Cloudapp

Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. This article describes the common security threat of subdomain takeover and the steps you can take to mitigate it.

A subdomain takeover can occur when you have a DNS record that points to a deprovisioned Azure resource. Such DNS records are also known as "dangling DNS" entries. CNAME records are especially vulnerable to this threat. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity.

A common scenario for a subdomain takeover:

1. You provision an Azure resource with a fully qualified domain name (FQDN) of .
2. You assign a CNAME record in your DNS zone with the subdomain that routes traffic to your Azure resource.
3. The Azure resource is deprovisioned or deleted after it is no longer needed. At this point, the CNAME record should be removed from your DNS zone. If the CNAME record isn't removed, it's advertised as an active domain but doesn't route traffic to an active Azure resource. This is the definition of a "dangling" DNS record.
4. The dangling subdomain, , is now vulnerable and can be taken over by being assigned to another Azure subscription's resource.
5. Using commonly available methods and tools, a threat actor discovers the dangling subdomain.
6. The threat actor provisions an Azure resource with the same FQDN as the resource you previously controlled.
7. Traffic sent to the subdomain is now routed to the malicious actor's resource, where they control the content.

When a DNS record points to a resource that isn't available, the record itself should have been removed from your DNS zone. If it hasn't been deleted, it's a "dangling DNS" record and creates the possibility for subdomain takeover.

Dangling DNS entries make it possible for threat actors to take control of the associated DNS name to host a malicious website or service. Malicious pages and services on an organization's subdomain might result in:

- Loss of control over the content of the subdomain - Negative press about your organization's inability to secure its content, as well as brand damage and loss of trust.
- Cookie harvesting from unsuspecting visitors - It's common for web apps to expose session cookies to subdomains (*.), so any subdomain can access them. Threat actors can use subdomain takeover to build an authentic-looking page, trick unsuspecting users into visiting it, and harvest their cookies (even secure cookies). A common misconception is that using SSL certificates protects your site, and your users' cookies, from a takeover. However, a threat actor can use the hijacked subdomain to apply for and receive a valid SSL certificate. Valid SSL certificates grant them access to secure cookies and can further increase the perceived legitimacy of the malicious site.
- Phishing campaigns - Authentic-looking subdomains might be used in phishing campaigns.
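As an added example (not code from the original article or from Microsoft), the following Python check looks for the dangling-CNAME condition described above: it takes (subdomain, CNAME target) pairs from a zone export and reports Azure-hosted targets that no longer resolve. The suffix list, the sample records and the offline resolver are constructed assumptions.

```python
"""Audit exported CNAME records for dangling targets in Azure-managed zones.
Constructed example; the zone data and resolver below are stand-ins."""
import socket

# Azure DNS suffixes whose labels are first come, first served: once the
# target stops resolving, another subscription can claim the same FQDN.
AZURE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.net", ".cloudapp.azure.com",
    ".blob.core.windows.net", ".trafficmanager.net", ".azurefd.net",
)

def classify(target, resolver=socket.gethostbyname):
    """Return 'not-azure', 'ok' or 'dangling' for one CNAME target.
    Only NXDOMAIN is treated as dangling; a target that still resolves but
    serves a provider error page needs a separate HTTP check."""
    target = target.rstrip(".").lower()
    if not target.endswith(AZURE_SUFFIXES):
        return "not-azure"
    try:
        resolver(target)
        return "ok"
    except socket.gaierror:  # NXDOMAIN: the FQDN is unclaimed and re-registrable
        return "dangling"

def audit_cnames(records, resolver=socket.gethostbyname):
    """Map each (subdomain, cname_target) pair to its status."""
    return {name: classify(target, resolver) for name, target in records}

def dangling_names(records, resolver=socket.gethostbyname):
    """Subdomains whose CNAME should have been deleted from the zone."""
    return [n for n, s in audit_cnames(records, resolver).items() if s == "dangling"]

# Constructed zone export with placeholder names (not from the article).
SAMPLE_RECORDS = [
    ("greatapp.example.com", "app-example-dev-001.azurewebsites.net."),
    ("www.example.com", "www-prod.azurewebsites.net."),
    ("mail.example.com", "mail.example.net."),
]

def fake_resolver(host):
    """Offline stand-in for DNS: only the production App Service still exists."""
    if host == "www-prod.azurewebsites.net":
        return "203.0.113.10"
    raise socket.gaierror(f"{host}: NXDOMAIN")

if __name__ == "__main__":
    for name, status in audit_cnames(SAMPLE_RECORDS, fake_resolver).items():
        print(f"{name:22} {status}")
```

Against a real zone, drop the fake resolver so the default socket.gethostbyname is used; every record reported as dangling is one to delete from the zone now, before another subscription claims the name.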