can-i-take-over-xyz

image

Disclaimer ⚠️

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion.

Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action.

Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26.

All entries

Note: fingerprints.json is automatically updated based on the content of this table.

Column header definitions:

  • Engine: Name of service
  • Status: Whether the service is vulnerable
  • Verified by CI/CD: Whether automated fingerprint check is currently passing
  • Domains: Comma-separate domains (used for fingerprint auto-verification)
  • Fingerprint: Regex indicating vulnerable page (or NXDOMAIN, indicating non-existent DNS record)
  • Discussion: Link to issue on this repo for discussion
  • Documentation: Link to official documentation
EngineStatusVerified by CI/CDDomainsFingerprintDiscussionDocumentation
AWS/Elastic BeanstalkVulnerable🟩elasticbeanstalk.comNXDOMAINIssue #194
AWS/Load Balancer (ELB)Not vulnerableπŸŸ₯elb.amazonaws.comNXDOMAINIssue #137
AWS/S3Vulnerable🟩s3.amazonaws.comThe specified bucket does not existIssue #36
AcquiaNot vulnerableπŸŸ₯Web Site Not FoundIssue #103
Agile CRMVulnerableπŸŸ₯agilecrm.comSorry, this page is no longer available.Issue #145
Airee.ruVulnerable🟩airee.ruОшибка 402. БСрвис Айри.Ρ€Ρ„ Π½Π΅ ΠΎΠΏΠ»Π°Ρ‡Π΅Π½Issue #104
AkamaiNot vulnerableπŸŸ₯Issue #13
AnimaVulnerable🟩animaapp.ioThe page you were looking for does not exist.Issue #126Anima Documentation
BitbucketVulnerable🟩bitbucket.ioRepository not foundIssue #97
Campaign MonitorVulnerableπŸŸ₯Trying to access your account?Issue #275Support Page
CannyVulnerableπŸŸ₯ Company Not Found There is no such company. Did you enter the right URL?Issue #114
Cargo CollectiveVulnerableπŸŸ₯404 Not FoundIssue #152Cargo Support Page
CloudfrontNot vulnerableπŸŸ₯ViewerCertificateExceptionIssue #29Domain Security on Amazon CloudFront
DeskNot vulnerableπŸŸ₯Please try again or try Desk.com free for 14 days.Issue #9
Digital OceanVulnerableπŸŸ₯Domain uses DO name servers with no records in DO.
DiscourseVulnerable🟩trydiscourse.comNXDOMAINIssue #49Hackerone
DreamhostNot vulnerableπŸŸ₯Site Not Found Well, this is awkward. The site you're looking for is not here. Issue #153 Issue #5
FastlyNot vulnerableπŸŸ₯Fastly error: unknown domain:Issue #22
FeedpressNot vulnerableπŸŸ₯The feed has not been found.Issue #80
FirebaseNot vulnerableπŸŸ₯Issue #128
Fly.ioNot vulnerableπŸŸ₯404 Not FoundIssue #101
FreshdeskNot vulnerableπŸŸ₯We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signupIssue #214Freshdesk Support Page
FrontifyEdge caseπŸŸ₯ 404 - Page Not Found Oops… looks like you got lostIssue #170
GemfuryVulnerable🟩furyns.com404: This page could not be found.Issue #154Article
GetresponseVulnerableπŸŸ₯With GetResponse Landing Pages, lead generation has never been easierIssue #235
GhostVulnerableπŸŸ₯ghost.ioSite unavailable\.&#124;Failed to resolve DNS path for this hostIssue #89
GithubEdge caseπŸŸ₯There isn't a GitHub Pages site here. Issue #37 Issue #68
GitlabNot vulnerableπŸŸ₯HackerOne #312118
Google Cloud StorageNot vulnerableπŸŸ₯<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message></Error>
Google SitesNot vulnerableπŸŸ₯The requested URL was not found on this server. That’s all we know.Issue #277Google Support
HatenaBlogVulnerable🟩hatenablog.com404 Blog is not found
Help JuiceVulnerable🟩helpjuice.comWe could not find what you're looking for.Help Juice Support Page
Help ScoutVulnerable🟩helpscoutdocs.comNo settings were found for this company:HelpScout Docs
HelpraceVulnerable🟩helprace.comHTTP_STATUS=301Issue #115
