Weird “Subdomain Take Over” pattern of Amazon S3

Thanks for huge response to my previous write-ups. Recently I participated in a Bug Bounty program and I have found “Sub-domain takeover” issue by leveraging the Amazon S3 hosting service.

Even though you have an idea on the subdomain takeover via AWS S3. In this write-up, I will show the non-typical way of S3 subdomain takeover and also show the OSINT process to find the s3 regions and finally how I found the correct region of the target.

Introduction — Sub-Domain & S3

Subdomain: A Subdomain is a domain that the part of a larger domain. For example blog.example.com, www.example.com are subdomains of example.com

AWS S3: S3 is Simple Storage Service provided by the AWS cloud platform. In which they provide the cloud object storage and that offers industry-leading scalability, data availability, security, and performance.

Subdomain Takeover:

Subdomain takeover is a process of registering a non-existing domain name to gain control over another domain.

Actually before going to understand the subdomain takeover we have to discuss “DNS & CNAME” record. The main logic behind subdomain takeover is tangled with the actual subdomain CNAME record. CNAME records can be used to alias one name to another.

Let’s illustrate the actual flow of subdomain takeover via S3:

1. If you have subdomains of a target and you gathered the domain CNAMEs.
2. Below Linux command gives the information of CNAME
3. Let us assume that the one of the domain CNAME is pointing to the Amazon S3

dig cname assets.flawdomain.com 

s3 subdomain takeover (secureitmania)

While visiting the ‘assets.flawdomain.com’ gives the below response. Then you can easily takeover that subdomain by creating the bucket name with ‘assets.flawdomain.com’ in the ‘US East (N. Virginia)’ region.