Hostile subdomain takeover
Description
A subdomain of the scanned domain points, via its DNS records, to an external service (GitHub Pages, Heroku, AWS S3, or a similar platform), but the account or resource it references on that service no longer exists: it has been deleted or has expired. An attacker can register or claim the same resource identifier on the external platform and thereby control the content served under your subdomain. This is commonly abused to host phishing pages, distribute malware, or damage the organization's reputation.
Remediation
Take immediate action to remediate this vulnerability by following these steps:
1. Verify the vulnerability: Confirm that the subdomain points to an external service where you no longer control the associated resource. Check the DNS records for the affected subdomain (A, CNAME, ALIAS, or ANAME records) and note the external target they reference.
2. Choose a remediation approach:
Option A - Remove the DNS record (recommended if subdomain is unused):
Delete the DNS record for the subdomain entirely if it's no longer needed. This is the safest option for abandoned subdomains.
Option B - Reclaim the external resource:
If you still need the subdomain, recreate or reclaim the account/resource on the external service provider, then verify that you control the content being served.
Option C - Redirect to a controlled resource:
Update the DNS record to point to a server or service you actively control and configure it to serve appropriate content or redirect to your main domain.
3. Implement preventive measures:
• Maintain an inventory of all subdomains and their associated external services
• Implement a process to remove DNS records before decommissioning external services
• Regularly audit DNS records to identify dangling references
• Consider using DNS monitoring tools to detect subdomain takeover vulnerabilities
4. Verify remediation: After making changes, confirm that the subdomain either no longer resolves or points to a resource you control and serves expected content.
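The verification step (1), the audit bullet under step 3 and the final check (4) all come down to the same question: for each subdomain, where does its CNAME point, and does that target still resolve? The script below is an added example, not part of this finding or of any scanner, that performs that audit. It assumes a small table of third-party hosting suffixes (the providers named above; the list is a constructed starting point, not exhaustive), a constructed in-memory zone used in place of live DNS so it runs offline, and, for real use, the third-party dnspython package for the `live_lookup` resolver. It separates two outcomes that need different handling: a CNAME target that no longer resolves (clearly dangling) and a target that still resolves on a takeover-prone provider (DNS alone cannot tell whether the resource behind it is still yours, so the content must be checked by hand).

```python
"""Audit subdomains for dangling or takeover-prone CNAME records (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hosting suffixes for the providers named in the finding. Constructed starting list;
# extend it with every external service in your subdomain inventory.
THIRD_PARTY_SUFFIXES: Dict[str, str] = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "AWS S3",
}


@dataclass
class Lookup:
    cname: Optional[str]     # CNAME target, or None when the name has no CNAME record
    target_resolves: bool    # whether that target itself resolves to an address


@dataclass
class Finding:
    subdomain: str
    status: str              # "dangling", "third-party", "ok" or "no-cname"
    provider: Optional[str]
    detail: str


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case so suffix matching is reliable."""
    return name.rstrip(".").lower()


def provider_for(target: str) -> Optional[str]:
    """Return the provider name if the target sits under a known hosting suffix."""
    t = normalize(target)
    for suffix, provider in THIRD_PARTY_SUFFIXES.items():
        if t == suffix or t.endswith("." + suffix):
            return provider
    return None


def classify(subdomain: str, lookup: Lookup) -> Finding:
    """Map one DNS lookup result to the remediation category it calls for."""
    if lookup.cname is None:
        return Finding(subdomain, "no-cname", None,
                       "no CNAME record; review A/ALIAS/ANAME targets separately")
    target = normalize(lookup.cname)
    provider = provider_for(target)
    if not lookup.target_resolves:
        # The target no longer exists: remove the record (Option A) or reclaim it (Option B).
        return Finding(subdomain, "dangling", provider,
                       f"CNAME target {target} does not resolve; remove the record or reclaim the resource")
    if provider:
        # Many providers (GitHub Pages, for one) keep resolving after the site is gone,
        # so a resolving target is not proof of ownership: check the served content.
        return Finding(subdomain, "third-party", provider,
                       f"CNAME target {target} resolves on {provider}; confirm the resource is still yours")
    return Finding(subdomain, "ok", None, f"CNAME target {target} resolves")


def audit(subdomains: List[str], lookup_fn: Callable[[str], Lookup]) -> List[Finding]:
    """Run the classification over an inventory using any resolver with the Lookup shape."""
    return [classify(s, lookup_fn(s)) for s in subdomains]


def live_lookup(name: str) -> Lookup:
    """Real resolver. Assumes dnspython is installed (pip install dnspython)."""
    import dns.resolver  # imported lazily so the offline example needs no extra package
    try:
        answer = dns.resolver.resolve(name, "CNAME")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
        return Lookup(None, False)
    target = str(answer[0].target)
    try:
        dns.resolver.resolve(target, "A")
        return Lookup(target, True)
    except dns.resolver.NXDOMAIN:
        return Lookup(target, False)
    except dns.resolver.NoAnswer:
        return Lookup(target, True)  # name exists (AAAA-only or similar); not dangling at DNS level


# Constructed sample zone standing in for live DNS; none of these names are real findings.
CONSTRUCTED_ZONE: Dict[str, Lookup] = {
    "old-blog.example.com": Lookup("retired-team.github.io", True),        # resolves, site may be gone
    "legacy-app.example.com": Lookup("legacy-app-1234.herokuapp.com", False),  # app deleted
    "assets.example.com": Lookup("assets-bucket.s3.amazonaws.com", True),  # bucket must be verified
    "www.example.com": Lookup("lb.internal-cdn.example.net", True),        # first-party target
    "mail.example.com": Lookup(None, False),                               # MX/A only, no CNAME
}


def constructed_lookup(name: str) -> Lookup:
    return CONSTRUCTED_ZONE.get(name, Lookup(None, False))


if __name__ == "__main__":
    for f in audit(list(CONSTRUCTED_ZONE), constructed_lookup):
        print(f"{f.status:12} {f.subdomain:26} {f.detail}")
```

Swap `constructed_lookup` for `live_lookup` to run it against your own inventory. Anything reported as `dangling` maps straight to Option A or B above; `third-party` entries are the ones where step 4's content check matters, because the DNS answer alone looks healthy.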