Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
You can read up more about subdomain takeovers here:
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
- https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
- https://0xpatrik.com/subdomain-takeover-ns/
Claim the subdomain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

```
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
```
You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.
A list of services that can be checked (although check for duplicates against this list first) can be found here: EdOverflow#26.
Engine | Status | Fingerprint | Discussion | Documentation |
---|---|---|---|---|
Akamai | Not vulnerable | | Issue #13 | |
AWS/S3 | Vulnerable | The specified bucket does not exist | Issue #36 | |
Bitbucket | Vulnerable | Repository not found | | |
Campaign Monitor | Vulnerable | | | Support Page |
Cargo Collective | Vulnerable | 404 Not Found | | Cargo Support Page |
Cloudfront | Edge case | Bad Request: ERROR: The request could not be satisfied | Issue #29 | |
Desk | Not vulnerable | Please try again or try Desk.com free for 14 days. | Issue #9 | |
Fastly | Edge case | Fastly error: unknown domain: | Issue #22 | |
Feedpress | Vulnerable | The feed has not been found. | HackerOne #195350 | |
Freshdesk | Not vulnerable | | | Freshdesk Support Page |
Ghost | Vulnerable | The thing you were looking for is no longer here, or never was | | |
Github | Vulnerable | There isn't a Github Pages site here. | Issue #37 | |
Gitlab | Not vulnerable | | HackerOne #312118 | |
Google Cloud Storage | Not vulnerable | | | |
Help Juice | Vulnerable | We could not find what you're looking for. | | Help Juice Support Page |
Help Scout | Vulnerable | No settings were found for this company: | | HelpScout Docs |
Heroku | Edge case | No such app | Issue #38 | |
JetBrains | Vulnerable | is not a registered InCloud YouTrack | | |
Mashery | Not vulnerable | Unrecognized domain | HackerOne #275714, Issue #14 | |
Microsoft Azure | Vulnerable | | Issue #35 | |
Netlify | Edge case | | Issue #40 | |
Readme.io | Vulnerable | Project doesnt exist... yet! | Issue #41 | |
Sendgrid | Not vulnerable | | | |
Shopify | Edge case | Sorry, this shop is currently unavailable. | Issue #32, Issue #46 | Medium Article |
Squarespace | Not vulnerable | | | |
Statuspage | Not vulnerable | | PR #65 | |
Surge.sh | Vulnerable | project not found | | Surge Documentation |
Tumblr | Vulnerable | Whatever you were looking for doesn't currently exist at this address | | |
Tilda | Edge case | Please renew your subscription | PR #20 | |
Unbounce | Not vulnerable | The requested URL was not found on this server. | Issue #11 | |
UserVoice | Vulnerable | This UserVoice subdomain is currently available! | | |
Wordpress | Vulnerable | Do you want to register *.wordpress.com? | | |
WP Engine | Not vulnerable | | | |
Zendesk | Not vulnerable | Help Center Closed | Issue #23 | Zendesk Support |
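The following script is an added example (not part of this project) showing how a domain owner can audit their own zone for the dangling records described at the top of this page: it infers the hosting provider from each CNAME target, then checks the HTTP response body against the fingerprints from the table above and keeps only the hits whose table status is not "Not vulnerable". The CNAME-suffix map, the sample zone and the sample response bodies are constructed for the example and are assumptions, not data from the project; `fetch_body` is an optional live helper and is not exercised by the sample run.

```python
"""Audit a DNS zone's CNAME records for dangling third-party targets.

Added example, not code from the can-i-take-over-xyz project. Fingerprints
below are copied from the table on the page; the CNAME suffix map and the
sample zone/bodies are this example's own constructed assumptions.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# service -> (status from the table, fingerprint string from the table)
FINGERPRINTS: Dict[str, Tuple[str, str]] = {
    "AWS/S3": ("Vulnerable", "The specified bucket does not exist"),
    "Bitbucket": ("Vulnerable", "Repository not found"),
    "Github": ("Vulnerable", "There isn't a Github Pages site here."),
    "Heroku": ("Edge case", "No such app"),
    "Shopify": ("Edge case", "Sorry, this shop is currently unavailable."),
    "Surge.sh": ("Vulnerable", "project not found"),
    "Tumblr": ("Vulnerable", "Whatever you were looking for doesn't currently exist at this address"),
    "Unbounce": ("Not vulnerable", "The requested URL was not found on this server."),
    "Zendesk": ("Not vulnerable", "Help Center Closed"),
}

# CNAME suffix -> service. ASSUMPTION of this example about where each provider
# hosts customer sites; confirm against the provider's own documentation.
CNAME_HINTS: Dict[str, str] = {
    ".s3.amazonaws.com": "AWS/S3",
    ".bitbucket.io": "Bitbucket",
    ".github.io": "Github",
    ".herokuapp.com": "Heroku",
    ".myshopify.com": "Shopify",
    ".surge.sh": "Surge.sh",
    ".domains.tumblr.com": "Tumblr",
    ".unbouncepages.com": "Unbounce",
    ".zendesk.com": "Zendesk",
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    service: Optional[str]   # provider inferred from the CNAME target
    matched: Optional[str]   # provider whose fingerprint appeared in the body
    status: Optional[str]    # table status for the matched provider


def service_from_cname(cname: str) -> Optional[str]:
    """Map a CNAME target (trailing dot allowed) to a known provider."""
    host = cname.rstrip(".").lower()
    for suffix, service in CNAME_HINTS.items():
        if host.endswith(suffix):
            return service
    return None


def match_fingerprint(body: str) -> Optional[str]:
    """Return the first provider whose table fingerprint occurs in the body."""
    lowered = body.lower()
    for service, (_status, fingerprint) in FINGERPRINTS.items():
        if fingerprint.lower() in lowered:
            return service
    return None


def classify(subdomain: str, cname: str, body: str) -> Finding:
    service = service_from_cname(cname)
    matched = match_fingerprint(body)
    status = FINGERPRINTS[matched][0] if matched else None
    return Finding(subdomain, cname, service, matched, status)


def audit(zone: List[Tuple[str, str]], bodies: Dict[str, str]) -> List[Finding]:
    """Classify every (subdomain, cname) pair using the supplied bodies."""
    return [classify(sub, cname, bodies.get(sub, "")) for sub, cname in zone]


def dangling(findings: List[Finding]) -> List[Finding]:
    """Records worth a ticket: a fingerprint hit whose status is not 'Not vulnerable'."""
    return [f for f in findings if f.matched and f.status != "Not vulnerable"]


def fetch_body(host: str, timeout: float = 5.0) -> str:
    """Live helper for real audits: GET http://host/ and return the body (error pages included)."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        return ""


# Constructed sample zone and stand-in HTTP bodies (not real hosts or responses).
SAMPLE_ZONE: List[Tuple[str, str]] = [
    ("blog.example.com", "example-blog.github.io."),
    ("assets.example.com", "example-assets.s3.amazonaws.com."),
    ("shop.example.com", "example-shop.myshopify.com."),
    ("support.example.com", "example.zendesk.com."),
    ("www.example.com", "example.com."),
]
SAMPLE_BODIES: Dict[str, str] = {
    "blog.example.com": "<html><body>There isn't a GitHub Pages site here.</body></html>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>",
    "shop.example.com": "<html><body>Welcome to the example shop. Cart (0)</body></html>",
    "support.example.com": "<html><body>Help Center Closed</body></html>",
    "www.example.com": "<html><body>Hello from example.com</body></html>",
}

if __name__ == "__main__":
    for f in dangling(audit(SAMPLE_ZONE, SAMPLE_BODIES)):
        print(f"{f.subdomain} -> {f.cname} [{f.service}] fingerprint={f.matched} status={f.status}")
```

Two points the run illustrates: the Shopify record resolves to a known provider but shows no fingerprint, so it is healthy and not reported; the Zendesk record does show its fingerprint but the table marks that service "Not vulnerable", so `dangling` drops it. For a real audit, replace `SAMPLE_BODIES` with `fetch_body` output for your own zone and treat each reported record as a DNS record to delete or re-point.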