9

How to avoid subdomain takeover in Azure environments

 4 years ago
source link: https://www.csoonline.com/article/3601007/how-to-avoid-subdomain-takeover-in-azure-environments.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

How to avoid subdomain takeover in Azure environments

Active but unused subdomains in Microsoft Azure give attackers the opportunity to use them for malicious purposes. Here's how to identify and delete vulnerable subdomains before attackers do.

By Susan Bradley

Contributing Writer,

CSO | Dec 23, 2020 2:00 am PST

Have you set up a domain and pointed to a cloud resource and then deleted the site? Have you left behind the CNAME in your domain name services settings? Many admins have, and attackers know it. These lapses allow attackers to create a site in your subdomain records and take over these sites. Subdomain takeovers are too common especially in large organizations that create and delete many resources. CNAME records in particular are open to takeovers. Malicious actors often use these sites to redirect traffic and activity to various other sites. Even Microsoft isn’t immune to the problem.

Domain Name Service (DNS) is an often-misunderstood part of network infrastructure. Too often misconfiguration of DNS can lead to massive issues in your network. It can make it look like your website has been hacked when merely the records have been changed. It might also expose your assets to being used in attacks.

How attackers exploit subdomains

As Microsoft notes, exposing yourself to subdomain takeover starts when you set up and provision an Azure resource. Let’s say the name of the Azure resource is app-on-azure001.azurewebsites.net. You then assign a CNAME record in your actual DNS zone with a subdomain that routes the traffic to the Azure resource. Rather than sending users to app-on-azure001.azurewebsites.net, you can send them to easierurl.domain.com. Later, you determine that you do not need the subdomain. You deprovision or delete the website. At this time, you should remove the subdomain.yourdomain.com from the domain name services zone. If the CNAME is still in place, it’s advertising that it’s an active domain but it’s not routing traffic through an active Azure resource. This is what is deemed as a “dangling DNS record”.

Attackers use various tools and scripts to search for and find these subdomains. A basic DNS lookup easily tells an attacker of CNAME records that are now non-routing. The attacker then provisions an Azure resource with the same name you assigned to your now missing Azure resource. Their attack website is now called app-on-azure001.azurewebsites.net and your subdomain.domain.com is now routing their site through your domain name resources. Attacks will include loss of control over your content and harvesting of cookie and visitor information to the attacker’s site.

Volume 0%
This ad will end in 29

To continue reading this article register now

Learn More   Existing Users Sign In


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK