I had previously read about Subdomain hijacking, but in all honesty I didn’t really “get it”.
All that changed starting with this Security Fest talk by Frans Rosén entitled: DNS hijacking using cloud providers:
Or more accurately I really started to get this going through Frans’s slides of the talk:
I don’t want to explain the premise of this to you as it’s one of those you have to investigate yourself to really get to grips with it.
But what I will do to (hopefully) bring your learning time down is detail below all of the links Frans mentions plus those from my own knowledge mining:
Detectify – Hostile Subdomain Takeover using Heroku/Github/Desk + more
Detectify – Hijacking of abandoned subdomains part 2
Detectify – The story of EV-SSL, AWS and trailing dot domains
Jonathan Claudius – ‘Deep Thoughts’ on Subdomain Takeover Vulnerabilities
Bishop Fox – Fishing the AWS IP Pool for Dangling Domains
White Hats Nepal – Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]
Sweepatic – The Principles of a Subdomain Takeover
SecurityTraining – How to find subdomain take over
See my Discovering Subdomains post
Below is yaworsk demonstrating how to find subdomains vulnerable to takeover:
In Frans’s talk he mentions automating the discovery of subdomains vulnerable to hijacking and has email alerts sent to him. I’m assuming he is focusing on specific targets and he was kind enough to tell me he uses a tool called Zapier to aid him in this.
Unfortunately the setup for this is beyond me and if anybody does know how to set this up, please do let me know.
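For anyone wanting to build the monitoring side themselves, here is a small dangling-CNAME check over a zone you own. It is an added example, not code from this post or from Frans’s Zapier setup; the zone records, the fake resolver and the `.invalid` hostnames are all constructed so it runs offline, and the comment about dnspython assumes that library is available in a real deployment.

```python
"""Dangling-CNAME monitor: flag owned names whose CNAME chain ends in NXDOMAIN."""
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns ("CNAME", target), ("A", address) or None for NXDOMAIN.
Resolver = Callable[[str], Optional[Tuple[str, str]]]

# Constructed sample zone: CNAME records the defender owns under example.com.
SAMPLE_ZONE: Dict[str, str] = {
    "www.example.com.": "cdn.example.com.",                  # healthy, two hops
    "shop.example.com.": "shop-example.herokuapp.invalid.",  # third-party target gone
    "docs.example.com.": "docs-example.github.invalid.",     # third-party target alive
    "old.example.com.": "legacy.example.com.",               # internal target gone
}

# Constructed public-DNS view used by the fake resolver (names absent = NXDOMAIN).
FAKE_DNS: Dict[str, Tuple[str, str]] = {
    "cdn.example.com.": ("CNAME", "example.com."),
    "example.com.": ("A", "192.0.2.10"),
    "docs-example.github.invalid.": ("A", "192.0.2.20"),
}


def fake_resolve(name: str) -> Optional[Tuple[str, str]]:
    """Offline stand-in for a real lookup (e.g. dnspython's dns.resolver.resolve)."""
    return FAKE_DNS.get(name)


def check_zone(zone: Dict[str, str], resolve: Resolver, max_hops: int = 8) -> List[Tuple[str, str]]:
    """Return [(owned_name, dangling_target)] for CNAMEs whose chain hits NXDOMAIN.

    Targets under a domain you control are dead links rather than claimable by
    outsiders; targets on third-party hosting are the ones to alert on first.
    """
    findings: List[Tuple[str, str]] = []
    for owned, target in sorted(zone.items()):
        seen = set()
        current = target
        for _ in range(max_hops):
            if current in seen:      # CNAME loop: misconfiguration, not a takeover signal
                break
            seen.add(current)
            answer = resolve(current)
            if answer is None:       # NXDOMAIN: nobody claims this name any more
                findings.append((owned, current))
                break
            rtype, value = answer
            if rtype != "CNAME":     # chain terminates in an address record: healthy
                break
            current = value
    return findings


if __name__ == "__main__":
    for owned, target in check_zone(SAMPLE_ZONE, fake_resolve):
        print(f"ALERT: {owned} -> {target} no longer resolves")
```

NXDOMAIN is only one signal: many providers keep the hostname resolving to their infrastructure and answer with a "not found" page instead, so a complete monitor also needs an HTTP-level check of each target. Wire the output into whatever alerting you use (email, chat, or a Zapier hook) and run it on a schedule against your zone file.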
I hope this helps in your learning process, if I’ve missed anything or you would like a resource added please let me know on Twitter.