SESSION ID: CSV-R02
Same Thing We Do Every Few Minutes, Pinky – Try to Take Over All Your Subdomains!
Alun Jones, application security engineer, Global Application Security, Starbucks Coffee Company
@ftp_alun
#RSAC

Sidebar – an intro to DNS

DNS – Domain Name Service
Record types:
– A – maps from a name to an address – “example.com” -> “192.168.0.1”
– CNAME – maps from a name to a name – “example.net” -> “example.org”
– NS – tells you where to go for name service

What is subdomain takeover?
Friendly name: pie.starbucks.com
Traffic Manager: s314159.trafficmanager.net
CNAME pie.starbucks.com -> s314159.t….net
[Diagram labels: Hacker's web sites; Web servers]

What is subdomain takeover?
Friendly name: pie.starbucks.com
Web site: s314159.azurewebsites.net
CNAME pie.starbucks.com -> s314159.az….net
[Diagram label: Hacker's web site]

Why is it bad? – last year’s news!

Why is it bad?
Aside from the bad PR…
Subdomains have access to…
– Read/write broadly scoped cookies (even HTTPOnly, Secure)
– Provide data access through crossdomain.xml/CORS assignments
– Embed iframes from other subdomains
Subdomains look trustworthy
– In phishing attacks
– To developers & partners

Why can’t cloud providers simply make it not a thing?
Cloud just means “someone else’s computer”
In the abstract, this is just another example of:
– Knowing more about dev than ops.
And yet, I don’t absolve cloud providers of responsibility

So what did/do we do?

Paying bounty – too much
Do we tell them how much? Can we graph it?

Scan better every hour – not just for NXDOMAIN
A bigger PowerShell script running on my laptop

Devs cause subdomains to be open to takeover
Train devs to prevent subdomain takeover risk
Bounty report of subdomain takeover comes in while teaching

How did a takeover happen during training?
During the course of the ONE HOUR training:
– Devs stopped using a website, deleted the resource
– Hacker spotted the resource was available
  Subdomain enumeration – ‘amass’
  nslookup to verify absence
– Hacker claimed the resource
– Hacker wrote up and submitted a report
So what did we learn?
– The hackers are fast

Talking to the developers
Why did they do this in the first place?
Are our devs like your devs?
– Our cloud provider says our devs are special
– Our cloud provider got subdomains taken over

Disclosure leads to heightened interest, confusion
2019-08-28, Hacker “parzel”’s report disclosed
2019-08-29, News site “BC” posts news story
– About parzel’s 2019-08-28 report
– Linking to HackerOne report disclosed 2018-06-25 from “0xpatrik”
2019-08-29, News site “SC” posts news story
– Built from 0xpatrik’s report
– As news – but not referencing BC’s story
– From over a year ago
August SDTOs: 11, 2 valid
September SDTOs: 33, 1 valid

It would be nice if hackers would at least check
NXDOMAIN is necessary, not sufficient
Several reports come in where we’re actually still using the domain
– e.g. our virtual desktop servers, would be noticed if they went down
– An entire country’s Starbucks front page
Sometimes, it’s not even our domain
– “Secret menu” sites
– Review sites
– etc

We can no longer afford manual processes
Automated scans happen within minutes
Scanning once an hour is not enough
Taking manual steps is not fast enough
– We can not afford to contact teams and ask
– We can not “just delete the CNAME” (Q: Why not?)

How do we get better? Faster?
Knowledge – we know stuff hackers don’t
Don’t have to wait for NXDOMAIN
– [Is there a CNAME? Did we own its target? Do we now?]
We can take over the domain with impunity
– External impunity – it belonged to Starbucks, still does
– Internal impunity – it belongs to the security team, not a hacker
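The last two slides describe the check the talk ends on: instead of waiting for NXDOMAIN (which is necessary but not sufficient), ask whether a CNAME exists, whether we owned its target, and whether we own it now, and re-register anything that has fallen out of inventory before a hacker does. The script below is an added example written for this page, not the speaker's PowerShell scanner or any Starbucks tooling; the claimable-suffix list, the inventory and record formats, the offline stub resolver, and the example.com sample records are all assumptions constructed for the example. It goes slightly beyond the slides by also separating "released by us and now resolving again" from "never in inventory but resolving", since those call for different responses.

```python
"""Dangling-CNAME triage driven by the defender's own inventory, not NXDOMAIN.

Added example (not code from the talk). The security team knows which cloud
resources it owns now and which it owned before; the classifier below uses
that first and treats a failed lookup as supporting evidence only.
Suffix list, data formats and sample records are assumptions for this example.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# Namespaces in which a released name can be re-registered by anyone. Both
# providers are named in the talk; the list itself is an assumption.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".trafficmanager.net")


@dataclass(frozen=True)
class Finding:
    name: str      # our friendly name, e.g. pie.example.com
    target: str    # the CNAME target
    status: str    # ok | dangling-unclaimed | dangling-taken | dangling-unknown | external | external-nxdomain
    action: str


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def is_claimable(target: str) -> bool:
    """True when the target lives in a namespace anyone can register into."""
    return any(_norm(target).endswith(s) for s in CLAIMABLE_SUFFIXES)


def classify(name: str, target: str, owned_now: Set[str], owned_before: Set[str],
             resolves: Callable[[str], bool]) -> Finding:
    """Is there a CNAME? Did we own its target? Do we now? Only then: does it resolve?"""
    t = _norm(target)
    if t in owned_now:
        return Finding(name, t, "ok", "none: target is in our current inventory")
    if not is_claimable(t):
        # Third-party target (partner, review site): not ours to re-register either way.
        status = "external" if resolves(t) else "external-nxdomain"
        return Finding(name, t, status, "confirm with the target's owner")
    if not resolves(t):
        # Nobody holds the name yet: re-register it under the security team
        # (internal impunity) before working the record with the owning team.
        return Finding(name, t, "dangling-unclaimed", "re-register the resource under the security team now")
    if t in owned_before:
        # We released it and it resolves again: someone else now holds it.
        return Finding(name, t, "dangling-taken", "treat as a takeover: remove the CNAME and investigate")
    return Finding(name, t, "dangling-unknown", "resolves but not in inventory: inventory gap or takeover")


def scan(records: Dict[str, str], owned_now: Set[str], owned_before: Set[str],
         resolves: Callable[[str], bool]) -> List[Finding]:
    """records maps friendly name -> CNAME target (only names that carry a CNAME)."""
    return [classify(n, t, owned_now, owned_before, resolves) for n, t in sorted(records.items())]


def at_risk(findings: Iterable[Finding]) -> List[str]:
    return [f.name for f in findings if f.status.startswith("dangling")]


def stub_resolver(existing: Set[str]) -> Callable[[str], bool]:
    """Offline resolver for the example: a name 'resolves' if it is in the set."""
    known = {_norm(h) for h in existing}
    return lambda host: _norm(host) in known


def live_resolver(host: str) -> bool:
    """Real lookup for use outside the example: NXDOMAIN surfaces as gaierror."""
    try:
        socket.gethostbyname(host)
        return True
    except (socket.gaierror, socket.herror):
        return False


# Constructed sample data; names and resource ids are placeholders, not real records.
SAMPLE_RECORDS = {
    "pie.example.com": "s314159.azurewebsites.net",    # still ours
    "cake.example.com": "s271828.trafficmanager.net",  # deleted by devs an hour ago, unclaimed
    "tart.example.com": "s161803.azurewebsites.net",   # deleted by devs, already re-registered
    "menu.example.com": "secretmenu.example.org",      # never ours (a third-party "secret menu" site)
}
OWNED_NOW = {"s314159.azurewebsites.net"}
OWNED_BEFORE = {"s314159.azurewebsites.net", "s271828.trafficmanager.net", "s161803.azurewebsites.net"}
RESOLVES = stub_resolver({"s314159.azurewebsites.net", "s161803.azurewebsites.net"})

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS, OWNED_NOW, OWNED_BEFORE, RESOLVES):
        print(f"{f.name:18} -> {f.target:28} {f.status:18} {f.action}")
```

Run on a schedule of minutes rather than hours, feeding it the current CNAME set and the cloud inventory export; `cake.example.com` is the training-day case (resource deleted, nobody has claimed it yet), and it is flagged without waiting for a bug-bounty report.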
2020_USA20_CSV-R02_01_Same Thing We Do Every Few Minutes Pinky Try to Take Over All Your Subdomains
This document was uploaded and shared by 张玉竹 on 2022-04-08 10:18:10.