cloudfront takeover is not possible anymore

[Avileox]

AWS finally started mitigating subdomain takeovers on CloudFront. When you try to register Alias (CNAME) for your CloudFront distribution, it refuses to do so if the DNS zone file has CNAME to different CloudFront domain.
This is a type of verification from cloudfront that you can't takeover any subdomain even both (http OR https) port (80 and 443) shows error.
If the DNS zone file has CNAME to different CloudFront domain.

so,from cloudfront bye bye bug bounty

When you try to takeover subdomain you will get this as a further alert!

[BlackFan]

It is still possible to takeover in cases:
www.cf.example.com CNAME cf.example.com
cf.example.com CNAME d1234567890abc.cloudfront.net

But this is a rare case.

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net.
If such record exist - subdomain takeover isn't possible.
But If there is no *.cloudfront.net CNAME record set for the subdomain (like in the case above), or we have CNAME chains (like a.com->b.com->c.com->...->*.cloudfront.net, where a.com doesn't have direct CF CNAME) or no CNAME record at all (domain pointed to the CF by IP for example) - subdomain takeover is possible.

[MuhammadKhizerJaved]

Okey! so i found a sub that's giving the save bad request error on both http & https and have a CNAME as site.com tried takeover successfully added to cloudflare dist but the error remains the same so i guess it's indeed fixed

It won't work in this case, agree (this scenatio is fixed), but there are edge cases when it will still work. I had two such edge CF takeover cases (Jan 2019) in the IBM program

[MuhammadKhizerJaved]

@Sp1d3r Indeed i was wrong i played a little and was able to takeover the subdomain successfully!

Gotcha, congrats with the vuln!

[t1t4nm33r]

@MuhammadKhizerJaved What was your solution, How did you manage to takeover it

[El-t0ro]

@MuhammadKhizerJaved hey can you please tell us how you manage to takeover it?

[Ninja-Pandit]

It won't work in this case, agree (this scenatio is fixed), but there are edge cases when it will still work. I had two such edge CF takeover cases (Jan 2019) in the IBM program

hello @Sp1d3r @MuhammadKhizerJaved can you please explain , how you able to takeover ..?

[BlackFan]

It seems that CloudFront is no longer vulnerable to a subdomain takeover.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

To add an alternate domain name (CNAME) to use with a CloudFront distribution, you must attach to your distribution a trusted, valid SSL/TLS certificate that covers the alternate domain name. This ensures that only people with access to your domain's certificate can associate with CloudFront a CNAME related to your domain.

[Avileox]

Goodbye to CloudFront subdomain takeover.
https://aws.amazon.com/blogs/networking-and-content-delivery/continually-enhancing-domain-security-on-amazon-cloudfront/