• Stars
    star
    4,823
  • Rank 8,734 (Top 0.2 %)
  • Language
    Python
  • License
    Creative Commons ...
  • Created over 6 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

"Can I take over XYZ?" โ€” a list of services and how to claim (sub)domains with dangling DNS records.

image

Disclaimer โš ๏ธ

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion.

Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action.

Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: #26.

All entries

Note: fingerprints.json is automatically updated based on the content of this table.

Column header definitions:

  • Engine: Name of service
  • Status: Whether the service is vulnerable
  • Verified by CI/CD: Whether automated fingerprint check is currently passing
  • Domains: Comma-separate domains (used for fingerprint auto-verification)
  • Fingerprint: Regex indicating vulnerable page (or NXDOMAIN, indicating non-existent DNS record)
  • Discussion: Link to issue on this repo for discussion
  • Documentation: Link to official documentation
Engine Status Verified by CI/CD Domains Fingerprint Discussion Documentation
AWS/Elastic Beanstalk Vulnerable ๐ŸŸฉ elasticbeanstalk.com NXDOMAIN Issue #194
AWS/Load Balancer (ELB) Not vulnerable ๐ŸŸฅ elb.amazonaws.com NXDOMAIN Issue #137
AWS/S3 Vulnerable ๐ŸŸฉ s3.amazonaws.com The specified bucket does not exist Issue #36
Acquia Not vulnerable ๐ŸŸฅ Web Site Not Found Issue #103
Agile CRM Vulnerable ๐ŸŸฅ agilecrm.com Sorry, this page is no longer available. Issue #145
Airee.ru Vulnerable ๐ŸŸฉ airee.ru ะžัˆะธะฑะบะฐ 402. ะกะตั€ะฒะธั ะะนั€ะธ.ั€ั„ ะฝะต ะพะฟะปะฐั‡ะตะฝ Issue #104
Akamai Not vulnerable ๐ŸŸฅ Issue #13
Anima Vulnerable ๐ŸŸฉ animaapp.io The page you were looking for does not exist. Issue #126 Anima Documentation
Bitbucket Vulnerable ๐ŸŸฉ bitbucket.io Repository not found Issue #97
Campaign Monitor Vulnerable ๐ŸŸฅ Trying to access your account? Issue #275 Support Page
Canny Vulnerable ๐ŸŸฅ Company Not Found There is no such company. Did you enter the right URL? Issue #114
Cargo Collective Vulnerable ๐ŸŸฅ 404 Not Found Issue #152 Cargo Support Page
Cloudfront Not vulnerable ๐ŸŸฅ ViewerCertificateException Issue #29 Domain Security on Amazon CloudFront
Desk Not vulnerable ๐ŸŸฅ Please try again or try Desk.com free for 14 days. Issue #9
Digital Ocean Vulnerable ๐ŸŸฅ Domain uses DO name servers with no records in DO.
Discourse Vulnerable ๐ŸŸฉ trydiscourse.com NXDOMAIN Issue #49 Hackerone
Dreamhost Not vulnerable ๐ŸŸฅ Site Not Found Well, this is awkward. The site you're looking for is not here. Issue #153 Issue #5
Fastly Not vulnerable ๐ŸŸฅ Fastly error: unknown domain: Issue #22
Feedpress Not vulnerable ๐ŸŸฅ The feed has not been found. Issue #80
Firebase Not vulnerable ๐ŸŸฅ Issue #128
Fly.io Not vulnerable ๐ŸŸฅ 404 Not Found Issue #101
Freshdesk Not vulnerable ๐ŸŸฅ We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signup Issue #214 Freshdesk Support Page
Frontify Edge case ๐ŸŸฅ 404 - Page Not Found Oopsโ€ฆ looks like you got lost Issue #170
Gemfury Vulnerable ๐ŸŸฉ furyns.com 404: This page could not be found. Issue #154 Article
Getresponse Vulnerable ๐ŸŸฅ With GetResponse Landing Pages, lead generation has never been easier Issue #235
Ghost Vulnerable ๐ŸŸฅ ghost.io Site unavailable\.&#124;Failed to resolve DNS path for this host Issue #89
Github Edge case ๐ŸŸฅ There isn't a GitHub Pages site here. Issue #37 Issue #68
Gitlab Not vulnerable ๐ŸŸฅ HackerOne #312118
Google Cloud Storage Not vulnerable ๐ŸŸฅ <?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message></Error>
Google Sites Not vulnerable ๐ŸŸฅ The requested URL was not found on this server. Thatโ€™s all we know. Issue #277 Google Support
HatenaBlog Vulnerable ๐ŸŸฉ hatenablog.com 404 Blog is not found
Help Juice Vulnerable ๐ŸŸฉ helpjuice.com We could not find what you're looking for. Help Juice Support Page
