Question

Let’s start your hunt for SSO vulnerabilities by finding some subdomain takeovers. The best way to reliably discover subdomain takeovers is to build a system that monitors a company’s subdomains for takeovers. But before you do that, let’s look at how you can search for subdomain takeovers manually.

让我们开始搜索 SSO 漏洞，找到一些子域接管。可靠地发现子域接管的最佳方法是构建一个监控公司子域的系统以寻找接管。但是在这之前，让我们看看您如何手动搜索子域接管。

Step 1: List the Target’s Subdomains

First, you need to build a list of all the known subdomains of your target. This can be done using tools mentioned in Chapter 5 . Next, use a screenshot application like EyeWitness or Snapper to see what is hosted on each subdomain.

首先，您需要建立一个包含目标所有已知子域的列表。可以使用第 5 章提到的工具完成此操作。接下来，使用像 EyeWitness 或 Snapper 这样的截图应用程序，查看每个子域托管的内容。

Step 2: Find Unregistered Pages

Look for third-party pages indicating that the page isn’t registered. For example, if the third-party page is hosted on GitHub Pages, you should see something like Figure 20-3 on the subdomain.

寻找第三方页面，查看是否指示该页面尚未注册。例如，如果第三方页面托管在 GitHub 页面上，您应该在子域上看到类似于 Figure 20-3 的东西。

Even if you’ve found a dangling CNAME, not all third-party hosting providers are vulnerable to takeovers. Some providers employ measures to verify the identity of users, to prevent people from registering pages associated with CNAME records. Currently, pages hosted on AWS, Bitbucket, and GitHub are vulnerable, whereas pages on Squarespace and Google Cloud are not. You can find a full list of which third-party sites are vulnerable on EdOverflow’s page on the topic ( https://github.com/EdOverflow/can-i-take-over-xyz/ ). You can find a list of page signatures that indicate an unregistered page there too.

即使您已找到了悬挂的 CNAME，不是所有第三方托管提供商都容易被接管。一些提供商采用措施来验证用户身份，以防止人们注册与 CNAME 记录相关的页面。目前，AWS、Bitbucket 和 GitHub 上托管的页面易受攻击，而 Squarespace 和 Google Cloud 上的页面则不受影响。您可以在 EdOverflow 关于此主题的页面上（https://github.com/EdOverflow/can-i-take-over-xyz/）找到哪些第三方站点易受攻击的完整列表。您也可以在那里找到指示未注册页面的页面签名列表。

Figure 20-3 : An indicator that this page hosted on GitHub Pages is unclaimed

图 20-3：指示此页面托管在 GitHub Pages 上未被声明的指示。

Step 3: Register the Page

Once you’ve determined that the page is vulnerable to takeovers, you should try to register it on the third-party site to confirm the vulnerability. To register a page, go to the third-party site and claim the page as yours; the actual steps required vary by third-party provider. Host a harmless proof-of-concept page there to prove the subdomain takeover, such as a simple HTML page like this one:

一旦确定页面容易被接管，你应该尝试在第三方网站上注册以确认此漏洞。要注册一个页面，请前往第三方网站并声明该页面为您的所有权；具体步骤因第三方供应商而异。在第三方网站上托管一个无害的概念验证页面，以证明子域接管，例如这样一个简单的 HTML 页面：

<html>Subdomain Takeover by Vickie Li.</html>

Make sure to keep the site registered until the company mitigates the vulnerability by either removing the dangling DNS CNAME or by reclaiming the page on the third-party service. If you don’t, a malicious attacker might be able to take over the subdomain while the bug report is being processed.

确保在公司解决漏洞之前，保持站点注册，可以通过删除悬空的 DNS CNAME 或在第三方服务上重新获取页面来解决漏洞。如果不这样做，则在漏洞报告正在处理时，恶意攻击者可能会接管子域。

You might be able to steal cookies with the subdomain takeover if the site uses cookie-sharing SSO. Look for cookies that can be sent to multiple subdomains in the server’s responses. Shared cookies are sent with the Domain attribute specifying the parents of subdomains that can access the cookie:

如果该网站使用共享 Cookie 的单点登录（SSO）功能，并且在服务器的响应中寻找可发送到多个子域的 Cookie，则可以通过子域接管来窃取 Cookie。共享 Cookie 是通过指定可以访问该 Cookie 的子域的父域作为 Domain 属性来发送的。

Set-Cookie: cookie=abc123;     Domain=example.com ; Secure; HttpOnly

Then, you can log in to the legitimate site, and visit your site in the same browser. You can monitor the logs of your newly registered site to determine whether your cookies were sent to it. If the logs of your newly registered site receive your cookies, you have found a subdomain takeover that can be used to steal cookies!

然后，您可以登录到合法网站，并在同一浏览器中访问您的网站。您可以监视您新注册的网站的日志，以确定是否将您的 Cookie 发送到该网站。如果您新注册的网站的日志接收到您的 Cookie，则表示您发现了可以用来窃取 Cookie 的子域接管！

Even if the subdomain takeover you’ve found cannot be used to steal shared-session cookies, it is still considered a vulnerability. Subdomain takeovers can be used to launch phishing attacks on a site’s users, so you should still report them to the organization!

即使您找到的子域接管不能用于窃取共享会话 Cookie，它仍被视为漏洞。 子域接管可以用于对网站用户发起钓鱼攻击，因此您仍应向组织报告它们！