Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
You can read up more about subdomain takeovers here: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/.
Claim the subdomain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:
```shell
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
```
| Engine | Possible | Fingerprint | Reference |
|---|---|---|---|
| AWS/S3 | Yes | The specified bucket does not exist | |
| Bitbucket | Yes | Repository not found | |
| Campaign Monitor | Yes | | [Support Page](https://help.campaignmonitor.com/custom-domain-names) |
| Cargo Collective | Yes | 404 Not Found | [Cargo Support Page](http://support.2.cargocollective.com/Using-a-Third-Party-Domain) |
| Cloudfront | Yes | Bad Request: ERROR: The request could not be satisfied | https://blog.zsec.uk/subdomainhijack/ |
| Desk | Yes | Sorry, We Couldn't Find That Page | |
| Fastly | Yes | Fastly error: unknown domain: | |
| Feedpress | Yes | The feed has not been found. | https://hackerone.com/reports/195350 |
| Freshdesk | No | | Freshdesk Support Page |
| Ghost | Yes | The thing you were looking for is no longer here, or never was | |
| Github | Yes | There isn't a Github Pages site here. | https://hackerone.com/reports/263902 |
| Gitlab | No | | https://hackerone.com/reports/312118 |
| Google Cloud Storage | No | | |
| Help Juice | Yes | We could not find what you're looking for. | [Help Juice Support Page](https://help.helpjuice.com/34339-getting-started/custom-domain) |
| Help Scout | Yes | No settings were found for this company: | [HelpScout Docs](https://docs.helpscout.net/article/42-setup-custom-domain) |
| Heroku | Yes | No such app | |
| JetBrains | Yes | is not a registered InCloud YouTrack | |
| Mashery | No | Unrecognized domain | https://hackerone.com/reports/275714 |
| Microsoft Azure | Yes | | |
| Sendgrid | No | | |
| Shopify | Yes | Sorry, this shop is currently unavailable. | |
| Squarespace | No | | |
| Statuspage | Yes | You are being redirected | https://hackerone.com/reports/49663 |
| Surge.sh | Yes | project not found | https://surge.sh/help/adding-a-custom-domain |
| Tumblr | Yes | Whatever you were looking for doesn't currently exist at this address | |
| Unbounce | Yes | The requested URL was not found on this server. | https://hackerone.com/reports/202767 |
| UserVoice | Yes | This UserVoice subdomain is currently available! | |
| Wordpress | Yes | Do you want to register *.wordpress.com? | |
| WP Engine | No | | |
| Zendesk | Yes | Help Center Closed | Zendesk Support |
Answer: Yes ✔️
Look for: 404 Not Found
Reference: http://support.2.cargocollective.com/Using-a-Third-Party-Domain
Answer: Yes ✔️
Look for: 4o’4! We could not find what you're looking for.
Reference: https://help.helpjuice.com/34339-getting-started/custom-domain
Answer: Yes ✔️
Look for a 404 page and either an A record pointing to 192.30.252.153 or 192.30.252.154, or a CNAME record for username.github.io. The latter requires owning the GitHub handle, so navigate to github.com/username to make sure that the username has not already been registered.
Reference: https://hackerone.com/reports/263902
Answer: No ❎
GitLab requires a TXT record with a verification token in order to set a custom domain. This was fixed as a result of https://hackerone.com/reports/312118.
Answer: Yes ✔️
If a domain has a CNAME record for *.s3.amazonaws.com and is returning NoSuchBucket, then all you need to do is create a bucket with that name. You will need an AWS account; the free tier is more than enough for a PoC. You can then upload a simple txt file at a random path as a proof of concept.
Answer: Yes ✔️
When it comes to Cloudfront subdomain takeovers, always check both ports 80 and 443. The error message "Bad Request" must be displayed on both ports to ensure that one can claim it on AWS.
If you find a domain that displays this error message, try adding that domain as CNAME to your CloudFront instance on http://aws.amazon.com/ .
Reference: https://blog.zsec.uk/subdomainhijack/
Answer: Yes ✔️
Reference: https://hackerone.com/reports/49663
Answer: Yes ✔️
Reference: https://docs.helpscout.net/article/42-setup-custom-domain
Answer: Yes ✔️
Reference: https://help.campaignmonitor.com/custom-domain-names
Answer: No ❎
Answer: Yes ✔️
Azure can host various services: Web Apps (*.azurewebsites.net), Cloud Services (*.cloudapp.net), Traffic Manager profiles (*.trafficmanager.net) or Blob Storage (*.blob.core.windows.net), to name a few. In general, once a service is removed its address becomes available to others.
Note: For Web Apps, if the subdomain points to Azure using an A record the takeover might not be possible if the corresponding TXT record is missing (see https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain.)
To create a service an account at https://portal.azure.com is needed (a valid CC is required once the trial expires).
Answer: Yes ✔️
Answer: Yes ✔️
Subdomains can be taken over if the root domain doesn't already belong to a Fastly account.
Answer: Yes ✔️
Check the CNAME record. If it's pointing at *.herokuapp.com and is returning "No such app", then all you need to do is to create a new app on Heroku with that name.
Answer: Yes ✔️
Check for an A record pointing to 66.6.44.4 with a subsequent 'Not found.' on the page's title or a 'There's nothing here.' on the page itself.
Answer: No ❎
Google requires domain verification in order to claim domains for Google Cloud Storage.
Answer: Yes ✔️
Look for the following message:
"Domain mapping upgrade for this domain not found"
Answer: Yes ✔️
Look for the following error message and make sure the host has a CNAME pointing to redirect.feedpress.me:
"The feed has not been found"
Reference: https://hackerone.com/reports/195350
Answer: No ❎
Squarespace requires domain verification and doesn't allow claiming expired domains.
Answer: Yes ✔️
A vulnerable UserVoice instance will return the error message seen below:
"This UserVoice subdomain is currently available!"
Reference: https://hackerone.com/reports/269109
Answer: Yes ✔️
Look for: Oops, this help center no longer exists
Answer: Yes ✔️
This one is a little tricky since you need to pay for the service in order to register a custom domain.
Reference: https://hackerone.com/reports/202767
Unbounce takeovers are also only possible in cases where an Unbounce CNAME has been set up but an Unbounce project has not been created. This is an extremely unlikely scenario, and Unbounce takeovers should be approached with scepticism until a proof of concept has been delivered.
Answer: Yes ✔️
The host will either have a CNAME record pointing to na-west1.surge.sh or an A record for 45.55.110.124.
Reference: https://surge.sh/help/adding-a-custom-domain
Answer: No ❎
Answer: No ❎
This was previously possible when the host had a CNAME record pointing to Mashery.
Reference: https://hackerone.com/reports/275714
At this point in time (June-2018), Mashery takeovers no longer appear possible.
Answer: Yes ✔️
The host should have a CNAME record pointing to *.ghost.io; note that it costs $20 to host.
Answer: Yes ✔️
Similar to Github, the CNAME record will be pointing at *.bitbucket.io.
Answer: No ❎
Sendgrid generates a verification token that mitigates subdomain takeovers.
Reference: https://sendgrid.com/docs/Classroom/Basics/Whitelabel/setup_domain_whitelabel.html
Answer: Yes ✔️
The CNAME record will be pointing to *.desk.com, and will redirect to this page: http://support.desk.com/system/site_not_found
Answer: Yes ✔️
The CNAME record will be pointing to *.myjetbrains.com, and will redirect to this page: https://www.jetbrains.com/youtrack/youtrack-hosted-master/instanceIsNotRegistered/*