Preventing subdomain takeover with OWASP Domain Protect


Authors:   Paul Schwarzenberger


The presentation discusses the implementation of a serverless architecture for continuous compliance in a large organization's AWS accounts using Lambda functions and other AWS services.
  • The organization has multiple AWS accounts for different purposes and teams
  • The Lambda function assumes a role into the organization management account and triggers a step function to orchestrate Lambda functions for each AWS account
  • Each Lambda function queries Route 53 records and writes to a DynamoDB database and SNS topic for notifications
  • The architecture is designed to be low cost, low operational overhead, and continuous
  • The use of serverless services allows for scalability and ease of maintenance
The speaker explains that the organization had initially started with scripts to discover vulnerabilities in their AWS accounts, but realized that a continuous compliance solution was needed. They chose to implement a serverless architecture using Lambda functions and other AWS services to keep the solution low cost and low operational overhead. The use of serverless services also allowed for scalability and ease of maintenance. The speaker emphasizes the importance of having a dedicated security tooling account and following AWS's recommendations for architecting multiple accounts.
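The per-account step in the architecture above is a Lambda that reads Route 53 record sets and raises findings for records that point at resources nobody in the organisation holds any more. The following is an added example of that check, written for this page; it is not code from the talk or from the OWASP Domain Protect project. The record sets are constructed in the shape `route53.list_resource_record_sets` returns, the resolver is a stub that stands in for a real DNS lookup, the owned-IP set and the list of takeover-prone hostname suffixes are illustrative assumptions, and the findings are returned as flat dictionaries of the kind a DynamoDB item or SNS message would carry.

```python
"""Per-account dangling DNS check over Route 53 record sets.

Added example, not code from the talk or the OWASP Domain Protect project.
Sample record sets, the resolver stub and the owned-IP set are constructed here
so the module runs offline; in a Lambda the record sets would come from
route53.list_resource_record_sets and the resolver from a real DNS query.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Suffixes of managed services where a target name that no longer exists can be
# re-created by anyone holding an account with that provider. Illustrative, not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
    ".cloudfront.net",
    ".azurewebsites.net",
    ".herokuapp.com",
)

# A resolver returns the resolved address, or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]


def _normalize(name: str) -> str:
    """Route 53 returns fully qualified names with a trailing dot; compare without it."""
    return name.rstrip(".").lower()


def is_takeover_prone(target: str) -> bool:
    """True when the CNAME target lives under a provider where unclaimed names can be re-registered."""
    target = _normalize(target)
    return any(target.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling_cnames(record_sets: Iterable[dict], resolve: Resolver) -> List[Tuple[str, str]]:
    """(record name, target) for CNAMEs whose takeover-prone target no longer resolves."""
    findings = []
    for rr in record_sets:
        if rr.get("Type") != "CNAME":
            continue
        for value in rr.get("ResourceRecords", []):
            target = _normalize(value["Value"])
            if is_takeover_prone(target) and resolve(target) is None:
                findings.append((_normalize(rr["Name"]), target))
    return findings


def find_unowned_a_records(record_sets: Iterable[dict], owned_ips: Iterable[str]) -> List[Tuple[str, str]]:
    """(record name, address) for plain A records pointing at IPs the account no longer holds."""
    owned = set(owned_ips)
    findings = []
    for rr in record_sets:
        # Alias records carry no ResourceRecords and are resolved by Route 53 itself; skip them.
        if rr.get("Type") != "A" or "AliasTarget" in rr:
            continue
        for value in rr.get("ResourceRecords", []):
            if value["Value"] not in owned:
                findings.append((_normalize(rr["Name"]), value["Value"]))
    return findings


def scan_account(account: str, record_sets, resolve: Resolver, owned_ips) -> List[Dict[str, str]]:
    """One finding per vulnerable record, flat enough to store as a DynamoDB item or publish to SNS."""
    findings = []
    for name, target in find_dangling_cnames(record_sets, resolve):
        findings.append({"Account": account, "Domain": name, "Type": "CNAME",
                         "Target": target, "Issue": "CNAME to unclaimed cloud resource"})
    for name, ip in find_unowned_a_records(record_sets, owned_ips):
        findings.append({"Account": account, "Domain": name, "Type": "A",
                         "Target": ip, "Issue": "A record to IP address not held by the account"})
    return findings


# Constructed sample data in the shape of list_resource_record_sets output.
SAMPLE_RECORD_SETS = [
    {"Name": "www.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net."}]},
    {"Name": "old-app.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "old-app-env.eu-west-1.elasticbeanstalk.com."}]},
    {"Name": "assets.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "assets-example-com.s3.amazonaws.com."}]},
    {"Name": "mail.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "mail.partner-provider.example."}]},
    {"Name": "cdn.example.com.", "Type": "A",  # alias record: no ResourceRecords, skipped by the A check
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d111111abcdef8.cloudfront.net.",
                     "EvaluateTargetHealth": False}},
    {"Name": "api.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "198.51.100.10"}]},
    {"Name": "legacy.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.7"}]},
]

OWNED_ELASTIC_IPS = {"198.51.100.10"}  # constructed: addresses the account still holds


def constructed_resolver(hostname: str) -> Optional[str]:
    """Stand-in for a DNS lookup; only the listed names exist, everything else is NXDOMAIN."""
    live = {
        "d111111abcdef8.cloudfront.net": "192.0.2.1",
        "assets-example-com.s3.amazonaws.com": "192.0.2.2",
        "mail.partner-provider.example": "192.0.2.3",
    }
    return live.get(hostname)


if __name__ == "__main__":
    for finding in scan_account("prod-account", SAMPLE_RECORD_SETS, constructed_resolver, OWNED_ELASTIC_IPS):
        print(finding)
```

Run against the constructed data, the scan flags `old-app.example.com` (its Elastic Beanstalk environment name no longer resolves) and `legacy.example.com` (an A record to an address the account does not hold), and ignores the alias record, the resolving CNAMEs and the A record to an owned address. In the architecture above, the Step Function would invoke this once per account and the results would be written to DynamoDB and published to SNS; the two-stage shape (a cheap suffix filter first, a DNS query only for the candidates that pass it) keeps the per-account Lambda fast and the scan frequency high.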


At OVO Energy we have a complex hybrid cloud environment, with multiple autonomous development teams who manage their own cloud accounts. Last year we started a private Bug Bounty program. The security researchers found a significant number of issues, over half of which were subdomain takeovers. To protect against malicious attackers and slow down ever-increasing reward payments, we developed and open-sourced a new tool to prevent subdomain takeovers: OWASP Domain Protect.

OWASP Domain Protect uses serverless functions to automate scans of our DNS environments in AWS, GCP and Cloudflare, test for vulnerabilities, and create Slack and email alerts. This substantially reduced the number of subdomain takeover issues reported through our Bug Bounty program.

However, new subdomain vulnerabilities can arise at any time, and we noticed that some Bug Bounty researchers were quickly taking over the organisation's subdomains after new vulnerabilities arose, before they were even detected by Domain Protect, let alone fixed. To combat this, we increased our scan frequency and introduced automated takeover of resources in our central security account, to stop anyone else from doing so.

In this presentation, I’ll review the basics of domain takeover, talk about the Bug Bounty program findings, describe the system architecture of OWASP Domain Protect, and give a live demonstration of vulnerable domain detection followed by automated takeover.