"Can I Take Over XYZ?" - A List Of Services And How To Claim (Sub)Domains With Dangling DNS Records
What is a subdomain takeover?
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.You can read up more about subdomain takeovers here:
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
- https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
- https://0xpatrik.com/subdomain-takeover-ns/
Safely demonstrating a subdomain takeover
Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.How to contribute
You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.
A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26.
All entries
Engine | Status | Fingerprint | Discussion | Documentation |
---|---|---|---|---|
Akamai | Not vulnerable | Issue #13 | ||
AWS/S3 | Vulnerable | The specified bucket does not exist | Issue #36 | |
Bitbucket | Vulnerable | Repository not found | ||
Campaign Monitor | Vulnerable | 'Trying to access your account?' | Support Page | |
Cargo Collective | Vulnerable | 404 Not Found | Cargo Support Page | |
Cloudfront | Not vulnerable | ViewerCertificateException | Issue #29 | Domain Security on Amazon CloudFront |
Desk | Not vulnerable | Please try again or try Desk.com free for 14 days. | Issue #9 | |
Fastly | Edge case | Fastly error: unknown domain: | Issue #22 | |
Feedpress | Vulnerable | The feed has not been found. | HackerOne #195350 | |
Fly.io | Vulnerable | 404 Not Found | Issue #101 | |
Freshdesk | Not vulnerable | Freshdesk Support Page | ||
Ghost | Vulnerable | The thing you were looking for is no longer here, or never was | ||
Github | Vulnerable | There isn't a Github Pages site here. | Issue #37 Issue #68 | |
Gitlab | Not vulnerable | HackerOne #312118 | ||
Google Cloud Storage | Not vulnerable | |||
HatenaBlog | vulnerable | 404 Blog is not found | ||
Help Juice | Vulnerable | We could not find what you're looking for. | Help Juice Support Page | |
Help Scout | Vulnerable | No settings were found for this company: | HelpScout Docs | |
Heroku | Edge case | No such app | Issue #38 | |
Intercom | Vulnerable | Uh oh. That page doesn't exist. | Issue #69 | Help center |
JetBrains | Vulnerable | is not a registered InCloud YouTrack | YouTrack InCloud Help Page | |
Kinsta | Vulnerable | No Site For Domain | Issue #48 | kinsta-add-domain |
LaunchRock | Vulnerable | It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. | Issue #74 | |
Mashery | Edge Case | Unrecognized domain | HackerOne #275714, Issue #14 | |
Microsoft Azure | Vulnerable | Issue #35 | ||
Netlify | Edge Case | Issue #40 | ||
Pantheon | Vulnerable | 404 error unknown site! | Issue #24 | Pantheon-Sub-takeover |
Readme.io | Vulnerable | Project doesnt exist... yet! | Issue #41 | |
Sendgrid | Not vulnerable | |||
Shopify | Edge Case | Sorry, this shop is currently unavailable. | Issue #32, Issue #46 | Medium Article |
Squarespace | Not vulnerable | |||
Statuspage | Vulnerable | Visiting the subdomain will redirect users to https://www.statuspage.io. | PR #105 | Statuspage documentation |
Strikingly | Vulnerable | page not found | Issue #58 | Strikingly-Sub-takeover |
Surge.sh | Vulnerable | project not found | Surge Documentation | |
Tumblr | Vulnerable | Whatever you were looking for doesn't currently exist at this address | ||
Tilda | Edge Case | Please renew your subscription | PR #20 | |
Unbounce | Not vulnerable | The requested URL was not found on this server. | Issue #11 | |
Uptimerobot | Vulnerable | page not found | Issue #45 | Uptimerobot-Sub-takeover |
UserVoice | Vulnerable | This UserVoice subdomain is currently available! | ||
Webflow | Not Vulnerable | Issue #44 | forum webflow | |
Wordpress | Vulnerable | Do you want to register *.wordpress.com? | ||
WP Engine | Not vulnerable | |||
Zendesk | Not Vulnerable | Help Center Closed | Issue #23 | Zendesk Support |
"Can I Take Over XYZ?" - A List Of Services And How To Claim (Sub)Domains With Dangling DNS Records
Reviewed by Zion3R
on
9:06 AM
Rating: