You may have heard of Domain Fronting, and some of the work that I’ve previously done. https://vincentyiu.co.uk/domain-fronting-via-cloudfront-alternate-domains/

Then https://www.peew.pw/blog/2018/2/22/how-i-identified-93k-domain-frontable-cloudfront-domains came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not all are validated as they can have invalid certificates.

The benefit of using Domain Fronting is that as far as the victim’s side proxy is concerned, you are making the SSL exchange with the legitimate server you are using as a front. Fantastic.

I’ve kept this private for a long time now, and since someone else has already shown us how to find these domains, I’ve decided to release my list that has been false positive checked with all of the invalid SSL certificate domains removed.

The following script was used to check for SSL issues and that the domain front was infact working:

    import ssl, socket, requests, urllib2, sys
    hostname = sys.argv[1]

    bValid = False
    bFrontSSL = False

    try:
     ctx = ssl.create_default_context()
     s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
     s.connect((hostname, 443))
     cert = s.getpeercert()

    subject = dict(x[0] for x in cert['subject'])
     issued_to = subject['commonName']
     issuer = dict(x[0] for x in cert['issuer'])
     issued_by = issuer['commonName']
     
     bValid = True
    except:
     bValid = False

    #print bValid

    try:
     txheaders = {"User-Agent":"Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0", "Host": "yourinstance.cloudfront.net"}

    url = "https://%s/rare.txt" % sys.argv[1]
     request = urllib2.Request(url, headers=txheaders)
     response = urllib2.urlopen(request).read()
     if "ABC123" in response:
      bFrontSSL = True
     else:
      bFrontSSL = False
    except:
     bFrontSSL = False

    if bFrontSSL:
     print "[!] SSL Front: %s" % sys.argv[1]

After hosting rare.txt on my CloudFront instance, using the above script, all I had to do was perform the following parallel command to ensure swift checking:

cat fronts.txt | parallel -j 32 "python sslfront.py {} | tee -a output.txt"

Soon, output.txt would be filled with legitimate fronts that would have valid certificates that would be used to encrypt our traffic.

vysec/DomainFrontingLists - A list of Domain Frontable Domains by CDN

There wasn’t much point in keeping this private any longer as the same domains were already out there.