5 Best Ways to Check for Subdomain Takeover in TypeScript
Introduction
Subdomain takeover is a critical security vulnerability that occurs when a subdomain points to an external service (like GitHub Pages, Heroku, or AWS S3) that has been removed or is no longer claimed by the organization. Attackers can claim the unassigned subdomain, leading to unauthorized control over it.
In TypeScript-based Enterprise Resource Planning (ERP) systems, such vulnerabilities can compromise sensitive data and disrupt business operations.
This guide explores how to check for subdomain takeover in TypeScript-based ERP systems. We’ll provide effective detection methods and practical coding examples for developers.
What is Subdomain Takeover?
Subdomain takeover vulnerabilities arise when DNS entries point to external services that are no longer active or claimed.
For example, if a subdomain erp.example.com is configured to point to a GitHub Pages site that has been deleted, an attacker could create a repository with the same name and take control over erp.example.com.
Common Causes of Subdomain Takeover
- Orphaned DNS Records: DNS entries that point to services no longer in use.
- Third-Party Services: Subdomains pointing to external platforms where the resource has been removed.
- Expired Hosting Accounts: Domains pointing to hosting services with expired accounts.
1. Automated Subdomain Enumeration
Automating the process of subdomain enumeration helps identify vulnerable subdomains. We can use DNS libraries in TypeScript to fetch DNS records.
TypeScript Code Example
import dns from 'dns';
const domain = 'example.com';
dns.resolveNs(domain, (err, nameservers) => {
if (err) {
console.error(`Error resolving NS records for ${domain}:`, err);
return;
}
console.log(`Nameservers for ${domain}:`, nameservers);
nameservers.forEach((ns) => {
dns.resolveCname(ns, (err, cnames) => {
if (err) {
console.error(`Error resolving CNAME for ${ns}:`, err);
return;
}
console.log(`CNAME records for ${ns}:`, cnames);
});
});
});This script retrieves nameservers for a domain and checks CNAME records for potential misconfigurations.
2. Monitoring DNS Changes
Regular monitoring of DNS records can detect unauthorized changes or orphaned records.
TypeScript Code Example
import dns from 'dns';
import nodemailer from 'nodemailer';
const domain = 'example.com';
let previousRecords: dns.MxRecord[] = [];
const checkDnsRecords = () => {
dns.resolveMx(domain, (err, records) => {
if (err) {
console.error(`Error resolving MX records for ${domain}:`, err);
return;
}
if (JSON.stringify(records) !== JSON.stringify(previousRecords)) {
console.log('DNS records have changed:', records);
sendAlertEmail(records);
previousRecords = records;
} else {
console.log('No changes in DNS records.');
}
});
};
const sendAlertEmail = (records: dns.MxRecord[]) => {
const transporter = nodemailer.createTransport({
service: 'gmail',
auth: {
user: 'your-email@gmail.com',
pass: 'your-password',
},
});
const mailOptions = {
from: 'your-email@gmail.com',
to: 'admin@example.com',
subject: 'DNS Records Changed',
text: `The DNS records for ${domain} have changed: ${JSON.stringify(records)}`,
};
transporter.sendMail(mailOptions, (error, info) => {
if (error) {
return console.error('Error sending email:', error);
}
console.log('Alert email sent:', info.response);
});
};
// Check DNS records every hour
setInterval(checkDnsRecords, 3600000);This script monitors MX records and sends an email alert if any changes are detected.
3. Validating DNS Configurations
Ensure all DNS entries point to active and claimed resources. Regular validation helps identify orphaned DNS records that could be taken over.
TypeScript Code Example
import dns from 'dns';
const subdomains = ['erp.example.com', 'shop.example.com'];
subdomains.forEach((subdomain) => {
dns.resolveCname(subdomain, (err, cnames) => {
if (err) {
console.error(`Error resolving CNAME for ${subdomain}:`, err);
return;
}
cnames.forEach((cname) => {
// Check if the CNAME points to an active service
dns.resolve4(cname, (err) => {
if (err) {
console.warn(`Potentially unclaimed CNAME target: ${cname}`);
} else {
console.log(`CNAME target ${cname} is active.`);
}
});
});
});
});This script checks if CNAME records point to active services to detect unclaimed subdomains.
4. Using Security Tools
Leverage security tools to scan for subdomain takeover vulnerabilities automatically.
Example: Using subjack Tool
import { exec } from 'child_process';
const subdomains = ['erp.example.com', 'shop.example.com'];
subdomains.forEach((subdomain) => {
exec(`subjack -w ${subdomain} -t 10 -ssl`, (error, stdout, stderr) => {
if (error) {
console.error(`Error executing subjack for ${subdomain}:`, error);
return;
}
console.log(`Subjack scan results for ${subdomain}:`, stdout);
});
});This script integrates subjack, a powerful tool for detecting subdomain takeovers.
Screenshot from Our Free Security Tool
🔹 Below is a screenshot of our free website security scanner tool. It helps detect subdomain takeover and other vulnerabilities.
Screenshot of a Website Vulnerability Assessment Report
🔹 Below is a screenshot of a vulnerability assessment report generated using our free security tool to check Website Vulnerability.
Related Blog Posts
For more cybersecurity insights, check out our latest blog posts:
- Prevent NoSQL Injection in OpenCart
- Prevent NoSQL Injection in TypeScript ERP
- Understanding HTTP Parameter Pollution in TypeScript
- Best Practices for Transport Layer Protection in TypeScript
- SQL Injection (SQLi) in Laravel: Prevention Guide
- Explore more on our Cybersecurity Blog
Conclusion
Detecting subdomain takeover in TypeScript-based ERP systems is essential for preventing unauthorized access and protecting sensitive business data.
By implementing automated subdomain enumeration, DNS monitoring, validation, and security tools, developers can secure their applications against this threat.
Would you like a free security check for your website? Try our free website security tool today! 🚀
Pingback: Best 7 Ways to Prevent NoSQL Injection in TypeScript ERP