The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion. Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action. Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise. Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com. You can read up more about subdomain takeovers here: Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path: Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program. I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after. You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md. A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26. Note: Column header definitions:
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
fingerprints.json is automatically updated based on the content of this table.Engine: Name of serviceStatus: Whether the service is vulnerableVerified by CI/CD: Whether automated fingerprint check is currently passingDomains: Comma-separate domains (used for fingerprint auto-verification)Fingerprint: Regex indicating vulnerable page (or NXDOMAIN, indicating non-existent DNS record)Discussion: Link to issue on this repo for discussionDocumentation: Link to official documentationEngine Status Verified by CI/CD Domains Fingerprint Discussion Documentation AWS/Elastic Beanstalk Vulnerable 🟩 elasticbeanstalk.com NXDOMAINIssue #194 AWS/Load Balancer (ELB) Not vulnerable 🟥 elb.amazonaws.com NXDOMAINIssue #137 AWS/S3 Vulnerable 🟩 s3.amazonaws.com The specified bucket does not existIssue #36 Acquia Not vulnerable 🟥 Web Site Not FoundIssue #103 Agile CRM Vulnerable 🟥 agilecrm.com Sorry, this page is no longer available.Issue #145 Airee.ru Vulnerable 🟩 airee.ru Ошибка 402. Сервис Айри.рф не оплаченIssue #104 Akamai Not vulnerable 🟥 Issue #13 Anima Vulnerable 🟩 animaapp.io The page you were looking for does not exist.Issue #126 Anima Documentation Bitbucket Vulnerable 🟩 bitbucket.io Repository not foundIssue #97 Campaign Monitor Vulnerable 🟥 Trying to access your account?Issue #275 Support Page Canny Vulnerable 🟥
Company Not Found There is no such company. Did you enter the right URL?Issue #114 Cargo Collective Vulnerable 🟥 404 Not FoundIssue #152 Cargo Support Page Cloudfront Not vulnerable 🟥 ViewerCertificateExceptionIssue #29 Domain Security on Amazon CloudFront Desk Not vulnerable 🟥 Please try again or try Desk.com free for 14 days.Issue #9 Digital Ocean Vulnerable 🟥 Domain uses DO name servers with no records in DO.Discourse Vulnerable 🟩 trydiscourse.com NXDOMAINIssue #49 Hackerone Dreamhost Not vulnerable 🟥 Site Not Found Well, this is awkward. The site you're looking for is not here.
Issue #153 Issue #5 Fastly Not vulnerable 🟥 Fastly error: unknown domain:Issue #22 Feedpress Not vulnerable 🟥 The feed has not been found.Issue #80 Firebase Not vulnerable 🟥 Issue #128 Fly.io Not vulnerable 🟥 404 Not FoundIssue #101 Freshdesk Not vulnerable 🟥 We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signupIssue #214 Freshdesk Support Page Frontify Edge case 🟥
404 - Page Not Found Oops… looks like you got lostIssue #170 Gemfury Vulnerable 🟥 furyns.com 404: This page could not be found.Issue #154 Article Getresponse Vulnerable 🟥 With GetResponse Landing Pages, lead generation has never been easierIssue #235 Ghost Vulnerable 🟥 ghost.io Site unavailable\.|Failed to resolve DNS path for this hostIssue #89 Github Edge case 🟥 There isn't a GitHub Pages site here.
