DNS hijacking using cloud providers – No verification needed
- 2. detectify
Frans Rosén
Security Advisor @detectify (Twitter: @fransrosen)
HackerOne #5 @ hackerone.com/leaderboard/all-time
Blog at labs.detectify.com
Talked here last year!
"The Secret life of a Bug Bounty Hunter"
- 9. detectify
Response from services
Heroku:
“We're aware of this issue”
GitHub:
“My apologies for the delayed response.
We are aware of this issue”
Shopify:
“I had already identified that this is
a security issue”
- 17. detectify
What have we seen?
https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/
- 53. detectify
Flow
Resolve
* Check NOERROR for patterns
* SERVFAIL/REFUSED, Check NS for patterns
* NXDOMAIN, traverse up to apex, check:
NXDOMAIN|SERVFAIL|REFUSED|no servers could be reached
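
The Resolve flow above, as an added example for auditing your own zone (not code from the talk or from detectify). The provider suffixes, the sample answers and the function names are constructed; the NXDOMAIN branch assumes the apex to check is that of the CNAME target when one exists, and a single-label TLD.

```python
import re

# Constructed placeholder suffixes; list the providers your own zone points at.
PROVIDER = re.compile(r"\.(cloud-host|dns-host)\.example\.?$")
# Status alternation taken from the slide.
BROKEN = re.compile(r"NXDOMAIN|SERVFAIL|REFUSED|no servers could be reached")

def apex_of(name):
    """Traverse up to the apex; assumes a single-label TLD (use a PSL in practice)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def classify(name, lookup):
    """Apply the Resolve flow to one name. lookup(name) -> {"status", "cname", "ns"}."""
    ans = lookup(name)
    status = ans["status"]
    if status == "NOERROR":
        if PROVIDER.search(ans.get("cname", "")):
            return "review: resolves to provider"
        return "ok"
    if status in ("SERVFAIL", "REFUSED"):
        if any(PROVIDER.search(ns) for ns in ans.get("ns", [])):
            return "review: provider NS not serving zone"
        return "review: unknown NS failing"
    if status == "NXDOMAIN":
        apex = apex_of(ans.get("cname") or name)
        apex_status = lookup(apex)["status"]
        if BROKEN.search(apex_status):
            return f"review: apex {apex} returns {apex_status}"
        return "nxdomain only"
    return f"unhandled: {status}"

# Constructed sample answers standing in for live DNS responses.
ANSWERS = {
    "corp.example": {"status": "NOERROR"},
    "www.corp.example": {"status": "NOERROR"},
    "shop.corp.example": {"status": "NOERROR", "cname": "corp.cloud-host.example"},
    "old.corp.example": {"status": "SERVFAIL", "ns": ["ns1.dns-host.example"]},
    "promo.corp.example": {"status": "NXDOMAIN", "cname": "app.eu.gone-vendor.example"},
    "typo.corp.example": {"status": "NXDOMAIN"},
}

def lookup(name):
    # Names missing from the sample behave like an unreachable delegation.
    return ANSWERS.get(name, {"status": "no servers could be reached"})

def audit(names):
    """Return a verdict per name, keyed by name."""
    return {n: classify(n, lookup) for n in names}
```

In a real audit, `lookup` would wrap your resolver and the name list would come from the zone file.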
- 55. detectify
Flow
Analyze unknowns
* Collect titles of all sites (or EyeWitness!)
* Filter out common titles + name of company
* Generate screenshots, create an image map
https://github.com/ChrisTruncer/EyeWitness
- 88. detectify
Recap
• Know your DNS Zone file
MX, CNAME, A, AAAA, ALIAS. Everything.
• AUTOMATION, probably the only proper solution
• will.i.am loves this