Sub-Domain Takeovers

The vulnerability we will be talking about in this chapter is so tricky that it is more like a configuration management error than a vulnerability. However, there are bounty platforms, such as HackerOne, that include it as a vulnerability, so it is still worth discussing.

The problem in this case arises when someone registers a new domain name that points to another domain. We will cover the following topics in this chapter:

  • Sub-domain takeovers
  • Internet-wide scans

In an example of the vulnerability, the sub-domain hello.domain.com uses a canonical name (CNAME) record to point to fulanito.com. A CNAME record is a Domain Name System (DNS) record that lets us define an alias for a domain name. For example, if we own the Mexican domain mitiendita.com.mx, we can create a CNAME record that points it to mitiendita.com.cl, so that both names use the same server or the same IP address.

These records are useful when we need to point to external domains, and they are very common in companies that use cloud services. One important thing to note is that a CNAME record reveals that the service is hosted under another domain.

This aliasing is completely transparent to users because it takes place during DNS resolution, as shown in the following diagram:

As time passes, the fulanito.com domain expires. Anyone can register it again because it is now available. However, the CNAME record for hello.domain.com still points to fulanito.com. If someone enters hello.domain.com by mistake, they will be sent to fulanito.com; if a malicious user has claimed that domain, they can host malicious content there and cause a negative impact on the domain owners.

The problem is currently widespread because of the large number of cloud provider users. In the cloud, it is very easy to create buckets (which are similar to instances) that use available domains, and within minutes anyone can create fake sites that use them.
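The defensive counterpart of the scenario above is to audit your own zone for CNAME records whose targets no longer resolve. The following is an added example, not code from the book: it parses a constructed zone fragment (built around the chapter's hello.domain.com and mitiendita.com.mx aliases), follows each CNAME chain through an injected resolver backed by a constructed `FAKE_DNS` table, and reports records whose chain ends in NXDOMAIN.

```python
# Added example: audit a zone's CNAME records for dangling targets.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone-file fragment: as in the chapter, hello.domain.com aliases
# fulanito.com, which has since expired.
ZONE = """
hello.domain.com.    3600 IN CNAME fulanito.com.
mitiendita.com.mx.   3600 IN CNAME mitiendita.com.cl.
www.domain.com.      3600 IN A     203.0.113.10
"""

# Constructed stand-in for DNS: name -> (rtype, rdata). A missing name is NXDOMAIN.
FAKE_DNS: Dict[str, Tuple[str, str]] = {
    "mitiendita.com.cl.": ("A", "203.0.113.20"),
    "www.domain.com.": ("A", "203.0.113.10"),
}

Resolver = Callable[[str], Optional[Tuple[str, str]]]

def fake_resolve(name: str) -> Optional[Tuple[str, str]]:
    """Offline resolver over FAKE_DNS; swap in real DNS lookups for production."""
    return FAKE_DNS.get(name.lower())

def parse_cnames(zone: str) -> List[Tuple[str, str]]:
    """Return (owner, target) for every CNAME record in a zone fragment."""
    pairs = []
    for line in zone.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "CNAME":
            pairs.append((f[0].lower(), f[4].lower()))
    return pairs

def find_dangling(zone: str, resolve: Resolver, max_hops: int = 8) -> List[Tuple[str, str]]:
    """Follow each CNAME chain; report (owner, target) when it ends in NXDOMAIN.
    NXDOMAIN is the signal to investigate: confirm at the registrar whether the
    target's apex is really available before treating it as a takeover risk."""
    dangling = []
    for owner, target in parse_cnames(zone):
        for _ in range(max_hops):
            answer = resolve(target)
            if answer is None:            # nothing owns this name any more
                dangling.append((owner, target))
                break
            rtype, rdata = answer
            if rtype != "CNAME":          # chain ends in a real address: healthy
                break
            target = rdata.lower()        # another alias: keep following
    return dangling
```

Run against a real zone export by replacing `fake_resolve` with a function that performs live lookups and returns `None` on NXDOMAIN.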
