! Recently, I seem to and Starbucks and by Chance, the continuous discovery of its two sub-domain name hijacking vulnerability, the balloon won$4000 dollars. Wherein, the first vulnerability is based on Microsoft's Azure cloud service discovery, this time the second vulnerability is also very similar, I am using Azure cloud service in a Traffic Manager Traffic Manager to discover. This article, I'll come and share about this based on the Azure Traffic Manager the subdomain hijacking vulnerability discovery process. ! Find NXDOMAIN in response A Monday morning, I noticed that Starbucks subdomain wfmnarptpc. starbucks. com analysis appeared can't find the CNAME NXDOMAIN response, which is the domain name of the alias record does not exist in the authoritative server. But in fact it is interesting that in the ANSWER SECTION of the message, but there is a record, 它做了CNAME指向s00149tmppcrpt.trafficmanager.net the. With my experience, I think this is the case there may be a subdomain hijack vulnerability. Because I'm on a subdomain hijacking vulnerability, but also because of Azure's private IP address in the CNAME parsing occurs when a NXDOMAIN response. I think, here in all likelihood also be the case. $ dig a wfmnarptpc.starbucks.com ; > DiG 9.10.6 > a wfmnarptpc.starbucks.com ;; global options: +cmd ;; Got answer: ;; ->>HEADERid: 20251 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;wfmnarptpc.starbucks.com. IN A ;; ANSWER SECTION: wfmnarptpc.starbucks.com. 33165 IN CNAME s00149tmppcrpt.trafficmanager.net. Azure cloud services; is a flexible, enterprise-class public cloud platform, providing Database, Cloud Services, cloud storage, artificial intelligence, Internet, CDN, etc. efficient, stable, scalable cloud service. Before, I didn't mentioned trafficmanager.net there may be sub-domain hijacking is possible, Microsoft Azure Traffic Manager Traffic Manager is such a description of their function: Azure Traffic Manager is a DNS-based traffic to the load balancer, may be at the global Azure region in the best way to service the distribution of traffic, while providing high availability and responsiveness. Traffic Manager according to the traffic routing method and endpoint health, the use of DNS client requests are directed to the most appropriate service endpoint....... that Can be in the Azure external or non-Azure services-side environment to deploy using the traffic Manager. Test subdomain of the Register of Above this description, as I mean to understand, in short, is not to say that there are some domain names pointing to the trafficmanager.net non-existent subdomains? Here, the just and the emergence of the NXDOMAIN response to the situation, then Starbucks to use the Azure Traffic Manager service, but there may be a subdomain hijack vulnerability. In order to prove this guess, we need to see if you can re-register s00149tmppcrpt.trafficmanager.net this subdomain. Fortunately, Azure not to register any domain ownership authentication. From my previous description and research point of view, this step may also not explain the problem. Because Azure will exist a sub-domain name to disable the configuration, that is, to the domain name, seemingly the presence of the subdomain hijacking vulnerability, but may actually create the time of registration and not. No matter so much, I was the first to sign up, first in the Azure control panel to register a new traffic Manager configuration users: ! Successful achievement of the subdomain hijacking Good to see the green tick, you can pass! Then the sub-domain name hijacking must be present. In other words, I can put the domain name s00149tmppcrpt.trafficmanager.net registration for himself, then for the relevant hijacking vulnerability testing. After successful registration, I need to put this domain name to point to my own server: ! After that I just need in my server to create a virtual host on the line: ! Then, this domain points to becomes a I can control the website: !