Saved in:
Bibliographic Details
Main Authors: Lin, Ziyu, Lin, Zhiwei, Guo, Run, Chen, Jianjun, Zhang, Mingming, Liu, Ximeng, Yang, Tianhao, Cao, Zhuoran, Deng, Robert H.
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2409.01887
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866929484342493184
author Lin, Ziyu
Lin, Zhiwei
Guo, Run
Chen, Jianjun
Zhang, Mingming
Liu, Ximeng
Yang, Tianhao
Cao, Zhuoran
Deng, Robert H.
author_facet Lin, Ziyu
Lin, Zhiwei
Guo, Run
Chen, Jianjun
Zhang, Mingming
Liu, Ximeng
Yang, Tianhao
Cao, Zhuoran
Deng, Robert H.
contents Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has become emerging recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) are actively working on solutions based on our recommendations.
format Preprint
id arxiv_https___arxiv_org_abs_2409_01887
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Detecting and Measuring Security Implications of Entangled Domain Verification in CDN
Lin, Ziyu
Lin, Zhiwei
Guo, Run
Chen, Jianjun
Zhang, Mingming
Liu, Ximeng
Yang, Tianhao
Cao, Zhuoran
Deng, Robert H.
Cryptography and Security
Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has become emerging recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) are actively working on solutions based on our recommendations.
title Detecting and Measuring Security Implications of Entangled Domain Verification in CDN
topic Cryptography and Security
url https://arxiv.org/abs/2409.01887