Tech Community Live: Microsoft Security
Dec 03 2024, 07:00 AM - 11:30 AM (PST)
Microsoft Tech Community
Identify Digital Assets Vulnerable to Subdomain Takeover
Published Jan 03 2023 10:56 AM 9,546 Views
Microsoft

Subdomain takeover vulnerabilities are, in most cases, the result of an organization using an external service and letting it expire. However, that expired subdomain is still a part of the organization's external attack surface, with domain DNS entries pointing to it. An attacker could then claim this subdomain and take control of it with little to no effort, a considerable blow to an organization's security posture.

 

How does this happen? For example, a company might enlist a service desk provider, "FreshDesk.' It would point a subdomain like "support.mycompany.com" to FreshDesk and then claim this domain with the Freshdesk service to activate it. However, a problem arises when the organization abandons the service because they migrate to other services or for some other reason. Meanwhile, after the service agreement expires, the subdomain remains pointing to the FreshDesk platform.

 

While this might not seem bad initially, the risk of allowing attackers to execute scripts under the subdomain enables them to obtain data from the main website. The risk becomes even more significant when this scenario involves a service that handles PPI, PHI, or trade secrets. Microsoft Defender External Attack Surface Management continuously maps the external-facing resources across your organization's attack surface to identify, classify, and prioritize risks, including subdomain expiration and takeover.

 

MDEASM Is Purpose-Built to Detect Expired Subdomains

 

Microsoft Defender External Attack Surface Management discovers your organization's digital assets exposed to the Internet through its unique crawling and scanning capabilities. It maintains a complete inventory of the internet-facing resources connected to your organization and the unique attributes of each. It also offers the necessary tools to manage this inventory for different assets, including hosts, IP addresses, web pages, domains, IP blocks, ASNs, SSL Certs, and contacts.

 

MDEASM Inventory enables querying for all available attributes (over 200 currently) with multiple search operators, including "Expired Service" and "Service." A service is a hostname making use of a service. An expired service is a hostname (possibly susceptible to takeovers) that previously pointed to an active external service via DNS but now does not resolve.

 

 Customers should use these two inventory filters in tandem because when a rule is written for an "Expired Service" category component, a "Service" category component is written concurrently to show when a service in question was in use and when it expired. This way, customers will always have visibility into the statuses of the services they use and can easily detect the presence of a working or inactive service.

 

Try it yourself: In MDEASM, query your approved inventory using the "Expired Service" search operator. It will return all digital assets matching this search criterion:

 

ajaykallur_0-1671730619531.jpeg

You can select each one of these assets - Host (server, Web Page, or IP Address, to see its full asset details and view all the available data and history:

 

ajaykallur_1-1671730619536.png


Below are some of the Web Component details for one of the above-searched assets:

 

 Service Name

Description

Google Cloud

Google cloud services for storage

GitHub Pages

GitHub static website hosting

Shopify

Hosted eCommerce Platform

Heroku

Cloud application platform

Statuspage

Status page hosting

Amazon S3

Cloud storage

Tumblr

Microblogging and social networking platform

Zendesk

Customer service software and support ticket system

Freshdesk

Customer support software and ticketing system

Fastly

Content delivery network

WPEngine

WordPress blog hosting

UserVoice

Product management software

Unbounce

Landing page builder and conversion marketing platform

Tictail

Social shopping platform

Teamwork

Project management, help desk, and chat software

SurveyGizmo

Online survey software

Pingdom

Website and performance monitoring

Instapage

Landing page platform

Help Scout

Customer service software and education platform

Helpjuice

Knowledge base software

Ghost

Publishing platform

FeedPress

FeedPress

Desk

Customer service and helpdesk ticket software

Cloudfront

Content delivery network

Cargo

Web publishing platform

Campaign Monitor

Email marketing

Pantheon

Hosted websites (Drupal, WordPress)

WordPress

Hosted WordPress installations

Surge

Static website publisher

Bitbucket

Project hosting

Intercom

Customer messaging platform

WebFlow

Website creation & Hosting

WishPond

Custom CMS for websites

AfterShip

Package tracking solution for eCommerce

Aha

Hosted Roadmap Service

BrightCove

Online video platform

BigCartel

Online shopping system

Acquia

Hosted SaaS for CMS

Simplebooklet

Online hosting for brochures

GetResponse

Marketing email/landing page solution

Vend

Retail Management software

JetBrains YouTrack

Online ticket tracking platform

Azure

Cloud hosting

Readme

Hosted Developer Hub software

Apigee

API management & analytics

Smugmug

Online store and video/audio/photography hoster

Kajabi

Online Business Platform

 

You should now be able to query for hosts susceptible to a subdomain takeover attack and search all associated services and their current state. You can discover your attack surface discovery journey today for free.

2 Comments
Co-Authors
Version history
Last update:
‎Jan 03 2023 10:56 AM
Updated by: