CloudFront Domain Hijacking
Any other CloudFront distribution that contains the specific domain in the Host header will receive the request and respond to it normally.
This tends to indicate that the domain is hijackable and that the attacker can create a new CloudFront instance and assign a CNAME of that domain to be able to serve content under that domain name. CloudFront is a content delivery network (CDN) provided by Amazon Web Services (AWS). CloudFront users create distributions that serve content from specific sources, an S3 bucket for example.
An attacker can discover abandoned CloudFront instances by fingerprinting the response from the CloudFront server when attempting to visit a domain whose resource is not available. There are many cases where a CloudFront user fails to list all the necessary domains that might be received in the Host header. All of the domains using a specific distribution need to be listed in the Alternate Domain Names (CNAMEs) field in the options for that distribution.
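A defender-side audit of the condition described above, as an added example that is not code from the original page: it compares a DNS zone export with the account's distributions and reports CNAMEs that target a CloudFront endpoint without a matching Alternate Domain Names entry. All hostnames, distribution IDs and records are constructed sample data; the distribution dictionaries are assumed to follow the shape of CloudFront's ListDistributions output, and the wildcard matching is a simplification.

```python
"""Audit CNAMEs that target CloudFront against distribution aliases."""

# Constructed sample data (hypothetical names, not from the page).
# Assumed shape: items of DistributionList.Items from ListDistributions.
DISTRIBUTIONS = [
    {"Id": "EXAMPLE1", "DomainName": "d111111abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 2,
                 "Items": ["www.example.com", "*.static.example.com"]}},
    {"Id": "EXAMPLE2", "DomainName": "d222222abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 0}},  # no alternate domain names configured
]
# Constructed zone export: (record name, type, target).
DNS_RECORDS = [
    ("www.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("img.static.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("shop.example.com", "CNAME", "d222222abcdef8.cloudfront.net."),
    ("old.example.com", "CNAME", "d333333abcdef8.cloudfront.net."),
    ("mail.example.com", "CNAME", "mail.example.net."),
]

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def alias_matches(alias, host):
    """Exact match, or a leading '*.' wildcard covering subdomains (simplified)."""
    alias, host = norm(alias), norm(host)
    if alias.startswith("*."):
        return host.endswith(alias[1:])
    return alias == host

def audit(records, distributions):
    """Return (host, status) for every CNAME at risk of being claimed elsewhere."""
    by_endpoint = {norm(d["DomainName"]): d for d in distributions}
    findings = []
    for host, rtype, target in records:
        target = norm(target)
        if rtype != "CNAME" or not target.endswith(".cloudfront.net"):
            continue  # only CNAMEs that point at a CloudFront endpoint
        dist = by_endpoint.get(target)
        if dist is None:
            findings.append((norm(host), "dangling"))  # endpoint not in this account
        elif not any(alias_matches(a, host)
                     for a in dist.get("Aliases", {}).get("Items", [])):
            findings.append((norm(host), "unlisted"))  # alias missing on distribution
    return findings

if __name__ == "__main__":
    for host, status in audit(DNS_RECORDS, DISTRIBUTIONS):
        print(f"{status:9} {host}")
```

For each finding, either add the hostname to the distribution's Alternate Domain Names or delete the DNS record.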
In this scenario I was able to take over a subdomain of a company that was pointing to a non-existent CloudFront (CF) domain. Don't call AWS CloudFront hijacking problem a vulnerability: a researcher has noticed the company is open to having its CloudFront service hijacked, but Amazon officials won't call it a vulnerability. Amazon CloudFront is a web service that works as a content delivery network (CDN); it speeds up.
Each CloudFront distribution has a unique endpoint for users to point their DNS records to ex.