{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T01:09:52Z","timestamp":1777338592051,"version":"3.51.4"},"reference-count":66,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,2,27]],"date-time":"2023-02-27T00:00:00Z","timestamp":1677456000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62102218"],"award-info":[{"award-number":["62102218"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["U1836213"],"award-info":[{"award-number":["U1836213"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["U19B2034"],"award-info":[{"award-number":["U19B2034"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62272265"],"award-info":[{"award-number":["62272265"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Meas. Anal. Comput. Syst."],"published-print":{"date-parts":[[2023,2,27]]},"abstract":"<jats:p>Public hosting services provide convenience for domain owners to build web applications with better scalability and security. 
However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying for the same endpoints. Such a security threat is called \"hosting-based domain takeover\". In recent years, a large number of domain takeover incidents have occurred; even well-known websites like the subdomains of microsoft.com have been impacted. However, until now, there has been no effective detection system to identify these vulnerable domains on a large scale. In this paper, we fill this research gap by presenting a novel framework, HostingChecker, for detecting domain takeovers. Compared with previous work, HostingChecker expands the detection scope and improves the detection efficiency by: (i) systematically identifying vulnerable hosting services using a semi-automated method; and (ii) effectively detecting vulnerable domains through passive reconstruction of domain dependency chains. The framework enables us to detect the subdomains of Tranco sites on a daily basis. We evaluate the effectiveness of HostingChecker and eventually detect 10,351 subdomains from Tranco Top-1M apex domains vulnerable to domain takeover, which are over 8\u00d7 more than previous findings. Furthermore, we conduct an in-depth security analysis on the affected vendors, like Amazon and Alibaba, and gain a suite of new insights, including flawed implementation of domain ownership validation. 
Following responsible disclosure processes, we have reported issues to the security response centers of affected vendors, and some (e.g., Baidu and Tencent) have adopted our mitigation.<\/jats:p>","DOI":"10.1145\/3579440","type":"journal-article","created":{"date-parts":[[2023,3,2]],"date-time":"2023-03-02T23:50:57Z","timestamp":1677801057000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":12,"title":["Detecting and Measuring Security Risks of Hosting-Based Dangling Domains"],"prefix":"10.1145","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9797-6875","authenticated-orcid":false,"given":"Mingming","family":"Zhang","sequence":"first","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7388-1329","authenticated-orcid":false,"given":"Xiang","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9032-8063","authenticated-orcid":false,"given":"Baojun","family":"Liu","sequence":"additional","affiliation":[{"name":"Tsinghua University and Quan Cheng Laboratory, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2508-6608","authenticated-orcid":false,"given":"Jianyu","family":"Lu","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6774-5299","authenticated-orcid":false,"given":"Yiming","family":"Zhang","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, 
China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7511-1117","authenticated-orcid":false,"given":"Jianjun","family":"Chen","sequence":"additional","affiliation":[{"name":"Tsinghua University and Zhongguancun Laboratory, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0083-733X","authenticated-orcid":false,"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University and Quan Cheng Laboratory, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2756-6015","authenticated-orcid":false,"given":"Shuang","family":"Hao","sequence":"additional","affiliation":[{"name":"University of Texas at Dallas, Dallas, TX, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7130-6029","authenticated-orcid":false,"given":"Xiaofeng","family":"Zheng","sequence":"additional","affiliation":[{"name":"Tsinghua University and QI-ANXIN Technology Research Institute, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,3,2]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"2018. HackerOne: A Guide To Subdomain Takeovers. https:\/\/www.hackerone.com\/application-security\/guide-subdomain-takeovers."},{"key":"e_1_2_1_2_1","unstructured":"2020. 670 Subdomains of Microsoft are Vulnerable to Takeover. https:\/\/vullnerability.com\/blog\/microsoft-subdomain-account-takeover."},{"key":"e_1_2_1_3_1","unstructured":"2020. American News Site's Subdomains Left Open for Takeover. https:\/\/www.wizcase.com\/blog\/cbslocal-vulnerabilty-research\/."},{"key":"e_1_2_1_4_1","unstructured":"2021. Alibaba Cloud. https:\/\/www.alibabacloud.com\/."},{"key":"e_1_2_1_5_1","unstructured":"2021. Amazon Web Services. https:\/\/aws.amazon.com\/."},{"key":"e_1_2_1_6_1","unstructured":"2022. 
114 DNS. https:\/\/www.114dns.com\/"},{"key":"e_1_2_1_7_1","unstructured":"2022. 14 Day Trial Period Policy for Premium Plans. https:\/\/support.wix.com\/en\/article\/14-day-trial-period-policy-for-premium-plans."},{"key":"e_1_2_1_8_1","volume-title":"Retrieved","year":"2022","unstructured":"2022. CDN Usage Distribution in the Top 1 Million Sites. Retrieved May 20, 2022 from https:\/\/trends.builtwith.com\/cdn"},{"key":"e_1_2_1_9_1","unstructured":"2022. Cisco Umbrella Passive DNS. https:\/\/docs.umbrella.com\/investigate\/docs\/passive-dns."},{"key":"e_1_2_1_10_1","unstructured":"2022. Cloudflare. https:\/\/www.cloudflare.com\/."},{"key":"e_1_2_1_11_1","unstructured":"2022. GoDaddy. https:\/\/www.godaddy.com\/."},{"key":"e_1_2_1_12_1","unstructured":"2022. Internet hosting service. https:\/\/en.wikipedia.org\/wiki\/Internet_hosting_service."},{"key":"e_1_2_1_13_1","unstructured":"2022. Public Suffix List. https:\/\/publicsuffix.org\/"},{"key":"e_1_2_1_14_1","unstructured":"2022. Shopify. https:\/\/shopify.com\/."},{"key":"e_1_2_1_15_1","unstructured":"2022. Tranco List. Retrieved Dec. 14 2021 from https:\/\/tranco-list.eu\/"},{"key":"e_1_2_1_16_1","unstructured":"2022. University Domains and Names Data List. https:\/\/github.com\/Hipo\/university-domains-list"},{"key":"e_1_2_1_17_1","volume-title":"Retrieved","year":"2022","unstructured":"2022. Web Hosting Usage Distribution in the Top 1 Million Sites. Retrieved May 20, 2022 from https:\/\/trends.builtwith.com\/hosting"},{"key":"e_1_2_1_18_1","unstructured":"Adobe. 2022. Stringlifier. https:\/\/github.com\/adobe\/stringlifier."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419394.3423623"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3487552.3487816"},{"key":"e_1_2_1_21_1","unstructured":"Alibaba Cloud. 2022. Regions and endpoints. 
https:\/\/www.alibabacloud.com\/help\/en\/doc-detail\/31837.htm."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1298306.1298327"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417864"},{"key":"e_1_2_1_24_1","volume-title":"Retrieved","year":"2022","unstructured":"Amazon. 2022. AWS service endpoints. Retrieved July 22, 2022 from https:\/\/docs.aws.amazon.com\/general\/latest\/gr\/rande.html"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 26th USENIX Security Symposium (USENIX Security '17)","author":"Antonakakis Manos","year":"2017","unstructured":"Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the Mirai Botnet. In Proceedings of the 26th USENIX Security Symposium (USENIX Security '17)."},{"key":"e_1_2_1_26_1","unstructured":"AWS Elastic Beanstalk. 2022. Your Elastic Beanstalk environment's Domain name. https:\/\/docs.aws.amazon.com\/elasticbeanstalk\/latest\/dg\/customdomains.html."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.52"},{"key":"e_1_2_1_28_1","unstructured":"David Bisson. 2017. Hacker defaces Donald Trump fundraising site via subdomain takeover attack. (2017)."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3232755.3232859"},{"key":"e_1_2_1_30_1","volume-title":"SANS White Paper (Aug","author":"Bruneau Guy","year":"2010","unstructured":"Guy Bruneau. 2010. DNS Sinkhole. SANS White Paper (Aug 2010). https:\/\/www.sans.org\/white-papers\/33523\/"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2014.61"},{"key":"e_1_2_1_32_1","unstructured":"CISA. 2022. Official .gov Domain List. 
https:\/\/github.com\/cisagov\/dotgov-data"},{"key":"e_1_2_1_33_1","doi-asserted-by":"crossref","unstructured":"Dave Crocker Tony Hansen and Murray Kucherawy. 2011. RFC 6376: DomainKeys Identified Mail (DKIM) Signatures (Internet Standard). https:\/\/tools.ietf.org\/html\/rfc6376. (2011).","DOI":"10.17487\/rfc6376"},{"key":"e_1_2_1_34_1","unstructured":"Detectify. 2022. Subdomain takeovers are on the rise and are getting harder to monitor. https:\/\/blog.detectify.com\/2022\/03\/22\/subdomain-takeover-on-the-rise-detectify-research\/. (2022)."},{"key":"e_1_2_1_35_1","volume-title":"Retrieved","author":"DNSDB","year":"2022","unstructured":"DNSDB 2022. Passive DNS historical internet database: Farsight DNSDB. Retrieved July 18, 2022 from https:\/\/www.farsightsecurity.com\/solutions\/dnsdb\/"},{"key":"e_1_2_1_36_1","volume-title":"Can I take over XYZ. https:\/\/github.com\/EdOverflow\/can-i-take-over-xyz. Last accessed","year":"2022","unstructured":"EdOverflow. 2022. Can I take over XYZ. https:\/\/github.com\/EdOverflow\/can-i-take-over-xyz. Last accessed: May. 12, 2022."},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","unstructured":"Robert Elz and Randy Bush. 1997. Clarifications to the DNS Specification. RFC 2181. https:\/\/doi.org\/10.17487\/RFC2181","DOI":"10.17487\/RFC2181"},{"key":"e_1_2_1_38_1","volume-title":"Retrieved","author":"Security Farsight","year":"2022","unstructured":"Farsight Security. 2022. Research using Farsight DNSDB. Retrieved Apr 20, 2022 from https:\/\/www.farsightsecurity.com\/research\/"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3355369.3355566"},{"issue":"8","key":"e_1_2_1_40_1","first-page":"4","article-title":"Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates","volume":"1","author":"Forum Browser","year":"2022","unstructured":"CA\/Browser Forum. 2022. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Version 1.8.4. 
https:\/\/cabforum.org\/baseline-requirements-documents\/.","journal-title":"Version"},{"key":"e_1_2_1_41_1","volume-title":"Retrieved","year":"2020","unstructured":"GitHub. 2020. ZDNS: Fast CLI DNS Lookup Tool. Retrieved July 14, 2022 from https:\/\/github.com\/zmap\/zdns"},{"key":"e_1_2_1_42_1","unstructured":"Github Pages. 2022. Verifying your custom domain for GitHub Pages. https:\/\/docs.github.com\/en\/pages\/configuring-a-custom-domain-for-your-github-pages-site\/verifying-your-custom-domain-for-github-pages."},{"key":"e_1_2_1_43_1","volume-title":"Retrieved","year":"2022","unstructured":"HackerOne 2022. Hacktivity: subdomain takeover. Retrieved May. 12, 2022 from https:\/\/hackerone.com\/hacktivity?querystring=subdomain%20takeover"},{"key":"e_1_2_1_44_1","volume-title":"Ghost Domain Names: Revoked Yet Still Resolvable. In 19th Annual Network and Distributed System Security Symposium, NDSS 2012","author":"Jiang Jian","year":"2012","unstructured":"Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Hai-Xin Duan, and Jianping Wu. 2012. Ghost Domain Names: Revoked Yet Still Resolvable. In 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5--8, 2012. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss2012\/ghost-domain-names-revoked-yet-still-resolvable"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/1879141.1879182"},{"key":"e_1_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Murray Kucherawy and Elizabeth Zwicky. 2015. RFC 7489: Domain-based Message Authentication Reporting and Conformance (DMARC) (Informational). https:\/\/tools.ietf.org\/html\/rfc7489. (2015).","DOI":"10.17487\/rfc7489"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.23005"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978387"},{"key":"e_1_2_1_49_1","volume-title":"Retrieved","year":"2022","unstructured":"Microsoft. 2022. 
Reference list of Azure domains (not comprehensive). Retrieved July 22, 2022 from https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/azure-domains"},{"key":"e_1_2_1_50_1","volume-title":"RFC 1034: Domain Names - Concepts And Facilities (Standard). RFC","author":"Paul V.","year":"1987","unstructured":"Mockapetris, Paul V. 1987. RFC 1034: Domain Names - Concepts And Facilities (Standard). RFC (1987). https:\/\/datatracker.ietf.org\/doc\/html\/rfc1034"},{"key":"e_1_2_1_51_1","unstructured":"OWASP. 2022. amass. https:\/\/owasp.org\/www-project-amass\/."},{"key":"e_1_2_1_52_1","unstructured":"PCWorld. 2015. Lenovo Google websites hijacked by DNS attacks. https:\/\/www.pcworld.com\/article\/432090\/like-google-in-vietnam-lenovo-tripped-up-by-a-dns-attack.html."},{"key":"e_1_2_1_53_1","unstructured":"projectdiscovery. 2022. subfinder. https:\/\/github.com\/projectdiscovery\/subfinder."},{"key":"e_1_2_1_54_1","unstructured":"RapidDNS. 2022. Rapid DNS Information Collection. https:\/\/rapiddns.io\/."},{"key":"e_1_2_1_55_1","unstructured":"Shivan Kaul Sahib Shumon Huque and Paul Wouters. 2022. Survey of Domain Verification Techniques using DNS. Internet-Draft draft-ietf-dnsop-domain-verification-techniques-00. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/draft-sahib-domain-verification-techniques\/03\/ Work in Progress."},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2209.09603"},{"key":"e_1_2_1_57_1","volume-title":"Retrieved","year":"2022","unstructured":"SecurityTrails. 2022. amazon.com subdomains. Retrieved July 22, 2022 from https:\/\/securitytrails.com\/list\/apex_domain\/amazon.com"},{"key":"e_1_2_1_58_1","volume-title":"Exploring Same-Site Attacks in the Modern Web. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Squarcina Marco","year":"2021","unstructured":"Marco Squarcina, Mauro Tempesta, Lorenzo Veronese, Stefano Calzavara, and Matteo Maffei. 2021. Can I Take Your Subdomain? 
Exploring Same-Site Attacks in the Modern Web. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 2917--2934. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/squarcina"},{"key":"e_1_2_1_59_1","unstructured":"Shir Tamari and Ami Luttwak. 2021. A New Class of DNS Vulnerabilities Affecting Many DNS-as-Service Platforms. https:\/\/i.blackhat.com\/USA21\/Wednesday-Handouts\/us-21-A-New-Class-Of-DNS-Vulnerabilities-Affecting-Many-DNS-As-Service-Platforms.pdf."},{"key":"e_1_2_1_60_1","unstructured":"The Wall Street Journal. 2015. Cybercriminals Are Misappropriating Businesses' Web Addresses. https:\/\/www.wsj.com\/articles\/now-cybercriminals-are-misappropriating-businesses-web-addresses-1426120840."},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2016.2558918"},{"key":"e_1_2_1_62_1","volume-title":"Usage statistics of content management systems. https:\/\/w3techs.com\/technologies\/overview\/content_management. Last accessed","year":"2022","unstructured":"W3Techs. 2022. Usage statistics of content management systems. https:\/\/w3techs.com\/technologies\/overview\/content_management. Last accessed: Oct. 6, 2022."},{"key":"e_1_2_1_63_1","volume-title":"Usage statistics of web hosting providers. https:\/\/w3techs.com\/technologies\/overview\/web_hosting. Last accessed","year":"2022","unstructured":"W3Techs. 2022. Usage statistics of web hosting providers. https:\/\/w3techs.com\/technologies\/overview\/web_hosting. Last accessed: Oct. 6, 2022."},{"key":"e_1_2_1_64_1","unstructured":"Wikipedia. 2022. HTTP 404. https:\/\/en.wikipedia.org\/wiki\/HTTP_404#Soft_404_errors."},{"key":"e_1_2_1_65_1","volume-title":"The Free Encyclopedia. https:\/\/en.wikipedia.org\/w\/index.php?title=Domain_generation_algorithm&oldid=1068669787 [Online","author":"Wikipedia","year":"2022","unstructured":"Wikipedia contributors. 2022. Domain generation algorithm - Wikipedia, The Free Encyclopedia. 
https:\/\/en.wikipedia.org\/w\/index.php?title=Domain_generation_algorithm&oldid=1068669787 [Online; accessed 13-October-2022]."},{"key":"e_1_2_1_66_1","volume-title":"The Free Encyclopedia. https:\/\/en.wikipedia.org\/w\/index.php?title=Entropy_(information_theory)&oldid=1115105228 [Online","author":"Wikipedia Wikipedia","year":"2022","unstructured":"Wikipedia contributors. 2022. Entropy (information theory) - Wikipedia, The Free Encyclopedia. https:\/\/en.wikipedia.org\/w\/index.php?title=Entropy_(information_theory)&oldid=1115105228 [Online; accessed 16-October-2022]."}],"container-title":["Proceedings of the ACM on Measurement and Analysis of Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579440","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3579440","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:46:41Z","timestamp":1750178801000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579440"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,27]]},"references-count":66,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,2,27]]}},"alternative-id":["10.1145\/3579440"],"URL":"https:\/\/doi.org\/10.1145\/3579440","relation":{},"ISSN":["2476-1249"],"issn-type":[{"value":"2476-1249","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,27]]},"assertion":[{"value":"2023-03-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
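The abstract above describes the core of the detection approach: reconstruct each subdomain's dependency chain (CNAME targets and delegated nameservers) from passive DNS, and flag chains that end at a hosting-service endpoint the provider has released and an attacker could therefore claim. The Python below is an added illustration of that idea; it is not code from the paper or from the HostingChecker framework. The provider names (hostprov-example.net, dnsprov-example.net), the endpoint patterns, the passive-DNS records and the two "live state" tables are all constructed for the example. A real scanner would replace `LIVE_DNS` and `SERVED_ZONES` with actual DNS queries (NXDOMAIN for a CNAME target, REFUSED/SERVFAIL from a nameserver for the zone), and would build the endpoint list from real providers as the paper does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Records = Dict[str, List[Tuple[str, str]]]

# Constructed passive-DNS snapshot (hypothetical names, not the paper's data):
# the historical view of which names each subdomain has depended on.
PASSIVE_DNS: Records = {
    "shop.example.com":   [("CNAME", "shop-legacy.sites.hostprov-example.net")],
    "blog.example.com":   [("CNAME", "www.example.com")],
    "www.example.com":    [("CNAME", "blog.pages.hostprov-example.net")],
    "dev.example.com":    [("NS", "ns1.dnsprov-example.net"), ("NS", "ns2.dnsprov-example.net")],
    "old.example.com":    [("CNAME", "retired.internal.example.org")],
    "loop-a.example.com": [("CNAME", "loop-b.example.com")],
    "loop-b.example.com": [("CNAME", "loop-a.example.com")],
}

# Constructed stand-in for the live check a real scanner performs: a name maps to its
# current records; an absent name is NXDOMAIN today. shop-legacy.sites... is absent,
# i.e. the hosting endpoint has been released and could be registered by anyone.
LIVE_DNS: Records = {
    "blog.pages.hostprov-example.net": [("A", "203.0.113.10")],
}

# Constructed set of (nameserver, zone) pairs the provider nameserver still answers
# authoritatively for. dev.example.com is missing: the provider released the zone.
SERVED_ZONES: Set[Tuple[str, str]] = set()

# Hypothetical hosting-service endpoint patterns (invented; the paper derives its
# list of vulnerable services semi-automatically from real providers).
HOSTING_ENDPOINTS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("HostProv Pages (CNAME endpoint)", re.compile(r"\.(sites|pages)\.hostprov-example\.net$")),
    ("DNSProv (allocated nameserver)",  re.compile(r"^ns\d+\.dnsprov-example\.net$")),
]


@dataclass
class Finding:
    domain: str
    kind: str          # "cname" or "ns"
    service: str
    endpoint: str
    chain: List[str]
    reason: str


def norm(name: str) -> str:
    # Canonicalise a DNS name: lowercase, no trailing dot.
    return name.rstrip(".").lower()


def match_service(name: str) -> Optional[str]:
    """Return the hosting service whose endpoint pattern matches `name`, if any."""
    for service, pattern in HOSTING_ENDPOINTS:
        if pattern.search(norm(name)):
            return service
    return None


def reconstruct_chain(name: str, passive: Records, max_depth: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs in the passive view. Returns (chain, error); error is "loop" when
    the chain revisits a name or exceeds max_depth, else chain[-1] is the terminal name."""
    cur = norm(name)
    chain, seen = [cur], {cur}
    while True:
        targets = [norm(rd) for rt, rd in passive.get(cur, []) if rt == "CNAME"]
        if not targets:
            return chain, None
        nxt = targets[0]                      # a name carries at most one CNAME (RFC 2181)
        if nxt in seen or len(chain) >= max_depth:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt


def check_domain(domain: str, passive: Records, live: Records,
                 served: Set[Tuple[str, str]]) -> Optional[Finding]:
    """Flag `domain` if its dependency chain ends at a released hosting endpoint."""
    domain = norm(domain)
    chain, err = reconstruct_chain(domain, passive)
    if err:
        return None                           # broken chain, but nothing an attacker can claim
    if len(chain) > 1:                        # CNAME dependency: inspect the terminal target
        terminal = chain[-1]
        service = match_service(terminal)
        if service is None:
            return None                       # dangling to a non-hosting name: not claimable here
        if live.get(terminal) is None:        # NXDOMAIN today -> endpoint released
            return Finding(domain, "cname", service, terminal, chain,
                           "terminal CNAME target no longer exists at the hosting provider")
        return None
    for rt, rd in passive.get(domain, []):    # no CNAME: check provider-allocated nameservers
        if rt != "NS":
            continue
        ns = norm(rd)
        service = match_service(ns)
        if service and (ns, domain) not in served:
            return Finding(domain, "ns", service, ns, chain,
                           "delegated nameserver is provider-allocated and no longer serves the zone")
    return None


def scan(passive: Records, live: Records, served: Set[Tuple[str, str]]) -> Dict[str, Finding]:
    """Check every name in the passive view and return only the vulnerable ones."""
    results: Dict[str, Finding] = {}
    for name in passive:
        finding = check_domain(name, passive, live, served)
        if finding is not None:
            results[name] = finding
    return results


if __name__ == "__main__":
    for name, f in scan(PASSIVE_DNS, LIVE_DNS, SERVED_ZONES).items():
        print(f"{name}: {f.kind.upper()} -> {f.endpoint} [{f.service}] via {' -> '.join(f.chain)}: {f.reason}")
```

Two design points matter in practice. First, a dangling name alone is not a takeover: `old.example.com` points at a name that no longer resolves, but since no hosting provider hands out that name on request, the scanner reports nothing; only a released endpoint that matches a claimable service is a finding. Second, the passive view gives the dependency, but the live check gives the verdict, so both the CNAME case (target is NXDOMAIN) and the NS case (provider nameserver no longer serves the zone) need an active query before a domain is reported.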