Subdomain Takeover

Description

Subdomain takeover is a class of security issue in which an attacker gains control of the content served under one of an organization's subdomains by claiming a resource at a third-party cloud service such as GitHub (Pages), AWS (for example an S3 bucket) or Azure. It typically happens when the third-party resource is deleted or never claimed, but the DNS record that points at it (most often a CNAME, sometimes an A or NS record) is left in place: the record is now "dangling", and whoever registers that resource name at the provider receives the traffic for the subdomain.

Because the attacker's content is served from the organization's own domain, browsers and users treat it as first-party. Depending on what the third-party provider lets the attacker serve (static HTML, scripts, a TLS certificate for the hostname), this enables:

  • cross-site scripting in the context of the subdomain, and of any page that loads scripts from it
  • phishing pages on a legitimate-looking hostname of the organization
  • stealing broadly scoped cookies, i.e. cookies set with Domain=example.com, which the browser sends to every subdomain including the attacker's
  • clickjacking of pages whose framing policy (for example CSP frame-ancestors) allows the whole *.example.com

Recommendation

  • Remove the dangling DNS record, or reclaim the resource it points to, as part of decommissioning the third-party service, not afterwards; add the DNS cleanup to the service's offboarding checklist.
  • Regularly audit your DNS inventory: for every subdomain, confirm it is still in use and that the resource it resolves to is still under your control.
  • Choose providers that verify domain ownership (for example through a TXT record) before binding a custom domain to a resource, so that a dangling record cannot simply be claimed by the next customer.
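The inventory audit in the second recommendation can be automated. The following script is an added example, not code from the original page: it takes an export of your own zone (subdomain to CNAME target), and flags two takeover signals: the target no longer resolves (NXDOMAIN), or the target belongs to a provider whose "unclaimed resource" error page shows up when the subdomain is fetched. The resolver and HTTP fetcher are injectable, so the demo runs offline against a constructed zone; the default implementations use the network. The zone names, the hosting name `retired-service.example.net` and the sample response bodies are constructed; the two fingerprint strings are the well-known GitHub Pages and S3 error texts, and any provider you add to the table is an assumption you should verify against a real unclaimed resource.

```python
"""Dangling-CNAME inventory check (added example, not the page's own code)."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# CNAME target suffix -> substring of the provider's "unclaimed resource" page.
# These two are the GitHub Pages and AWS S3 error texts; entries you add are
# assumptions until checked against a real unclaimed resource.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here.",
    "amazonaws.com": "NoSuchBucket",
}


@dataclass
class Finding:
    subdomain: str
    target: str   # CNAME target from our zone, normalised
    reason: str   # "nxdomain" or "fingerprint:<provider suffix>"


def resolve_default(name: str) -> bool:
    """True if the name has an address record. gaierror also covers transient
    failures, so re-check an 'nxdomain' finding before acting on it."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def fetch_default(url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch up to 64 KiB of the body. Error pages (404) carry the fingerprint,
    so an HTTPError body is returned rather than discarded."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def provider_for(target: str) -> Optional[str]:
    """Return the matching FINGERPRINTS key for a CNAME target, if any."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def check_zone(
    zone: dict[str, str],
    resolve: Callable[[str], bool] = resolve_default,
    fetch: Callable[[str], Optional[str]] = fetch_default,
) -> list[Finding]:
    """zone maps each of our subdomains to the CNAME target in our DNS."""
    findings: list[Finding] = []
    for sub, raw_target in zone.items():
        target = raw_target.rstrip(".").lower()
        if not resolve(target):
            findings.append(Finding(sub, target, "nxdomain"))
            continue
        provider = provider_for(target)
        if provider is None:
            continue
        # Fetch through our own hostname: the provider routes on the Host header,
        # so this is where an unclaimed-resource page would be served.
        body = fetch(f"http://{sub}/") or ""
        if FINGERPRINTS[provider] in body:
            findings.append(Finding(sub, target, f"fingerprint:{provider}"))
    return findings


# Constructed sample zone and fake network answers for an offline run.
DEMO_ZONE = {
    "blog.example.com": "example.github.io.",                   # unclaimed Pages site
    "assets.example.com": "assets-example.s3.amazonaws.com",    # bucket still ours
    "old-app.example.com": "retired-service.example.net",       # target gone
    "www.example.com": "example.com",                           # no third party
}
DEMO_EXISTING = {"example.github.io", "assets-example.s3.amazonaws.com", "example.com"}
DEMO_BODIES = {
    "http://blog.example.com/": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "http://assets.example.com/": "<html><body>company assets</body></html>",
}


def demo() -> list[Finding]:
    return check_zone(DEMO_ZONE, resolve=lambda n: n in DEMO_EXISTING, fetch=DEMO_BODIES.get)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.subdomain} -> {f.target}: {f.reason}")
```

Run it against a real zone by calling `check_zone` with the defaults and a dict exported from your DNS provider. A wildcard-resolving provider (GitHub Pages, S3) never produces an NXDOMAIN signal, which is why the fingerprint check exists; conversely, a target that resolves but is not in the fingerprint table is not proven safe, only unchecked.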

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_3
    • REQ_11_3