Exploitation

The most important thing in the bug bounty hunter approach is to confirm that the takeover is actually possible and then to collect evidence of it (for example, a screenshot or an HTTP response showing content that you control being served from the sub-domain). The major impacts derived from a sub-domain takeover are as follows:

  • Cookies: Browsers scope cookies by domain, not by origin. A cookie set by fulanito.com with Domain=fulanito.com is sent to every host under it, so from a taken-over sub-domain (sub.fulanito.com) you can receive such cookies and also set cookies with that Domain attribute, which www.fulanito.com will accept. So, if you create a malicious cookie to exploit an input validation vulnerability or a session management error (session fixation, for example), it will be accepted.
  • Cross-origin resource sharing: The same-origin policy stops a page from reading responses that come from a different origin, and CORS is the mechanism that relaxes it. Many applications allow credentialed requests from any origin under *.fulanito.com, often through a suffix or regex check on the Origin header. If you control sub.fulanito.com, a page hosted there can send authenticated requests to www.fulanito.com and other sub-domains and read the responses, which turns a Cross-Site Request Forgery (CSRF) attack into one that also exfiltrates the data.
  • OAuth whitelisting: OAuth delegates authentication and authorization between applications, and the provider decides, through a whitelist of redirect URIs, where the authorization code or token may be delivered. Similar to the same-origin bypass, if that whitelist accepts any redirect URI under *.fulanito.com instead of the exact callback on www.fulanito.com, the code or token issued for www.fulanito.com can be delivered to your sub-domain instead, and you take over the user's session.
  • Intercepting emails: If the taken-over sub-domain has MX records (an MX takeover), you can receive the mail sent to it and read sensitive information. This can lead to discovering confidential credentials, internal information, and even monitoring alerts related to the services used by the company.
  • Content security policies: A CSP is a whitelist of sources the application trusts, and it is common to see entries such as script-src *.fulanito.com. As the previous examples have shown, that trust extends to your sub-domain, so scripts hosted there are allowed by the policy and its protection against injected JavaScript is bypassed.
  • Clickjacking: This is a technique where a user clicks on a malicious element without realizing it, usually through a transparent layer placed over the original site using JavaScript or CSS. Framing protections (X-Frame-Options or the frame-ancestors directive) sometimes allow *.fulanito.com, and even when they do not, controlling a sub-domain the user trusts makes it much easier to socially engineer users into clicking the malicious link.
  • Password managers: Many password managers match saved credentials by the registered domain rather than by the exact host, so they may offer to fill a login form on sub.fulanito.com with the credentials stored for www.fulanito.com.
  • Phishing: A taken-over sub-domain lets you host a complete copy of a site under a name the user trusts. For example, a clone of bank.fulanito.com served from a sub-domain such as fakebank.fulanito.com carries the real company's domain in its host name.
  • Black SEO: With black SEO (black-hat search engine optimization), you can create fake websites under the sub-domain and borrow the reputation of the original domain, so the fake site ranks as if it belonged to fulanito.com.
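The cookie, CORS and OAuth points above all come down to the same mistake: the application trusts anything under *.fulanito.com. The following Python is an added example written for this edition, not code from the book. It models, in simplified form, the browser's cookie domain-matching rule and a weak versus a strict server-side check for the CORS Origin header and the OAuth redirect_uri. All host names, allow-lists, the miniature public suffix list and the taken-over host evil.fulanito.com are assumptions made for the example.

```python
# Added example (not code from the book): why suffix/wildcard trust in
# *.fulanito.com turns a sub-domain takeover into cookie, CORS and OAuth
# impact. All host names, allow-lists and the taken-over host
# "evil.fulanito.com" are assumptions made for the example.
from urllib.parse import urlsplit

# Constructed allow-lists for the hypothetical application at www.fulanito.com.
TRUSTED_ORIGINS = {"https://www.fulanito.com", "https://app.fulanito.com"}
REGISTERED_REDIRECT_URIS = {"https://www.fulanito.com/oauth/callback"}
# Tiny stand-in for the public suffix list a real browser consults.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or is a sub-domain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(set_by_host: str, cookie_domain: str, target_host: str) -> bool:
    """Would a cookie with Domain=cookie_domain, set by set_by_host, reach target_host?

    A browser only accepts the Domain attribute if the setting host is inside
    that domain and the domain is not a public suffix; it then sends the cookie
    to every host that domain-matches it. A sub-domain can therefore plant
    cookies for the whole registered domain, but not for a sibling host.
    """
    if cookie_domain.lower() in PUBLIC_SUFFIXES:
        return False
    if not domain_matches(set_by_host, cookie_domain):
        return False
    return domain_matches(target_host, cookie_domain)


def cors_allow_weak(origin: str) -> bool:
    """Misconfiguration: trust any Origin whose host ends in 'fulanito.com'."""
    host = urlsplit(origin).hostname or ""
    return host.endswith("fulanito.com")


def cors_allow_strict(origin: str) -> bool:
    """Fix: exact-match allow-list of full origins (scheme + host), no wildcard."""
    return origin in TRUSTED_ORIGINS


def cors_headers(origin: str, policy) -> dict:
    """Headers the server would emit for a credentialed request from origin."""
    if not policy(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def redirect_uri_allow_weak(uri: str) -> bool:
    """Misconfiguration: provider accepts any https callback under *.fulanito.com."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and domain_matches(parts.hostname or "", "fulanito.com")


def redirect_uri_allow_strict(uri: str) -> bool:
    """Fix: redirect_uri must exactly equal a pre-registered value."""
    return uri in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    attacker = "https://evil.fulanito.com"
    print("cookie planted from evil.fulanito.com reaches www:",
          cookie_sent_to("evil.fulanito.com", "fulanito.com", "www.fulanito.com"))
    print("weak CORS headers for attacker:", cors_headers(attacker, cors_allow_weak))
    print("strict CORS headers for attacker:", cors_headers(attacker, cors_allow_strict))
    print("weak redirect_uri accepts attacker callback:",
          redirect_uri_allow_weak(attacker + "/cb"))
```

Note that the suffix check in cors_allow_weak is wrong twice over: it admits the taken-over evil.fulanito.com, and because it does not require the dot it also admits an unrelated registration such as evilfulanito.com. The strict variants compare against exact, pre-registered values, which is the only check that a sub-domain takeover cannot satisfy.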