TL;DR
Yes, a parked subdomain can be used to attack your main website if it’s configured incorrectly and points to a different host. This is because attackers can exploit the shared domain name for phishing, cookie stealing, or even more serious attacks like cross-site scripting (XSS). Proper DNS configuration and security measures are crucial.
Understanding the Risk
A parked subdomain typically means you’ve registered a subdomain (e.g., blog.example.com) but haven’t actively built a website on it yet. Often, these subdomains are pointed to a parking page service or a different web host than your main site (www.example.com). The danger arises when this separate host is compromised or malicious.
How an Attack Could Happen
- Phishing: An attacker could put up a fake login page on the parked subdomain that looks identical to your main website’s login. Users might unknowingly enter their credentials, which are then stolen.
- Cookie Stealing: If both hosts receive the same cookies (typically because a cookie is scoped to the parent domain rather than to the exact host, or because resources are shared), an attacker on the parked subdomain could potentially read a user’s session cookie for the main domain.
- Cross-Site Scripting (XSS): A compromised parked subdomain can host malicious JavaScript that ends up running in the context of your main website, for example when users who visited the parked subdomain go on to visit your main site, especially if the two share resources or your main site’s code has vulnerabilities of its own.
Steps to Protect Your Website
- Verify DNS Records: Regularly check your DNS records for all subdomains. Ensure they point to trusted hosts and that the configuration is correct.
- Use a tool like dig or an online DNS lookup service (e.g., What’s My DNS) to check your records, for example: dig blog.example.com
- Separate Hosts: Ideally, keep the web hosts for your main domain and any parked subdomains separate. This limits the impact of a compromise on one host.
- Content Security Policy (CSP): Implement a strong CSP on your main website to control which sources scripts can be loaded from. This helps mitigate XSS attacks.
- Example CSP header: Content-Security-Policy: default-src 'self' (adjust this based on your needs).
- Cookie Attributes (HttpOnly & Secure): Ensure all cookies set by your main website have the HttpOnly and Secure attributes. HttpOnly prevents JavaScript from accessing the cookie, reducing XSS risk. Secure ensures the cookie is only transmitted over HTTPS.
- Subdomain Isolation: If possible, use a separate session management system for each subdomain to prevent cookie sharing.
- Regular Security Scans: Perform regular vulnerability scans on both your main website and any associated subdomains.
- Monitor Subdomain Activity: Keep an eye on the content hosted on your parked subdomains, even if they are just parking pages. Look for unexpected changes or malicious files.
- HTTPS Everywhere: Ensure all domains and subdomains use HTTPS with valid SSL/TLS certificates.
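The DNS verification step above can be scripted rather than eyeballed. The following is an added example, not code from the original answer: it parses the answer section that dig prints with dig +noall +answer, and flags any subdomain whose CNAME or A/AAAA record points somewhere other than the hosts and addresses you control. The records, host names and addresses embedded below are constructed for illustration, and the allow-lists are assumptions you would replace with your own.

```python
"""Audit DNS answers for your subdomains against an allow-list of trusted hosts.

Added example. Input is the text printed by `dig +noall +answer <name>`
for each subdomain; output is a list of (name, finding) pairs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name without the trailing dot, lower-cased
    rtype: str   # A, AAAA, CNAME, ...
    value: str   # rdata without the trailing dot, lower-cased


def parse_dig_answer(text: str) -> list[Record]:
    """Parse lines in the `dig +noall +answer` format:
    <name> <ttl> <class> <type> <rdata>
    Comment lines (starting with ';') and blank lines are skipped.
    """
    records: list[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # not an answer line
        name, _ttl, _cls, rtype, rdata = parts
        records.append(Record(name.rstrip(".").lower(),
                              rtype.upper(),
                              rdata.rstrip(".").lower()))
    return records


def audit_records(records: list[Record],
                  trusted_hosts: set[str],
                  trusted_ips: set[str]) -> list[tuple[str, str]]:
    """Flag records that point outside the hosts/addresses you control.

    A CNAME is accepted only if its target is a trusted host or lies under one;
    A/AAAA records are accepted only if the address is on the trusted list.
    """
    findings: list[tuple[str, str]] = []
    for r in records:
        if r.rtype == "CNAME":
            under_trusted = any(r.value == h or r.value.endswith("." + h)
                                for h in trusted_hosts)
            if not under_trusted:
                findings.append((r.name, f"CNAME to untrusted host {r.value}"))
        elif r.rtype in ("A", "AAAA"):
            if r.value not in trusted_ips:
                findings.append((r.name, f"{r.rtype} points to untrusted address {r.value}"))
        # other types (TXT, MX, ...) are not web hosts and are ignored here
    return findings


# Constructed sample: what `dig +noall +answer` might print for four names.
# The parking host and the addresses are placeholders, not real infrastructure.
SAMPLE_DIG_OUTPUT = """\
www.example.com.\t300\tIN\tA\t203.0.113.10
blog.example.com.\t300\tIN\tCNAME\tparked.example-parking.net.
shop.example.com.\t300\tIN\tCNAME\twww.example.com.
old.example.com.\t300\tIN\tA\t198.51.100.77
"""

# Assumed allow-lists: the hosts and addresses you actually operate.
TRUSTED_HOSTS = {"www.example.com"}
TRUSTED_IPS = {"203.0.113.10"}


def run_audit() -> list[tuple[str, str]]:
    """Audit the constructed sample; returns the two records that point away."""
    return audit_records(parse_dig_answer(SAMPLE_DIG_OUTPUT), TRUSTED_HOSTS, TRUSTED_IPS)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```

In practice you would feed it the real dig output for every subdomain you own (for example from a zone export) and treat every finding as a record to either repoint to a host you control or remove, since a subdomain you no longer use but that still resolves to someone else's host is exactly the situation the answer warns about.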
Checking Cookie Sharing
You can check if cookies are being shared between your main domain and a parked subdomain using your browser’s developer tools.
- Open the developer tools in your browser (usually by pressing F12).
- Go to the Application or Storage tab.
- Under Cookies, check if cookies for your main domain are also present when you visit the parked subdomain.
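The browser check above can also be done on the server side by inspecting the headers your main site sends. The following is an added example, not code from the original answer: it parses each Set-Cookie header, reports cookies missing HttpOnly or Secure, decides whether each cookie would also be sent to a sibling subdomain (the cookie-sharing condition from the section above, following the host-only versus Domain-attribute scoping rule of RFC 6265), and checks that a Content-Security-Policy with a default-src directive is present. The two header sets, the host names and the cookie values are constructed for illustration.

```python
"""Audit Set-Cookie and Content-Security-Policy headers of a response.

Added example. Checks cookie attributes, cookie scope relative to a sibling
subdomain, and the presence of a CSP default-src directive.
"""
from __future__ import annotations


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_in_scope(cookie: dict, set_by: str, request_host: str) -> bool:
    """RFC 6265 scoping: with no Domain attribute the cookie is host-only and
    returns only to the exact host that set it; with Domain=d it is sent to d
    and to every subdomain of d (so Domain=example.com reaches blog.example.com)."""
    domain = cookie["attrs"].get("domain", "").lstrip(".").lower()
    request_host = request_host.lower()
    if not domain:
        return request_host == set_by.lower()
    return request_host == domain or request_host.endswith("." + domain)


def audit_response(headers: list[tuple[str, str]], set_by: str, sibling: str) -> list[str]:
    """Return a list of findings for the given response headers.

    set_by is the host that sent the response (your main site); sibling is the
    parked subdomain you want to make sure does not receive the cookies.
    """
    findings: list[str] = []
    csp: str | None = None
    for k, v in headers:
        k = k.lower()
        if k == "set-cookie":
            c = parse_set_cookie(v)
            a = c["attrs"]
            if "httponly" not in a:
                findings.append(f"{c['name']}: missing HttpOnly")
            if "secure" not in a:
                findings.append(f"{c['name']}: missing Secure")
            if cookie_in_scope(c, set_by, sibling):
                findings.append(f"{c['name']}: also sent to {sibling} (Domain={a.get('domain')})")
        elif k == "content-security-policy":
            csp = v
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("CSP has no default-src directive")
    return findings


# Constructed sample: a weak response from www.example.com. The session cookie is
# scoped to the parent domain, lacks HttpOnly, and there is no CSP at all.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Domain=example.com; Path=/; Secure"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

# Constructed sample: the same response hardened as the answer recommends.
HARDENED_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

MAIN_HOST = "www.example.com"      # assumed main site
PARKED_HOST = "blog.example.com"   # assumed parked subdomain


def audit_samples() -> tuple[list[str], list[str]]:
    """Audit both samples; the weak one yields three findings, the hardened one none."""
    return (audit_response(WEAK_HEADERS, MAIN_HOST, PARKED_HOST),
            audit_response(HARDENED_HEADERS, MAIN_HOST, PARKED_HOST))


if __name__ == "__main__":
    weak, hardened = audit_samples()
    print("weak:", weak)
    print("hardened:", hardened)
```

The point the scope check makes is that dropping the Domain attribute, not any DNS change, is what stops the main site's session cookie from reaching a parked subdomain: a host-only cookie set by www.example.com is never sent to blog.example.com, whatever that subdomain resolves to.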