Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting Referral

Alowaisheq, Eihal; Tang, Siyuan; Wang, Wenwen; Alharbi, Fatemah; Liao, Xiaojing

doi:10.1145/3372297.3417864

Cited by 15 publications

(8 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly, abandoned banking domains have been used to target users who attempted to connect to those banks [13]. More recent research has shown how stale NS records for an active domain can serve as reactivated zombies in a resolver's cache [2].…”

Section: Ghost Domainsmentioning

confidence: 99%

See 1 more Smart Citation

Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses

Syverson

Finkel

Eskandarian

et al. 2021

Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society

View full text Add to dashboard Cite

Onion addresses encode their own public key. They are thus selfauthenticating, one of the security and privacy advantages of onion services, which are typically accessed via Tor Browser. Because of the mostly random-looking appearance of onion addresses, a number of onion discovery mechanisms have been created to permit routing to an onion address associated with a more meaningful URL, such as a registered domain name.We describe novel vulnerabilities engendered by onion discovery mechanisms recently introduced by Tor Browser that facilitate hijack and tracking of user connections. We also recall previously known hijack and tracking vulnerabilities engendered by use of alternative services that are facilitated and rendered harder to detect if the alternative service is at an onion address.Self-authenticating traditional addresses (SATAs) are valid DNS addresses or URLs that also contain a commitment to an onion public key. We describe how the use of SATAs in onion discovery counters these vulnerabilities. SATAs also expand the value of onion discovery by facilitating self-authenticated access from browsers that do not connect to services via the Tor network. CCS CONCEPTS• Security and privacy → Browser security; Web protocol security; • Networks → Naming and addressing.

show abstract

Section: Ghost Domainsmentioning

confidence: 99%

“…We developed a prototype implementation of our contributions by extending the prototype Firefox WebExtension already publically available [21]. The extension is available for download 2 .…”

Section: Figure 1: An Example Sattestation In Json Formatmentioning

confidence: 99%

Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses

Syverson

Finkel

Eskandarian

et al. 2021

Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society

View full text Add to dashboard Cite

show abstract

“…For this study, we use the Tranco list from 14 December 2020. 1 We evaluate our methodology on a subset of the Tranco list, consisting of a random sample of 100,000 domains taken from the top 500,000 ranked domains. The exact list of domains is available at our open source repository.…”

Section: Input Data Setsmentioning

confidence: 99%

“…Borgolte et al [6] investigated how DNS records pointing to cloud IP addresses can lead to domain takeover attacks because IP address use-after-free attacks on cloud infrastructure and they show that these attacks are practical and cost effective to execute on public clouds. Stale NS record types have been studied by Alowaisheq et al [1], who show how they can be exploited via DNS hosting providers, possibly allowing domain hijacking for 628 domains of the Alexa's 1M. Beyond DNS, Gruss et al [16] show that use-after-free attacks can also apply to email addresses.…”

Section: Orphaned Resourcesmentioning

confidence: 99%

Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale

Pletinckx

Borgolte

Fiebig

2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Security misconfigurations and neglected updates commonly lead to systems being vulnerable. Especially in the context of websites, we often find pages that were forgotten, that is, they were left online after they served their purpose and never updated thereafter.In this paper, we introduce new methodology to detect such forgotten or orphaned web pages. We combine historic data from the Internet Archive with active measurements to identify pages no longer reachable via a path from the index page, yet stay accessible through their specific URL. We show the efficacy of our approach and the real-world relevance of orphaned web-pages by applying it to a sample of 100,000 domains from the Tranco Top 1M.Leveraging our methodology, we find 1,953 pages on 907 unique domains that are orphaned, some of which are 20 years old. Analyzing their security posture, we find that these pages are significantly (𝑝 < 0.01 using 𝜒 2 ) more likely to be vulnerable to crosssite scripting (XSS) and SQL injection (SQLi) vulnerabilities than maintained pages. In fact, orphaned pages are almost ten times as likely to suffer from XSS (19.3%) than maintained pages from a random Internet crawl (2.0%), and maintained pages of websites with some orphans are almost three times as vulnerable (5.9%). Concerning SQLi, maintained pages on websites with some orphans are almost as vulnerable (9.5%) as orphans (10.8%), and both are significantly more likely to be vulnerable than other maintained pages (2.7%). Overall, we see a clear hierarchy: Orphaned pages are the most vulnerable, followed by maintained pages on websites with orphans, with fully maintained sites being least vulnerable.We share an open source implementation of our methodology to enable the reproduction and application of our results in practice. CCS Concepts• Security and privacy → Web application security.

show abstract

“…Furthermore, attackers have been found employing a technique called domain shadowing [7,32] to illicitly access the DNS control panel of active domains to distribute malware from arbitrary subdomains. Alowaisheq et al recently discovered that stale NS records [4] could be also abused by attackers to take control of the DNS zone of a domain to create arbitrary DNS records. Controlling the DNS of a domain is the highest privileged setting for a related-domain attackers, since they can point subdomains to hosts they fully control and reliably obtain TLS certificates.…”

Section: Compromised Hosts/websitesmentioning

confidence: 99%

Can I Take Your Subdomain? Exploring Related-Domain Attacks in the Modern Web

Squarcina¹,

Tempesta²,

Veronese³

et al. 2020

Preprint

View full text Add to dashboard Cite

Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

show abstract

Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting Referral

Cited by 15 publications

References 21 publications

Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses

Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses

Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale

Can I Take Your Subdomain? Exploring Related-Domain Attacks in the Modern Web

Contact Info

Product

Resources

About