Disclaimer ⚠️

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion.

Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action.

Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: #26.

All entries

Note: fingerprints.json is automatically updated based on the content of this table.

Column header definitions:

Engine: Name of service
Status: Whether the service is vulnerable
Verified by CI/CD: Whether automated fingerprint check is currently passing
Domains: Comma-separate domains (used for fingerprint auto-verification)
Fingerprint: Regex indicating vulnerable page (or NXDOMAIN, indicating non-existent DNS record)
Discussion: Link to issue on this repo for discussion
Documentation: Link to official documentation

Engine	Status	Verified by CI/CD	Domains	Fingerprint	Discussion	Documentation
AWS/Elastic Beanstalk	Vulnerable	🟩	elasticbeanstalk.com	`NXDOMAIN`	Issue #194
AWS/Load Balancer (ELB)	Not vulnerable	🟥	elb.amazonaws.com	`NXDOMAIN`	Issue #137
AWS/S3	Vulnerable	🟩	s3.amazonaws.com	`The specified bucket does not exist`	Issue #36
Acquia	Not vulnerable	🟥		`Web Site Not Found`	Issue #103
Agile CRM	Vulnerable	🟥	agilecrm.com	`Sorry, this page is no longer available.`	Issue #145
Airee.ru	Vulnerable	🟩	airee.ru	`Ошибка 402. Сервис Айри.рф не оплачен`	Issue #104
Akamai	Not vulnerable	🟥			Issue #13
Anima	Vulnerable	🟩	animaapp.io	`The page you were looking for does not exist.`	Issue #126	Anima Documentation
Bitbucket	Vulnerable	🟩	bitbucket.io	`Repository not found`	Issue #97
Campaign Monitor	Vulnerable	🟥		`Trying to access your account?`	Issue #275	Support Page
Canny	Vulnerable	🟥		`Company Not Found` `There is no such company. Did you enter the right URL?`	Issue #114
Cargo Collective	Vulnerable	🟥		`404 Not Found`	Issue #152	Cargo Support Page
Cloudfront	Not vulnerable	🟥		`ViewerCertificateException`	Issue #29	Domain Security on Amazon CloudFront
Desk	Not vulnerable	🟥		`Please try again or try Desk.com free for 14 days.`	Issue #9
Digital Ocean	Vulnerable	🟥		`Domain uses DO name servers with no records in DO.`
Discourse	Vulnerable	🟩	trydiscourse.com	`NXDOMAIN`	Issue #49	Hackerone
Dreamhost	Not vulnerable	🟥		`Site Not Found Well, this is awkward. The site you're looking for is not here.`	Issue #153 Issue #5
Fastly	Not vulnerable	🟥		`Fastly error: unknown domain:`	Issue #22
Feedpress	Not vulnerable	🟥		`The feed has not been found.`	Issue #80
Firebase	Not vulnerable	🟥			Issue #128
Fly.io	Not vulnerable	🟥		`404 Not Found`	Issue #101
Freshdesk	Not vulnerable	🟥		`We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signup`	Issue #214	Freshdesk Support Page
Frontify	Edge case	🟥		`404 - Page Not Found` `Oops… looks like you got lost`	Issue #170
Gemfury	Vulnerable	🟩	furyns.com	`404: This page could not be found.`	Issue #154	Article
Getresponse	Vulnerable	🟥		`With GetResponse Landing Pages, lead generation has never been easier`	Issue #235
Ghost	Vulnerable	🟥	ghost.io	`Site unavailable\.\|Failed to resolve DNS path for this host`	Issue #89
Github	Edge case	🟥		`There isn't a GitHub Pages site here.`	Issue #37 Issue #68
Gitlab	Not vulnerable	🟥			HackerOne #312118
Google Cloud Storage	Not vulnerable	🟥		`<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message></Error>`
Google Sites	Not vulnerable	🟥		`The requested URL was not found on this server. That’s all we know.`	Issue #277	Google Support
HatenaBlog	Vulnerable	🟩	hatenablog.com	`404 Blog is not found`
Help Juice	Vulnerable	🟩	helpjuice.com	`We could not find what you're looking for.`		Help Juice Support Page
Help Scout	Vulnerable	🟩	helpscoutdocs.com	`No settings were found for this company:`		HelpScout Docs
Helprace	Vulnerable	🟩	helprace.com	`HTTP_STATUS=301`	Issue #115
Heroku	Edge case	🟥		`No such app`	Issue #38
HubSpot	Not vulnerable	🟥		`This page isn't available`	Issue #59
