This project includes the source code for the tool developed as part of the research paper "Discovering and Measuring CDNs Prone to Domain Fronting" (Link).
The tool is designed to test the possibility of Domain Fronting in Content Delivery Networks (CDNs) by crafting special requests involving existing customers of a particular CDN. Through this tool, you can assess the extent of Domain Fronting in the wild despite mitigation measures taken by popular CDN providers. Our study reveals that it is possible for adversaries to misuse Domain Fronting to hide malicious communications and emphasizes the need for additional mitigation measures that can defend against such misuse.
The Source Code in the src folder is structured as follows:
Before using this tool, you need to specify information about the domains and the related CDNs in a CSV file with the following fields:
cdn: denotes the CDN namefull_domain: denotes the fully qualified domain name associated with a CDN according to the DNS recordsdomain_sld: eTLD+1 of the full_domain field
This CSV file should be passed to the tool as the parameter cdn_domain_mapping_file_path using config.ini. To map the domains associated with CDNs, we leverage Passive and (ActiveDNS) records in our research. While that code isn't made publicly available, we provide a list of CDN host names that we identified as associated to a CDN in the file "cdn_domain_mapper/cdn_domain_keywords.csv".
-
crawler_module: This module includes the code for crawling the eTLD+1 domains associated with different CDNs. The crawler visits the given domains, captures all the URLs, including those of its own subdomains and third-party domains, that were requested, and stores additional information such as the contacted IP address, HTML content, and screenshot of the visited webpage. The results are stored in the data folder. Finally, after crawling all the given domains, the module filters those URLs linked to domains associated with the CDNs. The outcome after filtering is a JSON file that lists the different resources associated with different domains and CDNs in a file specified using the parameter
domain_url_mapping_file_pathin the config file.To execute the crawler, run the command
# python crawl_urls.pyPython file
crawl_urls.py. This program requires as input (read from config file) the CDN_DOMAIN mapping CSV file that uses the columnscdnanddomain_sldto be crawled. -
fronting_tester_module: This module is responsible for crafting requests required to test domain fronting for a given set of domains for different CDNs. This file takes the filtered list of resources and starts by generating test tuples that contain the different information required for performing fronting tests. Finally, the results of "valid" test cases are stored in the JSON file specified using the parameter
test_details_file_pathin the config file. Additionally, further validation is performed to filter successful fronting test cases that verify if the fronting test case is accurate. These verified sucessful results are finally written in a JSON file specified using the parameterfronting_success_cases_file_pathin the config file.The tester can be executed in two different modes "single" or "batch" depending on the number of cases to test.
To execute the tester in batch mode, run the command
# python FrontingTester.py batchTo execute the tester in single mode, run the command
# python FrontingTester.py single -target_domain <Target_domain> -front_domain <Front_domain> -target_url <Target_Url>
For questions or feedback, you can reach us at:
- Email: [email protected]
If you use this project in your research or find it helpful, please consider citing the paper:
@misc{paper_link, title = {Discovering and Measuring CDNs Prone to Domain Fronting}, year = {2024}, howpublished = {\url{https://doi.org/10.1145/3589334.3645656}} }