anshumanbh / tko-subs

A tool that can help detect and takeover subdomains with dead DNS records
MIT License
741 stars 137 forks

Check if a domain is vulnerable whether it has a CNAME or not #24

Closed mhmdiaa closed 6 years ago

mhmdiaa commented 6 years ago

The current workflow is:

  1. Check if the domain has a CNAME record pointing to a known provider.
  2. Only if it does, make an HTTP request to the subdomain and look for the string that indicates it can be taken over (providers-data.csv -> string column).

So if a domain points to a provider indirectly (vuln.example.com -> foo.example.com -> bucket.s3.amazonaws.com), tko-subs won't check if it's vulnerable.

Also, a domain doesn't have to be pointing to something.s3.amazonaws.com to be vulnerable. If you have an A or AAAA record pointing to an IP used by S3, you can claim it too.

So the new workflow should be:

  1. Make an HTTP request to the subdomain and check if it looks vulnerable.
  2. Check if there is a CNAME and include it in the output (backward compatibility).

Note: The usage of S3 in the examples above is for explanatory purposes - the issue applies to all providers. Thanks to Nick Jenkins for pointing out the issue.
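The proposed workflow, written out as an added example for this issue page (it is not code from tko-subs and does not reuse its internals): the HTTP body is checked against provider marker strings first, and the CNAME chain is only walked afterwards and attached to the report, so a host that reaches a provider through an intermediate CNAME, or through A/AAAA records with no CNAME at all, is no longer skipped. The two-column `name,marker` table, the `Resolver`/`Fetcher` abstractions, and the `*.example.com` hosts and canned responses are all assumptions constructed for the example; a real tool would wrap `net.LookupCNAME` and `net/http` instead.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Fingerprint is one row of a provider table in the spirit of providers-data.csv:
// a provider name and the body string marking an unclaimed resource (layout assumed).
type Fingerprint struct{ Name, Marker string }

// Resolver and Fetcher stand in for DNS and HTTP so the check runs offline;
// a real tool would wrap net.LookupCNAME and net/http.
type Resolver func(host string) (cname string, ok bool)
type Fetcher func(host string) (body string, err error)

type Result struct {
	Host       string
	Chain      []string // CNAME hops in order; empty for hosts with only A/AAAA records
	Provider   string   // provider whose marker matched the body, if any
	Vulnerable bool
}

// LoadFingerprints parses CSV text with a header row: name,marker.
func LoadFingerprints(data string) ([]Fingerprint, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil || len(rows) < 2 || len(rows[0]) != 2 {
		return nil, fmt.Errorf("bad fingerprint table: %v", err)
	}
	fps := make([]Fingerprint, 0, len(rows)-1)
	for _, row := range rows[1:] { // csv.Reader already enforces equal field counts
		fps = append(fps, Fingerprint{row[0], row[1]})
	}
	return fps, nil
}

// FollowCNAMEs walks the chain from host until a name has no CNAME, maxHops is
// reached, or a name repeats (CNAME loop).
func FollowCNAMEs(r Resolver, host string, maxHops int) []string {
	var chain []string
	seen := map[string]bool{host: true}
	for cur := host; len(chain) < maxHops; cur = chain[len(chain)-1] {
		next, ok := r(cur)
		if !ok || seen[next] {
			break
		}
		seen[next] = true
		chain = append(chain, next)
	}
	return chain
}

// Check follows the proposed workflow: the HTTP body decides, and the CNAME
// chain is gathered only for the report, so hosts that reach a provider
// indirectly or through A/AAAA records are no longer skipped.
func Check(r Resolver, f Fetcher, fps []Fingerprint, host string) Result {
	res := Result{Host: host, Chain: FollowCNAMEs(r, host, 10)}
	body, err := f(host)
	if err != nil {
		return res // unreachable: report DNS data only
	}
	for _, fp := range fps {
		if strings.Contains(body, fp.Marker) {
			res.Provider, res.Vulnerable = fp.Name, true
			break
		}
	}
	return res
}

// Constructed sample data: canned DNS answers and response bodies, not real
// lookups and not the project's providers-data.csv.
const sampleCSV = "name,marker\ns3,NoSuchBucket\n"
var sampleCNAMEs = map[string]string{
	"vuln.example.com": "foo.example.com", // indirect: two hops to the provider
	"foo.example.com":  "bucket.s3.amazonaws.com",
	"safe.example.com": "bucket2.s3.amazonaws.com", // direct, but the bucket exists
	// direct.example.com has no CNAME at all (A record only)
}
func sampleResolve(h string) (string, bool) { t, ok := sampleCNAMEs[h]; return t, ok }
func sampleFetch(host string) (string, error) {
	switch host {
	case "vuln.example.com", "direct.example.com":
		return "<Error><Code>NoSuchBucket</Code></Error>", nil
	case "safe.example.com":
		return "<html>welcome</html>", nil
	}
	return "", fmt.Errorf("%s: connection refused", host)
}

func main() {
	fps, err := LoadFingerprints(sampleCSV)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"vuln.example.com", "direct.example.com", "safe.example.com"} {
		fmt.Printf("%+v\n", Check(sampleResolve, sampleFetch, fps, h))
	}
}
```

Running it reports `vuln.example.com` (two-hop chain) and `direct.example.com` (no CNAME) as matching the marker, while `safe.example.com` keeps its CNAME in the output but is not flagged. The `seen` map in `FollowCNAMEs` matters for unattended scans: a misconfigured zone with a CNAME loop would otherwise keep the checker busy until the hop limit on every run.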

proabiral commented 6 years ago

I was here to write the same thing :)