Skip to content

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Notifications You must be signed in to change notification settings

BugHunterID/can-i-take-over-xyz

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 

Repository files navigation

image

Created by

Twitter Twitter Twitter Twitter Twitter Twitter

What is a sub-domain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Claim the subdomain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: EdOverflow#26.

All entries

Engine Status Fingerprint Discussion Documentation
Akamai Not vulnerable Issue #13
AWS/S3 Vulnerable The specified bucket does not exist Issue #36
Bitbucket Vulnerable Repository not found
Campaign Monitor Vulnerable Support Page
Cargo Collective Vulnerable 404 Not Found Cargo Support Page
Cloudfront Edge case Bad Request: ERROR: The request could not be satisfied Issue #29
Desk Not vulnerable Please try again or try Desk.com free for 14 days. Issue #9
Fastly Edge case Fastly error: unknown domain: Issue #22
Feedpress Vulnerable The feed has not been found. HackerOne #195350
Freshdesk Not vulnerable Freshdesk Support Page
Ghost Vulnerable The thing you were looking for is no longer here, or never was
Github Vulnerable There isn't a Github Pages site here. Issue #37
Gitlab Not vulnerable HackerOne #312118
Google Cloud Storage Not vulnerable
Help Juice Vulnerable We could not find what you're looking for. Help Juice Support Page
Help Scout Vulnerable No settings were found for this company: HelpScout Docs
Heroku Edge case No such app Issue #38
JetBrains Vulnerable is not a registered InCloud YouTrack
Mashery Not vulnerable Unrecognized domain HackerOne #275714, Issue #14
Microsoft Azure Vulnerable Issue #35
Netlify Edge Case Issue #40
Readme.io Vulnerable Project doesnt exist... yet! Issue #41
Sendgrid Not vulnerable
Shopify Edge Case Sorry, this shop is currently unavailable. Issue #32, Issue #46 Medium Article
Squarespace Not vulnerable
Statuspage Not vulnerable PR #65
Surge.sh Vulnerable project not found Surge Documentation
Tumblr Vulnerable Whatever you were looking for doesn't currently exist at this address
Tilda Edge Case Please renew your subscription PR #20
Unbounce Not vulnerable The requested URL was not found on this server. Issue #11
UserVoice Vulnerable This UserVoice subdomain is currently available!
Wordpress Vulnerable Do you want to register *.wordpress.com?
WP Engine Not vulnerable
Zendesk Not Vulnerable Help Center Closed Issue #23 Zendesk Support

About

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published