Detect AWS Subdomain Takeover

What is the "Detect AWS Subdomain Takeover?" module?

The "Detect AWS Subdomain Takeover" module is designed to identify a vulnerability known as AWS Subdomain takeover. This vulnerability occurs when a subdomain, such as subdomain.example.com, is pointing to an AWS resource, like an S3 bucket or CloudFront distribution, that has been deleted or is no longer in use. The severity of this vulnerability is classified as medium.

Impact

If an AWS Subdomain takeover is successful, an attacker can gain control of the subdomain and potentially use it for malicious purposes.

How does the module work?

The "Detect AWS Subdomain Takeover" module works by performing specific HTTP requests and analyzing the responses for certain conditions. It uses a set of matching conditions to identify potential subdomain takeover vulnerabilities.

Here is an example of one of the matching conditions:

Part: Body
Type: Word
Words: ["The specified bucket does not exist"]
Condition: AND

This condition checks if the response body contains the phrase "The specified bucket does not exist". If this condition is met, it indicates a potential subdomain takeover vulnerability.

Other matching conditions include checking for the presence of certain headers or specific words in the response body.

Please note that this module is part of the Vidoc platform and is intended for scanning and detecting vulnerabilities, misconfigurations, or software fingerprints.