Subdomain Takeover (SDTO) Attack and Bug Bounty Scanning Resources

Check and mate.

Subdomain Takeover (SDTO) attacks are popular because they are easy to exploit and inherently severe. Essentially they take advantage of forgotten, uncommitted or mismanaged CNAME records that point from a victim domain or subdomain to another domain or subdomain that has either expired and become available for registration, or once hosted a service that has since lapsed and been deactivated by a still-operating provider, who then makes the target address available for re-use, including by malicious actors. Controlling a subdomain on a target domain provides access and capabilities too numerous to list here, but they start at session hijacking (cookie theft) and run the gamut from there.

The ideal lapsed endpoints belong to still-running service providers and take the form of web hosts, cloud service providers, content delivery networks, reverse proxy and DoS protection services, and countless SaaS and free web apps that are individualized per company or organization and served up or validated at registration, periodically re-authenticated, etc., at an address under the victim's own subdomain. This includes applications like mass mailing services, analytics platforms, ad managers, blog services, online stores and virtually anything else you can think of.

Additional details and demonstrations that I have found particularly useful, each with something unique to teach about the topic, can be found at the pages in the following curated list:

At the time of writing the list above only contains links to articles with general information; check back as I begin to implement automated scanning and exploitation and start uncovering new instances of this vulnerability on my own.

Bug bounty hunters and malicious actors alike automatically scan the web to uncover easy targets. The biggest part of doing this successfully is maintaining a list of popular products and service endpoints to scan for (or to leverage legitimately for the benefit of your own entrepreneurial endeavors... just... don't leave the keys in the ignition when you're done with them...). In particular we want to focus on providers that are squatting or parking a domain but will allow us to purchase the whole domain outright, OR SaaS/web applications and hosting providers that: 1) are still operational, 2) allow previously registered URLs to be registered again in the same location, and 3) provide an easy way to upload or manipulate content at that location. As usual, this is a living list that I maintain for personal use and share with you; expect continuous updates, so check back now and then and be sure to update your copy if you end up using it for anything. It would also be great to hear from you in the Telegram group.
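The same CNAME-chasing logic works from the defender's side as an audit of your own zone. The following is an added example, not code from this post or from any tool it links to: it walks the CNAME chain of every record in a constructed DNS snapshot (the names and addresses are invented; a name absent from the dict stands for NXDOMAIN) and reports records whose chain ends nowhere or loops. A chain that resolves but lands on a provider where the tenant account has lapsed (the second scenario above) still needs an application-level check, which this offline snippet does not attempt.

```python
"""Dangling-CNAME audit over a constructed DNS snapshot (added example)."""
from typing import Dict, List, Tuple

# Constructed snapshot of what a resolver would return: name -> [(rrtype, value)].
# A name missing from the dict stands for NXDOMAIN (the target no longer exists).
SNAPSHOT: Dict[str, List[Tuple[str, str]]] = {
    "www.example.com.": [("A", "203.0.113.10")],
    "blog.example.com.": [("CNAME", "example-blog.hostingtenant.example.")],
    "example-blog.hostingtenant.example.": [("A", "198.51.100.7")],   # healthy
    "promo.example.com.": [("CNAME", "promo-site.old-vendor.example.")],  # target gone
    "cdn.example.com.": [("CNAME", "a.cdn.example.")],
    "a.cdn.example.": [("CNAME", "b.cdn.example.")],
    "b.cdn.example.": [("CNAME", "a.cdn.example.")],                   # loop
}

MAX_CHAIN = 8  # resolvers cap CNAME depth; treat anything longer as broken


def resolve_chain(name: str, snapshot: Dict[str, List[Tuple[str, str]]]):
    """Follow CNAMEs from `name`. Returns (status, chain) with status one of
    'resolved' (chain ends at a name with non-CNAME data), 'nxdomain', or 'loop'."""
    chain, seen = [name], {name}
    while True:
        records = snapshot.get(chain[-1])
        if records is None:
            return "nxdomain", chain           # last hop does not exist: takeover candidate
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return "resolved", chain
        nxt = cnames[0]
        if nxt in seen or len(chain) >= MAX_CHAIN:
            return "loop", chain + [nxt]
        seen.add(nxt)
        chain.append(nxt)


def find_dangling(snapshot, zone: str):
    """Return {name: (status, last_hop)} for CNAME records under `zone` that do not resolve."""
    findings = {}
    for name, records in snapshot.items():
        if not name.endswith("." + zone) or not any(t == "CNAME" for t, _ in records):
            continue
        status, chain = resolve_chain(name, snapshot)
        if status != "resolved":
            findings[name] = (status, chain[-1])
    return findings


if __name__ == "__main__":
    for owner, (status, last_hop) in find_dangling(SNAPSHOT, "example.com.").items():
        print(f"{owner}\t{status}\tlast hop: {last_hop}")
```

Swapping `SNAPSHOT` for live lookups (for example with dnspython) turns this into a periodic check that alerts when a record you own starts pointing at a name nobody answers for.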
