Contents
Don’t get confused between domain takeover and subdomain takeover. They are two separate vulnerabilities.
Exploitation Scenario 1: Chaining with Deep link
Exploitation Scenario 2: Accessing Sensitive Information and Email
Exploitation Scenario 3: Phishing / Domain Abuse
Exploitation Scenario 4: Extracting Sensitive Information Using LOGS
Exploitation Scenario 5: Login using SSO
Conclusion
There is no specific methodology to check for Domain Takeover, but here are a few places where a pentester must look to discover potential domains:
Organization/Developers’ GitHub / GitLab / Bitbucket public accounts
URLs in the application (current/historic)
JavaScript files (regular/obfuscated)
Application Request/Response
Application 3rd-party Requests
Once you have a list of possible domains, search them for availability using bulk domain search tools such as https://www.namebright.com/BulkSearch.
A successful domain takeover harms an organization financially and technically, and damages its reputation.
The best and easiest way to protect the organization from domain takeover is to set up monitoring for domain expiry and to renew old domains even if they are no longer in use. A more involved complementary measure is to perform regular code/configuration reviews, replace every instance where the expired domain or its subdomains are referenced, and delete all third-party accounts registered using the expired domain.
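As an added illustration of the two points above (harvesting domains referenced by application content, and monitoring the ones the organization holds for expiry), the following script is example code written for this page, not a tool from the original post. The JavaScript/HTML snippet, the hostnames and the registration inventory are all constructed; the registrable-domain logic is a deliberate simplification that a real check would replace with the Public Suffix List.

```python
import re
from datetime import date, timedelta

# Constructed sample of application content (a JS file and an HTML response).
# All hostnames here are made up for the example.
SAMPLE_CONTENT = """
fetch("https://api.example-corp.com/v1/session");
const cdn = "//static.examplecorp-assets.net/app.js";
<a href="https://old-promo.example-promo.org/deal">deal</a>
<img src="https://www.example-corp.com/logo.png">
"""

# Constructed inventory of domains the organization holds, with expiry dates.
REGISTERED = {
    "example-corp.com": date(2026, 3, 1),
    "examplecorp-assets.net": date(2025, 1, 20),
}
TODAY = date(2025, 1, 5)  # fixed "today" so the run is reproducible

HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

def registrable_domain(host):
    # Simplification: treat the last two labels as the registrable domain.
    # A production check should use the Public Suffix List (e.g. co.uk).
    return ".".join(host.lower().split(".")[-2:])

def extract_domains(content):
    # Distinct registrable domains referenced by the content, sorted.
    return sorted({registrable_domain(h) for h in HOST_RE.findall(content)})

def audit(content, registered, today, warn_days=30):
    # Classify each referenced domain: absent from the inventory (could be
    # registered by anyone), expiring within warn_days, or fine.
    findings = {}
    for d in extract_domains(content):
        expiry = registered.get(d)
        if expiry is None:
            findings[d] = "not in inventory"
        elif expiry - today <= timedelta(days=warn_days):
            findings[d] = f"expires {expiry.isoformat()}"
        else:
            findings[d] = "ok"
    return findings

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_CONTENT, REGISTERED, TODAY).items():
        print(f"{domain}: {status}")
```

Running it over real content means feeding it the JavaScript files and responses gathered in the discovery step and an inventory exported from the registrar; domains reported as "not in inventory" are the ones to confirm with a bulk availability search.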