Missing CAA Record
Missing Certificate Authority Authorization Record
Overview of the Vulnerability
Certificate Authority Authorization (CAA) is a DNS resource record (RFC 8659) that lets a domain owner or DNS resource holder state which Certificate Authorities (CAs) are permitted to issue certificates for the domain. Publicly trusted CAs are required by the CA/Browser Forum Baseline Requirements to check CAA before issuing. The domain has no CAA record, so every publicly trusted CA is permitted to issue for it: a CA that mis-issues, or an attacker who can pass domain validation at any CA, is not constrained to the CAs the owner actually uses, and can obtain a certificate for the domain without the owner's authorization.
Business Impact
A certificate issued by an unauthorized CA allows an attacker to impersonate the domain to its users. This can result in reputational damage and indirect financial loss to the business through the loss of customers' trust.
Steps to Reproduce
Use {{software}} to gather information about the domain's DNS records.
Observe the missing CAA record in the output:
{{value}}
Proof of Concept (PoC)
The following screenshot shows the DNS resource records returned for the domain, with no CAA record present:
{{screenshot}}
Recommendation(s)
It is recommended to publish an appropriate CAA record in the domain's DNS zone, listing only the CAs that are authorized to issue for it (with an issuewild entry if the wildcard policy differs, and an iodef contact so that CAs can report issuance requests that violate the policy). Note that CAA is enforced by CAs at issuance time only: it does not revoke certificates that have already been issued and does not replace monitoring of Certificate Transparency logs for unexpected issuance.
For more information, please see the following: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-an-appropriate-certification-authority-for-the-applications-user-base
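The following is an added example and is not part of the original report template. It implements the CAA lookup a CA performs under RFC 8659 (walk from the requested name up through its parents until a CAA RRset is found; if none exists anywhere, any CA may issue), and runs it against two constructed zones: one that publishes the kind of CAA policy the recommendation asks for, and one with no CAA record, which is the state this finding describes. The domain names and CA identifiers are hypothetical, and the code goes slightly beyond the page by also handling the issuewild and issuer-critical rules, so that the difference between "no record" and "a restrictive record" is visible.

```python
"""Added example: RFC 8659 CAA lookup over constructed zone data.

Not code from the report template. All names and CA identifiers below are
assumptions chosen for illustration.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value), as shown in dig/zone output

# Constructed zone data (hypothetical names, not real findings).
# 'secure.example' publishes a CAA policy equivalent to the zone lines
#     secure.example.  IN CAA 0 issue     "letsencrypt.org"
#     secure.example.  IN CAA 0 issuewild ";"
#     secure.example.  IN CAA 0 iodef     "mailto:security@secure.example"
# 'open.example' publishes no CAA record at all: the state this report describes.
ZONES: Dict[str, List[CaaRecord]] = {
    "secure.example.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                      # ";" alone: no CA may issue wildcards
        (0, "iodef", "mailto:security@secure.example"),
    ],
    "open.example.": [],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80   # issuer-critical flag bit (RFC 8659 section 4.1)


def ancestors(fqdn: str) -> List[str]:
    """Names a CA queries, in order: the FQDN itself, then each parent, then the root.
    'api.open.example.' -> ['api.open.example.', 'open.example.', 'example.', '.']"""
    labels = [l for l in fqdn.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def relevant_caa(fqdn: str, zones: Dict[str, List[CaaRecord]]) -> Optional[Tuple[str, List[CaaRecord]]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset found
    walking from the FQDN towards the root. None means no CAA record anywhere."""
    for name in ancestors(fqdn):
        rrset = zones.get(name)
        if rrset:
            return name, rrset
    return None


def issuer_of(value: str) -> str:
    """Extract the issuer domain from a CAA value, dropping any parameters.
    'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''"""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn: str, ca: str, wildcard: bool = False,
                 zones: Dict[str, List[CaaRecord]] = ZONES) -> bool:
    """Decide whether the CA identified by `ca` may issue for `fqdn`."""
    found = relevant_caa(fqdn, zones)
    if found is None:
        return True            # no CAA record: issuance is unrestricted for every CA
    _, rrset = found
    # An unrecognised tag marked issuer-critical means the CA must refuse to issue.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    tags = {tag.lower() for _, tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True            # e.g. a policy with only iodef does not restrict issuance
    return ca.lower() in {issuer_of(v) for _, t, v in rrset if t.lower() == tag}


if __name__ == "__main__":
    for name in ("www.open.example.", "www.secure.example."):
        for ca in ("letsencrypt.org", "other-ca.example"):
            print(f"{name:22} {ca:18} may issue: {ca_may_issue(name, ca)}")
    print(f"wildcard *.secure.example via letsencrypt.org: "
          f"{ca_may_issue('secure.example.', 'letsencrypt.org', wildcard=True)}")
```

Against the live zone the same lookup is done with a DNS client, for example `dig CAA <domain> +short` for the name and each of its parents; an empty answer at every level corresponds to the `None` result above, and is the evidence this finding expects in the {{value}} output.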