0x28 - Azure Subdomain Takeover at Scale
Did you know you can take over 300 Azure Subdomains in just a few minutes?
Writeup: https://tripla.dk/2022/07/23/how-i-made-300-github-repos-point-to-my-blog-using-azure-subdomains-takeover/
Azure allows anyone to easily register/unregister an azurewebsites.com
subdomain while deploying an application
But how many of these referenced subdomains are no longer active and can be re-registered?
It turns out Microsoft does not impose too many restrictions on registering a previously used subdomain
If it's available -> you get it
And out of the ~750 azurewebsites
references I found on Github?
Almost half of them were vulnerable
How to do it
1. Find reference to azurewebsites.com
subdomain in your target app
2. Login to your Azure Portal account
3. Proceed to create a new Web App and enter the found subdomain
4. If it's available -> register it and host your payload