The issue we will be talking about in this chapter is subtle: it is closer to a configuration management error than to a classic vulnerability. However, bug bounty platforms such as HackerOne accept it as a vulnerability, so it is still worth discussing.
The problem arises when a DNS record for a subdomain points at an external domain or hosted service that the organization no longer controls, so that someone else can register that target and serve their own content under the subdomain. So, we will cover the following topics in the chapter:
- Sub-domain takeovers
- Internet-wide scans
In an example of this vulnerability, the subdomain hello.domain.com uses a canonical name (CNAME) record to point to fulanito.com. A CNAME record is a type of domain name system (DNS) record that declares one domain name to be an alias for another, so that a lookup of the alias continues at the target name. For example, if we own the Mexican domain mitiendita.com.mx, we can create a CNAME record that points it to mitiendita.com.cl, and the alias will then resolve to whatever server or IP address the target resolves to (strictly, this is done on a name such as www.mitiendita.com.mx, because a CNAME cannot coexist with the SOA and NS records at the zone apex).
These records are useful when we need to point to external domains, and are very common within...