HerokuEdge caseπŸŸ₯No such appIssue #38
HubSpotNot vulnerableπŸŸ₯This page isn't availableIssue #59
InstapageNot vulnerableπŸŸ₯Issue #73
IntercomEdge caseπŸŸ₯Uh oh. That page doesn't exist.Issue #69Help center
JetBrainsVulnerableπŸŸ₯youtrack.cloudis not a registered InCloud YouTrackPR #107YouTrack InCloud Help Page
Key CDNNot vulnerableπŸŸ₯Issue #112
KinstaNot vulnerableπŸŸ₯No Site For DomainIssue #48kinsta-add-domain
LandingiEdge caseπŸŸ₯It looks like you’re lost...Issue #117
LaunchRockVulnerableπŸŸ₯launchrock.comHTTP_STATUS=500Issue #74
MailchimpNot vulnerableπŸŸ₯We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active.Discussion #250
MasheryEdge caseπŸŸ₯Unrecognized domainIssue #14HackerOne
Microsoft AzureVulnerable🟩cloudapp.net, cloudapp.azure.com, azurewebsites.net, blob.core.windows.net, cloudapp.azure.com, azure-api.net, azurehdinsight.net, azureedge.net, azurecontainer.io, database.windows.net, azuredatalakestore.net, search.windows.net, azurecr.io, redis.cache.windows.net, azurehdinsight.net, servicebus.windows.net, visualstudio.comNXDOMAINIssue #35
NetlifyEdge caseπŸŸ₯Not Found - Request ID:Issue #40
NgrokVulnerable🟩ngrok.ioTunnel .*.ngrok.io not foundIssue #92Ngrok Documentation
PantheonVulnerableπŸŸ₯404 error unknown site!Issue #24 Documentation Pantheon-Sub-takeover
PingdomVulnerableπŸŸ₯Sorry, couldn't find the status pageIssue #144Support Page
Readme.ioVulnerableπŸŸ₯readme.ioThe creators of this project are still working on making everything perfect!Issue #41
ReadthedocsVulnerableπŸŸ₯The link you have followed or the URL that you entered does not exist.Issue #160
SendgridNot vulnerableπŸŸ₯
ShopifyEdge caseπŸŸ₯Sorry, this shop is currently unavailable. Issue #32 Issue #46Medium Article
Short.ioVulnerableπŸŸ₯Link does not existIssue #260
SmartJobBoardVulnerable🟩52.16.160.97This job board website is either expired or its domain name is invalid.Issue #139Support Page
SmartlingEdge caseπŸŸ₯Domain is not configuredIssue #67
SmugsmugVulnerableπŸŸ₯Issue #60
SquarespaceNot vulnerableπŸŸ₯
StatuspageNot vulnerableπŸŸ₯Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc PR #105 PR #171Statuspage documentation
StrikinglyVulnerable🟩s.strikinglydns.comPAGE NOT FOUND.Issue #58Strikingly-Sub-takeover
Surge.shVulnerable🟩na-west1.surge.shproject not foundIssue #198Surge Documentation
SurveySparrowVulnerable🟩surveysparrow.comAccount not found.Issue #281Custom domain
TildaEdge caseπŸŸ₯Please renew your subscription Issue #155 PR #20
TumblrEdge caseπŸŸ₯Whatever you were looking for doesn't currently exist at this addressIssue #240Tumblr Custom Domains
UberflipVulnerable🟩read.uberflip.comThe URL you've accessed does not provide a hub.Issue #150Uberflip Documentation
UnbounceNot vulnerableπŸŸ₯The requested URL was not found on this server.Issue #11
UptimerobotVulnerableπŸŸ₯stats.uptimerobot.compage not foundIssue #45Uptimerobot-Sub-takeover
UserVoiceNot vulnerableπŸŸ₯This UserVoice subdomain is currently available!Issue #163
VercelEdge caseπŸŸ₯https://nonexistent-example.vercel.com/DEPLOYMENT_NOT_FOUND.Issue #183Adding & Configuring a Custom Domain
WP EngineNot vulnerableπŸŸ₯
WebflowEdge caseπŸŸ₯The page you are looking for doesn't exist or has been moved.Issue #44forum webflow
WixEdge caseπŸŸ₯Looks Like This Domain Isn't Connected To A Website Yet!Issue #231
WordpressVulnerable🟩wordpress.comDo you want to register .*.wordpress.com?PR #176
WorksitesVulnerable🟩worksites.net, 69.164.223.206Hello! Sorry, but the website you&rsquo;re looking for doesn&rsquo;t exist.Issue #142
ZendeskNot vulnerableπŸŸ₯Help Center ClosedIssue #23Zendesk Support