A subdomain takeover is a Web/App vulnerability that is exploited when an attacker registers a non-existent domain name in order to obtain control of an existing target domain. In doing so, the attacker could potentially damage the target by hosting malicious content, distributing exploits, bypassing content security policies, etc.
Let’s use the domain takeover.immunefi.com as an example.
- takeover.immunefi.com has a CNAME that points to another domain (e.g., not-immunefi.eth)
- For some reason, not-immunefi.eth expired and now an attacker is able to register it
- Because the attacker now owns not-immunefi.eth and the CNAME record has not been deleted from the DNS zone, they have full authority over takeover.immunefi.com
As you can see, such an attack has the potential to damage a project. However, not all subdomain takeovers lead to a serious impact on the project’s core application.
What is Immunefi’s policy regarding reported subdomain takeovers?
At Immunefi, we have a policy of always closing these reports as out of scope unless they are supplemented with more information on how the attack could be used to impact the project’s core application. Furthermore, the project must list subdomain takeovers as a valid impact in their bug bounty program.
Simply identifying that a domain is vulnerable to a subdomain takeover is not enough to warrant a reward. Instead, the whitehat must also connect this attack vector to an in scope impact as outlined in the project’s bug bounty program
There are two ways that someone could chain this attack to impact the in-scope domain. You can read more about these techniques in the following article here.