Detecting and Measuring Security Implications of Entangled Domain Verification in CDN

TL;DR

This paper introduces DVAHunter, an automated system to detect and measure security vulnerabilities related to domain verification in CDNs, revealing widespread issues and proposing mitigation strategies based on large-scale measurements.

Contribution

The paper presents DVAHunter, the first tool for automated detection of DVA vulnerabilities in CDNs, and provides a comprehensive measurement of their prevalence and exploitation.

Findings

Most CDN providers do not verify domains, leaving them vulnerable.

Over 332,000 subdomains are susceptible to domain abuse.

Some providers have already implemented fixes based on our findings.

Abstract

Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has become emerging recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) are actively working on solutions based on our recommendations.