Subdomain Takeover

medium Web App Scanning Plugin ID 114146

Synopsis

Subdomain Takeover

Description

Deploying web applications often requires developers or system administrators to configure DNS records that target a third-party service. The most common scenarios are configuring a canonical name (CNAME) record or declaring name server (NS) records to delegate management of a specific DNS zone.

A subdomain takeover vulnerability exists when an attacker can gain control over a subdomain, or even an entire zone, of the target domain, depending on the configuration. By exploiting this vulnerability, the attacker can then serve content that looks legitimate to any customer or user of the target domain name and conduct further attacks.

Solution

As a first step, remove the DNS record from your DNS zone. Review the web application provisioning process to ensure that DNS records are created only when the target service is up and running as expected. When deprovisioning a service, remove the DNS record first, and only then deactivate the service on the third-party service.
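One way to find the records this solution asks you to remove is to audit an export of your own zone for CNAME and NS records whose targets no longer resolve. This is an added example, not part of the plugin; the zone contents, host names and the helper names `delegating_records` and `find_dangling` are constructed for illustration.

```python
import socket

# Constructed sample zone export; every name and target is a placeholder.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www      300 IN CNAME app-live.thirdparty.example.
shop     300 IN CNAME old-store.thirdparty.example. ; service deprovisioned
dev      300 IN NS    ns1.dnshost.example.
mail     300 IN A     192.0.2.10
"""

def delegating_records(zone_text):
    """Yield (owner, rtype, target) for each CNAME and NS record in the zone."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 3 and fields[-2] in ("CNAME", "NS"):
            yield fields[0], fields[-2], fields[-1].rstrip(".")

def system_resolves(hostname):
    """Default liveness check: ask the system resolver for the target."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """Return delegating records whose target fails the liveness check."""
    return [rec for rec in delegating_records(zone_text) if not resolves(rec[2])]

if __name__ == "__main__":
    # Stubbed resolver so the demo runs offline on the constructed data;
    # omit the `resolves` argument to query real DNS for your own zone.
    live = {"app-live.thirdparty.example", "ns1.dnshost.example"}
    for owner, rtype, target in find_dangling(SAMPLE_ZONE, lambda h: h in live):
        print(f"remove or fix: {owner} {rtype} -> {target}")
```

A target that still resolves can also be dangling if the third-party service behind it has been deactivated, so treat a clean result as a first pass and confirm each target against the provider's account.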

See Also

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover

Plugin Details

Severity: Medium

ID: 114146

Type: remote

Published: 1/11/2024

Updated: 1/11/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information