Published: April 11, 2025

Master subdomain takeover vulnerabilities! 😎 A thread 🧡 👇

Image in tweet by Intigriti

Companies often resort to using third-party services, as it can help them reduce development time and costs while also taking advantage of the vendor's expertise in a certain industry.

Subdomain takeover vulnerabilities occur when a company's subdomain points to a third-party service that no longer exists, allowing attackers to claim that same service and control what appears on the subdomain!

For a subdomain takeover to be possible, two key conditions must be met:
• The third-party service (such as GitHub Pages, AWS S3, etc.) must not require domain verification
• The service should allow you to select your own custom subdomain name

Some services, such as HubSpot or Atlassian Status Page, take proactive measures to mitigate subdomain takeovers and require you to verify your domain. HubSpot, for example, auto-generates a random subdomain name for you under a region, which makes it impossible to take over. This will become more relevant during the exploitation phase: theoretical subdomain takeovers are often not accepted by bug bounty programs, so make sure to always include a working proof of concept in your submissions.

Now that we understand what subdomain takeovers are, we can dive deeper into the exploitation part. But before we do, if you'd like a more detailed article on identifying and exploiting subdomain takeover vulnerabilities, head over to our blog to read our most recent post! 👇 https://www.intigriti.com/rese...

Most subdomain takeover vulnerabilities can be identified with a simple DNS request (others will require you to examine the HTTP response). Tools like dig or host can help us with this task, as we simply need to check where a (sub)domain points to. Next, we must check if that service (in this case GitHub Pages) actually exists.

Image in tweet by Intigriti

If we look at the example, we can see that the engineering subdomain points to a GitHub page, which (in this example) does not seem to exist:

Image in tweet by Intigriti

To successfully exploit this subdomain takeover vulnerability, we can attempt to create a GitHub page with the same subdomain, 'example-engineering.github.io'. This community-powered resource, 'Can I takeover XYZ' on GitHub, provides detailed steps for tens of third-party services 👇 https://github.com/EdOverflow/...
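The DNS-then-HTTP check described in the last few tweets, written up as a small audit script (added example, not Intigriti's code or any tool from the thread). It parses dig-style CNAME answers, matches the target against a hypothetical sample of takeover-prone service suffixes with the "nothing configured here" fingerprint each service returns, and classifies every subdomain as dangling (target no longer resolves), unclaimed (target resolves but the service says no site is set up) or ok. All DNS lines, lookup results and bodies are constructed so it runs offline; on a real zone you would feed it the output of dig and the fetched response bodies.

```python
"""Audit CNAME records for dangling or unclaimed third-party targets.

Added example, not from the original thread. The service list below is a
hypothetical sample, not the full community-maintained list.
"""
import re

# Hypothetical sample: CNAME suffix -> text the service returns when no site is
# configured for that name (the HTTP-response check mentioned in the thread).
SERVICE_FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
}

# Constructed dig-style answer section: "<name> <ttl> IN <type> <target>"
DIG_LINES = """\
engineering.example.com. 300 IN CNAME example-engineering.github.io.
assets.example.com. 300 IN CNAME example-assets.s3.amazonaws.com.
app.example.com. 300 IN CNAME example-app.herokuapp.com.
www.example.com. 300 IN A 93.184.216.34
status.example.com. 300 IN CNAME example.statuspage.io.
"""

# Constructed lookup results: target -> (resolves?, HTTP body or None)
LOOKUPS = {
    "example-engineering.github.io": (True, "<h1>There isn't a GitHub Pages site here.</h1>"),
    "example-assets.s3.amazonaws.com": (True, "<ListBucketResult><Name>example-assets</Name></ListBucketResult>"),
    "example-app.herokuapp.com": (False, None),
    "example.statuspage.io": (True, "<html>Example status page</html>"),
}

CNAME_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+CNAME\s+(\S+?)\.?$")


def parse_cnames(text):
    """Return (name, target) pairs for CNAME answers; other record types are skipped."""
    pairs = []
    for line in text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def matching_service(target):
    """Return the known service suffix the target belongs to, or None."""
    for suffix in SERVICE_FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def classify(target, resolves, body):
    """Classify one CNAME target using the DNS result and, if needed, the HTTP body."""
    service = matching_service(target)
    if service is None:
        return "unknown-service"   # not in our list; review manually
    if not resolves:
        return "dangling"          # NXDOMAIN on a claimable service
    if body is not None and SERVICE_FINGERPRINTS[service] in body:
        return "unclaimed"         # resolves, but the service has nothing configured
    return "ok"


def audit(pairs, lookups):
    """Map each subdomain to its classification; missing lookups count as unresolved."""
    report = {}
    for name, target in pairs:
        resolves, body = lookups.get(target, (False, None))
        report[name] = classify(target, resolves, body)
    return report


if __name__ == "__main__":
    for name, verdict in audit(parse_cnames(DIG_LINES), LOOKUPS).items():
        print(f"{name:30s} {verdict}")
```

The "unknown-service" bucket is deliberate: a CNAME to a service that verifies domain ownership (the thread's HubSpot and Status Page examples) is not automatically safe to ignore, but it is not claimable by the two conditions above either, so it goes to manual review rather than being reported as a finding.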

We've successfully taken over a subdomain; now follows the exploitation phase! 😎 Generally, most bug bounty programs want you to stop once you've proven that you have taken over a subdomain, which often involves creating a hidden page with an HTML comment:

Image in tweet by Intigriti

However, if you're cleared to further escalate your current issue, you can attempt to further exploit it to:
• Leak session cookies (if any of the secure cookies have a loose cookie policy set)
• Leak OAuth/SSO tokens (via open URL redirects)
• Perform CORS attacks (if the subdomain is whitelisted)
• Perform CSRF attacks
• Bypass CSP to achieve XSS on the main domain
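Whether those escalations are possible depends on how the main domain is configured, so here is the check a defender (or a hunter writing up impact) would run over the main domain's response headers. This is an added example, not code from the thread: it flags a cookie whose Domain attribute shares it with every subdomain (the "loose cookie policy" above), a CORS policy that reflects a subdomain origin with credentials, and a CSP that trusts a wildcard over the parent domain. The parent domain example.com, both sample responses and the request origin are constructed.

```python
"""Flag main-domain response settings that a taken-over subdomain could abuse.

Added example, not from the original thread. PARENT and the sample headers
are constructed.
"""
PARENT = "example.com"


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value}); attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def host_of(origin):
    """'https://a.example.com:443' -> 'a.example.com'."""
    return origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def cookie_findings(set_cookie_values):
    """A Domain=.example.com cookie is sent to every *.example.com host, including a hijacked one."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain == PARENT:
            findings.append(f"cookie '{name}' is scoped to all subdomains (Domain={attrs['domain']})")
    return findings


def cors_findings(acao, acac, request_origin):
    """Reflecting a subdomain origin together with credentials lets that subdomain read responses."""
    if acao != request_origin:
        return []
    host = host_of(request_origin)
    if host != PARENT and host.endswith("." + PARENT) and acac.lower() == "true":
        return [f"CORS reflects subdomain origin {request_origin} with Allow-Credentials"]
    return []


def csp_findings(csp):
    """A wildcard over the parent domain in script-src (or default-src) trusts every subdomain."""
    findings = []
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0] not in ("script-src", "default-src"):
            continue
        for src in tokens[1:]:
            host = src.split("://", 1)[-1].lower()
            if host.startswith("*.") and host[2:] == PARENT:
                findings.append(f"{tokens[0]} allows scripts from {src}")
    return findings


def audit_response(headers, request_origin):
    """Run all three checks over a response; headers is a dict, Set-Cookie given as a list."""
    return (
        cookie_findings(headers.get("Set-Cookie", []))
        + cors_findings(headers.get("Access-Control-Allow-Origin", ""),
                        headers.get("Access-Control-Allow-Credentials", ""),
                        request_origin)
        + csp_findings(headers.get("Content-Security-Policy", ""))
    )


# Constructed response from the main domain to a request carrying
# "Origin: https://engineering.example.com" (the taken-over subdomain).
LOOSE_RESPONSE = {
    "Set-Cookie": [
        "session=abc123; Domain=.example.com; Secure; HttpOnly",
        "csrf=xyz; Secure; SameSite=Strict",
    ],
    "Access-Control-Allow-Origin": "https://engineering.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://*.example.com",
}

# Same response with host-only cookies, an explicit CORS allowlist and no wildcard in CSP.
HARDENED_RESPONSE = {
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax"],
    "Access-Control-Allow-Origin": "https://www.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}

if __name__ == "__main__":
    origin = "https://engineering.example.com"
    for label, resp in (("loose", LOOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp, origin) or ["no findings"])
```

The hardened variant still names one explicit subdomain in CORS and CSP; that is fine as long as that host is not itself dangling, which is exactly what the DNS audit earlier in the thread is for.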

If you'd like to dive deeper into the exploitation phase, make sure to read our detailed article available on our blog! 👇 https://www.intigriti.com/rese...

That was it! We hope you've learned something new from this thread! If you have enjoyed this thread:
1. Follow us @INTIGRITI for more of these threads! 🐛
2. Retweet the first Tweet to share it with your friends 💙
