Guest ajaykallur Posted January 3, 2023

Subdomain takeover vulnerabilities are, in most cases, the result of an organization using an external service and letting it expire. However, that expired subdomain is still a part of the organization's external attack surface, with DNS entries for the domain still pointing to it. An attacker could then claim this subdomain and take control of it with little to no effort, a considerable blow to an organization's security posture.

How does this happen?

For example, a company might enlist a service desk provider, "FreshDesk." It would point a subdomain like "support.mycompany.com" to FreshDesk and then claim this domain with the FreshDesk service to activate it. However, a problem arises when the organization abandons the service because it migrates to other services or for some other reason. After the service agreement expires, the subdomain remains pointing to the FreshDesk platform. While this might not seem serious at first, an attacker who can serve scripts under the subdomain may use that trusted position to obtain data from the main website. The risk becomes even more significant when this scenario involves a service that handles PII, PHI, or trade secrets.

Microsoft Defender External Attack Surface Management continuously maps the external-facing resources across your organization's attack surface to identify, classify, and prioritize risks, including subdomain expiration and takeover.

MDEASM Is Purpose-Built to Detect Expired Subdomains

Microsoft Defender External Attack Surface Management discovers your organization's digital assets exposed to the Internet through its unique crawling and scanning capabilities. It maintains a complete inventory of the internet-facing resources connected to your organization and the unique attributes of each.
It also offers the necessary tools to manage this inventory for different assets, including hosts, IP addresses, web pages, domains, IP blocks, ASNs, SSL certificates, and contacts. MDEASM Inventory enables querying for all available attributes (over 200 currently) with multiple search operators, including "Expired Service" and "Service."

A service is a hostname that makes use of an external service. An expired service is a hostname (possibly susceptible to takeover) that previously pointed to an active external service via DNS but now does not resolve. Customers should use these two inventory filters in tandem: when a rule is written for an "Expired Service" category component, a "Service" category component is written concurrently to show when the service in question was in use and when it expired. This way, customers always have visibility into the status of the services they use and can easily detect the presence of a working or inactive service.

Try it yourself: In MDEASM, query your approved inventory using the "Expired Service" search operator.
It will return all digital assets matching this search criterion. You can select each one of these assets (Host (server), Web Page, or IP Address) to see its full asset details and view all the available data and history.

Below are some of the Web Component details for one of the above-searched assets:

Service Name | Description
Google Cloud | Google cloud services for storage
GitHub Pages | GitHub static website hosting
Shopify | Hosted eCommerce platform
Heroku | Cloud application platform
Statuspage | Status page hosting
Amazon S3 | Cloud storage
Tumblr | Microblogging and social networking platform
Zendesk | Customer service software and support ticket system
Freshdesk | Customer support software and ticketing system
Fastly | Content delivery network
WPEngine | WordPress blog hosting
UserVoice | Product management software
Unbounce | Landing page builder and conversion marketing platform
Tictail | Social shopping platform
Teamwork | Project management, help desk, and chat software
SurveyGizmo | Online survey software
Pingdom | Website and performance monitoring
Instapage | Landing page platform
Help Scout | Customer service software and education platform
Helpjuice | Knowledge base software
Ghost | Publishing platform
FeedPress | FeedPress
Desk | Customer service and helpdesk ticket software
Cloudfront | Content delivery network
Cargo | Web publishing platform
Campaign Monitor | Email marketing
Pantheon | Hosted websites (Drupal, WordPress)
WordPress | Hosted WordPress installations
Surge | Static website publisher
Bitbucket | Project hosting
Intercom | Customer messaging platform
WebFlow | Website creation & hosting
WishPond | Custom CMS for websites
AfterShip | Package tracking solution for eCommerce
Aha | Hosted roadmap service
BrightCove | Online video platform
BigCartel | Online shopping system
Acquia | Hosted SaaS for CMS
Simplebooklet | Online hosting for brochures
GetResponse | Marketing email/landing page solution
Vend | Retail management software
JetBrains YouTrack | Online ticket tracking platform
Azure | Cloud hosting
Readme | Hosted developer hub software
Apigee | API management & analytics
Smugmug | Online store and video/audio/photography hoster
Kajabi | Online business platform

You should now be able to query for hosts susceptible to a subdomain takeover attack and search all associated services and their current state. You can start your attack surface discovery journey today for free.
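The "Service" versus "Expired Service" distinction described above can be reproduced from DNS data alone. The following Python script is an added example, not MDEASM code: it walks each inventory host's CNAME chain and marks the host as an Expired Service when the chain ends at a known third-party hosting domain that no longer resolves, while a chain that still resolves is reported as a live Service. The DNS snapshot, the mycompany.example hostnames and the provider-suffix table are constructed assumptions for the illustration; a live run would replace lookup() with a query to a real resolver.

```python
"""Classify inventory hosts as "Service" or "Expired Service" from DNS data.

Added illustration, not Microsoft Defender EASM code. DNS answers come from a
constructed snapshot so the script runs offline; a real run would query a
resolver instead (see lookup()).
"""
from typing import Dict, List, Optional, Tuple

# Constructed DNS snapshot (assumption, not real records).
# hostname -> ("CNAME", target) | ("A", address) | None (no answer / NXDOMAIN)
DNS_SNAPSHOT: Dict[str, Optional[Tuple[str, str]]] = {
    "support.mycompany.example": ("CNAME", "mycompany.freshdesk.com"),
    "mycompany.freshdesk.com": None,                    # tenant gone: dangling
    "docs.mycompany.example": ("CNAME", "mycompany.github.io"),
    "mycompany.github.io": ("A", "192.0.2.10"),         # still served
    "static.mycompany.example": ("CNAME", "assets.mycompany.example.s3.amazonaws.com"),
    "assets.mycompany.example.s3.amazonaws.com": None,  # bucket deleted: dangling
    "www.mycompany.example": ("A", "192.0.2.20"),       # first-party host, no CNAME
}

# CNAME target suffixes that identify a third-party service. Illustrative
# subset of the service list above; the suffixes are assumed provider domains.
SERVICE_SUFFIXES: Dict[str, str] = {
    ".freshdesk.com": "Freshdesk",
    ".github.io": "GitHub Pages",
    ".herokuapp.com": "Heroku",
    ".s3.amazonaws.com": "Amazon S3",
    ".zendesk.com": "Zendesk",
}


def lookup(name: str, snapshot: Dict[str, Optional[Tuple[str, str]]]) -> Optional[Tuple[str, str]]:
    """Return the record for name, or None when nothing resolves.
    Replace the dict lookup with a resolver query for a live inventory."""
    return snapshot.get(name.lower().rstrip("."))


def follow_cnames(host: str, snapshot, max_hops: int = 8) -> Tuple[List[str], bool]:
    """Walk the CNAME chain from host.

    Returns (chain, resolves): chain lists every name visited, starting with
    host; resolves is True only if the final name yields a non-CNAME answer.
    A missing answer anywhere in the chain, a loop, or an over-long chain all
    count as not resolving, which is the "Expired Service" signal."""
    chain = [host]
    seen = {host}
    current = host
    for _ in range(max_hops):
        record = lookup(current, snapshot)
        if record is None:
            return chain, False
        rtype, value = record
        if rtype != "CNAME":
            return chain, True
        if value in seen:          # CNAME loop: never resolves
            return chain, False
        seen.add(value)
        chain.append(value)
        current = value
    return chain, False


def service_for(target: str) -> Optional[str]:
    """Name the third-party service a CNAME target belongs to, if known."""
    lowered = target.lower()
    for suffix, name in SERVICE_SUFFIXES.items():
        if lowered.endswith(suffix):
            return name
    return None


def classify(host: str, snapshot=DNS_SNAPSHOT) -> Dict[str, Optional[str]]:
    """Return the host's service component and its status."""
    chain, resolves = follow_cnames(host, snapshot)
    if len(chain) == 1:            # no CNAME at all
        status = "Not a service" if resolves else "No DNS answer"
        return {"host": host, "service": None, "target": None, "status": status}
    service = None
    for hop in chain[1:]:          # first recognised provider along the chain
        service = service_for(hop)
        if service:
            break
    if service is None:
        status = "CNAME (non-service)" if resolves else "Dangling CNAME (unknown provider)"
    else:
        status = "Service" if resolves else "Expired Service"
    return {"host": host, "service": service, "target": chain[-1], "status": status}


def find_expired(hosts: List[str], snapshot=DNS_SNAPSHOT) -> List[str]:
    """Hosts whose service component is in the Expired Service state."""
    return sorted(h for h in hosts if classify(h, snapshot)["status"] == "Expired Service")


if __name__ == "__main__":
    inventory = [h for h in DNS_SNAPSHOT if h.endswith(".mycompany.example")]
    for h in inventory:
        r = classify(h)
        print(f"{r['host']:<28} {r['status']:<18} {r['service'] or '-':<14} {r['target'] or '-'}")
    print("Expired:", find_expired(inventory))
```

Run against the constructed snapshot, support.mycompany.example and static.mycompany.example come back as Expired Service (Freshdesk and Amazon S3 respectively), docs.mycompany.example as a live GitHub Pages Service, and www.mycompany.example as a first-party host with no service component. The status is derived only from whether the CNAME target still resolves, which is the same signal the inventory filter above uses; whether a provider actually lets the name be re-claimed is a separate question for the triage step.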