What is subdomain takeover and why does it matter?

Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization's subdomain via cloud services like AWS or Azure. They commonly happen when web projects are ended but the subdomain DNS entries are not fully shut down.

When webpages are hosted at cloud providers, the webpage is usually created on a subdomain at the cloud provider first. For example, at Azure, such a subdomain would have the form webproject.azurewebsites.net. The customer will ultimately want the project to appear to be hosted on a subdomain of the customer's own domain. Therefore, queries to the customer's subdomain -- for example, webproject.example.org -- would be forwarded to the subdomain hosted in the cloud -- in this case, webproject.azurewebsites.net.

To effect this change, a CNAME domain name system (DNS) record -- a record for a canonical name -- is configured to forward all queries to the customer's subdomain, e.g., webproject.example.org, to the cloud provider's subdomain, webproject.azurewebsites.net, where the web project is hosted.

The potential for a subdomain takeover occurs when the webpage hosted at the cloud provider is deleted but the DNS entry is kept. There's a reason for this common occurrence: While hosting at the cloud provider costs money, having a stale DNS entry is usually free. Thus, while there's an incentive to delete obsolete webpages, the DNS entries are often forgotten.

An attacker can now reregister the host at the cloud provider, add the organization's subdomain as an alias and thus control what content is hosted. Variations of this attack involve NS records -- records for authorized name servers -- where the control of a domain is delegated to the cloud provider's DNS service.

A similar, indirect subdomain takeover attack can happen when one includes web resources that are accessed on a third-party service. Consider when a website uses a JavaScript file hosted on GitHub: If the corresponding GitHub username gets deleted, an attacker can claim that name and replace the JavaScript with the attacker's own code.

The vulnerabilities related to subdomain takeovers continue to be an issue, despite them first being reported in 2014 by Frans Rosén, knowledge advisor at the Stockholm-based website vulnerability scanner company Detectify. Detectify first found 17 service providers where subdomain takeover was possible, but after the initial discovery, more people started looking into the issue and found over 100 services vulnerable to such attacks.

The best defense against subdomain takeover is to remove unused DNS entries. Ideally, organizations should also regularly monitor and test where each subdomain is being used. Indirect subdomain takeovers can be prevented by regularly monitoring the presence of all web resources and making sure that no invalid web resources are referenced from webpages.