This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls subdomain takeover "the new XSS". Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
2. detectify
Frans Rosén
Security Advisor @detectify (Twitter: @fransrosen)
HackerOne #5 @ hackerone.com/leaderboard/all-time
Blog at labs.detectify.com
Talked here last year!
"The Secret life of a Bug Bounty Hunter"
Response from services
Heroku:
“We're aware of this issue”
GitHub:
“My apologies for the delayed response. We are aware of this issue”
Shopify:
“I had already identified that this is a security issue”
Flow
Resolve
* NOERROR: check the answer for service patterns
* SERVFAIL/REFUSED: check the NS records for service patterns
* NXDOMAIN: traverse up to the apex and check each level for:
NXDOMAIN|SERVFAIL|REFUSED|no servers could be reached
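The resolve flow above, as an added example that is not from the talk: a Python classifier that follows each branch through an injected lookup function, fed here with constructed answers in place of real DNS. The fingerprint lists are placeholders, and asking each delegated server for its own zone's SOA is my reading of how the "traverse up to apex" check is applied.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fingerprints (placeholders, not the talk's list) for CNAME targets / NS hosts.
CNAME_PATTERNS = [r"\.herokuapp\.com\.?$", r"\.github\.io\.?$", r"\.s3\.amazonaws\.com\.?$"]
NS_PATTERNS = [r"awsdns-\d+\.", r"\.dnsprovider\.example\.?$"]
# A delegated server answering one of these does not hold the zone; TIMEOUT = "no servers could be reached".
BROKEN = {"NXDOMAIN", "SERVFAIL", "REFUSED", "TIMEOUT"}

def matches(records: List[str], patterns: List[str]) -> List[str]:
    return [r for r in records if any(re.search(p, r) for p in patterns)]

def parent(name: str) -> str:
    return name.split(".", 1)[1]

# lookup(name, rtype, server) -> (rcode, records); server=None means the system resolver.
def classify(name: str, apex: str, lookup: Callable) -> Tuple[str, List[str]]:
    rcode, cnames = lookup(name, "CNAME", None)
    if rcode == "NOERROR":                        # resolves: look for service fingerprints
        hits = matches(cnames, CNAME_PATTERNS)
        return ("cname-pattern", hits) if hits else ("ok", [])
    if rcode in ("SERVFAIL", "REFUSED"):          # broken answer: who is meant to serve it?
        hits = matches(lookup(name, "NS", None)[1], NS_PATTERNS)
        return ("ns-pattern", hits) if hits else ("unknown", [rcode])
    if rcode == "NXDOMAIN":                       # walk up to the apex, testing each delegation
        cur = parent(name)
        while True:
            for server in lookup(cur, "NS", None)[1]:
                rc, _ = lookup(cur, "SOA", server)  # ask the delegated server for its own zone
                if rc in BROKEN:
                    return ("dangling-delegation", [f"{cur} NS {server} -> {rc}"])
            if cur == apex:
                return ("nxdomain", [])
            cur = parent(cur)
    return ("unknown", [rcode])

# Constructed answers standing in for real DNS, keyed by (name, rtype, server).
FAKE: Dict[Tuple[str, str, Optional[str]], Tuple[str, List[str]]] = {
    ("old.example.com", "CNAME", None): ("NOERROR", ["old-app.herokuapp.com."]),
    ("dev.example.com", "CNAME", None): ("SERVFAIL", []),
    ("dev.example.com", "NS", None): ("NOERROR", ["ns-101.awsdns-12.org."]),
    ("x.shop.example.com", "CNAME", None): ("NXDOMAIN", []),
    ("shop.example.com", "NS", None): ("NOERROR", ["ns1.dnsprovider.example."]),
    ("shop.example.com", "SOA", "ns1.dnsprovider.example."): ("REFUSED", []),
    ("gone.example.com", "CNAME", None): ("NXDOMAIN", []),
    ("example.com", "NS", None): ("NOERROR", ["ns1.example.com."]),
    ("example.com", "SOA", "ns1.example.com."): ("NOERROR", ["ns1.example.com. hostmaster ..."]),
}

def fake_lookup(name: str, rtype: str, server: Optional[str]) -> Tuple[str, List[str]]:
    return FAKE.get((name, rtype, server), ("NOERROR", []))  # anything else simply resolves
```

Every hit is only a lead: whether the target service still lets anyone claim the name is a manual check, which is the "Analyze unknowns" step that follows.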
Flow
Analyze unknowns
* Collect the titles of all sites (or use EyeWitness!)
* Filter out common titles and the name of the company
* Generate screenshots and create an image map
https://github.com/ChrisTruncer/EyeWitness
Recap
• Know your DNS zone file
MX, CNAME, A, AAAA, ALIAS. Everything.
• AUTOMATION, probably the only proper solution
• will.i.am loves this