Fastly Restrictions
riramar opened this issue · 70 comments
Fastly will work only in some specific situations. In some cases they validate the customer domain before assigning the fastly.net subdomain.
Verifying domain ownership
Any time you request addition of a domain to a certificate, you must verify you own the domain. This helps us ensure no one else is using your domain without your permission.
That certainly merits further investigation!
@EdOverflow I'm unable to look at this for a week, what's your capacity like? Happy for you to tag me on this if you're snowed under also.
Related to the work on #20 I think this should be done in a test cases and then added to the main readme.
Hi @EdOverflow ,
I've been confirmed on my last report that this is not a valid vulnerability. This is the default Fastly error message if you are visiting the sub-domain directly which is not the intended use case, since it is part of a redirect by the CDN.
Regards,
tolo7010
Hi @EdOverflow,
Is it still possible to claim subdomain on Fastly?
Regards,
Hi @EdOverflow,
Is it still possible to claim subdomain on Fastly?
Regards,
Yes Bro I do a Takeover last 2 days for a 4 domains.
Can someone post step by step subdomain takeover on fastly?
@n1ghtfox its simple and easy ..
- create a new service ( ex: version 1) .
- add subdomain or domain if accept to add your domain this mean you can takeover it then do the next steps.
- then in the Origin Host add Your VPS ip without ssl if not include port 80.
- Active your service ( version 1 )
if you don't want to wait to know if the domain connecting to vps or not .. You can check it directly by goto domains then near to domain name you will see
Test Domain
which will open a Link like this
http://domain.com.global.prod.fastly.net and it will show your vps page.
Sure you can wait 10 min to avoid doing this step :)
Kind Regards,
Mohamed Haron.
In 2nd point, you have mentioned add subdomain. This is victim subdomain right?
And what if it get rejected. Is there a way to control traffic like redirection?
I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is.
DNS:
sub.staging.target.fr. CNAME target.map.fastly.net.
target.map.fastly.net. A 151.101.xx.xxx
I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service.
@vaadataa I confirm this too last month I takeover 4 subdomains pointing to Fastly
Steps for takeover here Guys with video you can find it here
https://www.mohamedharon.com/2019/06/can-i-takeover-xyz-steps.html
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.
Yes I also got the same error
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.
Yes I also got the same error
me to same error any update ??
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.
Yes I also got the same error
me to same error any update ??
Yes, its an edge case.
I was able to takeover a subdomain for a H1 program and was awarded bounty about a week back.
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.
Yes I also got the same error
me to same error any update ??
The same error, Any updates!?
Just for confirmation of how Fastly is still possible to takeover, check out www.litium.de. This shall confirm the edge scenario.
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Domain 'redacted.com' is already taken by another customer
Definitely an Edge Case.
Yes I also got the same error
me to same error any update ??
Yes, its an edge case.
I was able to takeover a subdomain for a H1 program and was awarded bounty about a week back.
Any Updates got the same error!
is it possible that we can take over any vulnerable subdomain using fastly services or not or we use the different services which that domain use?
Hey, just used this method to takeover a subdomain and it worked. But still it's an edge case. In this one, the error was :
"Fastly error: unknow domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala"
i am getting the same error as above described by mefkan. "Fastly error: unknow domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala". but still unable to add domain to fastly
I am getting error - domain "abc" is already taken by another customer. Am i doing something wrong here?
Any Updates got the same error! I am getting error - domain "abc" is already taken by another customer
@sumgr0 For the same program? They were using two different domains in scope right?
At this time fastly is checking the domain (example.com) given, if it is taken once you can't register any of the subdomains (ignorebyfastly.example.com)
So a company is vulnerable only if they stop completely from using fastly for a whole domain.
@sumgr0 so you took over subdomain1.example.com and subdomain2.example.com? Fastly UI says the opposite than you do, if you try to take subdomain1.example.com Fastly is only checking if example.com is taken, if it is you can't register subdomain1.example.com nor subdomain2.example.com nor any other subdomain for that example.com, even if one of them is showing the fingerprint error message.
I understand, and confirm it worked for this time and allowed. Also the reason, as mentioned by the program, they were in the process of decommissioning the Fastly service, while I took over the subdomains. I've had mostly the experience of it not working, but once or twice it worked. Maybe due to the way the account is configured by the programs (they may or may not be using wildcards).
Hence, it seems if the setup contains the wildcard entries, it does not allow to takeover any subdomain belonging to the program and gives out the error: domain "abc" is already taken by another customer. And works when they setup individual subdomains on the service.
Hopefully this helps.
another corner case is :-
```
arjuns-MacBook-Air:domaintakeover arjunsharma$ dig elle.tw
; <<>> DiG 9.10.6 <<>> elle.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42494
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;elle.tw. IN A
;; ANSWER SECTION:
elle.tw. 86400 IN A 151.101.128.200
elle.tw. 86400 IN A 151.101.192.200
elle.tw. 86400 IN A 151.101.0.200
elle.tw. 86400 IN A 151.101.64.200
arjuns-MacBook-Air:domaintakeover arjunsharma$ dig www.elle.tw
; <<>> DiG 9.10.6 <<>> www.elle.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19199
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.elle.tw. IN A
;; ANSWER SECTION:
www.elle.tw. 80835 IN CNAME www.elle.com.tw.
www.elle.com.tw. 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
nonssl.global.fastly.net. 30 IN A 151.101.0.204
nonssl.global.fastly.net. 30 IN A 151.101.64.204
nonssl.global.fastly.net. 30 IN A 151.101.192.204
```
this kind of misconfigurations is also making services vulnerable
Hi @EdOverflow,
Is it still possible to claim subdomain on Fastly?
Regards,
Yes Bro I do a Takeover last 2 days for a 4 domains.
can you guide us how you did it
can you guide us how you did it
thanks very much
Great PoC thanks for that I also follow you blog learned subdomain takeover through you blogs
Great PoC thanks for that I also follow you blog learned subdomain takeover through you blogs and I guess the subdomain i was trying to takeover is not vulnerable becoz it says " domain is already took by another customer"
I'm facing now with this shit Domain 'blahblah.com' is already taken by another customer
Can someone explain me how to fix this shit.
The 'blahblah.com' is secured and not possible to take over
Is it still possible to claim subdomain on Fastly?
I successfully claimed a domain
But the link it is generating is
Domain.com.fastly.net
It should show only domain.com
Or domain.com.fastly.net is also correct?
@sumgr0 so you took over subdomain1.example.com and subdomain2.example.com? Fastly UI says the opposite than you do, if you try to take subdomain1.example.com Fastly is only checking if example.com is taken, if it is you can't register subdomain1.example.com nor subdomain2.example.com nor any other subdomain for that example.com, even if one of them is showing the fingerprint error message.
Is there any way to bypass this?
Only if the parent domain is not registered with wildcard entry. I've not seen anymore cases with fastly service takeover.
It seems that it is not vulnerable because when we try takeover sub_1.test.com , it says that test.com is already registered.
```
vikrams-MacBook-Air:domaintakeover arjunsharma$ dig https://critik.in/best-lip-balms-in-india/
; <<>> DiG 9.10.6 <<>> https://critik.in/best-lip-balms-in-india/
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19199
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;https://critik.in/best-lip-balms-in-india/ IN A
;; ANSWER SECTION:
https://critik.in/best-lip-balms-in-india/ 80835 IN CNAME https://critik.in/best-lip-balms-in-india/
https://critik.in/best-lip-balms-in-india/ 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
nonssl.global.fastly.net. 30 IN A 151.101.0.204
nonssl.global.fastly.net. 30 IN A 151.101.64.204
nonssl.global.fastly.net. 30 IN A 151.101.192.204
```
this kind of misconfigurations is also making services vulnerable
I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is.
DNS:
sub.staging.target.fr. CNAME target.map.fastly.net.
target.map.fastly.net. A 151.101.xx.xxx
I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service.
hi @vaadataa how can i register map.fastly.net domain?
Thank~
can you tell me how because this is not working for me
@vaadataa how can i register map.fastly.net domain? Now i only get a *.global.prod.fastly.net domain
After testing many domains with the error page. I haven't found a way to take over the subdomains.
I think this has been fixed and not properly reported here.
Just made a takeover.
Target was test.target.com. CNAME to global.prod.fastly.net
When i open URL, it says
Fastly error: unknow domain: test-example.s3.amazonaws.com. Please check that this domain has been added to a service. Details: cache-blalala
- Create new delivery service
- Name test-example.s3.amazonaws.com
- Host is my VPS
Worked
Any updates? I've found a error page on a program Bug Bounty but when i going to create, it returns the message:
Domain 'blahblah.com' is already taken by another customer
Any updates? I've found a error page on a program Bug Bounty but when i going to create, it returns the message:
Domain 'blahblah.com' is already taken by another customer
This means blahblah.com is not vulnerable to takeover.
Just made a takeover.
Target was test.target.com. CNAME to global.prod.fastly.net
When i open URL, it says
Fastly error: unknow domain: test-example.s3.amazonaws.com. Please check that this domain has been added to a service. Details: cache-blalala
- Create new delivery service
- Name test-example.s3.amazonaws.com
- Host is my VPS
Worked
I got the same page in www-TARGET-com.TARGET.com
BUT I didn't understand your tips and I don't know where (Create new delivery service) and the other tips
can you please explain it more deeper
my Twitter:_2os5
Is it still possible to takeover CNAME pointing to map.fastly.net? Eg : target.com --> target.com.map.fastly.net
Please provide steps if possible. I am getting only target.com.global.prod.fastly.net
Is it still possible to takeover CNAME pointing to map.fastly.net? Eg : target.com --> target.com.map.fastly.net Please provide steps if possible. I am getting only target.com.global.prod.fastly.net
No you can only add domain and Fastly choose the name for your domain.
Even you able to takeover target.com.map.fastly.net
Services won't Run until you add Domain
I think Fastly is no more vulnerable for subdomain takeover .
@sawravchy I think this is still an edge case - as described by @mohamed-faris , his example still works:
Ok got it. Thanks for clarifying this.
fastly error for somthing.target.com is not vulnerable
But somthing.target.in was is vulnerable. can i report
hi @m7mdharoun , i used subjack tool and find 5 domain which are showing FASTLY . can vulnerable
Hii @m7mdharoun my custom domain is saved but i get this " Domain does not resolve to the GitHub Pages server" pls help me
Just made a takeover. Thank you mate @mohamed-faris
I just tried with 600 domains giving the fingerprint, none of them resulted in a takeover.
@vaadataa I confirm this too last month I takeover 4 subdomains pointing to Fastly
Steps for takeover here Guys with video you can find it here
https://www.mohamedharon.com/2019/06/can-i-takeover-xyz-steps.html
the link is not working!!
fastly is an edge case its still vuln when none claimed domain tested on a live target
http://live.pandora.com
In my case, when I visited the site redacted.com, I got error
Fastly error: unknown domain: redacted.global.ssl.fastly.net. Please check blah blah blah.
Gone to Fastly.com -> CDN -> CDN services -> New service -> Domain: redacted.global.ssl.fastly.net.
It allowed me to add this as domain so I took over the domain.
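For zone owners, the condition reported throughout this thread (a hostname whose CNAME chain still ends under fastly.net after it has been detached from every service in your own account) can be found from DNS data alone. The following is an added example, not code from this thread; the record set, `OWN_FASTLY_DOMAINS` and all function names are constructed, and treating a wildcard entry as covering its direct children is an assumption based on the commenters' observations.

```python
import re

# Constructed sample in dig ANSWER-section format (placeholder names).
SAMPLE_RECORDS = """\
www.example.com.    300 IN CNAME www.example.com.map.fastly.net.
www.example.com.map.fastly.net. 30 IN A 151.101.0.204
old.example.com.    300 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.0.204
promo.example.org.  300 IN CNAME shop.example.org.
shop.example.org.   60  IN CNAME global.prod.fastly.net.
blog.example.com.   300 IN CNAME pages.example.net.
"""

# Constructed: domains still attached to services in your own Fastly account.
OWN_FASTLY_DOMAINS = {"www.example.com", "*.example.net"}

RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")

def parse_cnames(text):
    """Return {name: target} for CNAME records; lowercased, no trailing dot."""
    cnames = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m and m.group(2) == "CNAME":
            cnames[m.group(1).rstrip(".").lower()] = m.group(3).rstrip(".").lower()
    return cnames

def chain_end(name, cnames, limit=10):
    """Follow the CNAME chain (bounded, so loops terminate); return the last name."""
    for _ in range(limit):
        if name not in cnames:
            break
        name = cnames[name]
    return name

def covered(host, own):
    """True if host itself, or a wildcard for its direct parent, is on our services.
    Assumption: deeper names are not covered, so the audit errs toward flagging."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return host in own or ("*." + parent) in own

def dangling_fastly(text, own):
    """Hostnames whose chain ends under fastly.net but that no own service claims."""
    cnames = parse_cnames(text)
    return sorted(h for h in cnames
                  if chain_end(h, cnames).endswith(".fastly.net")
                  and not covered(h, own))

if __name__ == "__main__":
    for host in dangling_fastly(SAMPLE_RECORDS, OWN_FASTLY_DOMAINS):
        print("remove or re-attach:", host)
```

Each flagged name should either have its DNS record removed or be re-added to a service you control.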