Abandoned IP addresses
TLDR
Stale DNS records (subdomain to IP mappings that outlive the host behind them) can lead to data breaches. Before releasing an IP address back to your cloud or VPS provider, remove or repoint every DNS record that resolves to it and wait for that record's TTL to expire, so no cached answer still sends users to an address you no longer control.
Background
Since the start of the modern web (think the 2004-2006 time range), one of the common ways for multiple services, usually hosted on subdomains of one domain, to share user state without re-authenticating the user has been cookies: a cookie scoped to the parent domain (for example Domain=example.com) is sent by the browser to every subdomain beneath it.
Back in the early 2010s there were few ways to get an SSL/TLS certificate. Each request usually went through a manual verification process and took about one to two days to yield a signed certificate. Let's Encrypt, a certificate authority, revolutionised this by automating issuance through the ACME protocol: a website owner proves control of a name by serving a single file from a well-known directory on the host that the name resolves to (the HTTP-01 challenge) and receives the certificate automatically.
The Feature
With the (r)evolution of the cloud and the dynamic nature of shared resources (specifically IP addresses), a few problems have crept up for domain owners from a security angle.
The bug
A stale subdomain to IP mapping is not a new problem. Whenever you provision a VPS you get an IP address with it, and when you give the server up the address goes back to the provider. Traditionally an attacker who wanted one specific address had to talk the provider's customer service into assigning it, which is not easy. Cloud providers such as AWS instead hand out addresses from large shared pools that any account can allocate from and release back to, so an attacker can keep allocating and releasing addresses until the one a stale record still points to lands in their account; the only requirement is that nobody else holds it at that moment.
Feature + Mis-configuration = Security Issue
- Feature: a publicly trusted SSL/TLS certificate can be obtained automatically by anyone who controls the host a name resolves to
- Mis-configuration: a subdomain pointing to an IP address that is no longer under the domain owner's control
If an attacker can find a subdomain pointing to an IP address that is free to be grabbed, they allocate that address, stand up a web server on it and request a certificate for the subdomain. Because the DNS record already resolves to their host, the ACME validation passes and a publicly trusted certificate is issued, so browsers show no warning. They can then serve a login page that looks like the original site, convince users to log in, collect their credentials and other PII, and replay them against the original site. Any cookies scoped to the parent domain are sent to the attacker's host as well.
A solution
- Keep an inventory of subdomain to IP address mappings and audit it regularly against the addresses you actually hold.
- Use an Elastic IP or Floating IP, which stays tied to your account until you explicitly release it, rather than an address that disappears with the instance.
- Have a checklist to run before releasing an IP address back to your cloud/VPS provider: remove every DNS record that points at it and wait out the TTL.
- Prefer pointing your domain at a managed service (a load balancer or CDN hostname) that is tied to your cloud account, so there is no raw IP to lose; the managed resource still has to be decommissioned with the same care.
- The attack surface shrinks further if you or your company owns the IP addresses you host from (bring your own IP), since a released address cannot be handed to anyone outside your organisation. With great power comes great responsibility: you then own routing and abuse handling for that block.
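Putting the audit described under "The bug" and the pre-release checklist above into code, as an added example that is not from the original post or the DomainList project: the zone export, the set of addresses the account holds and the provider pool prefixes are all constructed sample data (RFC 5737 documentation addresses), and the function names are my own. In practice the zone comes from your DNS provider's export, the held addresses from the cloud API (for AWS, `aws ec2 describe-addresses` plus the instances' public IPs) and the pool prefixes from the provider's published ranges (AWS: ip-ranges.json).

```python
"""Audit a zone for A records that point into a shared cloud pool at an
address the account no longer holds, and gate IP release on DNS cleanup.

Added example, not code from the original post. All data is constructed.
"""
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ARecord:
    name: str
    address: str
    ttl: int  # seconds a resolver may cache this answer


# Constructed zone export (RFC 5737 documentation addresses, not a real zone).
ZONE = [
    ARecord("www.example.com", "203.0.113.10", 300),
    ARecord("api.example.com", "203.0.113.11", 300),
    ARecord("old-staging.example.com", "203.0.113.57", 3600),  # host was torn down
    ARecord("office.example.com", "198.51.100.9", 86400),      # on-prem, our own block
]

# Constructed: addresses the cloud account currently holds.
HELD = {"203.0.113.10", "203.0.113.11"}

# Constructed: prefixes of the provider's shared pool that any account can allocate from.
CLOUD_POOLS = [ip_network("203.0.113.0/24")]


def in_pool(address, pools):
    """True if the address belongs to one of the shared cloud pools."""
    ip = ip_address(address)
    return any(ip in net for net in pools)


def find_dangling(zone, held, pools):
    """Records that resolve into a shared pool at an address we do not hold.

    Each one is a takeover candidate: whoever allocates that address can serve
    content, pass an HTTP-01 challenge and get a certificate for the name.
    Addresses outside the pools (our own block, partners) are skipped: they may
    be stale too, but nobody can simply allocate them from a provider.
    """
    return [r for r in zone if r.address not in held and in_pool(r.address, pools)]


def release_blockers(address, zone):
    """Records that still point at `address`; releasing while any exist is unsafe."""
    return [r for r in zone if r.address == address]


def may_release(address, zone, removed_at=None, old_ttl=0, now=None):
    """Decide whether `address` can be returned to the provider.

    removed_at (UNIX seconds) and old_ttl describe the record that used to
    point here: after deletion, resolvers may still hand out the old answer
    for up to old_ttl seconds, so the address must stay ours for that long.
    Returns (ok, reason).
    """
    blockers = release_blockers(address, zone)
    if blockers:
        names = ", ".join(r.name for r in blockers)
        return False, f"still referenced by: {names}"
    if removed_at is not None:
        now = time.time() if now is None else now
        safe_at = removed_at + old_ttl
        if now < safe_at:
            return False, f"cached answers may live for another {int(safe_at - now)}s"
    return True, "no DNS references and cache window elapsed"


if __name__ == "__main__":
    for rec in find_dangling(ZONE, HELD, CLOUD_POOLS):
        print(f"DANGLING {rec.name} -> {rec.address} (ttl {rec.ttl}s)")
    # Releasing 203.0.113.57 right now is unsafe: a record still points at it.
    print(may_release("203.0.113.57", ZONE))
    # After deleting the record, the 3600s TTL must elapse before release.
    cleaned = [r for r in ZONE if r.address != "203.0.113.57"]
    print(may_release("203.0.113.57", cleaned, removed_at=time.time() - 600, old_ttl=3600))
```

Run the audit on a schedule and wire `may_release` into whatever script or pipeline actually releases addresses; the TTL wait matters because a resolver that cached the old answer will keep sending users to the address until the cache expires, regardless of what the zone now says.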
A noticeable share of bug-bounty payouts goes to reports of stale subdomains. This class of attack is usually called subdomain takeover.
The goal of DomainList is to provide automated solutions and actionable guidelines for domain and website owners based on evolving web standards. Drop an e-mail to hello@... to get notified of the beta and the public release of DomainList.