Related-domain attacks are an underrated threat that can let malicious actors circumvent many advanced website protection mechanisms, a group of researchers at the Technical University of Vienna (TU Wien) has found.
Published in a paper (PDF) that was presented at the annual Usenix Security Symposium this week, the researchers’ findings show that more than 800 high-traffic websites could be compromised through other sites hosted on a related domain.
Same-site boundaries
Much of the work in web security focuses on establishing site boundaries. Web security researchers are concerned about malicious actors compromising a website from the outside.
Accordingly, many recent security upgrades to web protocols and browsers are centered on preventing cross-site attacks while placing more trust on sites that share a domain.
Some of these upgrades include SameSite cookies, Site Isolation, and HTTP cache partitioning.
“The same-site security boundary is becoming more and more relevant,” Marco Squarcina, postdoctoral researcher at TU Wien, told The Daily Swig.
“This inherent trust in same-site content inspired us to evaluate the presence of same-site threats and understand the security import on web applications.”
Taking over subdomains
Squarcina and his colleagues investigated how attackers can enter the trust zones of target websites to attack them.
Known as ‘related-domain attackers’, these adversaries operate a malicious website that is hosted on a domain that shares a suffix with that of the target website.
Attackers can exploit DNS misconfigurations to hijack subdomains that the target website considers trusted.
In their paper, the researchers at TU Wien list possible causes of subdomain takeover. One key vulnerability vector is dangling DNS records: records in a domain's authoritative DNS servers that point to expired resources an adversary can acquire.
“The most common cause of a takeover vulnerability is due to dangling records,” Squarcina said.
“As an example, consider a subdomain of example.org, like foo.example.org, pointing to an expired domain name (e.g., fooexample.org) via a CNAME DNS entry. Attackers could simply register fooexample.org to fully control the page served at foo.example.org.”
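The dangling-CNAME scenario Squarcina describes can be checked for from the defender's side by walking a zone and confirming that every CNAME target still belongs to a delegated (registered) domain. The script below is an added example, not code from the paper or the article: the zone contents, the set of registered domains and the `fake_ns_lookup` stand-in are all constructed so it runs offline, and `registrable_domain` is a deliberate simplification (last two labels) of what a Public Suffix List lookup would give.

```python
"""Added example: flag CNAME records whose target domain is no longer
delegated and could therefore be registered by an outsider.

All DNS data here is constructed for illustration."""
from typing import Callable, Dict, List, Tuple

# Constructed zone for example.org: owner name -> (record type, target).
EXAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.org.":  ("A", "192.0.2.10"),
    "foo.example.org.":  ("CNAME", "fooexample.org."),            # target domain expired
    "cdn.example.org.":  ("CNAME", "d111.cdn-provider.example."), # provider still delegated
    "blog.example.org.": ("CNAME", "pages.hosting.example."),     # provider still delegated
}

# Constructed view of public DNS: registrable domains that currently have NS records.
# A live checker would replace this with a real NS query (e.g. via dnspython).
REGISTERED_APEXES = {"cdn-provider.example", "hosting.example", "example.org"}


def registrable_domain(name: str) -> str:
    """Return the last two labels of a name, e.g. 'fooexample.org'.

    Simplification (assumption): real tooling must consult the Public Suffix
    List so that names under suffixes such as co.uk are handled correctly.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def fake_ns_lookup(apex: str) -> bool:
    """Stand-in resolver: True if the apex domain is delegated (has NS records)."""
    return apex in REGISTERED_APEXES


def find_dangling_cnames(
    zone: Dict[str, Tuple[str, str]],
    has_ns: Callable[[str], bool] = fake_ns_lookup,
) -> List[dict]:
    """Return one finding per CNAME whose target's registrable domain is undelegated.

    Note: a CNAME to a still-delegated hosting provider can also be dangling if the
    provider-side resource was deprovisioned; that case is invisible to a pure DNS
    check, which is why the paper's counts are described as an under-approximation.
    """
    findings = []
    for owner, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        apex = registrable_domain(target)
        if not has_ns(apex):
            findings.append({"name": owner, "target": target, "undelegated_apex": apex})
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(EXAMPLE_ZONE):
        print(f"DANGLING {f['name']} -> {f['target']} ({f['undelegated_apex']} is not delegated)")
```

Running the check on a schedule, and treating any `DANGLING` finding as a ticket to delete or repoint the record, addresses the class of misconfiguration the article says most of the 887 vulnerable sites share.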
In their paper, the researchers also explore subdomain hijacking on corporate networks and roaming services, hosting providers and dynamic DNS services, and compromised hosts and websites.
Related-domain attacks
A successful subdomain takeover can lead to an array of threats, including phishing and malware distribution, Site Isolation protection circumvention, same-site request forgery, cookie confidentiality bypassing, Content Security Policy bypassing, and cross-origin resource-sharing abuse.
“The privileged position controlled by RDAs enables a set of exclusive XSS, CSRF, Session Hijacking, and SOP bypass attacks that are not available to a standard web attacker,” Squarcina said.
“For instance, the SameSite cookie attribute is an effective countermeasure against CSRF attacks, but it does not apply to requests originating from a page that is cross-origin but same-site to the target application.”
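The distinction Squarcina draws between cross-origin and cross-site is what decides whether a `SameSite` cookie travels with a request. The following is an added example, not code from the paper, the article, or any browser: it models the same-origin and (schemeful) same-site checks over a small constructed public-suffix set and then applies the `SameSite=Strict`, `Lax` and `None` rules to a request, so a developer can see that a request from a sibling subdomain is treated as same-site and carries the cookie. The `PUBLIC_SUFFIXES` set and all URLs are constructed; a real implementation would use the full Public Suffix List.

```python
"""Added example: why SameSite cookies do not stop a related-domain attacker.

Models the browser's same-origin / same-site comparison and the SameSite
cookie rules. Public-suffix data is a constructed, abbreviated set.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: real code loads the full list).
PUBLIC_SUFFIXES = {"com", "org", "edu", "co.uk"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def site_of(host: str) -> str:
    """Registrable domain (eTLD+1): longest public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host  # no known suffix: treat whole host as the site


def same_origin(url_a: str, url_b: str) -> bool:
    """Scheme, host and effective port must all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    port_a = a.port or DEFAULT_PORTS.get(a.scheme)
    port_b = b.port or DEFAULT_PORTS.get(b.scheme)
    return (a.scheme, a.hostname, port_a) == (b.scheme, b.hostname, port_b)


def same_site(url_a: str, url_b: str) -> bool:
    """Schemeful same-site: same scheme and same registrable domain; port and subdomain ignored."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return a.scheme == b.scheme and site_of(a.hostname) == site_of(b.hostname)


def cookie_attached(samesite: str, initiator_url: str, target_url: str,
                    method: str = "GET", top_level: bool = True) -> bool:
    """Would a cookie with this SameSite value be sent on a request from the
    initiator's page to the target? (Simplified model of the Lax/Strict rules.)"""
    if samesite == "None":
        return True
    if same_site(initiator_url, target_url):
        return True          # cross-origin but same-site: SameSite imposes no restriction
    if samesite == "Lax":
        return top_level and method in ("GET", "HEAD")  # safe top-level navigations only
    return False             # Strict: never cross-site


if __name__ == "__main__":
    target = "https://app.example.org/transfer"
    for who in ("https://attacker-controlled.example.org/", "https://attacker.com/"):
        print(who, "same-origin:", same_origin(who, target),
              "same-site:", same_site(who, target),
              "Strict cookie on POST:", cookie_attached("Strict", who, target, "POST", False))
```

Because the sibling-subdomain request is same-site, the `Strict` cookie is sent while the request from `attacker.com` is blocked, which is exactly the gap the researchers describe. The practical consequence for a defender is that CSRF protection cannot rest on `SameSite` alone: server-side tokens, and `Origin` checks that compare against an exact origin rather than a site, remain necessary wherever a subdomain could fall under someone else's control.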
Vulnerable domains
In their research, Squarcina and his colleagues examined the top 50,000 domains in the Tranco list.
According to their findings, 15% of these domains were vulnerable. The researchers found subdomain takeover vulnerabilities on news websites like cnn.com and time.com, university portals like harvard.edu and mit.edu, government websites like europa.eu and nih.gov, and IT companies like lenovo.com and cisco.com.
Interestingly, most of the discovered vulnerabilities could be fixed by routinely checking the validity of DNS records, which shows how little attention related-domain attacks are receiving.
“Overall, we identified 887 sites among the top 50,000 with takeover vulnerabilities,” Squarcina said.
“This is, however, an under-approximation that does not take into account vulnerabilities caused by deprovisioned cloud resources. Therefore, we estimate takeover vulnerabilities to be even more pervasive than captured by these numbers.”
Source: https://portswigger.net/daily-swig/research-hundreds-of-high-traffic-web-domains-vulnerable-to-same-site-attacks