Subdomains pointing to vercel.com are vulnerable
ScrubsAndStats opened this issue ยท 33 comments
Service name
Vercel
Proof
Successful subdomain takeover on a harvard.edu subdomain (screenshot).
Documentation
- Create a new repository on Github and upload an index.html
- Visit https://vercel.com/ and sign up using your Github account
- Create a new project and point it to the previously created Github repository
- Open the "Domains" tab on Vercel and add the vulnerable domain
- Boom! Exploited!
Can you share the cname regex and the fingerprint?
Can you share the cname regex and the fingerprint?
Sure
{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }
There are definitely edge cases here.
$ host -t CNAME anythingrandom.console.dev.twilio.com
anythingrandom.console.dev.twilio.com is an alias for cname.vercel-dns.com.
$ curl 'https://anythingrandom.console.dev.twilio.com/' ๏ 10:12:48
The deployment could not be found on Vercel.
DEPLOYMENT_NOT_FOUND
so the cname we need to grep is vercel-dns.com not vercel.com. thank you @adityathebe
Can you share the cname regex and the fingerprint?
Sure
{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }
are you takeover any subdomain? Do you have any poc?
Summary for 2021:
U can takeover mashed.potato.com only if potato.com is not used in the account of the victim, otherwise, u will get Already owned err.
This can be closed as Edge-case
It still vulnerable yesterday I takeover 2 subdomains and I've upload my index
@M359AH u took over mashed.potato.com even when potato.com is already registered? If yes, please share how you managed to do that? Just curious :0
@jan-muhammad-zaidi
Hello Muhammed
I've found the subdomain I got this error page
- After it, I go to see the CNAME
;; AUTHORITY SECTION:
vercel.app. 60 IN SOA ns1.vercel-dns.com. hostmaster.nsone.net. 1644228969 43200 7200 1209600 60
;; Query time: 134 msec
;; SERVER:#53(.131)
;; WHEN: Mon Feb 07 12:41:00 EET 2022
;; MSG SIZE rcvd: 119
Now I go to vercel.app and add a public repository contains my PoC index and after import the project I've add the domain and added successfully
and my PoC has been uploaded
Hello @jan-muhammad-zaidi
I think your target is not vulnerable because It should be registered without an errors like my comment above
@M359AH no issues with the edit though :P
Hello Fatma, Umar
Unfortunately, I didn't find this error before
me aswelll
no more takeover
Domain takeovers using Vercel are definitely still possible.
However, they are limited. In my testing, I found that a domain is not vulnerable if:
- The root domain is used by a Vercel account (i.e. the root domain points to
76.76.21.21
and is linked to a project). - The domain/root domain is verified, even if the root domain does not point to
76.76.21.21
. - Another subdomain of the same root domain is used by a Vercel account.
In practice, this means many subdomains will not be vulnerable (but subdomains definitely can be vulnerable).
There seems to be only one way to be sure a domain is vulnerable or not: try it out.
I created a PR to update the README: #375
I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?
Any success on this?
I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?
This has happened to me too, please show me the solution
Yes I think the exploitation now will not complete
Shouldn't this be marked not vulnerable at this point?
It should be closed as Not Vulnerable