"Can I Take Over XYZ?" - A List Of Services And How To Claim (Sub)Domains With Dangling DNS Records

2019-08-19T02:10:40
ID KITPLOIT:108394148920726632
Type kitploit
Reporter KitPloit
Modified 2019-08-19T02:10:40

Description

What is a subdomain takeover?

> Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover
Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to contribute
You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md
A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26

All entries
Engine | Status | Fingerprint | Discussion | Documentation
---|---|---|---|---
Akamai | Not vulnerable | | Issue #13 |
AWS/S3 | Vulnerable | The specified bucket does not exist | Issue #36 |
Bitbucket | Vulnerable | Repository not found | |
Campaign Monitor | Vulnerable | 'Trying to access your account?' | | Support Page
Cargo Collective | Vulnerable | 404 Not Found | | Cargo Support Page
Cloudfront | Not vulnerable | ViewerCertificateException | Issue #29 | Domain Security on Amazon CloudFront
Desk | Not vulnerable | Please try again or try Desk.com free for 14 days. | Issue #9 |
Fastly | Edge case | Fastly error: unknown domain: | Issue #22 |
Feedpress | Vulnerable | The feed has not been found. | HackerOne #195350 |
Fly.io | Vulnerable | 404 Not Found | Issue #101 |
Freshdesk | Not vulnerable | | | Freshdesk Support Page
Ghost | Vulnerable | The thing you were looking for is no longer here, or never was | |
Github | Vulnerable | There isn't a Github Pages site here. | Issue #37, Issue #68 |
Gitlab | Not vulnerable | | HackerOne #312118 |
Google Cloud Storage | Not vulnerable | | |
HatenaBlog | Vulnerable | 404 Blog is not found | |
Help Juice | Vulnerable | We could not find what you're looking for. | | Help Juice Support Page
Help Scout | Vulnerable | No settings were found for this company: | | HelpScout Docs
Heroku | Edge case | No such app | Issue #38 |
Intercom | Vulnerable | Uh oh. That page doesn't exist. | Issue #69 | Help center
JetBrains | Vulnerable | is not a registered InCloud YouTrack | | YouTrack InCloud Help Page
Kinsta | Vulnerable | No Site For Domain | Issue #48 | kinsta-add-domain
LaunchRock | Vulnerable | It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. | Issue #74 |
Mashery | Edge case | Unrecognized domain | HackerOne #275714, Issue #14 |
Microsoft Azure | Vulnerable | | Issue #35 |
Netlify | Edge case | | Issue #40 |
Pantheon | Vulnerable | 404 error unknown site! | Issue #24 | Pantheon-Sub-takeover
Readme.io | Vulnerable | Project doesnt exist... yet! | Issue #41 |
Sendgrid | Not vulnerable | | |
Shopify | Edge case | Sorry, this shop is currently unavailable. | Issue #32, Issue #46 | Medium Article
Squarespace | Not vulnerable | | |
Statuspage | Vulnerable | Visiting the subdomain will redirect users to https://www.statuspage.io. | PR #105 | Statuspage documentation
Strikingly | Vulnerable | page not found | Issue #58 | Strikingly-Sub-takeover
Surge.sh | Vulnerable | project not found | | Surge Documentation
Tumblr | Vulnerable | Whatever you were looking for doesn't currently exist at this address | |
Tilda | Edge case | Please renew your subscription | PR #20 |
Unbounce | Not vulnerable | The requested URL was not found on this server. | Issue #11 |
Uptimerobot | Vulnerable | page not found | Issue #45 | Uptimerobot-Sub-takeover
UserVoice | Vulnerable | This UserVoice subdomain is currently available! | |
Webflow | Not vulnerable | | Issue #44 | forum webflow
Wordpress | Vulnerable | Do you want to register *.wordpress.com? | |
WP Engine | Not vulnerable | | |
Zendesk | Not vulnerable | Help Center Closed | Issue #23 | Zendesk Support
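The table above is most useful to a defender as input to a periodic check of their own DNS zone: for every subdomain with a CNAME, confirm that the target still resolves, and compare the HTTP body served for the subdomain against the known fingerprints. The following is an added example of such a triage routine; it is not part of the can-i-take-over-xyz project. It reproduces only a subset of the table's fingerprints, and the DNS/HTTP inputs are constructed inline (with `.invalid` hostnames) so it runs offline; in practice the `resolves` and `body` values would come from a resolver and an HTTP client.

```python
"""Offline triage of CNAME records against the takeover fingerprint table.

Added example, not project code. Fingerprints are copied from the table;
the sample records below are constructed and use RFC 2606 reserved names.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# (service, status, fingerprint substring) as listed in the table above.
FINGERPRINTS = [
    ("AWS/S3", "Vulnerable", "The specified bucket does not exist"),
    ("Bitbucket", "Vulnerable", "Repository not found"),
    ("Fastly", "Edge case", "Fastly error: unknown domain:"),
    ("Github", "Vulnerable", "There isn't a Github Pages site here."),
    ("Heroku", "Edge case", "No such app"),
    ("Pantheon", "Vulnerable", "404 error unknown site!"),
    ("Shopify", "Edge case", "Sorry, this shop is currently unavailable."),
    ("Surge.sh", "Vulnerable", "project not found"),
    ("Unbounce", "Not vulnerable", "The requested URL was not found on this server."),
    ("Zendesk", "Not vulnerable", "Help Center Closed"),
]


@dataclass
class Finding:
    subdomain: str
    cname: Optional[str]
    verdict: str                  # "ok" | "dangling-cname" | "fingerprint"
    service: Optional[str] = None
    status: Optional[str] = None  # table status when a fingerprint matched


def match_fingerprint(body: str) -> Optional[tuple[str, str]]:
    """Return (service, status) for the first table fingerprint present in body."""
    lowered = body.lower()
    for service, status, fp in FINGERPRINTS:
        if fp.lower() in lowered:
            return service, status
    return None


def triage(subdomain: str, cname: Optional[str], resolves: bool, body: str) -> Finding:
    """Classify one zone record.

    cname:    CNAME target of the subdomain, or None if it has no CNAME.
    resolves: whether the CNAME target still has address records
              (NXDOMAIN from the resolver maps to False).
    body:     HTTP response body fetched via the subdomain ("" if no response).
    """
    if cname is None:
        return Finding(subdomain, None, "ok")  # A/AAAA-only records are out of scope here
    if not resolves:
        # Target no longer exists in DNS: classic dangling record, regardless of body.
        return Finding(subdomain, cname, "dangling-cname")
    hit = match_fingerprint(body)
    if hit:
        service, status = hit
        return Finding(subdomain, cname, "fingerprint", service, status)
    return Finding(subdomain, cname, "ok")


def needs_action(f: Finding) -> bool:
    """True when the record should be removed or re-claimed by the owner.

    A 'Not vulnerable' fingerprint is still reported (the record is stale),
    but only Vulnerable / Edge case statuses and dangling targets are flagged.
    """
    if f.verdict == "dangling-cname":
        return True
    return f.verdict == "fingerprint" and f.status in ("Vulnerable", "Edge case")


# Constructed sample zone data: (subdomain, cname, target resolves?, body).
SAMPLE_RECORDS = [
    ("www.example.com", "cdn-edge.example-host.invalid", True, "<html>welcome</html>"),
    ("shop.example.com", "shops.example-shop.invalid", True,
     "Sorry, this shop is currently unavailable."),
    ("old.example.com", "decommissioned.example-host.invalid", False, ""),
    ("files.example.com", "bucket.example-storage.invalid", True,
     "<Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>"),
    ("help.example.com", "help.example-desk.invalid", True, "Help Center Closed"),
]


def run(records=SAMPLE_RECORDS) -> list[Finding]:
    """Triage every record and return the findings in input order."""
    return [triage(*r) for r in records]


if __name__ == "__main__":
    for f in run():
        flag = "ACTION" if needs_action(f) else "info"
        print(f"{flag:6} {f.subdomain:20} {f.verdict:15} {f.service or '-'} {f.status or ''}")
```

The ordering matters: an unresolvable CNAME target is reported before any fingerprint check, because a dangling target is a problem whether or not a recognisable error page is served. Fingerprint substrings are compared case-insensitively since several services vary the capitalisation of their error pages.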