Help Scout Vulnerable ๐ŸŸฉ helpscoutdocs.com No settings were found for this company: HelpScout Docs
Helprace Vulnerable ๐ŸŸฉ helprace.com HTTP_STATUS=301 Issue #115
Heroku Edge case ๐ŸŸฅ No such app Issue #38
HubSpot Not vulnerable ๐ŸŸฅ This page isn't available Issue #59
Instapage Not vulnerable ๐ŸŸฅ Issue #73
Intercom Edge case ๐ŸŸฅ Uh oh. That page doesn't exist. Issue #69 Help center
JetBrains Vulnerable ๐ŸŸฅ youtrack.cloud is not a registered InCloud YouTrack PR #107 YouTrack InCloud Help Page
Key CDN Not vulnerable ๐ŸŸฅ Issue #112
Kinsta Not vulnerable ๐ŸŸฅ No Site For Domain Issue #48 kinsta-add-domain
Landingi Edge case ๐ŸŸฅ It looks like youโ€™re lost... Issue #117
LaunchRock Vulnerable ๐ŸŸฉ launchrock.com HTTP_STATUS=500 Issue #74
Mailchimp Not vulnerable ๐ŸŸฅ We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active. Discussion #250
Mashery Edge case ๐ŸŸฅ Unrecognized domain Issue #14 HackerOne
Microsoft Azure Vulnerable ๐ŸŸฉ cloudapp.net, cloudapp.azure.com, azurewebsites.net, blob.core.windows.net, cloudapp.azure.com, azure-api.net, azurehdinsight.net, azureedge.net, azurecontainer.io, database.windows.net, azuredatalakestore.net, search.windows.net, azurecr.io, redis.cache.windows.net, azurehdinsight.net, servicebus.windows.net, visualstudio.com NXDOMAIN Issue #35
Netlify Edge case ๐ŸŸฅ Not Found - Request ID: Issue #40
Ngrok Vulnerable ๐ŸŸฉ ngrok.io Tunnel .*.ngrok.io not found Issue #92 Ngrok Documentation
Pantheon Vulnerable ๐ŸŸฅ 404 error unknown site! Issue #24 Documentation Pantheon-Sub-takeover
Pingdom Vulnerable ๐ŸŸฅ Sorry, couldn't find the status page Issue #144 Support Page
Readme.io Vulnerable ๐ŸŸฅ readme.io The creators of this project are still working on making everything perfect! Issue #41
Readthedocs Vulnerable ๐ŸŸฅ The link you have followed or the URL that you entered does not exist. Issue #160
Sendgrid Not vulnerable ๐ŸŸฅ
Shopify Edge case ๐ŸŸฅ Sorry, this shop is currently unavailable. Issue #32 Issue #46 Medium Article
Short.io Vulnerable ๐ŸŸฅ Link does not exist Issue #260
SmartJobBoard Vulnerable ๐ŸŸฉ 52.16.160.97 This job board website is either expired or its domain name is invalid. Issue #139 Support Page
Smartling Edge case ๐ŸŸฅ Domain is not configured Issue #67
Smugsmug Vulnerable ๐ŸŸฅ Issue #60
Squarespace Not vulnerable ๐ŸŸฅ
Statuspage Not vulnerable ๐ŸŸฅ Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc PR #105 PR #171 Statuspage documentation
Strikingly Vulnerable ๐ŸŸฉ s.strikinglydns.com PAGE NOT FOUND. Issue #58 Strikingly-Sub-takeover
Surge.sh Vulnerable ๐ŸŸฉ na-west1.surge.sh project not found Issue #198 Surge Documentation
SurveySparrow Vulnerable ๐ŸŸฉ surveysparrow.com Account not found. Issue #281 Custom domain
Tilda Edge case ๐ŸŸฅ Please renew your subscription Issue #155 PR #20
Tumblr Edge case ๐ŸŸฅ Whatever you were looking for doesn't currently exist at this address Issue #240 Tumblr Custom Domains
Uberflip Vulnerable ๐ŸŸฉ read.uberflip.com The URL you've accessed does not provide a hub. Issue #150 Uberflip Documentation
Unbounce Not vulnerable ๐ŸŸฅ The requested URL was not found on this server. Issue #11
Uptimerobot Vulnerable ๐ŸŸฅ stats.uptimerobot.com page not found Issue #45 Uptimerobot-Sub-takeover
UserVoice Not vulnerable ๐ŸŸฅ This UserVoice subdomain is currently available! Issue #163
Vercel Edge case ๐ŸŸฅ https://nonexistent-example.vercel.com/ DEPLOYMENT_NOT_FOUND. Issue #183 Adding & Configuring a Custom Domain
WP Engine Not vulnerable ๐ŸŸฅ
Webflow Edge case ๐ŸŸฅ The page you are looking for doesn't exist or has been moved. Issue #44 forum webflow
Wix Edge case ๐ŸŸฅ Looks Like This Domain Isn't Connected To A Website Yet! Issue #231
Wordpress Vulnerable ๐ŸŸฉ wordpress.com Do you want to register .*.wordpress.com? PR #176
Worksites Vulnerable ๐ŸŸฉ worksites.net, 69.164.223.206 Hello! Sorry, but the website you&rsquo;re looking for doesn&rsquo;t exist. Issue #142
Zendesk Not vulnerable ๐ŸŸฅ Help Center Closed Issue #23 Zendesk Support

