Configuration Management / Subdomain Takeover

Web and API

Description

Subdomain Takeover is a vulnerability that occurs when a DNS record for a subdomain (for example subdomain.example.com) still points to an external service (Azure, Heroku, GitHub Pages and similar) whose resource has been deleted or released, while the resource name at that provider can be registered again by anyone. Such a record is said to be dangling: an attacker who claims the released name under their own account then controls what is served under the organisation's subdomain. This catalogue files the issue under "Configuration Management" and marks it as affecting "Web and API" (tagged CWE-200: Information Exposure).

Risk

Because the attacker controls what the subdomain serves, and the subdomain carries the organisation's domain name and can obtain a valid TLS certificate for it, a takeover can be used to host convincing phishing pages, to read or set cookies scoped to the parent domain, to satisfy origin allow-lists (CORS, CSP, OAuth redirect URIs) that trust *.example.com, and to collect any secrets, such as API keys or tokens, that clients, scripts or integrations still send to that hostname. The severity depends on which services trust the subdomain and what data reaches it: a takeover of a hostname to which browsers, mobile apps or partner integrations still send credentials gives the attacker a route into other services and amounts to a serious breach.

Solution

The best defence is an inventory of every DNS record that points at an external service (CNAME records, A/AAAA records to provider-owned addresses, and NS records delegated to a provider), each tied to the team and resource that owns it. When a service is decommissioned, remove or repoint the DNS record before the resource is released, never afterwards, and re-check existing records periodically for targets that no longer resolve or that answer with a provider's "unclaimed" page. Reduce the blast radius as well: do not set session cookies on the parent domain unless a subdomain genuinely needs them, avoid wildcard entries in CORS and OAuth redirect allow-lists, and do not assume that API keys or tokens sent to a subdomain remain confidential if that subdomain could be reclaimed.
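The following audit script is an added example for the mechanism described above and for the periodic re-check recommended in the solution; it is not code from the original page or from any scanner. It follows each subdomain's CNAME and flags two dangling patterns: a target that still resolves but serves a provider's "unclaimed" page, and a target that no longer resolves on a provider that reissues hostnames. All hostnames and HTTP responses are constructed sample data, the lookups are injected as functions so it runs offline (replace them with dnspython and requests for a real zone), and the provider fingerprints and suffix lists are illustrative assumptions to be verified against each provider.

```python
"""Dangling-CNAME audit (added example; not part of the original page).

Walks a list of subdomains, follows each CNAME and flags records that point
at a de-provisioned external service. DNS and HTTP lookups are injected as
functions so the example runs offline against constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# --- Constructed sample data (not real records) --------------------------------
SAMPLE_CNAMES = {
    "blog.example.com":   "example-blog.github.io",
    "app.example.com":    "old-app.herokuapp.com",
    "legacy.example.com": "legacy-vm.westeurope.cloudapp.azure.com",
    "www.example.com":    "example.cdn.example.net",
    "mail.example.com":   None,  # plain A record, no CNAME to follow
}
# Targets the sample resolver still answers for; everything else is NXDOMAIN.
SAMPLE_RESOLVABLE = {"example-blog.github.io", "old-app.herokuapp.com",
                     "example.cdn.example.net"}
# (status, body) that each subdomain serves over HTTP in the sample.
SAMPLE_HTTP = {
    "blog.example.com": (404, "There isn't a GitHub Pages site here."),
    "app.example.com":  (404, "No such app"),
    "www.example.com":  (200, "<html>welcome</html>"),
}

# --- Provider knowledge (illustrative assumptions; verify per provider) --------
# Services whose live target answers with a recognisable "unclaimed" page.
BODY_FINGERPRINTS = {
    ".github.io":     "There isn't a GitHub Pages site here",
    ".herokuapp.com": "No such app",
}
# Services where the signal is NXDOMAIN on a hostname anyone can register again.
NXDOMAIN_SUFFIXES = (".cloudapp.azure.com", ".azurewebsites.net",
                     ".trafficmanager.net")


@dataclass
class Finding:
    subdomain: str
    target: str
    reason: str


def check_subdomain(sub: str,
                    cname: Callable[[str], Optional[str]],
                    resolves: Callable[[str], bool],
                    fetch: Callable[[str], tuple[int, str]]) -> Optional[Finding]:
    """Return a Finding if `sub` looks takeover-able, otherwise None."""
    target = cname(sub)
    if target is None:
        return None                      # no CNAME, nothing to dangle
    if not resolves(target):
        # Dangling either way; only some providers let the name be re-registered.
        if target.endswith(NXDOMAIN_SUFFIXES):
            return Finding(sub, target, "target NXDOMAIN on a provider that reissues hostnames")
        return Finding(sub, target, "target NXDOMAIN (dangling record, check whether reclaimable)")
    status, body = fetch(sub)
    for suffix, marker in BODY_FINGERPRINTS.items():
        if target.endswith(suffix) and marker in body:
            return Finding(sub, target, f"HTTP {status}: unclaimed-resource page for {suffix}")
    return None


def audit(subdomains, cname, resolves, fetch) -> list[Finding]:
    """Run check_subdomain over every name and collect the findings."""
    findings = []
    for sub in subdomains:
        finding = check_subdomain(sub, cname, resolves, fetch)
        if finding:
            findings.append(finding)
    return findings


def audit_sample() -> list[Finding]:
    """Audit the constructed zone with lookups backed by the sample tables."""
    return audit(
        sorted(SAMPLE_CNAMES),
        cname=SAMPLE_CNAMES.get,
        resolves=lambda host: host in SAMPLE_RESOLVABLE,
        fetch=lambda host: SAMPLE_HTTP.get(host, (0, "")),
    )


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.subdomain} -> {f.target}: {f.reason}")
```

On the sample zone the audit flags app, blog and legacy and leaves www and mail alone. Keep the two signals separate when triaging: a fingerprint match on a live target is exploitable now, whereas an NXDOMAIN target is only exploitable if the provider lets the name be registered again, which is why the script distinguishes the two reasons instead of treating every dead CNAME as a confirmed takeover.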

Example

The example cited here is CVE-2020-16921, in which a subdomain was left pointing at a discontinued Microsoft Azure resource. Because the DNS record remained in place after the resource was gone, the subdomain resolved to a name nobody owned, and such a dangling record can be exploited by an attacker who claims the released name and serves their own content under it.
