Subdomain takeovers are not new; as a matter of fact, they have been explained many, many, many times. Yet even with a spotlight shone on this issue, tech giants such as Uber and Microsoft have felt the heat. With so much coverage, why does this continue to be a problem?
The answer is quite simple: DNS records are free, payment plans are not. When a paid SaaS is no longer needed, like an AWS S3 bucket from a dead project, it is easy to remember to cancel that service to avoid draining the account balance. The CNAME, however, is more likely to be forgotten, as there is no immediate extrinsic motivation to remove it. Unless the DevOps team actively audits zone files, this DNS record will be lost with time. The result is a subdomain that points to a third-party service no longer controlled by the owner of the root domain.
When an individual can claim this third-party service, the subdomain is practically theirs, as they can now serve arbitrary content – i.e. subdomain takeover.
To combat this issue, Rupert was developed: a tool to automatically enumerate subdomains and fingerprint them for subdomain takeovers. This program is built with Python 3 and includes a wrapper for the tool “subfinder” by ProjectDiscovery.
Using subfinder, subdomains are gathered using a variety of techniques ranging from search engine indexing to DNS dumpsters. An HTTP GET request is sent to each of these subdomains, and the response is parsed for takeover fingerprints.
Rupert is very simple, but very, very effective. A request is made to the web application, and if the response contains one of the fingerprints, it is flagged as a possible subdomain takeover. Automating this process resulted in over 1,000 unique subdomain takeovers, among them plenty of .gov’s, .edu’s, Fortune 500s, and news sites.
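The two halves of the problem described above, the forgotten CNAME in the zone file and the response fingerprint that betrays an unclaimed service, fit together in a short audit. The following is an added example written for this article, not Rupert's source code: it parses a constructed BIND-style zone fragment, flags CNAMEs that point at third-party hosting providers, and escalates a finding when a (pre-fetched, constructed) HTTP body matches that provider's unclaimed-resource fingerprint. The provider table and fingerprint patterns are assumptions drawn from widely published signatures and should be tuned for your own environment; the `fetch_body` helper is included for a live run against your own zone but is not used by the offline demo.

```python
"""Added example: a minimal dangling-CNAME audit with fingerprint matching.

Illustrative code written for this article, not Rupert's own source.
The PROVIDERS table is an assumption built from widely published
takeover signatures; extend it for the services your zone actually uses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Assumed provider table: CNAME target suffix -> (service name, regex seen in
# the HTTP response when nothing is claimed at that name).
PROVIDERS: Dict[str, Tuple[str, str]] = {
    "s3.amazonaws.com": ("AWS S3", r"NoSuchBucket"),
    "github.io": ("GitHub Pages", r"There isn't a GitHub Pages site here"),
    "herokuapp.com": ("Heroku", r"No such app"),
}

# Constructed BIND-style zone fragment standing in for a real zone file.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www          300 IN A     203.0.113.10
assets       300 IN CNAME old-project-assets.s3.amazonaws.com.
docs         300 IN CNAME example-org.github.io.
status       300 IN CNAME example-status.herokuapp.com.
mail         300 IN MX    10 mx.example.com.
"""

# Constructed HTTP bodies: assets is unclaimed (S3 error), docs still serves a
# page, status has been deleted at Heroku.
SAMPLE_RESPONSES = {
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<html><title>Project docs</title></html>",
    "status.example.com": "<title>No such app</title>",
}


@dataclass
class Finding:
    host: str
    cname: str
    service: str
    status: str  # "third_party" (needs review) or "possible_takeover"


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner FQDN, target) pairs for CNAME records in a BIND-style zone."""
    origin = ""
    out = []
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        owner, target = fields[0], fields[-1].rstrip(".")
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        out.append((fqdn, target))
    return out


def third_party_service(cname: str) -> Optional[str]:
    """Name the provider a CNAME target belongs to, or None if it is not in the table."""
    for suffix, (service, _) in PROVIDERS.items():
        if cname == suffix or cname.endswith("." + suffix):
            return service
    return None


def matches_fingerprint(cname: str, body: str) -> bool:
    """True when the body carries the unclaimed-resource fingerprint for the CNAME's provider."""
    for suffix, (_, pattern) in PROVIDERS.items():
        if (cname == suffix or cname.endswith("." + suffix)) and re.search(pattern, body):
            return True
    return False


def audit_zone(zone_text: str, responses: Dict[str, str]) -> List[Finding]:
    """Flag every third-party CNAME; escalate when its fetched body matches a fingerprint.

    `responses` maps host -> HTTP body, so the audit itself runs offline.
    """
    findings = []
    for host, cname in parse_cnames(zone_text):
        service = third_party_service(cname)
        if service is None:
            continue
        status = "possible_takeover" if matches_fingerprint(cname, responses.get(host, "")) else "third_party"
        findings.append(Finding(host, cname, service, status))
    return findings


def fetch_body(host: str, timeout: float = 5.0) -> str:
    """Live helper for auditing your own zone: GET http://host/ and return the body (error pages included)."""
    try:
        with urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:  # 4xx/5xx bodies are exactly where fingerprints live
        return err.read(65536).decode("utf-8", "replace")
    except URLError:
        return ""


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, SAMPLE_RESPONSES):
        print(f"{f.host:22} -> {f.cname:40} {f.service:13} {f.status}")
```

Every third-party CNAME is reported, not only the ones that match a fingerprint: the "third_party" findings are the records a DevOps team should be reviewing on a schedule, since they are the ones that become "possible_takeover" the day the paid plan is cancelled.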
Example domains helped by this tool:
- Jaggar Henry
- Antero Nevarez-Lira
- Donald Connors
- Evelyn Griffin