Theater Hall - E.T.I. (HiP main stage)
Subdomain takeover, the use after free of the internet
Most bug bounty platforms list subdomain takeover as "not in scope", but could it be interesting anyways? Yes! This talk will show you what this kind of problem is and how it can be mitigated at scale (and where it isn't).
On a boring evening, I thought of playing around with automated scanning using long bash one-liners. The next morning, a one-liner consisting of 17 pipes was born which found a few hundred valid subdomains prone to subdomain takeover. This wasn't really complicated, but by automating such a process, I had the chance to dive deeper into the whole topic and found quite a weird ecosystem.
This talk is there to give you the whole context: from the basic "what is subdomain takeover?" to further "well how can it be found?" until the essential "well how to we solve this once and for all?".
Additional information
| Live Stream | https://streaming.media.ccc.de/jev22/hip1 |
|---|---|
| Type | Talk/panel 30 min |
| Language | English |
More sessions
| 12/27/22 |
Welcome to Hacking in Parallel. Lets fire this up.
|
| 12/27/22 |
We'll look at the role IT and software play in modern manufacturing, with a twist on the semiconductor industry. Since I'm a security guy, we'll mostly focus on the sorry state of that.
|
| 12/27/22 |
Das US-Militär hat massenhaft Geräte zur biometrischen Erfassung von Menschen in Afghanistan genutzt. Einige Geräte wurden beim hastigen Abzug der NATO-Truppen zurückgelassen. Wir haben bei Analysen solcher Geräte große Mengen an biometrischen und weiteren personenbezogenen Daten gefunden. In den falschen Händen bedeuten diese Daten Lebensgefahr für Menschen in Afghanistan und Irak.
|
| 12/27/22 |
In IT security we have been preoccupied with failures, with things that go wrong, and so we count the negatives -- the times when we failed. How about we seriously started counting the positives? More importantly, what if by adding more and more constraints to avoid the holes we have found, we are also removing the positive capacities in the system, thereby hurting our chance of success more than we hurt our chance of failure? In this talk, I will try to highlight how IT security could be done ...
|
| 12/27/22 |
The C programming language first appeared in 1972 and became enormously popular. It has this magical combination of features that allows developers to quickly write portable code that can be reused and easily ported to different architectures. It has been the foundation of most operating systems and systems programming in the past 50 years.
|
| 12/27/22 |
The "Enhanced Border Security Partnership" poses an unprecedented threat to civil liberties in Europe.
|
| 12/27/22 |
We summarize howto secure Kubernetes clusters in critical infrastructure and give insights from the machine rooms.
|
