Feb 16 – 17, 2023 Workshop
Atlanta Marriott Marquis
US/Eastern timezone

DareShark: Detecting and Measuring Security Risks of Hosting-Based Dangling Domains

Feb 16, 2023, 2:00 PM
Imperial Ballroom (Atlanta Marriott Marquis)

265 Peachtree Center Ave NE Atlanta GA 30303 United States
In-Person, Standard Presentation, Main Session, OARC 40 - Day 1

Xiang Li (Tsinghua University)

Public hosting services make it convenient for domain owners to build web applications with better scalability and security. However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying for the same endpoints. Such a threat is called hosting-based domain takeover. In recent years, a series of domain takeover incidents with severe impacts have been reported continuously, and even high-profile websites such as Microsoft have been affected. However, until now there has been no effective detection system to identify these vulnerable domains at scale.

In this paper, we introduce a novel framework, DareShark, for effective domain takeover detection. Compared to previous work, DareShark expands the detection scope and improves detection efficiency by: 1) systematically identifying vulnerable hosting services with a semi-automated method; and 2) detecting vulnerable domains by passively reconstructing domain resolution chains. We evaluate the effectiveness of DareShark and eventually detect 10,351 Top-1M subdomains vulnerable to domain takeover, which is over 8 times more than previous findings. Specifically, DareShark allows us to detect the subdomains of Tranco Top-1M sites on a daily basis. In addition, we perform an in-depth security analysis of the affected vendors, such as Amazon and Alibaba, and gain a suite of new insights, including flawed implementations of domain validation. Following the responsible disclosure policy, we have reported details to the affected vendors, and some of them have adopted our mitigation.
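The abstract's second detection step, reconstructing a domain's resolution chain from passive DNS data and checking whether it terminates at a provider endpoint that no longer exists, can be illustrated with a small zone audit. The following is an added example for readers of this page and is not DareShark's code or the authors' method; the passive-DNS snapshot, the zone `example.com.`, the provider names and the endpoint patterns in `HOSTING_PATTERNS` are all constructed for illustration (the paper identifies vulnerable hosting services semi-automatically, whereas here the patterns are simply hand-written). It walks CNAME chains without issuing live queries, then flags two dangling shapes that correspond to the endpoints the abstract mentions: an alias ending at a provider-owned name with nothing behind it, and a delegation to provider nameservers that no longer resolve.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed passive-DNS snapshot: name -> list of (rtype, rdata). Every name,
# address and provider below is hypothetical and stands in for real observations.
PASSIVE_DNS = {
    "shop.example.com.": [("CNAME", "shop-prod.hosting-example.net.")],
    "shop-prod.hosting-example.net.": [],            # released endpoint: no records left
    "blog.example.com.": [("CNAME", "blog.pages-example.io.")],
    "blog.pages-example.io.": [("A", "203.0.113.10")],
    "www.example.com.": [("A", "198.51.100.5")],
    "loop.example.com.": [("CNAME", "loop2.example.com.")],
    "loop2.example.com.": [("CNAME", "loop.example.com.")],
    "legacy.example.com.": [("NS", "ns1.dns-example.org."), ("NS", "ns2.dns-example.org.")],
    "ns1.dns-example.org.": [],                       # provider nameservers no longer exist
    "ns2.dns-example.org.": [],
    "api.example.com.": [("NS", "ns3.dns-example.org.")],
    "ns3.dns-example.org.": [("A", "203.0.113.53")],
}

# Hypothetical hosting-provider endpoint patterns. A real audit would keep a vetted
# list per vendor; these placeholders only serve the constructed snapshot above.
HOSTING_PATTERNS = [
    ("HostingExample", re.compile(r"\.hosting-example\.net\.$")),
    ("PagesExample", re.compile(r"\.pages-example\.io\.$")),
    ("DnsExample", re.compile(r"\.dns-example\.org\.$")),
]
MAX_HOPS = 8  # bound on CNAME chain length, mirroring what resolvers enforce


@dataclass
class Finding:
    name: str
    chain: list
    provider: Optional[str]
    status: str  # dangling_cname | dangling_ns | live | not_hosted | loop


def lookup(records, name, rtype):
    return [rdata for rt, rdata in records.get(name, []) if rt == rtype]


def provider_for(name):
    for provider, pattern in HOSTING_PATTERNS:
        if pattern.search(name):
            return provider
    return None


def follow_aliases(name, records):
    """Follow CNAMEs from name using only the passive snapshot (no live queries).
    Returns the chain of names and whether it ended cleanly or in a loop."""
    chain, seen = [name], {name}
    for _ in range(MAX_HOPS):
        targets = lookup(records, chain[-1], "CNAME")
        if not targets:
            return chain, "end"
        nxt = targets[0]
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "end"  # hop limit reached; treat the last name as terminal


def has_address(name, records):
    return bool(lookup(records, name, "A") or lookup(records, name, "AAAA"))


def classify(name, records):
    chain, how = follow_aliases(name, records)
    if how == "loop":
        return Finding(name, chain, None, "loop")
    terminal = chain[-1]

    # Shape 1: the alias chain ends at a provider-owned name with nothing behind it.
    provider = provider_for(terminal)
    if provider and terminal != name:
        if has_address(terminal, records) or lookup(records, terminal, "NS"):
            return Finding(name, chain, provider, "live")
        return Finding(name, chain, provider, "dangling_cname")

    # Shape 2: the name is delegated to provider nameservers, none of which resolve.
    nameservers = lookup(records, terminal, "NS")
    ns_providers = {provider_for(ns) for ns in nameservers} - {None}
    if ns_providers:
        provider = sorted(ns_providers)[0]
        if any(has_address(ns, records) for ns in nameservers):
            return Finding(name, chain, provider, "live")
        return Finding(name, chain, provider, "dangling_ns")

    return Finding(name, chain, None, "not_hosted")


def audit_zone(zone, records):
    """Classify every name in the snapshot that sits under `zone`."""
    return {n: classify(n, records) for n in records if n == zone or n.endswith("." + zone)}


if __name__ == "__main__":
    for n, f in sorted(audit_zone("example.com.", PASSIVE_DNS).items()):
        print(f"{f.status:15} {n:22} via {' -> '.join(f.chain)}  provider={f.provider}")
```

On a real zone the snapshot would come from a passive-DNS feed or the zone's own history rather than a dictionary, and each `dangling_*` finding should be confirmed against the provider's current claim rules before being treated as a takeover risk; the audit deliberately stays read-only and never tries to register the endpoint it flags.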

Primary authors

Ms MingMing Zhang (Tsinghua University)
Xiang Li (Tsinghua University)
Prof. Baojun Liu (Tsinghua University)
Mr Jianyu Lu (Qi An Xin Group Corp.)
Ms Yiming Zhang (Tsinghua University)
Prof. Jianjun Chen (Tsinghua University)
Prof. Haixin Duan (Tsinghua University)
Prof. Shuang Hao (University of Texas at Dallas)
Mr Xiaofeng Zheng (Tsinghua University)