Created by @jackds1986, @gerben_javado, @0xibram, and @EdOverflow.
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
You can read up more about subdomain takeovers here: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/.
Claim the subdomain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
Answer: Yes ✔️
Look for: 404 Not Found
Reference: http://support.2.cargocollective.com/Using-a-Third-Party-Domain
Answer: Yes ✔️
Look for: 4o’4! We could not find what you're looking for.
Reference: https://help.helpjuice.com/34339-getting-started/custom-domain
Answer: Yes ✔️
Look for a 404 page and either an A record pointing to 192.30.252.153 or 192.30.252.154, or a CNAME record for username.github.io. The latter requires owning the GitHub handle, so navigate to github.com/username to make sure that the username has not already been registered.
Reference: https://hackerone.com/reports/263902
Answer: No ❎
GitLab requires a TXT record with a verification token in order to set a custom domain. This was fixed as a result of https://hackerone.com/reports/312118.
Answer: Yes ✔️
If a domain has a CNAME record for *.s3.amazonaws.com and is returning NoSuchBucket, then all you need to do is create a bucket with that name. You will need an AWS account, but the free tier is more than enough for a PoC. You can then upload a simple txt file at a random path as a proof of concept.
Answer: Yes ✔️
When it comes to CloudFront subdomain takeovers, always check both ports 80 and 443. The error message "Bad Request" must be displayed on both ports to ensure that one can claim it on AWS.
If you find a domain that displays this error message on both ports, try adding that domain as a CNAME to your CloudFront distribution on http://aws.amazon.com/.
Reference: https://blog.zsec.uk/subdomainhijack/
Answer: Yes ✔️
Reference: https://hackerone.com/reports/49663
Answer: Yes ✔️
Reference: https://docs.helpscout.net/article/42-setup-custom-domain
Answer: Yes ✔️
Reference: https://help.campaignmonitor.com/custom-domain-names
Answer: No ❎
Answer: Yes ✔️
Azure can host various services: Web Apps (*.azurewebsites.net), Cloud Services (*.cloudapp.net), Traffic Manager profiles (*.trafficmanager.net) or Blob Storage (*.blob.core.windows.net), to name a few. In general, once a service is removed its address becomes available to others.
Note: For Web Apps, if the subdomain points to Azure using an A record, the takeover might not be possible if the corresponding TXT record is missing (see https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain).
To create a service, an account at https://portal.azure.com is needed (a valid credit card is required once the trial expires).
Answer: Yes ✔️
Answer: Yes ✔️
Subdomains can be taken over if the root domain doesn't already belong to a Fastly account.
Answer: Yes ✔️
Check the CNAME record. If it's pointing at *.herokuapp.com and is returning "No such app", then all you need to do is create a new app on Heroku with that name.
Answer: Yes ✔️
Check for an A record pointing to 66.6.44.4 with a subsequent 'Not found.' on the page's title or a 'There's nothing here.' on the page itself.
Answer: No ❎
Google requires domain verification in order to claim domains for Google Cloud Storage.
Answer: Yes ✔️
Look for the following message:
"Domain mapping upgrade for this domain not found"
Answer: Yes ✔️
Look for the following error message and make sure the host has a CNAME pointing to redirect.feedpress.me:
"The feed has not been found"
Reference: https://hackerone.com/reports/195350
Answer: No ❎
Squarespace requires domain verification and doesn't allow claiming expired domains.
Answer: Yes ✔️
A vulnerable UserVoice instance will return the error message seen below:
"This UserVoice subdomain is currently available!"
Reference: https://hackerone.com/reports/269109
Answer: Yes ✔️
Look for: Oops, this help center no longer exists
Answer: Yes ✔️
This one is a little tricky since you need to pay for the service in order to register a custom domain.
Reference: https://hackerone.com/reports/202767
Answer: Yes ✔️
The host will either have a CNAME record pointing to na-west1.surge.sh or an A record for 45.55.110.124.
Reference: https://surge.sh/help/adding-a-custom-domain
Answer: No ❎
Answer: Yes ✔️
The host should have a CNAME record pointing to Mashery.
Reference: https://hackerone.com/reports/275714
Answer: Yes ✔️
The host should have a CNAME record pointing to *.ghost.io; note that hosting costs $20.
Answer: Yes ✔️
Similar to GitHub, the CNAME record will be pointing at *.bitbucket.io.
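The fingerprints above (S3, CloudFront, Heroku, GitHub Pages, Surge, FeedPress, UserVoice, Ghost and Bitbucket) are easiest to apply consistently when they are encoded once and run over an inventory of your own subdomains. The following script is an added example, not part of the original page or any of the projects it references: it takes what an owner would collect for each host (CNAME target, A records, and the HTTP status and body seen on ports 80 and 443) and reports which fingerprints match, including the CloudFront rule that "Bad Request" must appear on both ports. The match strings, hostnames and IP addresses are the ones given on this page; the sample observations, host names and the `Observation`/`check` names are constructed for illustration.

```python
"""
Offline matcher for the dangling-DNS fingerprints listed on this page.
Intended for auditing your own zone: collect an Observation per subdomain,
run check(), and clean up any record that matches before it is noticed.
Sample observations below are constructed, not real hosts or responses.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Observation:
    host: str
    cname: Optional[str] = None                       # CNAME target, if any
    a_records: list = field(default_factory=list)     # A records, if any
    responses: dict = field(default_factory=dict)     # port -> (status, body)


# Fingerprints taken from the page. Keys: cname (glob on the CNAME target),
# a (A records), status (HTTP status), body (substring of the error page),
# ports ("any": one port suffices; "all": 80 and 443 must both match).
# A fingerprint without status/body matches on DNS alone (candidate only).
FINGERPRINTS = [
    {"service": "Amazon S3", "cname": "*.s3.amazonaws.com", "body": "NoSuchBucket"},
    {"service": "Amazon CloudFront", "body": "Bad Request", "ports": "all"},
    {"service": "Heroku", "cname": "*.herokuapp.com", "body": "No such app"},
    {"service": "GitHub Pages", "cname": "*.github.io",
     "a": ["192.30.252.153", "192.30.252.154"], "status": 404},
    {"service": "Surge", "cname": "na-west1.surge.sh", "a": ["45.55.110.124"]},
    {"service": "FeedPress", "cname": "redirect.feedpress.me",
     "body": "The feed has not been found"},
    {"service": "UserVoice", "body": "This UserVoice subdomain is currently available!"},
    {"service": "Ghost", "cname": "*.ghost.io"},
    {"service": "Bitbucket", "cname": "*.bitbucket.io"},
]


def _dns_matches(fp: dict, obs: Observation) -> bool:
    """True when the fingerprint's DNS condition holds, or it has none."""
    if "cname" not in fp and "a" not in fp:
        return True
    cname = (obs.cname or "").rstrip(".").lower()   # DNS answers may end in "."
    if "cname" in fp and cname and fnmatch(cname, fp["cname"]):
        return True
    return any(ip in fp.get("a", []) for ip in obs.a_records)


def _response_matches(fp: dict, status: int, body: str) -> bool:
    """Check one port's response against the status/body condition."""
    if "status" in fp and status != fp["status"]:
        return False
    return "body" not in fp or fp["body"] in body


def _http_matches(fp: dict, obs: Observation) -> bool:
    """Apply the response condition across the observed ports."""
    if "status" not in fp and "body" not in fp:
        return True                                   # DNS-only fingerprint
    if fp.get("ports", "any") == "all":
        # CloudFront: the error must be present on BOTH 80 and 443.
        return all(p in obs.responses and _response_matches(fp, *obs.responses[p])
                   for p in (80, 443))
    return any(_response_matches(fp, s, b) for s, b in obs.responses.values())


def check(obs: Observation) -> list:
    """Return the service names of every fingerprint the observation satisfies."""
    return [fp["service"] for fp in FINGERPRINTS
            if _dns_matches(fp, obs) and _http_matches(fp, obs)]


# Constructed sample observations (hosts, targets and bodies are made up).
SAMPLES = {
    "dangling-s3": Observation("assets.example.com", "assets-example.s3.amazonaws.com.",
                               responses={80: (404, "<Code>NoSuchBucket</Code>")}),
    "cloudfront-both-ports": Observation("cdn.example.com", "example.cloudfront.net",
                                         responses={80: (403, "ERROR: Bad Request"),
                                                    443: (403, "ERROR: Bad Request")}),
    "cloudfront-one-port": Observation("cdn2.example.com", "example.cloudfront.net",
                                       responses={80: (403, "ERROR: Bad Request"),
                                                  443: (200, "<html>live site</html>")}),
    "github-a-record": Observation("docs.example.com", a_records=["192.30.252.153"],
                                   responses={443: (404, "<title>Page not found</title>")}),
    "healthy-heroku": Observation("app.example.com", "example-app.herokuapp.com",
                                  responses={443: (200, "<html>Welcome</html>")}),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(f"{name:24s} -> {check(obs) or 'no fingerprint matched'}")
```

DNS-only entries (Surge, Ghost, Bitbucket) are reported as candidates because the page gives no error string for them; a live site on those providers will match too, so confirm those hits by hand. The CloudFront entry deliberately fails when only one port shows "Bad Request", mirroring the page's instruction to check both.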
Answer: No ❎
Sendgrid generates a verification token that mitigates subdomain takeovers.
Reference: https://sendgrid.com/docs/Classroom/Basics/Whitelabel/setup_domain_whitelabel.html