AI agents building security tests – architecture and prompts
The Detectify AI Agent Alfred fully automates the creation of security tests for new vulnerabilities, from research to a merge request. In its first six …
Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, and affects at least 17 large service providers and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS-entries and remove all which are active and unused OR pointing to External Services which you do not use anymore.
The team at Detectify has recently identified a serious attack vector resulting from a widespread DNS misconfiguration. The misconfiguration allows an attacker to take full control over subdomains pointing to providers such as Heroku, Github, Bitbucket, Desk, Squarespace and Shopify.
This attack vector utilizes DNS entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own.
In the not so rare case, the attacker can also “inherit” the Domain Owner’s Wildcard SSL used inside the Service Provider.
Here’s an example of a DNS entry that could be used for this attack:
If x.example.com has no service attached to it, the subdomain could be taken over by an attacker. Below are examples of how some of the services will indicate the existence of this vulnerability:
We’ve identified at least 17 Service Providers which do not handle the subdomain ownership verification properly – allowing this vulnerability to be exploited, Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr.
We’ve also identified at least 200 organizations which are currently affected. In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains that basically allowed us to set up a Hello World on their domains.
We have notified both the affected Service Providers as well as the Domain Owners under responsible disclosure programs.
Our advice is to keep your DNS entries constantly vetted and restricted.
Update 2017-02-20: The original article states 17 services, we have now identified 100+ different ways that you can be vulnerable to a domain takeover
Surface Monitoring is a service for monitoring your subdomains for potential subdomain takeovers. It monitors changes within public DNS resolvers and warns you as soon as we detect any anomalies. Contact us on hello [at] detectify.com for more information.
The Detectify AI Agent Alfred fully automates the creation of security tests for new vulnerabilities, from research to a merge request. In its first six …
Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to …