Instapage	Not vulnerable	🟥			Issue #73
Intercom	Edge case	🟥		`Uh oh. That page doesn't exist.`	Issue #69	Help center
JetBrains	Vulnerable	🟥	youtrack.cloud	`is not a registered InCloud YouTrack`	PR #107	YouTrack InCloud Help Page
Key CDN	Not vulnerable	🟥			Issue #112
Kinsta	Not vulnerable	🟥		`No Site For Domain`	Issue #48	kinsta-add-domain
Landingi	Edge case	🟥		`It looks like you’re lost...`	Issue #117
LaunchRock	Vulnerable	🟩	launchrock.com	`HTTP_STATUS=500`	Issue #74
Mailchimp	Not vulnerable	🟥		`We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active.`	Discussion #250
Mashery	Edge case	🟥		`Unrecognized domain`	Issue #14	HackerOne
Microsoft Azure	Vulnerable	🟩	cloudapp.net, cloudapp.azure.com, azurewebsites.net, blob.core.windows.net, cloudapp.azure.com, azure-api.net, azurehdinsight.net, azureedge.net, azurecontainer.io, database.windows.net, azuredatalakestore.net, search.windows.net, azurecr.io, redis.cache.windows.net, azurehdinsight.net, servicebus.windows.net, visualstudio.com	`NXDOMAIN`	Issue #35
Netlify	Edge case	🟥		`Not Found - Request ID:`	Issue #40
Ngrok	Vulnerable	🟩	ngrok.io	`Tunnel .*.ngrok.io not found`	Issue #92	Ngrok Documentation
Pantheon	Vulnerable	🟥		`404 error unknown site!`	Issue #24	Documentation Pantheon-Sub-takeover
Pingdom	Vulnerable	🟥		`Sorry, couldn't find the status page`	Issue #144	Support Page
Readme.io	Vulnerable	🟥	readme.io	`The creators of this project are still working on making everything perfect!`	Issue #41
Readthedocs	Vulnerable	🟥		`The link you have followed or the URL that you entered does not exist.`	Issue #160
Sendgrid	Not vulnerable	🟥
Shopify	Edge case	🟥		`Sorry, this shop is currently unavailable.`	Issue #32 Issue #46	Medium Article
Short.io	Vulnerable	🟥		`Link does not exist`	Issue #260
SmartJobBoard	Vulnerable	🟩	52.16.160.97	`This job board website is either expired or its domain name is invalid.`	Issue #139	Support Page
Smartling	Edge case	🟥		`Domain is not configured`	Issue #67
Smugsmug	Vulnerable	🟥			Issue #60
Squarespace	Not vulnerable	🟥
Statuspage	Not vulnerable	🟥			Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc PR #105 PR #171	Statuspage documentation
Strikingly	Vulnerable	🟩	s.strikinglydns.com	`PAGE NOT FOUND.`	Issue #58	Strikingly-Sub-takeover
Surge.sh	Vulnerable	🟩	na-west1.surge.sh	`project not found`	Issue #198	Surge Documentation
SurveySparrow	Vulnerable	🟩	surveysparrow.com	`Account not found.`	Issue #281	Custom domain
Tilda	Edge case	🟥		`Please renew your subscription`	Issue #155 PR #20
Tumblr	Edge case	🟥		`Whatever you were looking for doesn't currently exist at this address`	Issue #240	Tumblr Custom Domains
Uberflip	Vulnerable	🟩	read.uberflip.com	`The URL you've accessed does not provide a hub.`	Issue #150	Uberflip Documentation
Unbounce	Not vulnerable	🟥		`The requested URL was not found on this server.`	Issue #11
Uptimerobot	Vulnerable	🟥	stats.uptimerobot.com	`page not found`	Issue #45	Uptimerobot-Sub-takeover
UserVoice	Not vulnerable	🟥		`This UserVoice subdomain is currently available!`	Issue #163
Vercel	Edge case	🟥	https://nonexistent-example.vercel.com/	`DEPLOYMENT_NOT_FOUND.`	Issue #183	Adding & Configuring a Custom Domain
WP Engine	Not vulnerable	🟥
Webflow	Edge case	🟥		`The page you are looking for doesn't exist or has been moved.`	Issue #44	forum webflow
Wix	Edge case	🟥		`Looks Like This Domain Isn't Connected To A Website Yet!`	Issue #231
Wordpress	Vulnerable	🟩	wordpress.com	`Do you want to register .*.wordpress.com?`	PR #176
Worksites	Vulnerable	🟩	worksites.net, 69.164.223.206	`Hello! Sorry, but the website you’re looking for doesn’t exist.`	Issue #142
Zendesk	Not vulnerable	🟥		`Help Center Closed`	Issue #23	Zendesk Support

EdOverflow/can-i-take-over-xyz

EdOverflow

Reviews

Repository Details