Global AppSec Dublin 2023

At OVO Energy we have a complex hybrid cloud environment, with multiple autonomous development teams who manage their own cloud accounts. Last year we started a private Bug Bounty program. The security researchers found a significant number of issues, over half of which were subdomain takeovers. To protect against malicious attackers and slow down ever-increasing reward payments, we developed and open-sourced a new tool to prevent subdomain takeovers: OWASP Domain ProtectOWASP Domain Protect uses serverless functions to automate scans of our DNS environments in AWS, GCP and Cloudflare, test for vulnerabilities, and create Slack and email alerts. This substantially reduced the number of subdomain takeover issues reported through our Bug Bounty program.However new subdomain vulnerabilities can arise at any time, and we noticed that some Bug Bounty researchers were quickly taking over the organisation's subdomains after new vulnerabilities arose, before they were even detected by Domain Protect, let alone fixed. To combat this, we increased our scan frequency and introduced automated takeover of resources in our central security account, to stop anyone else from doing so.In this presentation, I’ll review the basics of domain takeover, talk about the Bug Bounty program findings, describe the system architecture of OWASP Domain Protect, and give a live demonstration of vulnerable domain detection followed by automated takeover.

Dates

Author

Conferences

Tags

Preventing subdomain takeover with OWASP Domain Protect

tldr - powered by Generative AI