# Subdomain Takeover using a dangling Cloudfront

## Introduction

AWS S3 is an object storage service from Amazon that can hold any kind of file. Permissions can then be granted per object and per bucket. More often than not, S3 buckets are discovered with weak permissions on individual objects or on the entire bucket: files and folders that should not be public are made world-readable and open to inspection by anyone.

Organisations often use this property of S3 to host their static websites and attach them to CloudFront. Amazon CloudFront is a web service that works as a content delivery network (CDN); it speeds up distribution of static and dynamic web content such as HTML, JavaScript, CSS, PHP and image files. Many sites and organisations use it to serve their content faster from edge locations close to users.

## What are we going to cover?

This chapter covers hijacking a subdomain after the deletion of an S3 bucket that is the origin of a CloudFront distribution.

## Steps to setup

* There are mainly 2 services involved in the lab:
  * AWS S3
  * AWS CloudFront

The user flow of the lab begins with creating a bucket and using it to host a static web application. A CloudFront distribution is then created and attached to the static website served from the S3 bucket.

1. Now navigate to your AWS console and open the S3 section.
2. Create a bucket named `www.unique-name.com` and, under Object Ownership, enable ACLs.
3. Disable "Block all public access" while creating the bucket.
4. Once the bucket is created, navigate to Properties.
5. At the bottom of the page there is a `Static website hosting` section. Click Edit and enable it to host the web page.
6. Now let's host the website with a simple `html` file. Get the files with the following command:

   `aws s3 cp s3://aws-training-modules/subdomain-takeover-files/ . --recursive`
7. After getting the files, upload `index.html` to the bucket configured for static website hosting.
8. Now go to Permissions and add the following bucket policy; it makes the bucket's data public.
9. Make sure that you replace the resource with your bucket `ARN`.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Principal": "*",
               "Action": [
                   "s3:ListBucket",
                   "s3:GetObject"
               ],
               "Resource": [
                   "arn:aws:s3:::www.unique-name.com/*",
                   "arn:aws:s3:::www.unique-name.com"
               ]
           }
       ]
   }
   ```

**If you get an error while pasting the policy, use [JSON beautify](https://codebeautify.org/jsonviewer) to reformat it.**

10. We have successfully created the bucket; now configure the S3 bucket as the origin of a CloudFront distribution.
11. Navigate to the `CloudFront` section and create a distribution.

![](/files/WHCmnigH42axCT7TkXI4)

12. Enable the `HTTP to HTTPS` redirect, then click Create distribution.
13. Under Cache key and origin requests, select the `CachingDisabled` cache policy.

![](/files/sn8jZ1sjX3XZnjVts0VK)

14. Wait for some time until you get the CloudFront domain, then open the domain in your browser.

We are done with the lab setup. Now follow the steps to attack.

## Steps to attack

* Once the environment is ready, open your browser and paste the distribution domain name shown in your AWS account under CloudFront.

![cloudfront deleted](/files/LQxF6zfG5WBBVmw28qpf)

* In another tab open your static website; you can get its URL from S3 > bucket > Properties. You should see a welcome page on the website.

![cloudfront deleted](/files/BPPooENoIWzMbwcIajra)

* Navigate to the CloudFront domain and you can see the welcome message.

![cloudfront deleted](/files/uJPVvG7sFh1IShKaVI4I)

* Delete the bucket you created in the setup process with `unique-name`. To do that, navigate to S3 > Buckets, empty the bucket and then delete it.

![cloudfront deleted](/files/zsW080vX3O5geTMQ9LKF)

Now, how can an attacker use this?

![cloudfront deleted](/files/KhLruDRlaL34hYULv8e7)

## How to claim a sub-domain via a dangling CloudFront distribution

* We can see that the error discloses the S3 bucket name. Now wait a minute and create a new bucket with the same name.

![](/files/kG8OzFGxX7q0HCcXWDh3)

* Once the bucket is created, the attacker changes its permissions and properties to host a static website and adds the following custom bucket policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
    }
  ]
}
```

* Now, enable static website hosting and set the index document to `index.html`. Once the basic setup on the CloudFront side is done, the next step is creating your takeover page. This can be anything you want to host, either in the S3 bucket or on your own web server. The lab uses the following page.

```html
<!DOCTYPE html>
<html>
<head>
    <title>Sub-domain Takeover</title>
</head>
<body>
    <h1>Sub-domain Hijack/Takeover Proof of Concept</h1>
    <script>
    document.write("Sub-domain Hijack/Takeover Proof of Concept " + document.domain + " by student")
    </script>
</body>
</html>
```

* Once you upload the `index.html` file to the bucket, navigate to the bucket's Properties and `enable` static website hosting.

![](/files/EJhmPq7eTCW0RKSoumiT)

* Now, upload your files to the bucket and make sure `index.html` is among them. Navigate to the CloudFront domain.

![](/files/VwOThn0hn9YeByBLW1CH)

* It is a static page with a little JavaScript that highlights the domain being taken over. The distribution now serves the attacker's content: the hijack has succeeded.
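The condition exploited above is detectable from the owner's side: a CloudFront origin whose S3 bucket no longer exists in the account. The following script is an added example, not part of the original lab; it parses a constructed `get-distribution-config`-shaped document and a constructed bucket list, and flags any S3 origin (REST, regional or website endpoint) whose bucket the account does not own.

```python
import re
from typing import Dict, Iterable, List, Optional

# Matches the S3 endpoint forms CloudFront accepts as an origin DomainName:
#   www.unique-name.com.s3.amazonaws.com                   (REST, global)
#   www.unique-name.com.s3.us-east-1.amazonaws.com         (REST, regional)
#   www.unique-name.com.s3-website-us-east-1.amazonaws.com (website endpoint)
S3_ORIGIN_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.\-]+)\.s3(?:[.-][a-z0-9.\-]+)?\.amazonaws\.com$"
)

def bucket_from_origin(domain_name: str) -> Optional[str]:
    """Return the bucket name behind an S3 origin domain, or None for non-S3 origins."""
    match = S3_ORIGIN_RE.match(domain_name.lower().rstrip("."))
    return match.group("bucket") if match else None

def find_dangling_origins(config: Dict, existing_buckets: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every S3 origin whose bucket is not among the buckets the account owns."""
    # config: shape of `aws cloudfront get-distribution-config` output;
    # existing_buckets: names from `aws s3api list-buckets` in a live run.
    owned = set(existing_buckets)
    findings = []
    for origin in config["Origins"]["Items"]:
        bucket = bucket_from_origin(origin["DomainName"])
        if bucket is not None and bucket not in owned:
            findings.append({
                "OriginId": origin["Id"],
                "Bucket": bucket,
                "Aliases": ",".join(config.get("Aliases", {}).get("Items", [])),
            })
    return findings

# Constructed sample config: the lab's bucket was deleted, so its origin is dangling.
SAMPLE_CONFIG = {
    "Aliases": {"Items": ["www.unique-name.com"]},
    "Origins": {"Items": [
        {"Id": "S3-www.unique-name.com",
         "DomainName": "www.unique-name.com.s3-website-us-east-1.amazonaws.com"},
        {"Id": "assets", "DomainName": "assets-bucket.s3.us-east-1.amazonaws.com"},
        {"Id": "api", "DomainName": "api-lb-123.us-east-1.elb.amazonaws.com"},
    ]},
}
ACCOUNT_BUCKETS = ["assets-bucket", "logs-bucket"]  # constructed list_buckets result

if __name__ == "__main__":
    for f in find_dangling_origins(SAMPLE_CONFIG, ACCOUNT_BUCKETS):
        print(f"DANGLING origin {f['OriginId']}: bucket {f['Bucket']} missing (aliases: {f['Aliases']})")
```

A finding means the origin name is free for anyone to register, so disable the distribution or re-point the origin before the bucket is deleted, not after.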

## Additional references

* [Subdomain Takeover Basics](https://0xpatrik.com/subdomain-takeover-basics/)
* [Enhanced Domain Protections for Amazon CloudFront Requests](https://aws.amazon.com/blogs/security/enhanced-domain-protections-for-amazon-cloudfront-requests/)

