account and claim the domain. Done.

It’s completely hidden. The Domain Owner won’t notice. The attacker won’t leave any traces for the Domain Owner. Good luck monitoring this in an IDS!

The Service Provider is unlikely to be able to fix this in a feasible way.

Now if this wasn’t bad enough, imagine this scenario:

A Domain Owner points their * (wildcard) DNS-entry to e.g. Heroku.

They forget to add the wildcard-entry to their Heroku-app.

Attacker can now claim any subdomain they want from the Domain Owner.

A Domain Owner will be unaware of the subdomain being exploited.

Technical Details

This attack vector utilizes DNS-entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own.

In the not so rare case, the attacker can also “inherit” the Domain Owner’s Wildcard SSL certificate used inside the Service Provider.

Here’s an example of a DNS-entry that could be used for this attack:

If x.example.com has no service attached to it, the subdomain could be taken over by an attacker. Below are examples of how some of the services will indicate the existence of this vulnerability:

Affected Service Providers and Domain Owners

We’ve identified at least 17 Service Providers which do not handle the subdomain ownership verification properly, allowing this vulnerability to be exploited: Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr.

We’ve also identified at least 200 organizations which are currently affected. In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains that basically allowed us to set up a Hello World on their domains.

We have notified both the affected Service Providers as well as the Domain Owners under responsible disclosure programs.

Recommendations

Check your DNS-configuration for subdomains pointing to services not in use.

Set up your external service so it fully listens to your wildcard DNS. In Heroku’s case, this means running the following command for your App: heroku domains:add *.example.com

Our best advice to this is to keep your DNS-entries constantly vetted and restricted.
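The following script is an added example, not Detectify's quick test, of the check recommended above: it walks a zone's CNAME records and flags every one that points at an external provider without a matching custom-domain claim on the provider side, including the wildcard DNS case described earlier (a `*` record is only safe if the provider has a `*.example.com` claim). The provider suffixes, zone records and claimed-domain list are all constructed for the example.

```python
# Added example (not Detectify's tool): flag DNS records that point at an
# external provider without a matching custom-domain claim on that provider.
from typing import Iterable

# Assumed provider suffixes for CNAME targets; extend with your own providers.
PROVIDER_SUFFIXES = ("herokuapp.com", "github.io")


def _fqdn(name: str, zone: str) -> str:
    """Turn a zone-relative owner name ('support', '*', '@') into an FQDN."""
    return zone if name == "@" else f"{name}.{zone}"


def _points_to_provider(target: str) -> bool:
    """True if the CNAME target lives under one of the provider suffixes."""
    target = target.rstrip(".")
    return any(target == s or target.endswith("." + s) for s in PROVIDER_SUFFIXES)


def _covered(fqdn: str, claimed: set[str]) -> bool:
    """True if the provider already has this host: exact or wildcard claim."""
    if fqdn in claimed:
        return True
    if fqdn.startswith("*."):
        return False  # a wildcard DNS entry needs an explicit wildcard claim
    parent = fqdn.split(".", 1)[1]
    return f"*.{parent}" in claimed


def dangling_entries(zone: str, records: Iterable[tuple[str, str, str]],
                     claimed: set[str]) -> list[str]:
    """Return FQDNs whose CNAME targets a provider but is not claimed there."""
    dangling = []
    for name, rtype, target in records:
        if rtype != "CNAME" or not _points_to_provider(target):
            continue
        fqdn = _fqdn(name, zone)
        if not _covered(fqdn, claimed):
            dangling.append(fqdn)
    return dangling


# Constructed sample zone: 'support' was deprovisioned on the provider and
# the '*' entry was never added to the app (the wildcard scenario above).
SAMPLE_RECORDS = [
    ("www", "CNAME", "shop-prod.herokuapp.com."),
    ("support", "CNAME", "tickets-old.herokuapp.com."),
    ("*", "CNAME", "wildcard-app.herokuapp.com."),
    ("mail", "MX", "10 mx.example.com."),
]
# Constructed list of domains the provider has on record for your app.
CLAIMED = {"www.example.com"}

if __name__ == "__main__":
    for host in dangling_entries("example.com", SAMPLE_RECORDS, CLAIMED):
        print("dangling:", host)
```

Feed it your real zone export and the provider's own custom-domain list (for Heroku, the output of `heroku domains`) and every reported host is either a record to delete or a domain to claim.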

Detectify’s Red October Quick Test

We have built a simple quick test for Domain Owners.

The tool requires that you verify the ownership of the domain. This check is done to prevent malicious usage, as the attack is rather trivial and does not even require technical skills from the individual, other than signing up for a new account with the Service Provider. The test covers the most common service providers. If you find more service(s) that allow this, reach out to us and we will update the test.

Time: 2024-08-01 22:47:32
