-[https://github.com/projectdiscovery/nuclei](https://github.com/projectdiscovery/nuclei) (use `-tags takeover` with nuclei-templates)
30
+
-[https://github.com/edoardottt/cariddi](https://github.com/edoardottt/cariddi) (takeover checks in crawling output)
29
31
30
32
### Subdomain Takeover Generation via DNS Wildcard
31
33
32
34
When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be **resolved to the same information**. This could be an A ip address, a CNAME...
33
35
34
36
For example, if `*.testing.com` is wildcarded to `1.1.1.1`. Then, `not-existent.testing.com` will be pointing to `1.1.1.1`.
35
37
36
-
However, if instead of pointing to an IP address, the sysadmin points it to a **third party service via CNAME**, like a G**ithub subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in Gihub in this case) and say that `something.testing.com` is pointing there. Because, the **CNAME wildcard** will agree the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**.
38
+
However, if instead of pointing to an IP address, the sysadmin points it to a **third party service via CNAME**, like a **GitHub subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in GitHub in this case) and say that `something.testing.com` is pointing there. Because the **CNAME wildcard** will agree, the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**.
37
39
38
40
You can find an example of this vulnerability in the CTF write-up: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)
39
41
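Review bot: the rewritten wildcard paragraph (the `+` line beginning "However, if instead of pointing to an IP address") fixes the GitHub spelling but still leaves its first sentence a fragment with no main clause, and "the CNAME wildcard will agree" does not say why the attack works. Suggest folding the two sentences together and naming the mechanism, e.g. "If the wildcard is instead a CNAME to a third-party service such as GitHub Pages (`sohomdatta1.github.io`), every unclaimed label like `something.testing.com` already resolves to the provider, so the attacker only has to register that hostname as the custom domain of their own page for the provider to serve their content on it." It is also worth one sentence of caveat that providers with domain verification (the GitLab mechanism cited further down this page) refuse that custom-domain claim, so the wildcard alone is not sufficient. The added cariddi entry in the tools list matches the existing bullet style and is fine.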
@@ -65,7 +67,7 @@ It might be possible that the compromised subdomain is allowed to be used in the
65
67
66
68
### CSP Bypass
67
69
68
-
It might be possible that the compromised subdomain (or eveyr subdomain) is allowed to be used for example the `script-src` of the CSP. This could be exploited by an attacker to **inject malicious scripts** and abuse potential XSS vulnerabilities.
70
+
It might be possible that the compromised subdomain (or every subdomain) is allowed to be used for example the `script-src` of the CSP. This could be exploited by an attacker to **inject malicious scripts** and abuse potential XSS vulnerabilities.
69
71
70
72
### **Emails and Subdomain Takeover**
71
73
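Review bot: the typo fix (`eveyr` to `every`) in the CSP Bypass paragraph is correct, but the sentence it sits in still reads awkwardly: "is allowed to be used for example the `script-src` of the CSP". Suggest "is allowed in, for example, the `script-src` directive of the CSP", and spell out the consequence in the same sentence: once the attacker controls that host, a `<script src="https://<taken-over-subdomain>/...">` injected through an XSS sink satisfies the allowlist, so the CSP no longer mitigates the XSS.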
@@ -89,6 +91,25 @@ Mitigation strategies include:
89
91
90
92
For cloud providers, verifying domain ownership is crucial to prevent subdomain takeovers. Some, like [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/), have recognized this issue and implemented domain verification mechanisms.
91
93
94
+
## Detection techniques
95
+
96
+
-**Find dangling DNS records**: look for CNAME/A/AAAA/ALIAS/ANAME records pointing to non-existent resources (deleted buckets, apps, pages, load balancers).
97
+
-**Check provider error signatures**: match HTTP responses, TLS certs, or DNS errors to known takeover patterns (see can-i-take-over-xyz).
98
+
-**Look for orphaned cloud assets**: verify S3/CloudFront, Azure Websites, GCP App Engine/Storage, GitHub Pages, Heroku, Fastly, Netlify, Vercel, Zendesk, Shopify, Atlassian, and similar services.
99
+
-**Passive DNS and historical records**: old CNAMEs often reveal previously used third-party services that may still be vulnerable.
100
+
-**Wildcard pitfalls**: confirm wildcard DNS vs. explicit records to avoid false positives and understand takeover amplification.
101
+
102
+
## APIs and data sources
103
+
104
+
-[https://securitytrails.com/](https://securitytrails.com/) (historical DNS, passive DNS API)
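Review bot: in the new "Detection techniques" section, the "Find dangling DNS records" bullet lists ALIAS/ANAME alongside CNAME/A/AAAA, but those are provider-side pseudo-records that are flattened into A/AAAA answers before they leave the authoritative server; a resolver-based scan never sees them, so the bullet should say they must be pulled from the DNS provider's console or API. The "Check provider error signatures" bullet says "see can-i-take-over-xyz" without a link; add https://github.com/EdOverflow/can-i-take-over-xyz in the same link style as the other tool references on this page. The "Wildcard pitfalls" bullet should say how to confirm a wildcard: resolve a random label under the zone and treat any answer identical to the candidate's as wildcard-derived rather than a dedicated record. Finally, the hunk header shows the section is being inserted after "Mitigation strategies include:", so detection now follows mitigation in the page's flow; consider moving it ahead of the mitigation text, and make sure the remaining "APIs and data sources" entries (only the securitytrails line is visible in this hunk) carry the same "(what it provides)" parenthetical as that first entry.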