Wednesday 16 December 2015

Subdomain Takeover by claiming expired domains

On many websites, DNS entries were seen pointing to an AWS S3 bucket that was never claimed or has expired. This allows an attacker to claim the bucket and thus host a malicious page on a subdomain of the legitimate site.

For example:
media.vine.co is an alias for vines.s3.amazonaws.com.


Here media.vine.co is a legitimate site, with the subdomain media pointing to the vines bucket in AWS S3. If vines.s3.amazonaws.com is not claimed by the site owner but is still present in the DNS records of vine.co, this can lead to subdomain takeover.


Some PoCs
VIMEO - status.vimeo.com CNAME hosted.statuspage.io.

Twitter - media.vine.co CNAME vines.s3.amazonaws.com.


How to fix:

Just remove all DNS entries that are active but unused, or that point to external services you no longer support.
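
An added example (not from the original post) of the cleanup described above: it reads an export of your own zone, finds CNAMEs pointing at the external services named in the post, and flags those whose target is not in an inventory of resources you still own. The example.com zone lines, the inventory and the function names are constructed assumptions.

```python
# Added example: audit a zone export for CNAMEs that point at third-party services.
# Provider suffixes come from the post; the zone lines and inventory are constructed.
EXTERNAL_SUFFIXES = {
    "s3.amazonaws.com": "AWS S3",
    "statuspage.io": "Statuspage",
}

# Constructed sample zone export (BIND-style lines) for a hypothetical example.com
SAMPLE_ZONE = """\
www.example.com.     300 IN A     192.0.2.10
media.example.com.   300 IN CNAME assets-example.s3.amazonaws.com.
old.example.com.     300 IN CNAME retired-example.s3.amazonaws.com.
status.example.com.  300 IN CNAME hosted.statuspage.io.
mail.example.com.    300 IN CNAME mx.example.com.
"""

# Constructed inventory: external resources the organisation still owns and uses
OWNED_TARGETS = {"assets-example.s3.amazonaws.com"}


def parse_cnames(zone_text):
    """Yield (name, target) for every CNAME record in a zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            if idx + 1 < len(fields):
                yield fields[0].rstrip(".").lower(), fields[idx + 1].rstrip(".").lower()


def provider_for(target):
    """Return the external provider name if target is under a known suffix."""
    for suffix, provider in EXTERNAL_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None


def audit(zone_text, owned_targets):
    """Return CNAMEs to external services that are not in the owned inventory."""
    findings = []
    for name, target in parse_cnames(zone_text):
        provider = provider_for(target)
        if provider and target not in owned_targets:
            findings.append((name, target, provider))
    return findings


if __name__ == "__main__":
    for name, target, provider in audit(SAMPLE_ZONE, OWNED_TARGETS):
        print(f"REVIEW {name} -> {target} ({provider}): not in inventory")
```

Each flagged record should either be matched to a resource you still control or deleted from the zone.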

Read more at Detectify
