If your enterprise has a website (and one certainly would hope so in 2021!), it also has subdomains. These prefixes of your organization’s main domain name are essential for putting structural order to the content and services on your website, thus preventing online visitors from instantly fleeing in terror, disdain, or confusion.
Whatever value subdomains bring to enterprises–and they bring plenty–they present more targets for bad actors. Why, just last year the subdomains of Chevron, 3M, Warner Brothers, Honeywell, and many other large organizations were hijacked by hackers who redirected visitors to sites featuring porn, malware, online gambling, and other activities of questionable propriety.
“This has been an ongoing problem for Azure-hosted sites,” TechRadar wrote, referring back to March 2020, when exploit and vulnerability-alert service Vullnerability reported it found more than 670 vulnerable Microsoft subdomains through an automated scan. At fault, the company said, were Microsoft’s poor domain name service (DNS) practices. (Fun fact: Microsoft has an astounding 122,571 subdomains.)
Subdomain takeovers, Vullnerability wrote, can be enabled through expired hosting services or DNS misconfigurations. Once attackers have full privileges on the system after taking over the subdomain, they can upload files, create databases, monitor data traffic, and clone the main website. Worse, “it is not possible to detect that the subdomain” has been hijacked, leaving the enterprise’s system vulnerable to different types of attack.
In a new paper to be presented at the 30th USENIX Security Symposium, researchers from the Vienna University of Technology explore “related-domain” attacks and offer some tips for IT pros to protect against subdomain attacks.
In addition to DNS misconfigurations, subdomains can be exploitable if they are assigned to untrustworthy users, the paper says. “Dangling DNS records”–that is, records pointing to expired resources–can be vulnerable to being taken over by unauthorized parties. Discontinued third-party services can provide entry into a system as well.
The consequences can be even more dire, including session-hijacking attacks, session-fixation attacks, bypassing all web security, and facilitating phishing attacks, the researchers say. Honestly, they list so many ways subdomains can be used for attacks, you’ll just get depressed and possibly consider a career change. So let’s just focus on the helpful advice they give on their website, https://canitakeyoursubdomain.name/.
To determine which of your subdomains are vulnerable to being taken over, the researchers suggest “reviewing all the DNS records of type CNAME pointing to external domains, and all A/AAAA records pointing to IP addresses that are not directly controlled by your organization, e.g., those of services and cloud providers.” Should you determine that these are dead links, “you should remove the corresponding DNS entries.”
If you want to protect your web applications from being exploited, the researchers say, web developers should “write security policies according to the least privilege principle, that is, restrict the attack surface as much as possible.”
“Restrict the attack surface as much as possible” seems like pretty good advice, you have to admit!
Developers also are urged to “consider the usage of the __Host- cookie prefix if the cookies set by your web application do not need to be shared with other related domains.”
Despite this advice, the researchers found that six months after they reported potential vulnerabilities to the owners of live websites they had tested, “85% of the subdomains that we tested are still affected by leftover subdomain-takeover vulnerabilities.” People! Do better.
Bottom line: It’s easy to lose track of subdomains, especially if yours is a large enterprise. But you ignore them at your own peril.