More Repositories

1

bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters.
5,775
star
2

bugbountyguide

Bug Bounty Guide is a launchpad for bug bounty programs and bug bounty hunters.
HTML
453
star
3

megplus

Automated reconnaissance wrapper โ€” TomNomNom's meg on steroids. [DEPRECATED]
Shell
298
star
4

contact.sh

An OSINT tool to find contacts in order to report security vulnerabilities.
Shell
252
star
5

bugbountywiki

The Bug Bounty Wiki
167
star
6

proof-of-concepts

A little collection of fun and creative proof of concepts to demonstrate the potential impact of a security vulnerability.
HTML
162
star
7

bug-bounty-responses

A collection of response templates for invalid bug bounty reports.
80
star
8

hacks

Some random scripts. Just trying to be like the cool kids.
Shell
79
star
9

legal-bug-bounty

#legalbugbounty project โ€” creating safe harbors on bug bounty programs and vulnerability disclosure programs. Authored by Amit Elazari.
64
star
10

smith

Simple wrapper for meg that sieves through meg's output for you.
Shell
60
star
11

security-template

A static website template for security pages.
HTML
49
star
12

curate

A tool for fetching archived URLs (to be rewritten in Go).
Shell
39
star
13

h1-cli

A CLI tool to interact with hackerone.com. This was my submission for HackerOne's Summer 2018 Hack Day.
Shell
33
star
14

security-policy-specification-standard

This document proposes a way of standardising the structure, language, and grammar used in security policies.
25
star
15

hunter

Guidelines for writing secure code for Python developers.
18
star
16

cryptojourney-content

Learn the basics of cryptography throughout history.
18
star
17

bounty-formula

A formula to calculate bounty amounts.
HTML
12
star
18

propaganda

Generate a personal Jekyll website using your Bibtex references.
CSS
10
star
19

hackerone-security-policy

This is the security policy for https://hackerone.com/ed.
5
star
20

bounty-pls

A Chrome extension that spices up those #togetherwehitharder tweets.
JavaScript
5
star
21

edoverflow

2
star
22

slides

Slides from my past talks.
2
star
23

.gitignore

๐Ÿค”
1
star