Stratus-Security / Subdominator

The Internet's #1 Subdomain Takeover Tool
https://www.stratussecurity.com
MIT License
210 stars, 16 forks

elasticbeanstalk #4

Closed xElkomy closed 8 months ago

xElkomy commented 8 months ago

https://github.com/projectdiscovery/nuclei-templates/pull/6808

coj337 commented 8 months ago

Thanks for submitting an issue! Can you elaborate a little on this? There seems to be a bit of contention here about whether or not it's exploitable here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/194

Our current fingerprint checks any elasticbeanstalk.com domain, which can be further validated against the AWS API using the --validate flag.

xElkomy commented 8 months ago

Hello @coj337, I mean now your tool gets a big output on some websites because it points to Elastic and didn't resolve, but there is a case where you can't take over the subdomain, like:

[AWS/Elastic Beanstalk] rg01.qa-insurance-gateway.example.com - CNAME: qa-insurance-gateway.example.com., qa-blue-insurance-gateway.tcp2vzkpv3.eu-west-1.elasticbeanstalk.com.

If there is a random sub like tcp2vzkpv3 before the env name, you can't take over it

coj337 commented 8 months ago

This is an interesting case because there seem to be new versions of this. The auto-generated domains now seem to look like this:

<env>.eba-<id>.<region>.elasticbeanstalk.com

On the other hand, old ones look like your example:

<env>.<id>.<region>.elasticbeanstalk.com

Specifically, your example (insurance-gateway.tcp2vzkpv3.eu-west-1.elasticbeanstalk.com) is possible to take over if you register:

tcp2vzkpv3.eu-west-1.elasticbeanstalk.com

You can then host your app there and any nested subdomains will still resolve to it.

So tl;dr: your example is vulnerable as long as you can register the random id directly, but there are some new cases (e.g. anything that has eba- at the start of the ID) that aren't ever vulnerable.

To help with the false positives, I have added support in the --validate flag (v1.63) to check if the id is registerable. Just make sure you have AWS CLI configured and it will hit the API using the default key 😄
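The two label layouts described in this comment make a good triage rule for defenders reviewing takeover findings: an old-style `<env>.<id>.<region>.elasticbeanstalk.com` target is a candidate only while `<id>.<region>.elasticbeanstalk.com` can still be claimed, and a new-style `eba-` id never is. The Python below is an added example, not Subdominator's own code (the project is not written in Python). It assumes the `[Service] host - CNAME: a., b.` line layout shown in the quoted output, assumes AWS region labels look like `eu-west-1`, and, for the verification step, builds the real `aws elasticbeanstalk check-dns-availability` call; whether `--validate` uses that exact API is not stated in the thread. All sample hostnames are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EB_SUFFIX = ".elasticbeanstalk.com"

# Label layouts taken from the thread:
#   old style: <env>.<id>.<region>.elasticbeanstalk.com   (or just <id>.<region>...)
#   new style: <env>.eba-<id>.<region>.elasticbeanstalk.com
# The region shape (eu-west-1, us-gov-west-1, ...) is an assumption about AWS naming.
_EB_RE = re.compile(
    r"^(?:(?P<env>[a-z0-9-]+)\.)?"
    r"(?P<id>[a-z0-9-]+)\."
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"\.elasticbeanstalk\.com$"
)

# Assumed layout of one finding line, as quoted in the issue.
_LINE_RE = re.compile(r"^\[(?P<service>[^\]]+)\]\s+(?P<host>\S+)\s+-\s+CNAME:\s+(?P<chain>.+)$")


@dataclass
class Finding:
    target: str                   # CNAME target that was classified
    status: str                   # candidate | not_vulnerable | not_elasticbeanstalk | unrecognised
    registrable: Optional[str]    # <id>.<region>.elasticbeanstalk.com name that would have to be free
    cname_prefix: Optional[str]   # the <id> label, i.e. the Elastic Beanstalk CNAME prefix
    region: Optional[str]
    reason: str


def classify(target: str) -> Finding:
    """Decide from the name's shape alone whether a CNAME target is worth validating."""
    host = target.strip().rstrip(".").lower()
    if not host.endswith(EB_SUFFIX):
        return Finding(host, "not_elasticbeanstalk", None, None, None,
                       "target is not under elasticbeanstalk.com")
    m = _EB_RE.match(host)
    if not m:
        return Finding(host, "unrecognised", None, None, None,
                       "elasticbeanstalk.com name does not match either known label layout")
    eb_id, region = m.group("id"), m.group("region")
    registrable = f"{eb_id}.{region}{EB_SUFFIX}"
    if eb_id.startswith("eba-"):
        return Finding(host, "not_vulnerable", registrable, eb_id, region,
                       "new-style eba- id: never registrable, so not a takeover")
    return Finding(host, "candidate", registrable, eb_id, region,
                   "old-style id: a takeover only if the <id>.<region> name is still free")


def parse_finding_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one '[Service] host - CNAME: a., b.' line into (host, [targets])."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    chain = [t.strip().rstrip(".") for t in m.group("chain").split(",") if t.strip()]
    return m.group("host"), chain


def triage(lines: List[str]) -> List[Tuple[str, Finding]]:
    """Classify the last elasticbeanstalk.com hop of every CNAME chain in the output."""
    out: List[Tuple[str, Finding]] = []
    for line in lines:
        parsed = parse_finding_line(line)
        if parsed is None:
            continue
        host, chain = parsed
        eb_hops = [t for t in chain if t.lower().endswith(EB_SUFFIX)]
        if eb_hops:
            out.append((host, classify(eb_hops[-1])))
        else:
            out.append((host, Finding(chain[-1] if chain else "", "not_elasticbeanstalk",
                                      None, None, None, "no elasticbeanstalk.com hop in chain")))
    return out


def validation_command(f: Finding) -> Optional[str]:
    """AWS CLI call asking Elastic Beanstalk whether the CNAME prefix is still free
    (CheckDNSAvailability is a real EB API; needs a configured AWS CLI, as the thread notes)."""
    if f.status != "candidate":
        return None
    return (f"aws elasticbeanstalk check-dns-availability "
            f"--cname-prefix {f.cname_prefix} --region {f.region}")


# Constructed sample output in the quoted line layout (example.com names).
SAMPLE_LINES = [
    "[AWS/Elastic Beanstalk] rg01.qa-insurance-gateway.example.com - CNAME: "
    "qa-insurance-gateway.example.com., qa-blue-insurance-gateway.tcp2vzkpv3.eu-west-1.elasticbeanstalk.com.",
    "[AWS/Elastic Beanstalk] portal.example.com - CNAME: prod.eba-k3jd9f2a.us-east-1.elasticbeanstalk.com.",
    "[AWS/Elastic Beanstalk] api.example.com - CNAME: a1b2c3d4e5.ap-southeast-2.elasticbeanstalk.com.",
    "[Other] static.example.com - CNAME: static.example.net.",
]

if __name__ == "__main__":
    for host, f in triage(SAMPLE_LINES):
        print(f"{host:45} {f.status:20} {f.reason}")
        cmd = validation_command(f)
        if cmd:
            print(f"{'':45} verify with: {cmd}")
```

Only `candidate` findings get a verification command; `"Available": true` in its output means the prefix is unclaimed and the owner of the dangling record should remove or repoint it, while `false` means someone (usually the legitimate environment) already holds it and the finding is a false positive.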

xElkomy commented 8 months ago

Ok, that is great. If you are sure you can take over one like this, please call me: qa-blue-insurance-gateway.tcp2vzkpv3.eu-west-1.elasticbeanstalk.com.

on discord: xelkomy

or telegram: xelkomy

I have a lot of those domains; I can't take over them.

coj337 commented 8 months ago

Configure AWS CLI and run through the list with --validate, it will tell you if they are vulnerable :)