edoverflow / can-i-take-over-xyz
"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
License: Creative Commons Attribution 4.0 International
Cloudfront 502 error
Error showing
502 ERROR
The request could not be satisfied.
CloudFront wasn't able to connect to the origin.
If you received this error while trying to use an app or access a website, please contact the provider or website owner for assistance.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by following steps in the CloudFront documentation (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html).
Generated by cloudfront (CloudFront)
Request ID: xcB9zQ3IRZxqwgV5duuhW*****EVskahplQSTbcUuNjG86Pg==
When I used the dig command, there was no CNAME to CloudFront.
On a 502 error it is not vulnerable to subdomain takeover.
Readme.io (https://readme.io/)
The subdomains reside on *.readme.io. It is a classic virtual hosting scenario like in other similar services.
To verify whether subdomain takeover may be possible, run:
http -b GET http://{DOMAIN NAME} | grep -F -q "Project doesnt exist... yet!" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"
(Assuming you have Readme.io account created.)
Is subdomain takeover possible on Azure?
The subdomain returns the Azure 404 page, and after checking with dig, the A record is a public IP address.
AWS S3 && Fastly
I've come across a sub-domain with a CNAME pointing to Fastly.net service while the actual http fingerprint confirms the S3 bucket Not in Use.
Is there a possibility of takeover through the S3 bucket (which is not known) while the CNAME points to i2.shared.us-eu.fastly.net?
FreshDesk
If the subdomain has the fingerprint and the CNAME matches that fingerprint, yes, the subdomain can be taken over!
Fingerprint:
We couldn't find support.example.com
May be this is still fresh!
You can claim it now at http://www.freshdesk.com/signup
HarryMag could take over a subdomain
http://support.hvst.com/support/login
Based on the information shared in the hackerone report for FeedPress based subdomain, not able to takeover the ownership. The error message on the URL stated:
After creating the account on feedpress, and trying to takeover the subdomain by selecting My Hostname and entering the programs sub-domain, it results in the error message - "The hostname xyz.domain.com is already registered on FeedPress."
Is the sub-domain takeover in such scenario possible?
Thanks
I have found a subdomain sub.example.com
And the CNAME is pointing to 1234.github.io
When navigating to sub.example.com
It will show the 404 error
There isn't a GitHub Pages site here.
So I created a github page and added sub.example.com as custom domain.
And it will say that this CNAME has already been taken.
Am I doing something wrong? Or is it not vulnerable?
Shopify
Please read the docs for more details.
I wrote a long article and released a small script that performs three types of tests (page error message, CNAME and REST API query).
https://medium.com/@thebuckhacker/how-to-do-55-000-subdomain-takeover-in-a-blink-of-an-eye-a94954c3fc75
https://github.com/buckhacker/SubDomainTakeoverTools/blob/master/ShopifySubdomainTakeoverCheck.py
LaunchRock offers service to create marketing pages.
I was able to perform subdomain takeover in the private program on H1. The POC cost me $9 to buy the Premium plan on the service (adding a custom subdomain is available only on the Premium plan). The issue was confirmed, fixed, and rewarded.
String to determine subdomain takeover:
It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
The vulnerable subdomain can be pointed to LaunchRock via CNAME (example.launchrock.com) or via the following A records:
54.243.190.28
54.243.190.39
54.243.190.47
54.243.190.54
If the above conditions are met, we can perform subdomain takeover by adding the vulnerable subdomain as a LaunchRock custom domain in the control panel.
Yes, we can add arbitrary JavaScript through the control panel.
Dec 2018
https://hackerone.com/reports/416474
Not only the fingerprint "Sorry, this shop is currently unavailable."
New fingerprint that I've found in my report: "Now Your domain ( Name of subdomain ) is ready to connect to your Shopify Shop"
Hey,
I just wanted to submit another website: Pantheon.
Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111
http://www.geekboy.ninja/blog/hijacking-tons-of-instapage-expired-users-domains-subdomains/
Is it still possible?
It seems subdomains can be taken over, I think. Can you check it?
Sorry, it is in Indonesian, but I added some screenshots so I think you will understand.
AWS finally started mitigating subdomain takeovers on CloudFront. When you try to register Alias (CNAME) for your CloudFront distribution, it refuses to do so if the DNS zone file has CNAME to different CloudFront domain.
This is a type of verification from CloudFront so that you can't take over any subdomain, even when both ports (80 and 443, HTTP or HTTPS) show an error, if the DNS zone file has a CNAME to a different CloudFront domain.
So, from CloudFront: bye bye bug bounty.
When you try to take over the subdomain you will get this as a further alert!
Note :
The CNAME of the vulnerable subdomain must be SmugMug's CNAME (domains.smugmug.com).
Fastly will work only in some specific situations. In some cases they validate the customer domain before assigning the fastly.net subdomain.
Verifying domain ownership
Any time you request addition of a domain to a certificate, you must verify you own the domain. This helps us ensure no one else is using your domain without your permission.
Usually we see the Subdomain Takeover vulnerability affecting the front-end but I think APIs can also be affected.
For example, Apigee uses the same CNAME approach to set up an environment (e.g. https://docs-new.apigee.com/custom-domain). The problem is you need a paid Apigee account to create the custom domain.
Do you have any example or reference showing that Apigee APIs or any other vendor can be exploited?
Thanks!
Ricardo Iramar
Amazon (AWS) S3
Amazon S3 service is indeed vulnerable. Amazon S3 follows pretty much the same concept of virtual hosting as other cloud providers. S3 buckets might be configured as website hosting to serve static content as web servers. If the canonical domain name has website in it, the S3 bucket is specified as Website hosting. I suspect that non-website and website configured buckets are handled by separate load balancers, and therefore they don't work with each other. The only difference will be in the bucket creation where correct website flag needs to be set if necessary. Step-by-step process:
To verify the domain, I run:
http -b GET http://{SOURCE DOMAIN NAME} | grep -E -q '<Code>NoSuchBucket</Code>|<li>Code: NoSuchBucket</li>' && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"
Note that there are two possible error pages depending on the bucket settings (set as website hosting or not).
Some reports on H1, claiming S3 buckets:
There are several formats of domains that Amazon uses for S3 (RegExp):
^[a-z0-9\.\-]{0,63}\.?s3\.amazonaws\.com$
^[a-z0-9\.\-]{0,63}\.?s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws\.com(\.cn)?$
^[a-z0-9\.\-]{0,63}\.?s3[\.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$
^[a-z0-9\.\-]{0,63}\.?s3\.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$
Note that there are cases where only raw domain (e.g. s3.amazon.com) is included in CNAME and takeover is still possible.
(Documentation taken from https://0xpatrik.com/takeover-proofs/)
Can anyone guide me on whether it is vulnerable or not?
The CNAME is pointed to Cloudflare.
Web Page Blocked
Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.
The attacker here used an un-ethical way to exploit Unbounce which is resolved now as far as I believe.
Heroku
Heroku has the same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomains respond with the same set of A records. The HTTP Host header matters for correct domain resolution (as in other providers). There is also a possibility to upload your own certificate in order to work on a custom domain as well (e.g. GitHub Pages doesn't support this and thus you cannot have HTTPS enabled with a custom domain set).
Step-by-step:
To verify:
http -b GET http://{DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"
(there is an iFrame with aforementioned URL present)
There are three domains that Heroku uses:
At the moment, I can confirm only proper working on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated, however old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.
Example of https://hackerone.com/reports/38007
I did the same takeover in the last 2 days, so the vulnerability still exists.
Service name: webflow
Website: https://webflow.com/
Report: https://hackerone.com/reports/399165
Subdomain takeover through Webflow is possible, but for creating a POC you need a paid account because Webflow needs a paid account for creating subdomains and using web hosting through Webflow.
Kinsta
Subdomain takeover through Kinsta is possible, but for creating a POC you need a paid account because Kinsta needs a paid account for creating subdomains and using web hosting through Kinsta.
Hi.
I think it is good to mark "time" in the template.
Example) "Kinsta" service was added. But when?
So, I think it would be nice to add "time" to the "All entries" table.
By doing so, the newly added service can be confirmed intuitively.
Thanks.
strikingly
https://medium.com/@sherif0x00/takeover-subdomains-pointing-to-strikingly-5e67df80cdfd
I suppose that there are no conditions; it just needs to be not registered or expired.
Smartling is a translation service.
If the vulnerable domain has a CNAME pointing to e.g. *.smartling.com - open that domain and check for the string:
"Domain is not configured"
This means it should be possible to take over.
Problem here is I can't actually be sure this works. A couple of subdomain takeover tools mention this service as well as this fingerprint, but I can't actually look up any report or blog post specifying this. Furthermore, to have access to smartling it seems you actually have to go through a manual register / validation process (I might be wrong).
The best reference so far is actually smartling documentation here. Reading the article, it doesn't seem any kind of ownership verification is done so, in theory, should be possible to just register a domain and complete the takeover.
If anyone can dig a bit more on this, would be awesome.
Is this vulnerable or not?
(Warning! Domain mapping upgrade for this domain not found. Please log in and go to the Domains Upgrades page of your blog to use this domain.)
If vulnerable, then how do I take over through WordPress?
For some of the mentioned vendors, which I've had experience dealing with, there is no clarification to hackers using this list of where a false positive could occur.
In the instance of Unbounce for example, an empty Unbounce would in some cases yield the same response as a claimed one.
By suggesting to hackers that it is vulnerable to takeover but it requires a paid account, this could cause confusion and lead to some hackers reading this to just file a report whenever they see an Unbounce with nothing on the homepage.
While I mentioned the Unbounce issue specifically, it might be good to mention the "gotchas" with other vendors when claiming domains more clearly (like is done presently with Fastly, although I think it could be clearer than just a "yes"). This isn't clear to lesser experienced hackers and likely also won't be clear to security teams handling these bugs, and would likely prevent it being fuel for long debates between hackers and teams about whether x takeover is actually vulnerable if it was more honest with the shortcomings of exploiting with certain vendors.
I found some subdomains that look like this:
Server: edgesuite and akadns (Akamai)
I found some different 404 responses for those subdomains that look like:
1) "File not found."
2) Service Unavailable - DNS failure
The server is temporarily unable to service your request. Please try again later.
3) An error occurred while processing your request.
This is what I am getting from that Akamai CDN service, which is different from the last one:
Invalid URL
The requested URL "[no URL]", is invalid.
Does anyone know if this vulnerable to a takeover?
As reported here https://support.zendesk.com/hc/en-us/articles/203664356-Changing-the-address-of-your-Help-Center-subdomain-host-mapping- Zendesk subdomain takeover requires making the subdomain an alias of the default address. So it shouldn't be possible to get a subdomain takeover without getting access to the domain registrar's control panel.
Am I wrong?
Are subdomains hosted at Discourse vulnerable to takeover or not?
Can a subdomain pointing to Eloqua cloud be taken over? And how do you use Azure cloud to take over subdomains?
We could integrate a TO-DO list into the README.md file for services that have not been tested yet. That way, people can help us expand the list by focusing on untested services.
Hi, I wanted to share a list of CNAMEs (or rather just substrings), seen for sub-domains from public BBPs/VDPs on various platforms that might indicate a takeover-able sub-domain. I created the list a few months ago (it might be dated) and never found time to utilize it further so I'm sharing it publicly as it might be helpful to extend what this repository covers:
The ones below need an approved registration, a demo or similar stuff so it's hard to tell if they are takeover-able or not:
Have fun.
Can a response like the one below be taken over?
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A 0day.xxxxx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12015
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;0day.xxxxx.com. IN A
;; AUTHORITY SECTION:
0day.xxxxx.com. 900 IN SOA ns-xxx.awsdns-61.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 62 msec
;; SERVER: 192.168.xx.xx#53(192.168.xx.xx)
;; WHEN: Fri Nov 23 18:53:17 DST 2018
;; MSG SIZE rcvd: 130
If you get an error similar to this one that gives a 404 error, simply go to https://www.intercom.com/customer-support-software, create a new account, and buy the service or get a free demo for 14 days.
Then visit https://app.intercom.io/a/apps/pr1twx7u/articles/site/settings and add the subdomain that's giving the error in the custom domain field.
Turn on the Help Center and publish a test article as well, otherwise you won't be able to turn on the help center.
After you turn it on successfully you'll be the admin of the help center.
https://www.intercom.com/help/
Thanks 😉
Microsoft Azure
There is no general approach for PoC. Microsoft Azure offers multiple services (CloudApp, Azure Websites, etc.) that use different domain names.
The general approach in verifying subdomain takeover is to check whether the Azure domain responds with NXDOMAIN DNS status. This is (to my knowledge) the necessary condition of the domain, however it is not sufficient. In other words, not all Azure domains which are used in some CNAME and respond with NXDOMAIN are vulnerable to subdomain takeover. I personally got a case where Azure portal refused to create a domain even though it responded with NXDOMAIN.
Some H1 reports to prove this point:
As mentioned before, the PoC creation depends on the service in question, however, they generally tend to have similar workflows.
These are the domains that are identified as vulnerable. Each of these is used for a particular Azure service:
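The NXDOMAIN rule from the Azure comment above, applied to dig output like the Route 53 answer quoted earlier in this thread, as an added example that is not code from the repository. It parses the text dig prints and flags a hostname only as a lead that still needs manual confirmation, because NXDOMAIN on the CNAME target is necessary but not sufficient; the sample outputs, hostnames and query IDs are constructed.

```python
import re

# Regexes for the two dig header lines that carry the verdict.
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def parse_dig(output):
    """Return status, answer count and whether this is an NXDOMAIN lead.
    Raises ValueError when no HEADER line is present (e.g. a timeout)."""
    header = HEADER_RE.search(output)
    if header is None:
        raise ValueError("no dig HEADER line found")
    counts = COUNTS_RE.search(output)
    status = header.group(2)
    answers = int(counts.group(2)) if counts else 0
    # NXDOMAIN is only a lead: the provider may still refuse the claim,
    # as the Azure comment describes.
    return {"status": status, "answers": answers, "lead": status == "NXDOMAIN"}


def nxdomain_leads(records):
    """records: iterable of (hostname, cname_target, dig_output_for_target).
    Returns the hostnames whose CNAME target came back NXDOMAIN."""
    return [host for host, _target, out in records if parse_dig(out)["lead"]]


# Constructed samples modelled on the dig output quoted in the thread.
SAMPLE_NXDOMAIN = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A old-app.example-cloud.net
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12015
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example-cloud.net. 900 IN SOA ns1.example-cloud.net. hostmaster.example-cloud.net. 1 7200 900 1209600 86400
"""

SAMPLE_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
live-app.example-cloud.net. 300 IN A 203.0.113.10
"""

SAMPLE_ZONE = [
    ("old.example.com", "old-app.example-cloud.net", SAMPLE_NXDOMAIN),
    ("www.example.com", "live-app.example-cloud.net", SAMPLE_NOERROR),
]
```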
Ngrok allows you to expose a web server running on your local machine to the internet. Just tell ngrok what port your web server is listening on.
Visiting the subdomain from your browser will show a HTML page, like shown below:
Perform a dig or host command; you will see a CNAME record pointing to [CUSTOM].ngrok.io.
To perform the takeover:
./ngrok http 80 -subdomain quikke
Note, quikke needs to be replaced with the value before .ngrok.io.
The error message is basically saying that I do not have a HTTP service running on port 80 on my local machine.
readme.io is another service whose subdomains can be taken over if it says "Project doesnt exist... yet!". There's a sign-up button and if someone signs up, then simply entering the domain name in the custom domain option can take it over.
I took over developer.bksah.com earlier but didn't keep any PoC. But it looks the same, as readme.io-hosted sites are a subdomain of readme.io.
https://xyz124.readme.io/inactive
GitHub Pages
GitHub uses virtual hosting identical to other cloud services. The site needs to be specified explicitly in domain settings. Step-by-step process:
For screenshots, please refer to https://0xpatrik.com/takeover-proofs/.
To verify:
http -b GET http://{DOMAIN NAME} | grep -F -q "<strong>There isn't a GitHub Pages site here.</strong>" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"
(Note: DOMAIN NAME has to be the affected domain, not the github.io page itself. This is due to Host header forwarding which affects the HTTP response.)
There is only one format of GitHub Pages domains:
Please note that having a CNAME to github.io itself can also lead to subdomain takeover.
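The S3, Heroku and GitHub Pages checks above all follow one shape: match the CNAME target against the provider's domain formats, then fetch the affected hostname (so the Host header is the dangling name) and look for the provider's "unclaimed" fingerprint. The following script, added here and not code from the repository, does that over a zone export so a defender can audit their own records offline; the S3 patterns are the ones from the S3 section with the dots escaped, the Heroku and GitHub Pages patterns are my assumptions based on the domains those sections name, the fingerprints are the strings quoted in the verification commands, and the sample zone and bodies are constructed.

```python
import re

S3_PREFIX = r"^[a-z0-9\.\-]{0,63}\.?"
SERVICES = [
    {
        "name": "Amazon S3",
        "cname": [
            re.compile(S3_PREFIX + r"s3\.amazonaws\.com$"),
            re.compile(S3_PREFIX + r"s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws\.com(\.cn)?$"),
            re.compile(S3_PREFIX + r"s3[\.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$"),
            re.compile(S3_PREFIX + r"s3\.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$"),
        ],
        # Two error pages exist depending on whether website hosting is set.
        "fingerprints": ["<Code>NoSuchBucket</Code>", "<li>Code: NoSuchBucket</li>"],
    },
    {
        "name": "Heroku",  # pattern is an assumption covering both domains named above
        "cname": [re.compile(r"^[a-z0-9\-\.]+\.(herokudns|herokuapp)\.com$")],
        "fingerprints": ["//www.herokucdn.com/error-pages/no-such-app.html"],
    },
    {
        "name": "GitHub Pages",  # bare github.io counts too, as the note above says
        "cname": [re.compile(r"^([a-z0-9\-]+\.)?github\.io$")],
        "fingerprints": ["<strong>There isn't a GitHub Pages site here.</strong>"],
    },
]


def classify(cname_target, body):
    """Match the CNAME target against the provider patterns, then look for that
    provider's unclaimed-resource fingerprint in the body served for the affected
    hostname. A hit is a lead for manual review, not proof of takeover."""
    target = cname_target.rstrip(".").lower()
    for svc in SERVICES:
        if any(p.search(target) for p in svc["cname"]):
            hit = any(fp in body for fp in svc["fingerprints"])
            return {"service": svc["name"], "dangling": hit}
    return {"service": None, "dangling": False}


def audit_zone(records):
    """records: iterable of (hostname, cname_target, http_body). Returns hostnames
    whose CNAME points at a known provider and whose body shows the fingerprint."""
    return [host for host, target, body in records if classify(target, body)["dangling"]]


# Constructed sample zone: hostname, CNAME target and the body each one served.
SAMPLE_RECORDS = [
    ("files.example.com", "files-bucket.s3-website-us-east-1.amazonaws.com",
     "<html><ul><li>Code: NoSuchBucket</li></ul></html>"),
    ("app.example.com", "old-app.herokudns.com",
     '<iframe src="//www.herokucdn.com/error-pages/no-such-app.html"></iframe>'),
    ("docs.example.com", "acme.github.io", "<h1>Welcome to our docs</h1>"),
    ("www.example.com", "www.example.com.cdn.cloudflare.net", "<html>ok</html>"),
]
```

Records flagged by audit_zone are the ones to remove or re-claim before an outsider registers the resource.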
Distil Networks Portal
Requested Domain Unavailable
https://help.distilnetworks.com/hc/en-us/articles/216808648-Adding-Domains-and-Subdomains
There have been a few subdomains that I've come across now that look like this:
Server: AkamaiGHost
and the page will say:
Invalid URL The requested URL "[no URL]", is invalid.
As far as I can tell, this message is coming from Akamai, I'm assuming from their CDN service unless they have others? Does anyone know if this is vulnerable to a takeover?