domain protect v0.3.2 releases: Protect against subdomain takeover

domain protect

• scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
• scan Cloudflare for vulnerable DNS records
• take over vulnerable subdomains yourself before attackers and bug bounty researchers
• automatically create known issues in Bugcrowd
• vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP

deploy to security audit account

scan your entire AWS Organization

receive alerts by Slack or email

or manually scan from your laptop

Supported DNS vulnerability types

AWS

Scans Amazon Route53 to identify:

• Alias records for CloudFront distributions with a missing S3 origin
• CNAME records for CloudFront distributions with a missing S3 origin
• ElasticBeanstalk Alias records vulnerable to takeover
• ElasticBeanstalk CNAMES vulnerable to takeover
• Registered domains with missing hosted zones
• Subdomain NS delegations vulnerable to takeover
• S3 Alias records vulnerable to takeover
• S3 CNAMES vulnerable to takeover
• Vulnerable CNAME records for Azure resources
• CNAME records for missing Google Cloud Storage buckets

CloudFlare

• NS subdomains
• CNAMEs pointing to missing resources, e.g. Elastic Beanstalk, Azure storage
• Cloudflare proxy configured with S3 origin in Free plan, directs to non-existent S3 bucket matching domain name

GCP

Vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP

Changelog v0.3.2

• OSE-776 fix cyclical alerts by @paulschwarzenberger in #132
• OSE-776 fix cyclical alerts by @paulschwarzenberger in #133
• OSE-776 fix intermittent cyclical alerts by @paulschwarzenberger in #134
• OSE-776 fix intermittent cyclical alerts by @paulschwarzenberger in #135
• OSE-776 reverting change by @paulschwarzenberger in #136
• OSE-776 revert previous change and reduce update scan frequency by @paulschwarzenberger in #137
• OSE-776 revert recent changes and reduce update scan frequency by @paulschwarzenberger in #138
• OSE-776: log unhandled exceptions by @paulschwarzenberger in #139
• OSE-776 log unhandled exceptions by @paulschwarzenberger in #140
• OSE-796 replace CI/CD IAM user with OIDC by @paulschwarzenberger in #141
• OSE-796 update following Terraform version changes by @paulschwarzenberger in #142
• OSE-796 update Terraform workspace select logic by @paulschwarzenberger in #143
• OSE-796 replace CI/CD IAM user with OIDC by @paulschwarzenberger in #144
• OSE-850 gitkeep file for resources Lambda build folder by @paulschwarzenberger in #145
• OSE-850 gitkeep file for resources Lambda build folder by @paulschwarzenberger in #146
• OSE-850 support separate tf plan and apply stages by @paulschwarzenberger in #147
• OSE-850 support separate tf plan and apply stages by @paulschwarzenberger in #148
• OSE-850 replace CircleCI with GitHub Actions by @paulschwarzenberger in #149
• OSE-850 Remove tests trigger on pull requests by @paulschwarzenberger in #150

Install & Use

Copyright 2021 OVO Energy