Public hosting services provide convenience for domain owners to build web applications with better scalability and security. However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying the same endpoints. Such threat is called hosting-based domain takeover. In recent years, a series of domain takeover incidents with severe impacts are continuously reported, and even high-profile websites such as Microsoft are affected. However, until now, there still lacks an effective detection system to identify these vulnerable domains on a large scale.
In this paper, we introduce a novel framework, DareShark, for effective domain takeover detection. Compared to previous works, DareShark expands the detection scope and improves the detection efficiency by: 1) systematically identifying vulnerable hosting services with a semi-automated method; and 2) detecting vulnerable domains by passively reconstructing domain resolution chains. We evaluate the effectiveness of DareShark and eventually detect 10,351 Top-1M’ subdomains vulnerable to domain takeover, which are over 8 times more than previous findings. Specifically, DareShark allows us to detect the subdomains of Tranco Top-1M sites on a daily basis. In addition, we perform an in-depth security analysis on the affected vendors, like Amazon and Alibaba, and gain a suit of new insights, including flawed implementation of domain validation. Following the responsible disclosure policy, we have reported details to affected vendors, and some of them have adopted our mitigation.