Issue #37 Issue #68 Gitlab Not vulnerable 🟥 HackerOne #312118 Google Cloud Storage Not vulnerable 🟥 <?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message></Error>Google Sites Not vulnerable 🟥 The requested URL was not found on this server. That’s all we know.Issue #277 Google Support HatenaBlog Vulnerable 🟩 hatenablog.com 404 Blog is not foundHelp Juice Vulnerable 🟩 helpjuice.com We could not find what you're looking for.Help Juice Support Page Help Scout Vulnerable 🟩 helpscoutdocs.com No settings were found for this company:HelpScout Docs Helprace Vulnerable 🟩 helprace.com HTTP_STATUS=301Issue #115 Heroku Edge case 🟥 No such appIssue #38 HubSpot Not vulnerable 🟥 This page isn't availableIssue #59 Instapage Not vulnerable 🟥 Issue #73 Intercom Edge case 🟥 Uh oh. That page doesn't exist.Issue #69 Help center JetBrains Vulnerable 🟥 youtrack.cloud is not a registered InCloud YouTrackPR #107 YouTrack InCloud Help Page Key CDN Not vulnerable 🟥 Issue #112 Kinsta Not vulnerable 🟥 No Site For DomainIssue #48 kinsta-add-domain Landingi Edge case 🟥 It looks like you’re lost...Issue #117 LaunchRock Vulnerable 🟥 launchrock.com HTTP_STATUS=500Issue #74 Mailchimp Not vulnerable 🟥 We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active.Discussion #250 Mashery Edge case 🟥 Unrecognized domainIssue #14 HackerOne Microsoft Azure Vulnerable 🟩 cloudapp.net, cloudapp.azure.com, azurewebsites.net, blob.core.windows.net, cloudapp.azure.com, azure-api.net, azurehdinsight.net, azureedge.net, azurecontainer.io, database.windows.net, azuredatalakestore.net, search.windows.net, azurecr.io, redis.cache.windows.net, azurehdinsight.net, servicebus.windows.net, visualstudio.com NXDOMAINIssue #35 Netlify Edge case 🟥 Not Found - Request ID:Issue #40 Ngrok Vulnerable 🟥 ngrok.io Tunnel .*.ngrok.io not foundIssue #92 Ngrok Documentation Pantheon Vulnerable 🟥 404 error unknown site!Issue #24
Documentation Pantheon-Sub-takeover Pingdom Vulnerable 🟥 Sorry, couldn't find the status pageIssue #144 Support Page Readme.io Vulnerable 🟥 readme.io The creators of this project are still working on making everything perfect!Issue #41 Readthedocs Vulnerable 🟥 The link you have followed or the URL that you entered does not exist.Issue #160 Sendgrid Not vulnerable 🟥 Shopify Edge case 🟥 Sorry, this shop is currently unavailable.
Issue #32 Issue #46 Medium Article Short.io Vulnerable 🟥 Link does not existIssue #260 SmartJobBoard Vulnerable 🟩 52.16.160.97 This job board website is either expired or its domain name is invalid.Issue #139 Support Page Smartling Edge case 🟥 Domain is not configuredIssue #67 Smugsmug Vulnerable 🟥 Issue #60 Squarespace Not vulnerable 🟥 Statuspage Not vulnerable 🟥 Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc PR #105 PR #171 Statuspage documentation Strikingly Vulnerable 🟩 s.strikinglydns.com PAGE NOT FOUND.Issue #58 Strikingly-Sub-takeover Surge.sh Vulnerable 🟩 na-west1.surge.sh project not foundIssue #198 Surge Documentation SurveySparrow Vulnerable 🟩 surveysparrow.com Account not found.Issue #281 Custom domain Tilda Edge case 🟥 Please renew your subscription
Issue #155 PR #20 Tumblr Edge case 🟥 Whatever you were looking for doesn't currently exist at this addressIssue #240 Tumblr Custom Domains Uberflip Vulnerable 🟩 read.uberflip.com The URL you've accessed does not provide a hub.Issue #150 Uberflip Documentation Unbounce Not vulnerable 🟥 The requested URL was not found on this server.Issue #11 Uptimerobot Vulnerable 🟥 stats.uptimerobot.com page not foundIssue #45 Uptimerobot-Sub-takeover UserVoice Not vulnerable 🟥 This UserVoice subdomain is currently available!Issue #163 Vercel Edge case 🟥 https://nonexistent-example.vercel.com/ DEPLOYMENT_NOT_FOUND.Issue #183 Adding & Configuring a Custom Domain WP Engine Not vulnerable 🟥 Webflow Edge case 🟥 The page you are looking for doesn't exist or has been moved.Issue #44 forum webflow Wix Edge case 🟥 Looks Like This Domain Isn't Connected To A Website Yet!Issue #231 Wordpress Vulnerable 🟩 wordpress.com Do you want to register .*.wordpress.com?PR #176 Worksites Vulnerable 🟩 worksites.net, 69.164.223.206 Hello! Sorry, but the website you’re looking for doesn’t exist.Issue #142 Zendesk Not vulnerable 🟥 Help Center ClosedIssue #23 Zendesk Support