DareShark: Detecting and Measuring Security Risks of Hosting-Based Dangling Domains

Abstract

Public hosting services provide convenience for domain owners to build web applications with better scalability and security. However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying the same endpoints. Such a threat is called hosting-based domain takeover. There have been numerous domain takeover incidents in recent years that have had significant effects; even well-known websites like the subdomains of microsoft.com have been impacted. However, there is currently no effective detection system in place to identify these vulnerable domains on a large scale. In this paper, we present a novel framework, HostingChecker, for detecting domain takeovers. In comparison to previous works, HostingChecker expands the detection scope and improves the detection efficiency by: (i) systematically identifying vulnerable hosting services using a semi-automated method; and (ii) detecting vulnerable domains by passively reconstructing domain resolution chains. We evaluate the effectiveness of HostingChecker and eventually detect 10,351 subdomains from Tranco Top-1M apex domains vulnerable to domain takeover, which are over 8× more than previous findings. Specifically, HostingChecker enables us to detect the subdomains of Tranco sites on a daily basis. Furthermore, we conduct an in-depth security analysis on the affected vendors, like Amazon and Alibaba, and gain a suite of new insights, including flawed implementation of domain validation. We have responsibly reported issues to the security response centers of affected vendors, and some of them have adopted our mitigation.

Publication
In Proceedings of the 2023 ACM Special Interest Group on Measurement and Evaluation. Orlando, Florida, June 19-23, 2023. (Acceptance rate: 55/342=16.1%, Acceptance rate in summer: 17/93=18.3%, Acceptance rate in fall: 26/119=21.9%, Acceptance rate in winter: 12/130=9.2%).
* Presented in OARC 40.
* Presented in APAC DNS Forum 2023 by Mr Alban KWAN

Overview

In this paper, we present a novel framework, HostingChecker (DareShark), for detecting domain takeovers.

Presentation

  • Presented in OARC 40
  • Presented in APAC DNS Forum 2023 by Mr Alban KWAN (Topic: Why care about Dangling Domain Hijacking, and how to Prevent the Threat?)
Xiang Li
Xiang Li
Associate Professor (Nankai University)

Xiang Li is an Associate Professor at the College of Cyber Science, Nankai University. He is the advisor of Nankai University’s CTF teams, an ACM member, CCF member, and CIC member. He serves as PC for top-tier venues like IMC 2025 and others like AsiaCCS 2025. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, network & protocol fuzzing, network vulnerability discovery & attack, web security, and underground economy with 18 research papers. As the first author, he has published many research papers at all top-tier security conferences, including Oakland S&P, USENIX Security, CCS, NDSS, and Black Hat (Asia, USA, and Europe). He applied for 11 patents (1 authorized and 5 in checking as the first author). He has obtained over 200 CVE/CNVD/CNNVD vulnerability numbers, more than $11,600 rewards, 370+ GitHub stars, multiple CERT reports, 100+ news coverage, and RFC acknowledgement. He got multiple prizes, such as 2024 ACM SIGSAC China Excellent Doctoral Dissertation Award, 2024 Pwnie Award Nominations (Hacker Oscar), 1st prize of IPv6 Technology Application Innovation Competition, 2nd prize of GeekCon 2023 DAF Contest, National Scholarship, Wang Dazhong Scholarship, Tsinghua Outstanding Scholarship, Outstanding Graduate, and Extraordinary Hacker of GeekCon International 2024.