Comments (69)

Dec0y-jb avatar Dec0y-jb commented on September 15, 2024 25

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:

Domain 'redacted.com' is already taken by another customer

Definitely an Edge Case.

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on September 15, 2024 12

@n1ghtfox it's simple and easy.

  1. Create a new service (e.g. version 1).
  2. Add the subdomain or domain. If it accepts your domain, this means you can take it over; then do the next steps.
  3. Then, in the Origin Host, add your VPS IP without SSL; if not, include port 80.
  4. Activate your service (version 1).

If you don't want to wait to know whether the domain is connecting to the VPS or not, you can check it directly: go to Domains, and near the domain name you will see Test Domain, which will open a link like this:
http://domain.com.global.prod.fastly.net and it will show your VPS page.
Sure, you can wait 10 min to avoid doing this step :)

Kind Regards,
Mohamed Haron.

from can-i-take-over-xyz.

sumgr0 avatar sumgr0 commented on September 15, 2024 9

I understand, and confirm it worked for this time and allowed. Also the reason, as mentioned by the program, they were in the process of decommissioning the Fastly service, while I took over the subdomains. I've had mostly the experience of it not working, but once or twice it worked. Maybe due to the way the account is configured by the programs (they may or may not be using wildcards).

Hence, it seems if the setup contains the wildcard entries, it does not allow to takeover any subdomain belonging to the program and gives out the error: domain "abc" is already taken by another customer. And works when they setup individual subdomains on the service.

Hopefully this helps.

from can-i-take-over-xyz.

vaadata-thevenota avatar vaadata-thevenota commented on September 15, 2024 7

I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is.

DNS:

sub.staging.target.fr. CNAME target.map.fastly.net.
target.map.fastly.net.	A	151.101.xx.xxx

I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service.

from can-i-take-over-xyz.

null406 avatar null406 commented on September 15, 2024 5

I'm now facing this shit: Domain 'blahblah.com' is already taken by another customer
Can someone explain to me how to fix this shit?

from can-i-take-over-xyz.

sawravchy avatar sawravchy commented on September 15, 2024 4

I think Fastly is no longer vulnerable to subdomain takeover.

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on September 15, 2024 3

Hi @EdOverflow,
Is it still possible to claim subdomain on Fastly?

Regards,

Yes bro, I did a takeover in the last 2 days for 4 domains.

from can-i-take-over-xyz.

arunrkamaraj avatar arunrkamaraj commented on September 15, 2024 3

vikrams-MacBook-Air:domaintakeover arjunsharma$ dig https://critik.in/best-lip-balms-in-india/

; <<>> DiG 9.10.6 <<>> https://critik.in/best-lip-balms-in-india/
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19199
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;

https://critik.in/best-lip-balms-in-india/ IN A

;; ANSWER SECTION:

https://critik.in/best-lip-balms-in-india/ 80835 IN CNAME https://critik.in/best-lip-balms-in-india/
https://critik.in/best-lip-balms-in-india/ 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
nonssl.global.fastly.net. 30 IN A 151.101.0.204
nonssl.global.fastly.net. 30 IN A 151.101.64.204
nonssl.global.fastly.net. 30 IN A 151.101.192.204

This kind of misconfiguration also makes services vulnerable.

from can-i-take-over-xyz.

codingo avatar codingo commented on September 15, 2024 2

That certainly merits further investigation!

@EdOverflow I'm unable to look at this for a week, what's your capacity like? Happy for you to tag me on this if you're snowed under also.

Related to the work on #20 I think this should be done in a test cases and then added to the main readme.

from can-i-take-over-xyz.

melardev avatar melardev commented on September 15, 2024 1

@sumgr0 Yes, it helps, thanks =)

from can-i-take-over-xyz.

theunited36 avatar theunited36 commented on September 15, 2024 1

It seems that it is not vulnerable, because when we try to take over sub_1.test.com, it says that test.com is already registered.

from can-i-take-over-xyz.

com0t avatar com0t commented on September 15, 2024 1

I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is.

DNS:

sub.staging.target.fr. CNAME target.map.fastly.net.
target.map.fastly.net.	A	151.101.xx.xxx

I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service.

hi @vaadataa how can i register map.fastly.net domain?
Thank~

from can-i-take-over-xyz.

Captain0X avatar Captain0X commented on September 15, 2024 1

who knows why i can't takeover this subdomain , is very sad~

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on September 15, 2024 1

Is it still possible to takeover CNAME pointing to map.fastly.net? Eg : target.com --> target.com.map.fastly.net Please provide steps if possible. I am getting only target.com.global.prod.fastly.net

No, you can only add a domain, and Fastly chooses the name for your domain.

Even if you are able to take over target.com.map.fastly.net, services won't run until you add the domain.

from can-i-take-over-xyz.

gister9000 avatar gister9000 commented on September 15, 2024 1

@sawravchy I think this is still an edge case - as described by @mohamed-faris , his example still works:

from can-i-take-over-xyz.

JesseClarkND avatar JesseClarkND commented on September 15, 2024

Here is the verification screen and types.
DNS, email, or text file upload.

from can-i-take-over-xyz.

tolo7010 avatar tolo7010 commented on September 15, 2024

Hi @EdOverflow ,

I've been confirmed on my last report that this is not a valid vulnerability. This is the default Fastly error message if you are visiting the sub-domain directly which is not the intended use case, since it is part of a redirect by the CDN.

Regards,
tolo7010

from can-i-take-over-xyz.

sostoli avatar sostoli commented on September 15, 2024

Hi @EdOverflow,
Is it still possible to claim subdomain on Fastly?

Regards,

from can-i-take-over-xyz.

n1ghtfox avatar n1ghtfox commented on September 15, 2024

Can someone post step by step subdomain takeover on fastly?

from can-i-take-over-xyz.

venkatst avatar venkatst commented on September 15, 2024

@m7mdharoun,

In the 2nd point, you have mentioned adding a subdomain. This is the victim subdomain, right?
And what if it gets rejected? Is there a way to control traffic, like redirection?

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on September 15, 2024

@vaadataa I confirm this too; last month I took over 4 subdomains pointing to Fastly.

Steps for takeover here Guys with video you can find it here
https://www.mohamedharon.com/2019/06/can-i-takeover-xyz-steps.html

from can-i-take-over-xyz.

theamanrawat avatar theamanrawat commented on September 15, 2024

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:

Domain 'redacted.com' is already taken by another customer

Definitely an Edge Case.

Yes I also got the same error

from can-i-take-over-xyz.

mouanime04 avatar mouanime04 commented on September 15, 2024

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.

Yes I also got the same error

Me too, same error. Any update?

from can-i-take-over-xyz.

sumgr0 avatar sumgr0 commented on September 15, 2024

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.

Yes I also got the same error

Me too, same error. Any update?

Yes, it's an edge case.

I was able to takeover a subdomain for a H1 program and was awarded bounty about a week back.

from can-i-take-over-xyz.

No1d3a avatar No1d3a commented on September 15, 2024

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.

Yes I also got the same error

Me too, same error. Any update?

The same error, Any updates!?

from can-i-take-over-xyz.

sumgr0 avatar sumgr0 commented on September 15, 2024

Just for confirmation of how Fastly is still possible to takeover, check out www.litium.de. This shall confirm the edge scenario.

from can-i-take-over-xyz.

hetroublehacker avatar hetroublehacker commented on September 15, 2024

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.

Yes I also got the same error

Me too, same error. Any update?

Yes, it's an edge case.

I was able to takeover a subdomain for a H1 program and was awarded bounty about a week back.

Any Updates got the same error!

from can-i-take-over-xyz.

ashhadali10 avatar ashhadali10 commented on September 15, 2024

is it possible that we can take over any vulnerable subdomain using fastly services or not or we use the different services which that domain use?

from can-i-take-over-xyz.

efkann avatar efkann commented on September 15, 2024

Hey, just used this method to takeover a subdomain and it worked. But still it's an edge case. In this one, the error was :
"Fastly error: unknow domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala"

from can-i-take-over-xyz.

ankushgoel27 avatar ankushgoel27 commented on September 15, 2024

i am getting the same error as above described by mefkan. "Fastly error: unknow domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala". but still unable to add domain to fastly

I am getting error - domain "abc" is already taken by another customer. Am i doing something wrong here?

from can-i-take-over-xyz.

jojojump avatar jojojump commented on September 15, 2024

Any Updates got the same error! I am getting error - domain "abc" is already taken by another customer

from can-i-take-over-xyz.

melardev avatar melardev commented on September 15, 2024

@sumgr0 For the same program? They were using two different domains in scope, right?
At this time Fastly is checking the domain (example.com) given; if it is taken once, you can't register any of the subdomains (ignorebyfastly.example.com).
So a company is vulnerable only if they stop using Fastly completely for a whole domain.

from can-i-take-over-xyz.

melardev avatar melardev commented on September 15, 2024

@sumgr0 so you took over subdomain1.example.com and subdomain2.example.com? Fastly UI says the opposite of what you do: if you try to take subdomain1.example.com, Fastly is only checking if example.com is taken; if it is, you can't register subdomain1.example.com nor subdomain2.example.com nor any other subdomain for that example.com, even if one of them is showing the fingerprint error message.

from can-i-take-over-xyz.

arjunnkn avatar arjunnkn commented on September 15, 2024

another corner case is :-
arjuns-MacBook-Air:domaintakeover arjunsharma$ dig elle.tw

; <<>> DiG 9.10.6 <<>> elle.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42494
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;elle.tw. IN A

;; ANSWER SECTION:
elle.tw. 86400 IN A 151.101.128.200
elle.tw. 86400 IN A 151.101.192.200
elle.tw. 86400 IN A 151.101.0.200
elle.tw. 86400 IN A 151.101.64.200

arjuns-MacBook-Air:domaintakeover arjunsharma$ dig www.elle.tw

; <<>> DiG 9.10.6 <<>> www.elle.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19199
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.elle.tw. IN A

;; ANSWER SECTION:
www.elle.tw. 80835 IN CNAME www.elle.com.tw.
www.elle.com.tw. 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
nonssl.global.fastly.net. 30 IN A 151.101.0.204
nonssl.global.fastly.net. 30 IN A 151.101.64.204
nonssl.global.fastly.net. 30 IN A 151.101.192.204

This kind of misconfiguration also makes services vulnerable.

from can-i-take-over-xyz.
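
For zone owners, the dig answers and the error page quoted in this thread are enough to audit for dangling Fastly records. The following is an added example, not code from the thread or from the can-i-take-over-xyz project: it parses dig-style answer lines, follows CNAME chains, and flags names in your own zone that end at Fastly while the edge returns the unknown-domain error. The records, the response bodies, the example.org names and the use of 151.101.0.0/16 (taken from the addresses shown in the thread) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the addresses in the thread's dig output all sit in 151.101.0.0/16.
FASTLY_NET = ipaddress.ip_network("151.101.0.0/16")
# Error page quoted in the thread (spelled "unknow domain" there).
FINGERPRINT = re.compile(r"Fastly error: unknown? domain", re.I)

# Constructed dig answer lines for a zone we own (example.org is a placeholder).
DIG_ANSWERS = """\
www.example.org. 300 IN CNAME www.example.com.tw.
www.example.com.tw. 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
old.example.org. 300 IN CNAME example.map.fastly.net.
example.map.fastly.net. 30 IN A 151.101.64.204
example.org. 86400 IN A 151.101.0.200
blog.example.org. 300 IN A 192.0.2.10
"""

# Constructed HTTP bodies, as fetched with the Host header set to each name.
BODIES = {
    "www.example.org.": "<html>Welcome</html>",
    "old.example.org.": "Fastly error: unknown domain: old.example.org. "
                        "Please check that this domain has been added to a service.",
    "example.org.": "<html>Home</html>",
}

def parse_answers(text):
    """Return {owner: [(rtype, rdata), ...]} from dig answer-section lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] in ("A", "CNAME"):
            records.setdefault(parts[0].lower(), []).append((parts[3], parts[4].lower()))
    return records

def ends_at_fastly(name, records, depth=0):
    """Follow CNAMEs (bounded, to survive loops) and test the final target."""
    if name.endswith(".fastly.net."):
        return True
    if depth > 8:
        return False
    for rtype, rdata in records.get(name, []):
        if rtype == "A" and ipaddress.ip_address(rdata) in FASTLY_NET:
            return True
        if rtype == "CNAME" and ends_at_fastly(rdata, records, depth + 1):
            return True
    return False

def audit(zone, records, bodies):
    """Classify every name inside our zone; 'dangling' means the DNS record
    should be removed or the domain re-added to a Fastly service we control."""
    report = {}
    for name in (n for n in records if n == zone or n.endswith("." + zone)):
        if not ends_at_fastly(name, records):
            report[name] = "not-fastly"
        elif FINGERPRINT.search(bodies.get(name, "")):
            report[name] = "dangling"
        else:
            report[name] = "fastly-served"
    return report

if __name__ == "__main__":
    print(audit("example.org.", parse_answers(DIG_ANSWERS), BODIES))
```

As the thread notes, the error page alone does not mean the name can be claimed by someone else, so a "dangling" result is a cleanup item for the zone owner rather than proof of exposure.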

rsgian avatar rsgian commented on September 15, 2024

Hi @EdOverflow,
Is it still possible to claim subdomain on Fastly?
Regards,

Yes bro, I did a takeover in the last 2 days for 4 domains.

can you guide us how you did it

from can-i-take-over-xyz.

rsgian avatar rsgian commented on September 15, 2024

can you guide us how you did it

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on September 15, 2024

here bro https://www.youtube.com/watch?v=9DYEg_j-_hw

from can-i-take-over-xyz.

rsgian avatar rsgian commented on September 15, 2024

thanks very much

from can-i-take-over-xyz.

rsgian avatar rsgian commented on September 15, 2024

Great PoC, thanks for that. I also follow your blog and learned subdomain takeover through your blogs

here bro https://www.youtube.com/watch?v=9DYEg_j-_hw

Great PoC, thanks for that. I also follow your blog and learned subdomain takeover through your blogs, and I guess the subdomain I was trying to take over is not vulnerable because it says " domain is already took by another customer"

from can-i-take-over-xyz.

rsgian avatar rsgian commented on September 15, 2024

The 'blahblah.com' is secured and not possible to take over

from can-i-take-over-xyz.

rishabsinghlogin avatar rishabsinghlogin commented on September 15, 2024

Is it still possible to claim subdomain on Fastly?

from can-i-take-over-xyz.

faeeq avatar faeeq commented on September 15, 2024

I successfully claimed a domain
But the link it is generating is
Domain.com.fastly.net
It should show only domain.com
Or domain.com.fastly.net is also correct?

from can-i-take-over-xyz.

Bhargava-krishna avatar Bhargava-krishna commented on September 15, 2024

@sumgr0 so you took over subdomain1.example.com and subdomain2.example.com? Fastly UI says the opposite of what you do: if you try to take subdomain1.example.com, Fastly is only checking if example.com is taken; if it is, you can't register subdomain1.example.com nor subdomain2.example.com nor any other subdomain for that example.com, even if one of them is showing the fingerprint error message.

Is there any way to bypass this?

from can-i-take-over-xyz.

sumgr0 avatar sumgr0 commented on September 15, 2024

Only if the parent domain is not registered with wildcard entry. I've not seen anymore cases with fastly service takeover.

from can-i-take-over-xyz.

zkebami avatar zkebami commented on September 15, 2024

Can you tell me how, because this is not working for me?

from can-i-take-over-xyz.

lnlinh31 avatar lnlinh31 commented on September 15, 2024

@vaadataa how can i register map.fastly.net domain? Now i only get a *.global.prod.fastly.net domain

from can-i-take-over-xyz.

pdelteil avatar pdelteil commented on September 15, 2024

After testing many domains with the error page. I haven't found a way to take over the subdomains.

I think this has been fixed and not properly reported here.

from can-i-take-over-xyz.

vionde avatar vionde commented on September 15, 2024

Just made a takeover.

Target was test.target.com. CNAME to global.prod.fastly.net

When i open URL, it says
Fastly error: unknow domain: test-example.s3.amazonaws.com. Please check that this domain has been added to a service. Details: cache-blalala

  1. Create new delivery service
  2. Name test-example.s3.amazonaws.com
  3. Host is my VPS

Worked

from can-i-take-over-xyz.

unf0rgvn avatar unf0rgvn commented on September 15, 2024

Any updates? I've found an error page on a bug bounty program, but when I go to create it, it returns the message:
Domain 'blahblah.com' is already taken by another customer

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on September 15, 2024

Any updates? I've found an error page on a bug bounty program, but when I go to create it, it returns the message: Domain 'blahblah.com' is already taken by another customer

This means blahblah.com is not vulnerable to takeover.

from can-i-take-over-xyz.

mufazmi avatar mufazmi commented on September 15, 2024

Is there no way to bypass these errors..?

Domain 'socialcodia.facebook.com' is already taken by another customer.

from can-i-take-over-xyz.

mohamed-faris avatar mohamed-faris commented on September 15, 2024

Just made a takeover.

Target was test.target.com. CNAME to global.prod.fastly.net

When i open URL, it says Fastly error: unknow domain: test-example.s3.amazonaws.com. Please check that this domain has been added to a service. Details: cache-blalala

  1. Create new delivery service
  2. Name test-example.s3.amazonaws.com
  3. Host is my VPS

Worked

I got the same page in www-TARGET-com.TARGET.com

BUT I didn't understand your tips and I don't know where (Create new delivery service) and the other tips
can you please explain it more deeper
my Twitter:_2os5

from can-i-take-over-xyz.

SandeepkrishnaS avatar SandeepkrishnaS commented on September 15, 2024

Is it still possible to takeover CNAME pointing to map.fastly.net? Eg : target.com --> target.com.map.fastly.net
Please provide steps if possible. I am getting only target.com.global.prod.fastly.net

from can-i-take-over-xyz.

sawravchy avatar sawravchy commented on September 15, 2024

Ok got it. Thanks for clarifying this.

from can-i-take-over-xyz.

vasu4518 avatar vasu4518 commented on September 15, 2024

fastly error for somthing.target.com is not vulnerable
But somthing.target.in was is vulnerable. can i report

from can-i-take-over-xyz.

subhash4x avatar subhash4x commented on September 15, 2024

hi @m7mdharoun , i used subjack tool and find 5 domain which are showing FASTLY . can vulnerable

from can-i-take-over-xyz.

deepsharma00 avatar deepsharma00 commented on September 15, 2024

Hii @m7mdharoun my custom domain is saved but i get this " Domain does not resolve to the GitHub Pages server" pls help me

from can-i-take-over-xyz.

nayeems3c avatar nayeems3c commented on September 15, 2024

Just made a takeover. Thank you mate @mohamed-faris

from can-i-take-over-xyz.

pdelteil avatar pdelteil commented on September 15, 2024

I just tried with 600 domains giving the fingerprint, none of them resulted in a takeover.

from can-i-take-over-xyz.

Pawansharma12012 avatar Pawansharma12012 commented on September 15, 2024

@vaadataa I confirm this too; last month I took over 4 subdomains pointing to Fastly.

Steps for takeover here Guys with video you can find it here
https://www.mohamedharon.com/2019/06/can-i-takeover-xyz-steps.html

the link is not working!!

from can-i-take-over-xyz.

KKonaNN avatar KKonaNN commented on September 15, 2024

fastly is an edge case its still vuln when none claimed domain tested on a live target
http://live.pandora.com

from can-i-take-over-xyz.
