Subdomain takeover or subdomain hijacking refers to a technique by which "unused" subdomains can be made to point to a location of the attacker's choice.
Technically, you could call it "domain hijacking," but that term has a broader meaning with the default connotation being a domain name's registration being overtaken by an attacker.
Now, this is clearly problematic. If an attacker could show their webpage in lieu of
subdomain.yoursite.comBut how could this be?
If you own
example.comSubdomain hijacking has to do with domains not currently in use. In other words, you created a subdomain and set its DNS record to point to a shared hosting account (which, by the way, includes services like, Amazon AWS, Azure, Tumblr, GitHub Gist pages, blogs, and other hosting platforms).
Later on, you deleted the hosted set up on the shared hosting end, but forgot to remove the DNS entry pointing to the shared hosting account.
Under normal circumstances, your subdomain would be unreachable and won't show up anything. No harm done:
Shared for One, Shared for All
The problem arises when an attacker is able to also set up an account on the same shared hosting provider.
After all, as the name implies, a "shared hosting" service is shared among many customers, and the same server is open to multiple parties for use, and abuse.
Prior to letting you add a domain to a hosting account, most hosting providers do validate if a domain's DNS points to them correctly - I can at least speak for cPanel-powered shared hosts. But they typically skip validating the domain ownership (which can be a time-consuming process in some cases or just puts an additional hurdle for the honest customer).
If your
subdomain.example.comsubdomain.example.comIn case of subdomain hijacking, an attacker would typically not have the power to alter DNS records set up by you.
Instead, by simply, adding the subdomain to their hosting account hosted on the same IP as your subdomain, would now redirect visitors to their web root directory.
Whereas, previously your subdomain would've been unreachable, accessing it now would show the attacker's landing pages. Subdomain successfully hijacked!
Notable Case Study: Snapchat
Not too long ago, this happened when Snapchat was undergoing a branding makeover, transitioning to a shorter name, "Snap."
They had removed their Tumblr blog but forgot to reroute (or remove altogether) the DNS entry for
blog.snapchat.comAn actor who could create a Tumblr blog could simply use the subdomain takeover trick to point Snap's dangling subdomain to their Tumblr!
Security researcher Jake Reynolds wasted no time in responsibly reporting this domain to the company with an innocuous demonstration of how this scenario could've been exploited by phishers:
Rather, in Snapchat's case it was a case of domain hijacking!
The
blog.snapchat.comsnapchat-blog.comReynolds was therefore able to link this "custom domain" to his Tumblr account, after Snapchat had deleted their Tumblr.
With no other accounts on Tumblr using the domain, Tumblr let Reynolds "reuse" this domain, thereby leading to a successful hijacking.
Pentesting and Recon(naissance) Tools
Preventing subdomain hijacking is simple. It doesn't hurt to validate your DNS records from time to time. As an example, here are the DNS records for my
axsharma.comOf course, unlike with my personal website, a DNS zone file of a real-world corporation with several AWS buckets, for example, would be massive. So auditing DNS records manually is error-prone and impractical.
Thankfully, pentesting and recon tools exist which can help you identify subdomains which can be taken over.
One such tool I've enjoyed over the last few years is aquatone. Created by security researcher Michael Henriksen, the "domain flyover" tool has undergone a lot of improvements and iterations.
Aquatone provides an easy way to both lookup dangling DNS entries for subdomains, and predict if these subdomains are vulnerable to being hijacked.
A blog post provided by HackerOne further lists tools, tips and tricks on automating the overall workflow.
One such tool, Altdns offers an effective way of brute-forcing vulnerable subdomain too:
"In order to recursively brute force subdomains, take a look at Shubham Shah's Altdns script. Running your custom word list after fingerprinting a target through Altdns can be extremely rewarding. I like to use Altdns to generate word lists to then run through other tools."
Practicing regular DNS audits and frequently assessing your hosting infrastructure to unmask dangling subdomains before they become problematic can save your company's reputation from phishing attacks.
Warning: only use these tools for security research purposes and for sites that you have permission to use them on, either via a professional engagement, or as a part of their bug bounty program.
© 2020. Ax Sharma. All Rights Reserved. Originally produced for Hacker Noon.