
Domain-Protect: Protect Against Subdomain Takeover

Domain-Protect is an easy-to-use tool that protects your sites from subdomain takeover. A subdomain takeover happens when a DNS record for one of your subdomains still points at a resource you no longer control, for example a CNAME to an S3 bucket that has been deleted, or to a hostname that no longer resolves. An attacker who registers that resource then serves content under your subdomain, which can be used for phishing, stealing cookies scoped to the parent domain, and bypassing origin-based controls. Domain-Protect scans your DNS records for such dangling references and notifies you when it finds one.

  • scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
  • scan Cloudflare for vulnerable DNS records
  • take over vulnerable subdomains yourself before attackers and bug bounty researchers
  • automatically create known issues in Bugcrowd
  • vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP
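The scan logic in miniature, as an added example that is not domain-protect's own code: it classifies CNAME records the way a dangling-DNS check must, asking whether the target still resolves and, for S3 endpoints, whether the bucket still exists (an S3 hostname resolves even when the bucket is gone, so resolution alone proves nothing). The record set, the resolver and the bucket lookup are constructed in-memory stand-ins; the S3 hostname pattern and the two takeover classes are assumptions, covering only a subset of what the tool checks.

```python
"""Classify DNS records for dangling CNAME targets (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed S3 endpoint forms: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-website-<region>.amazonaws.com, bucket.s3-website.<region>.amazonaws.com
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:[.-](?:website[.-])?[a-z0-9-]+)?\.amazonaws\.com$"
)


@dataclass(frozen=True)
class Record:
    name: str    # record name in the hosted zone
    rtype: str   # "CNAME", "A", ...
    value: str   # record target


@dataclass(frozen=True)
class Finding:
    name: str    # vulnerable record name
    target: str  # the dangling target
    reason: str  # why it is considered claimable


def s3_bucket_name(host: str) -> Optional[str]:
    """Return the bucket name if host is an S3 endpoint, else None."""
    m = S3_HOST_RE.match(host.rstrip(".").lower())
    return m.group("bucket") if m else None


def classify(record: Record,
             resolves: Callable[[str], bool],
             bucket_exists: Callable[[str], bool]) -> Optional[Finding]:
    """Return a Finding for a CNAME whose target an attacker could claim."""
    if record.rtype != "CNAME":
        return None  # assumption: only CNAME-based takeovers are modelled here
    target = record.value.rstrip(".").lower()
    bucket = s3_bucket_name(target)
    if bucket is not None:
        # S3 endpoints keep resolving after bucket deletion; the real test is
        # whether the bucket exists, since anyone can create a missing bucket name.
        if not bucket_exists(bucket):
            return Finding(record.name, target,
                           f"S3 bucket '{bucket}' no longer exists and can be re-created")
        return None
    if not resolves(target):
        # NXDOMAIN target: claimable if the name (or its zone) can be registered.
        return Finding(record.name, target, "CNAME target does not resolve (NXDOMAIN)")
    return None


def scan(records: List[Record],
         resolves: Callable[[str], bool],
         bucket_exists: Callable[[str], bool]) -> List[Finding]:
    """Run classify over a record set and keep only the findings."""
    return [f for f in (classify(r, resolves, bucket_exists) for r in records) if f]


# Constructed sample data standing in for a Route53 hosted zone and live lookups.
SAMPLE_RECORDS = [
    Record("www.example.com", "CNAME", "www-example.s3-website-us-east-1.amazonaws.com."),
    Record("assets.example.com", "CNAME", "assets-example-old.s3.amazonaws.com."),
    Record("legacy.example.com", "CNAME", "legacy-app.example.net."),
    Record("api.example.com", "CNAME", "api.example.net."),
    Record("mail.example.com", "A", "203.0.113.10"),
]
RESOLVABLE_NAMES = {"www-example.s3-website-us-east-1.amazonaws.com",
                    "assets-example-old.s3.amazonaws.com",  # still resolves, bucket is gone
                    "api.example.net"}
EXISTING_BUCKETS = {"www-example"}


def demo() -> List[Finding]:
    """Scan the constructed zone with the constructed lookups."""
    return scan(SAMPLE_RECORDS,
                lambda host: host in RESOLVABLE_NAMES,
                lambda bucket: bucket in EXISTING_BUCKETS)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.name} -> {finding.target}: {finding.reason}")
```

The A record is skipped on purpose: a released Elastic IP or retired load balancer is also claimable, but detecting that needs account-side inventory rather than DNS lookups, which is one reason a scanner of this kind covers only a limited set of takeover types.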
Screenshot of Domain-Protect usage

Requirements

  • Security audit account within AWS Organizations
  • Security audit read-only role with an identical name in every AWS account of the Organization
  • Storage bucket for Terraform state file
  • Terraform 1.0.x

Requirements for takeover

  • Creation of takeover resources in the security account must not be blocked by SCPs in any region
  • S3 Block Public Access must not be turned on at the account level in the security account
  • Production workspace must be named prd or set to an alternate using a Terraform variable
  • See automated takeover for further details

Organisations with over 1,000 AWS accounts

  • A separate scanning Lambda function is started for every AWS account in the organisation
  • If you have over 1,000 AWS accounts, request an increase to the Lambda default concurrent execution limit

Installation

  • replace the Terraform state S3 bucket fields in the command below as appropriate
  • for local testing, duplicate terraform.tfvars.example, rename without the .example suffix
  • enter details appropriate to your organization and save
  • alternatively enter Terraform variables within your CI/CD pipeline
  • deploy development environment for detection only
  • default scan schedule for dev environment is 12 hours
terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=key=TERRAFORM_STATE_KEY -backend-config=region=TERRAFORM_STATE_REGION
terraform workspace new dev
terraform plan
terraform apply
  • deploy production environment for detection and automated takeover
  • default scan schedule for prd environment is 60 minutes
terraform workspace new prd
terraform plan
terraform apply

Adding notifications to extra Slack channels

Receive alerts by Slack or email
  • add an extra channel to your slack_channels variable list
  • add an extra webhook URL or repeat the same webhook URL to your slack_webhook_urls variable list
  • apply Terraform

Architecture

Domain Protect Architecture

Domain Protect implements a completely serverless architecture:

Domain protect serverless architecture

How Domain Protect scans all AWS accounts in Organization:

Domain Protect scans all AWS accounts

Limitations

  • this tool cannot guarantee 100% protection against subdomain takeover
  • it currently only scans Amazon Route53 and Cloudflare, and only checks a limited number of takeover types
  • vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP

Manual scans – AWS
Manual scans – CloudFlare