
Subdomain Takeover

Description

Subdomain takeover attacks are a class of security issues in which an attacker seizes control of an organization's subdomain through a third-party or cloud service such as GitHub, AWS, or Azure. They commonly happen when the third-party service is no longer needed but the DNS entries pointing the subdomain at it are not cleaned up.

If an attacker controls one of your subdomains, they can carry out several kinds of attacks, depending on the third-party service provider's capabilities:

  • Cross-site scripting
  • Phishing
  • Theft of broadly scoped cookies
  • Clickjacking

Recommendation

Below are recommendations to mitigate the risk of subdomain takeover attacks:

  • Remove vulnerable subdomain: Remove the DNS record for the reported vulnerable subdomain.
  • Regularly audit and monitor subdomains: Routinely review all subdomains to ensure they are actively used and necessary.
  • Remove unused third-party services: Eliminate unnecessary third-party services to reduce the risk of subdomain takeover.
  • Choose your service provider wisely: Avoid providers with a track record of subdomain takeover issues.
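The audit recommended above can be automated as a dangling-CNAME check over a zone export: any CNAME whose final target no longer resolves (NXDOMAIN) is a takeover candidate. The script below is an added example, not part of the original page; the zone records, the hostnames and the resolution table are all constructed, and the resolver is injected so a real one (for example a dnspython lookup) can replace the table.

```python
"""Audit a DNS zone export for dangling CNAME records (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export as (name, type, value) triples; not real infrastructure.
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("blog.example.com.", "CNAME", "example.github.io."),
    ("shop.example.com.", "CNAME", "old-shop.azurewebsites.net."),
    ("files.example.com.", "CNAME", "cdn.example.com."),
    ("cdn.example.com.", "CNAME", "assets.example-cdn.net."),
]

# Constructed stand-in for live DNS: an address, or None where the
# authoritative answer would be NXDOMAIN (the service name was released).
FAKE_DNS: Dict[str, Optional[str]] = {
    "example.github.io.": "185.199.108.153",
    "old-shop.azurewebsites.net.": None,  # hosting plan deleted, name gone
    "assets.example-cdn.net.": None,      # CDN account closed
}

Resolver = Callable[[str], Optional[str]]


def table_resolver(name: str) -> Optional[str]:
    """Resolve against FAKE_DNS; unknown names are treated as NXDOMAIN."""
    return FAKE_DNS.get(name)


def resolve_chain(name: str, zone_map: Dict[str, Tuple[str, str]],
                  resolver: Resolver, max_hops: int = 8) -> Tuple[str, Optional[str]]:
    """Follow in-zone CNAMEs (bounded to break loops), then resolve the
    final target. Returns (final_target, address_or_None)."""
    hops = 0
    while name in zone_map and zone_map[name][0] == "CNAME" and hops < max_hops:
        name = zone_map[name][1]
        hops += 1
    if name in zone_map:  # chain ends on one of our own A records
        return name, zone_map[name][1]
    return name, resolver(name)


def find_dangling(zone: List[Tuple[str, str, str]],
                  resolver: Resolver) -> List[Tuple[str, str]]:
    """Return (subdomain, dangling_target) for every CNAME whose target
    does not resolve; these records should be removed or re-pointed."""
    zone_map = {n: (t, v) for n, t, v in zone}
    findings = []
    for name, rtype, _value in zone:
        if rtype != "CNAME":
            continue
        target, addr = resolve_chain(name, zone_map, resolver)
        if addr is None:
            findings.append((name, target))
    return findings
```

Chained records are followed through the organization's own zone, so files.example.com. is reported even though its direct target cdn.example.com. still exists.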

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_3
    • REQ_11_3
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5