Public Preview: Creating Web App with a Unique Default Hostname

  • Thread starter Thread starter YutangLin
  • Start date Start date
Y

YutangLin

App Service now allows you to create web apps with unique default hostnames to avoid a high-severity threat of subdomain takeover.



This feature is currently in Public Preview and is only available for web apps on multi-tenants. App Service Environment (ASE) resources are not supported. Functions and Logic Apps (Standard) are currently out of scope, but we have plans on supporting them soon, so stay tuned.



This feature would require you to “opt-in” to create a site with a unique default hostname. This means that when you create a site through the portal, you will need to select the option to enable the feature; Azure Portal will be fully deployed by June 7th, 2024. When you create a site through ARM, you will need to provide your deployment templates with new parameters. You will not be able to update pre-existing web apps to create unique default hostnames; unique default hostnames can only be opt-in during web app resource creation.



This article will go over the following:

  1. What are dangling DNS and subdomain takeover
  2. How the unique default hostname feature works
  3. How to create new web app with a unique default hostname

What are dangling DNS and subdomain takeover?

One of the most common scenarios for subdomain takeover is when a customer forgets to clear the DNS entries after deleting a pre-existing web causing dangling DNS. A bad actor could come in and create a web app with the same name and use the pre-existing DNS records to takeover domains because the web app will still have the same default hostname as the previously deleted one. You can learn more about dangling DNS and subdomain takeover here.



How does this feature work?

The unique default hostname will have a different format than the original global default hostname in two ways. The unique default hostname will include:

  1. A random hash appended to the web app name with a dash “-”
  2. A region name

Comparing the format between the global (original) default hostnames and the unique (new) default hostnames, here is how the general format would look like:




Global (Original)

Unique (New)

Default Hostname Format

<AppName>.azurewebsites.net

<AppName>-<RandomHash>.<Region>.azurewebsites.net

SCM Endpoint Format

<AppName>.scm.azurewebsites.net

<AppName>-<RandomHash>.<Region>.scm.azurewebsites.net



As an example, if you create a site called “test” in East US:


Site Name

test

Unique Default Hostname

test-a6gqaeashthkhkeu.eastus-01.azurewebsites.net



SCM Endpoint

test-a6gqae9sh1hkhk8u.scm.eastus-01.azurewebsites.net



How does the hash in the unique default hostname work

The hash used for the unique default hostname would be a 16-character hash. This hash could be configured to a given “scope”, which ensures the degree of how unique you would like default hostname to be.



You can choose to generate the hash based on the following “scopes”:

  1. Tenant Reuse
  2. Subscription Reuse
  3. Resource Group Reuse
  4. No Reuse

So as an example, for my site called “test”, I could choose to generate a hash that could be shared across my subscription if I selected the “Subscription Reuse”. What this means is that anyone in my subscription who tries to create a web app called “test” in any region using the “Subscription Reuse” will end up with the same hash as I would. Anyone else outside of my subscription who tries to create a site name called “test” will not end up with the same hash as I would.



If your team tends to redeploy web apps in different environments for testing, it could be helpful to select a scope that is shared between environments. As an example, I have both Subscription AA (test subscription) and Subscription AB (production subscription) under Tenant A, and I tend to redeploy resources from Subscriptions AA to AB. What I should do is to deploy a site with the unique default hostname that uses the “Tenant Reuse” in Subscription AA because both subscriptions share the same tenant. Then when I need to delete and redeploy in Subscription AB, I should keep using Tenant Reuse. This ensures that the site I create will still have the exact same default hostname. More importantly, during the period that I try to delete and redeploy my resource, no one else outside of my tenant would be able to recreate another site with the exact same default hostname as my own site, which protects me from the threats of subdomain takeovers.



Hash and deployment slots


Your deployment slots will also follow the same format as your production site. However, each of your deployment slots will contain a different set of hashes from the production site and other deployment slots. Your slots will always be created with the same scope as the production site.



Comparing the format for slots between the global (original) default hostnames and the unique (new) default hostnames, here is how the general format would look like:




Global (Original)

Unique (New)

Default Hostname Format

<AppName>-<SlotName>.azurewebsites.net

<AppName>-<SlotName>-<RandomHash>.<Region>.azurewebsites.net

SCM Endpoint Format

<AppName>-<SlotName>.scm.azurewebsites.net

<AppName>-<SlotName>-<RandomHash>.<Region>.scm.azurewebsites.net



As an example, if you create a site called “test” and a slot called “slot” in East US:


Site Name

test (production site)

slot (deployment slot)

Unique Default Hostname

test-a6gqaeashthkhkeu.eastus-01.azurewebsites.net



test-slot-ekcda0qhg9em5yc9.eastus-01.azurewebsites.net

SCM Endpoint

test-a6gqae9sh1hkhk8u.scm.eastus-01.azurewebsites.net

test-slot-ekcda0qhg9em5yc9.scm.eastus-01.azurewebsites.net



You will notice that the hashes from the production site and the deployment slot are different, and this is the expected behavior. If you created site called “test” with “Tenant Reuse” and then created a slot called “slot”, anyone within your tenant who creates the same resources with those names will also get the same hashes that correspond to “test” and “slot”.



How does the region in the unique default hostname work

The region in the unique default hostname would be based on the region where the site is located. Since the unique default hostname is now regionalized, you will be able to create a site called “test” in different regions. The site name however still must be regionally unique, which means that there can only be one site called “test” in East US regardless if they have different hash values.



You will notice that the region name is appended by a number (ie. “-01”). You should expect that this number could change at any time in the future, and you should not have any hard dependencies or hard code the number appended to the region.



How to create a web app with a unique default hostname?

You can create a web app with a unique default hostname through Azure Portal, API, or ARM. CLI is currently not supported. This can only be done during resource creation, meaning that you will not be able to update your pre-existing web apps to have a unique default hostname. You will have to decide during resource creation to create a site with a unique (new) default hostname or a global (original) default hostname format – it's one or the other.



Azure Portal

Any site created with a unique default hostname through Azure Portal will be created using the “Tenant Reuse” level (for more information, refer to section “How does the hash in the unique default hostname work”). Azure Portal will be fully deployed by June 7th, 2024.



If you would like to create a web app with a different scope for the hash, kindly use ARM or API.



To create a new web app with unique hostname on Azure Portal:

  1. Go to the Web App Create page
  2. Toggle option to enable “unique default hostname”
    1. medium?v=v2&px=400.png
  3. Fill out the required fields and click “Review + create”



ARM or API

If you are creating a web app using ARM or API, you can use this method to deploy your web app with a unique default hostname. You can also select the scope you would like to create your hash with.



In your API or ARM request, you need to add the following property to your site properties in the payload.



"AutoGeneratedDomainNameLabelScope": "TenantReuse"



For the different scope level for your hash, you can choose from:

  • TenantReuse
  • SubscriptionReuse
  • ResourceGroupReuse
  • NoReuse

Sample API Call



Code:
PUT https://management.azure.com/subscriptions/<SUBSCRIPTIONID>/resourceGroups/<RGNAME>/providers/Microsoft.Web/sites/<SITENAME>?api-version=2022-03-01  
{ 
    "location": "Central US", 
    "kind": "app", 
    "properties": { 
        "serverFarmId": "<AppServicePlan", 
        "AutoGeneratedDomainNameLabelScope": "TenantReuse", 
        ... 
        ... 
    } 
}





Ending Note

We will continue to support pre-existing web apps that were created with the original global default hostnames. However, we highly encourage all customers to start creating web apps with the unique default hostnames to protect your organization from the threats of subdomain takeovers.

Continue reading...
 
Back
Top