Can I take over XYZ?

Created by @jackds1986, @gerben_javado, @0xibram, and @EdOverflow.

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/.

Claim the subdomain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Cargo Collective

Answer: Yes ✔️

Look for: 404 Not Found

Reference: http://support.2.cargocollective.com/Using-a-Third-Party-Domain

Help Juice

Answer: Yes ✔️

Look for: 4o’4! We could not find what you're looking for.

Reference: https://help.helpjuice.com/34339-getting-started/custom-domain

GitHub

Answer: Yes ✔️

Look for a 404 page and either an A record pointing to 192.30.252.153 or 192.30.252.154, or a CNAME record for username.github.io. The latter requires owning the GitHub handle so navigate to github.com/username to make sure that the username has not already been registered.

Reference: https://hackerone.com/reports/263902

Gitlab

Answer: No ❎

GitLab require a text record with a verification token in order to set the custom domain. This was fixed as a result of https://hackerone.com/reports/312118.

AWS/S3

Answer: Yes ✔️

If a domain has a CNAME record for *.s3.amazonaws.com and is returning NoSuchBucket, then all you need to do is to create a bucket with that name. You will need an AWS account, however, you can use the free tier which is more than enough for a PoC. You can then upload a simple txt file at a random path as a proof of concept.

Cloudfront

Answer: Yes ✔️

When it comes to Cloudfront subdomain takeovers always check both ports 80 and 443. The error message "Bad Request" must be displayed on both ports to ensure that one can claim it on AWS.

If you find a domain that displays this error message, try adding that domain as CNAME to your CloudFront instance on http://aws.amazon.com/ .

Reference: https://blog.zsec.uk/subdomainhijack/

Statuspage

Answer: Yes ✔️

Reference: https://hackerone.com/reports/49663

Help Scout

Answer: Yes ✔️

Reference: https://docs.helpscout.net/article/42-setup-custom-domain

Campaign Monitor

Answer: Yes ✔️

Reference: https://help.campaignmonitor.com/custom-domain-names

WP Engine

Answer: No ❎

Azure

Answer: Depends

Shopify

Answer: Yes ✔️

Fastly

Answer: Yes ✔️

Subdomains can be taken over if the root domain doesn't already belong to a Fastly account.

Heroku

Answer: Yes ✔️

Check the CNAME record. If it's pointing at *.herokuapp.com, and is returning "No such app", then all you need to do is to create a new app on Heroku with that name.

Tumblr

Answer: Yes ✔️

Check for an A record pointing to 66.6.44.4 with a subsequent 'Not found.' on the page's title or a 'There's nothing here.' on the page itself.

Google Cloud Storage

Answer: No ❎

Google requires domain verification in order to claim domains for Google Cloud Storage.

Wordpress

Answer: Yes ✔️

Look for the following message:

"Domain mapping upgrade for this domain not found"

Feedpress

Answer: Yes ✔️

Look for the following error message and make sure the host has a CNAME pointing to redirect.feedpress.me:

"The feed has not been found"

Reference: https://hackerone.com/reports/195350

Squarespace

Answer: No ❎

Squarespace requires domain verification and doesn't allow claiming expired domains.

Reference: https://support.squarespace.com/hc/en-us/articles/205812378-Connecting-a-domain-to-your-Squarespace-site

UserVoice

Answer: Yes ✔️

A vulnerable UserVoice instance will return the error message seen below:

"This UserVoice subdomain is currently available!"

Reference: https://hackerone.com/reports/269109

Zendesk

Answer: Yes ✔️

Look for: Oops, this help center no longer exists

Reference: https://support.zendesk.com/hc/en-us/articles/203664356-Changing-the-address-of-your-Help-Center-subdomain-host-mapping-

Unbounce

Answer: Yes ✔️

This one is a little tricky since you need to pay for the service in order to register a custom domain.

Reference: https://hackerone.com/reports/202767

Surge.sh

Answer: Yes ✔️

The host will either have a CNAME record pointing to na-west1.surge.sh or an A record for 45.55.110.124.

Reference: https://surge.sh/help/adding-a-custom-domain

Freshdesk

Answer: No ❎

Reference: https://support.freshdesk.com/support/solutions/articles/37590-using-a-vanity-support-url-and-pointing-the-cname

Mashery

Answer: Yes ✔️

The host should have CNAME record pointing to Mashery.

Reference: https://hackerone.com/reports/275714

Ghost

Answer: Yes ✔️

The host should have CNAME record pointing to *.ghost.io, also it costs $20 to host.

Bitbucket

Answer: Yes ✔️

Similar to Github, the CNAME record will be pointing at *.bitbucket.io.

Sendgrid

Answer: No ❎

Sendgrid generates a verification token that mitigates subdomain takeovers.

Reference: https://sendgrid.com/docs/Classroom/Basics/Whitelabel/setup_domain_whitelabel.html