The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion. On top of that, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
You can read up more about subdomain takeovers here:
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
- https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
- https://0xpatrik.com/subdomain-takeover-ns/
Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.
You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.
A list of services that can be checked (although check for duplicates against this list first) can be found here: EdOverflow#26.
| Engine | Status | Fingerprint | Discussion | Documentation |
|---|---|---|---|---|
| Akamai | Not vulnerable | Issue #13 | ||
| AWS/S3 | Vulnerable | The specified bucket does not exist |
Issue #36 | |
| Bitbucket | Vulnerable | Repository not found |
||
| Campaign Monitor | Vulnerable | Support Page | ||
| Cargo Collective | Vulnerable | 404 Not Found |
Cargo Support Page | |
| Cloudfront | Edge case | Bad Request: ERROR: The request could not be satisfied |
Issue #29 | |
| Desk | Not vulnerable | Please try again or try Desk.com free for 14 days. |
Issue #9 | |
| Fastly | Edge case | Fastly error: unknown domain: |
Issue #22 | |
| Feedpress | Vulnerable | The feed has not been found. |
HackerOne #195350 | |
| Freshdesk | Not vulnerable | Freshdesk Support Page | ||
| Ghost | Vulnerable | The thing you were looking for is no longer here, or never was |
||
| Github | Vulnerable | There isn't a Github Pages site here. |
Issue #37 | |
| Gitlab | Not vulnerable | HackerOne #312118 | ||
| Google Cloud Storage | Not vulnerable | |||
| Help Juice | Vulnerable | We could not find what you're looking for. |
Help Juice Support Page | |
| Help Scout | Vulnerable | No settings were found for this company: |
HelpScout Docs | |
| Heroku | Edge case | No such app |
Issue #38 | |
| JetBrains | Vulnerable | is not a registered InCloud YouTrack |
||
| Kinsta | Vulnerable | No Site For Domain |
Issue #48 | kinsta-add-domain |
| Mashery | Not vulnerable | Unrecognized domain |
HackerOne #275714, Issue #14 | |
| Microsoft Azure | Vulnerable | Issue #35 | ||
| Netlify | Edge Case | Issue #40 | ||
| Readme.io | Vulnerable | Project doesnt exist... yet! |
Issue #41 | |
| Sendgrid | Not vulnerable | |||
| Shopify | Edge Case | Sorry, this shop is currently unavailable. |
Issue #32, Issue #46 | Medium Article |
| Squarespace | Not vulnerable | |||
| Statuspage | Not vulnerable | PR #65 | ||
| Surge.sh | Vulnerable | project not found |
Surge Documentation | |
| Tumblr | Vulnerable | Whatever you were looking for doesn't currently exist at this address |
||
| Tilda | Edge Case | Please renew your subscription |
PR #20 | |
| Unbounce | Not vulnerable | The requested URL was not found on this server. |
Issue #11 | |
| UserVoice | Vulnerable | This UserVoice subdomain is currently available! |
||
| Webflow | Vulnerable | 404 Page Not Found |
Issue #44 | forum webflow |
| Wordpress | Vulnerable | Do you want to register *.wordpress.com? |
||
| WP Engine | Not vulnerable | |||
| Zendesk | Not Vulnerable | Help Center Closed |
Issue #23 | Zendesk Support |