0x28 - Azure Subdomain Takeover at Scale

Did you know you can take over 300 Azure Subdomains in just a few minutes?

Writeup: https://tripla.dk/2022/07/23/how-i-made-300-github-repos-point-to-my-blog-using-azure-subdomains-takeover/

Azure allows anyone to easily register/unregister an azurewebsites.net subdomain while deploying an application

But how many of these referenced subdomains are no longer active and can be re-registered?

It turns out Microsoft does not impose too many restrictions on registering a previously used subdomain

If it's available -> you get it

And out of the ~750 azurewebsites references I found on GitHub?

Almost half of them were vulnerable


How to do it


1. Find a reference to an azurewebsites.net subdomain in your target app
2. Log in to your Azure Portal account
3. Proceed to create a new Web App and enter the found subdomain
4. If it's available -> register it and host your payload
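
The same check from the owner's side, as an added example (not code from the writeup): scan your own repository files for azurewebsites.net hostnames and list the ones that no longer resolve, so the stale reference can be removed or the name re-registered before someone else claims it. It assumes that a failed DNS lookup means the app name is currently unclaimed; the file contents, the `contoso-*` names and the stand-in resolver are constructed.

```python
import re
import socket
from typing import Callable, Dict, List

# Any hostname under the App Service default domain, e.g. myapp.azurewebsites.net
HOST_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+azurewebsites\.net)\b", re.I)

def find_references(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each referenced hostname to the 'path:line' locations that mention it."""
    refs: Dict[str, List[str]] = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in HOST_RE.finditer(line):
                refs.setdefault(m.group(1).lower(), []).append(f"{path}:{lineno}")
    return refs

def system_resolves(host: str) -> bool:
    """True if the name resolves now. Assumption: a lookup failure means nobody holds
    the name (it can also be a transient DNS error, so treat hits as 'review')."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def dangling_references(files: Dict[str, str],
                        resolves: Callable[[str], bool] = system_resolves) -> Dict[str, List[str]]:
    """Return {hostname: locations} for references whose hostname does not resolve."""
    return {h: locs for h, locs in sorted(find_references(files).items()) if not resolves(h)}

# Constructed sample input: two files from a hypothetical repository.
SAMPLE_FILES = {
    "README.md": "Demo: https://contoso-demo.azurewebsites.net/\n"
                 "Docs: https://Contoso-Docs.azurewebsites.net/api\n",
    "src/config.js": "const API = 'https://contoso-demo.azurewebsites.net/v1';\n"
                     "// see https://example.com/azurewebsites.net-notes\n",
}

if __name__ == "__main__":
    # Offline stand-in resolver (constructed): pretend only contoso-docs is still deployed.
    live = {"contoso-docs.azurewebsites.net"}
    for host, locs in dangling_references(SAMPLE_FILES, lambda h: h in live).items():
        print(f"{host} does not resolve; referenced at {', '.join(locs)}")
```

Calling `dangling_references(files)` without a second argument uses the system resolver, which needs network access.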