‘The same-site security boundary is becoming more and more relevant’
The underrated threat of related-domain attacks can enable malicious actors to circumvent many advanced website protection mechanisms, a group of researchers at the Technical University of Vienna (TU Wien) and Ca’ Foscari University of Venice have found.
Published in a paper (PDF) that was presented at the annual Usenix Security Symposium this week, the researchers’ findings show that more than 800 high-traffic websites could be compromised through other sites hosted on a related domain.
Much of the work in web security focuses on establishing site boundaries. That's because web security researchers are concerned about malicious actors compromising a website from the outside.
Accordingly, many recent security upgrades to web protocols and browsers are centered on preventing cross-site attacks while placing more trust on sites that share a domain.
Some of these security-focused upgrades include SameSite cookies, Site Isolation, and HTTP cache partitioning.
“The same-site security boundary is becoming more and more relevant,” Marco Squarcina, postdoctoral researcher at TU Wien, told The Daily Swig.
“This inherent trust in same-site content inspired us to evaluate the presence of same-site threats and understand the security import on web applications.”
Taking over subdomains
Squarcina and his colleagues investigated how attackers can enter the trust zones of targeted websites in order to attack them.
Known as ‘related-domain attackers’, these adversaries operate a malicious website that is hosted on a domain that shares a suffix with that of the target website.
Attackers can exploit DNS misconfigurations to hijack subdomains that are considered as trusted by the target website.
In their paper, the researchers list possible causes of subdomain takeover. One key vulnerability vector is dangling DNS records: records in a domain's authoritative DNS servers that point to expired resources an adversary can acquire.
“The most common cause of a takeover vulnerability is due to dangling records,” Squarcina said.
“As an example, consider a subdomain of example.org, like foo.example.org, pointing to an expired domain name (e.g., fooexample.org) via a CNAME DNS entry. Attackers could simply register fooexample.org to fully control the page served at foo.example.org.”
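The dangling-CNAME scenario Squarcina describes is easy to audit for, and the routine DNS validity check the article later recommends is essentially this. The following script is an added example, not code from the paper or from The Daily Swig: it walks a constructed zone and flags CNAME targets whose registrable domain is unregistered (anyone could register it, as with fooexample.org above) or which no longer resolve (a deprovisioned resource). The resolver and registration lookups are in-memory stubs so it runs offline; a real audit would replace them with live DNS and RDAP/WHOIS queries, and the multi-label suffix set is a tiny stand-in for the Public Suffix List.

```python
"""Audit a DNS zone for dangling CNAME records (subdomain takeover candidates).

Added example; the zone, resolver and registration data below are constructed.
"""
from typing import Callable, List, Tuple

Record = Tuple[str, str, str]          # (owner name, record type, target/value)
Finding = Tuple[str, str, str]         # (owner name, CNAME target, risk class)

# Constructed subset of multi-label public suffixes; real code should load the
# full Public Suffix List instead of this stand-in.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}


def registrable_domain(name: str) -> str:
    """Return the registrable domain (eTLD+1) of a DNS name, e.g. foo.example.org -> example.org."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_zone(records: List[Record],
               resolves: Callable[[str], bool],
               is_registered: Callable[[str], bool]) -> List[Finding]:
    """Classify every CNAME in the zone.

    UNREGISTERED_TARGET_DOMAIN: the target's registrable domain is not registered
        at all, so anyone can register it and serve content for the owner name.
    NXDOMAIN_TARGET: the registrable domain exists but the target name does not
        resolve, typical of a deprovisioned hosting/cloud resource.
    """
    findings: List[Finding] = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue                       # only CNAME delegation is examined here
        target = target.rstrip(".").lower()
        if not is_registered(registrable_domain(target)):
            findings.append((owner, target, "UNREGISTERED_TARGET_DOMAIN"))
        elif not resolves(target):
            findings.append((owner, target, "NXDOMAIN_TARGET"))
    return findings


# --- constructed sample data -------------------------------------------------
ZONE: List[Record] = [
    ("www.example.org",  "A",     "203.0.113.10"),
    ("foo.example.org",  "CNAME", "fooexample.org."),                 # expired domain
    ("blog.example.org", "CNAME", "tenant-42.hosting-provider.example."),  # deprovisioned
    ("cdn.example.org",  "CNAME", "d123.cdnprovider.example."),       # healthy
]

# Stub resolver/registry state standing in for live DNS and RDAP lookups.
RESOLVING_NAMES = {"d123.cdnprovider.example"}
REGISTERED_DOMAINS = {"example.org", "hosting-provider.example", "cdnprovider.example"}


def stub_resolves(name: str) -> bool:
    return name in RESOLVING_NAMES


def stub_is_registered(domain: str) -> bool:
    return domain in REGISTERED_DOMAINS


def run_sample_audit() -> List[Finding]:
    """Run the audit over the constructed zone with the stub lookups."""
    return audit_zone(ZONE, stub_resolves, stub_is_registered)


if __name__ == "__main__":
    for owner, target, risk in run_sample_audit():
        print(f"{risk:27} {owner} -> {target}")
```

Registration status is checked before resolution on purpose: an unregistered target domain is the worst case, because no provider relationship is needed to take it over, whereas an NXDOMAIN under a registered domain needs a provider-specific check before it is confirmed exploitable.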
In their paper, the researchers also explore subdomain hijacking on corporate networks and roaming services, hosting providers and dynamic DNS services, and compromised hosts and websites.
A successful subdomain takeover can lead to an array of threats, including phishing and malware distribution, Site Isolation protection circumvention, same-site request forgery, cookie confidentiality bypassing, Content Security Policy bypassing, and cross-origin resource-sharing abuse.
“For instance, the SameSite cookie attribute is an effective countermeasure against CSRF attacks, but it does not apply to requests originating from a page that is cross-origin but same-site to the target application.”
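To make the "cross-origin but same-site" distinction concrete, here is an added example (not code from the paper or the article) that classifies two URLs as same-origin and/or same-site and then approximates whether a cookie with a given SameSite attribute would be attached to a request between them. It assumes schemeful same-site (scheme plus registrable domain, as current browsers do) and, as a simplification, treats the last two labels of a host as its registrable domain, so it ignores multi-label public suffixes such as co.uk.

```python
"""Same-origin vs same-site, and the requests a SameSite cookie attribute covers.

Added example; the URL pairs used below are constructed.
"""
from typing import Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def origin(url: str) -> Tuple[str, str, int]:
    """Origin = (scheme, host, port); port defaults per scheme."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS[p.scheme])


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels (assumption: no multi-label public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def site(url: str) -> Tuple[str, str]:
    """Schemeful site = (scheme, registrable domain)."""
    p = urlsplit(url)
    return (p.scheme, registrable_domain(p.hostname or ""))


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def same_site(a: str, b: str) -> bool:
    return site(a) == site(b)


def cookie_attached(samesite: str, initiator: str, target: str,
                    method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Approximate browser behaviour for a cookie of the target with SameSite=<samesite>.

    None:   always attached (browsers additionally require the Secure flag).
    Lax:    attached same-site, plus on top-level navigations with a safe method.
    Strict: attached only when initiator and target are same-site.
    """
    if samesite == "None":
        return True
    if same_site(initiator, target):
        return True                      # same-site requests are never restricted
    if samesite == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    if samesite == "Strict":
        return False
    raise ValueError(f"unknown SameSite value: {samesite}")


if __name__ == "__main__":
    target = "https://www.example.org/transfer"
    for initiator in ("https://foo.example.org/", "https://attacker.example/"):
        print(initiator,
              "same-origin" if same_origin(initiator, target) else "cross-origin",
              "same-site" if same_site(initiator, target) else "cross-site",
              "Strict cookie on POST:", cookie_attached("Strict", initiator, target, "POST"))
```

Running it shows the gap the researchers point at: a page on foo.example.org is cross-origin to www.example.org, so the same-origin policy isolates the two, yet it is same-site, so even SameSite=Strict cookies ride along on a forged POST from the hijacked subdomain, while the identical request from attacker.example gets no cookie.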
In their research, Squarcina and his colleagues examined the top 50,000 domains in the Tranco list.
According to their findings, 15% of large domains (more than 50,000 subdomains) were vulnerable.
The researchers found subdomain takeover vulnerabilities on news websites like cnn.com and time.com, university portals like harvard.edu and mit.edu, government websites like europa.eu and nih.gov, and IT companies like lenovo.com and cisco.com.
Interestingly, most of the discovered vulnerabilities could be fixed by routinely checking the validity of DNS records, which speaks to how little attention domain-related attacks are getting.
“Overall, we identified 887 sites among the top 50,000 with takeover vulnerabilities,” Squarcina said.
“This is, however, an under-approximation that does not take into account vulnerabilities caused by deprovisioned cloud resources. Therefore, we estimate takeover vulnerabilities to be even more pervasive than captured by these numbers.”