EdOverflow/can-i-take-over-xyz

GitHub.io Subdomain Takeover

jatoch opened this issue · 21 comments

I have found a subdomain sub.example.com
And the CNAME is pointing to 1234.github.io

When navigating to sub.example.com
It will show the 404 error
There isn't a GitHub Pages site here.

So I created a github page and added sub.example.com as custom domain.

And it will say that this CNAME has already been taken.
Am I doing something wrong? Or is it not vulnerable?

There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need to consider the two types of GitHub pages/subdomains:

  1. Username-based subdomains;
  2. Organisation-based subdomain.

As the names already state, the former is based on the GitHub user's handle (e.g. https://github.com/edoverflow → edoverflow.github.io) and the latter is one that uses an organisation's handle (https://liberapay.com/liberapay → liberapay.github.io).

With this in mind, it becomes a little easier to determine whether or not a page is vulnerable.

The following case is not vulnerable:

  • There is no index page (404), but there are subpages with content. So https://example.github.io/ might display a 404, but there is a repository somewhere serving content under https://example.github.io/foobar. This is why I would always recommend checking https://github.com/<name> to see if there are any indications as to where the user or organisation might be serving content from or using a simple Google Dork such as site:example.github.io to find hidden directories that have been crawled by Google.

The following cases are vulnerable:

  • There is no content being served on that GitHub host at all. This means that there is not a single repository that has claimed the GitHub page;
  • There is no account or organisation under https://github.com/<name>. You can sign up for an account or set up an organisation under that name and proceed to serve content on https://<name>.github.io/.

I hope this clears up any uncertainties when it comes to GitHub pages.

@EdOverflow I'm trying to create a test environment for myself. I created a GitHub repo and created a simple index.html file. Then I created a site with the extension .io.
I had previously purchased a domain address with a .com extension. I added the subdomain address I created with GitHub to my domain name as a CNAME record.

example:

dig cname www.guidebookdemo.com

www.guidebookdemo.com cname phoenix1112.github.io

You can see that my username is used as the subdomain address in the site address I created for GitHub (phoenix1112).

Now, if the phoenix1112.github.io address was unavailable, how would we get the phoenix1112 username to get this GitHub address? If the username is used for the subdomain name, how do we get someone else's username?

You would have to hope that the user — phoenix1112 in your example — deletes their account so that you can then claim that username. There is no other way around it as far as I know.

@EdOverflow I did the takeover now... the username does not matter.. I did test it..

dig cname www.guidebookdemo.com

www.guidebookdemo.com CNAME phoenix1112.github.io

I deleted the files I created phoenix1112.github.io. I created a repo with another user and wrote www.guidebookdemo.com in the site name. and I created an index.htm file

After 10 minutes, when I opened www.guidebookdemo.com, my index.html file started to appear. Although I am not a phoenix1112 user, I did takeover www.guidebookdemo.com.

Actually, now that I think of it, I have submitted two subdomain takeovers using the exact process you described above roughly two years ago. Silly me! :P

You are absolutely right, the username is not actually important. Thank you for double-checking this, @Phoenix1112.

Actually, I don't even think the name of the repo matters, just create any repo, go to the settings of that repo, enable GitHub Pages and add your custom domain there. Reply to me if you think I am wrong.

Update: but I also had issues with "CNAME has already been taken." even though the page was showing the fingerprint message, I don't know why ;O

Check site:"target.github.io" and see if you get the repo. In my case, it was also showing "There isn't a GitHub Pages site here." but when checked using site:"target.github.io" all the pages and everything were present. So this case is also not vulnerable.

7RUST commented

Website name example.com pointing to CNAME example.github.io. Now there is still content on example.com, but when navigating to example.github.io it says a 404. I tried to create a GitHub repo, but when trying to add a domain, it says the CNAME is already taken. I am kinda confused, as if it is pointing to an unclaimed github.io domain, it should be vulnerable, right?

@saurabh96216 IIRC the CNAME is irrelevant as long as it is pointing to .github.io

@EdOverflow Hi Ed, it seems GitHub is no longer vulnerable to subdomain takeover, since they add the account name before the subdomain that you are planning to take over.
For example, the subdomain supposed to be vulnerable is example.gitexample.com
When creating the page they add your GitHub name before the page name, like (hxxps://mnijres.github.io/example.gitexample.com)
Since mnijres is my GitHub name.

After testing 1.516.945 subdomains (including cloudfront, fastly, GitHub.io, tumblr, shopify)

None of them are vulnerable to subdomain takeover anymore!

I will try my luck with something else.

Hello @EdOverflow, I have tried this similar way and my target is vulnerable to this way. Can I report it to the vendor as a GitHub subdomain takeover? And could it be a valid issue?

โš ๏ธโš ๏ธ GitHub's pages are now secure and no longer vulnerable. โš ๏ธโš ๏ธ
GitHub has implemented DNS verification to confirm the legitimacy of domains.

I confirm it

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

What did you do?

Nothing special. But I tried more than 50 to find one vulnerable in the last 2 months. GitHub always asks for DNS TXT verification.

Currently live exploited vulnerability: https://turakhia.ucsd.edu

Details?

I saw a live subdomain name hijacked to point at GitHub Pages today.

First of all, here's a proof of concept: http://ftp.vidovi.ch. I do not own, nor am I associated with, vidovi.ch. I simply added it to my GitHub Pages account.

I was able to do this because:

  1. vidovi.ch has been legitimately configured to point at GitHub Pages:

     $ dig vidovi.ch
     ...
     ;; ANSWER SECTION:
     vidovi.ch.      300 IN  A   185.199.111.153
     vidovi.ch.      300 IN  A   185.199.108.153
     vidovi.ch.      300 IN  A   185.199.109.153
     vidovi.ch.      300 IN  A   185.199.110.153

  2. vidovi.ch uses something like cPanel that creates a default CNAME record from ftp.vidovi.ch to the apex vidovi.ch, but doesn't delete that default record if you point the apex elsewhere:

     $ dig ftp.vidovi.ch CNAME
     ...
     ;; ANSWER SECTION:
     ftp.vidovi.ch.      300 IN  CNAME   vidovi.ch.

  3. The owner of vidovi.ch has (presumably) not followed the instructions on this page that say "Tip: We recommend verifying your custom domain prior to adding it to your repository, in order to improve security and avoid takeover attacks" (GitHub does not require this, unlike many companies).

  4. GitHub Pages considers ftp.vidovi.ch to be a different "site" than vidovi.ch or www.vidovi.ch, so anyone can "claim" it as I did.

The requirements for a site to be vulnerable are:

  • The apex has been pointed to GitHub Pages;
  • The site uses something like cPanel that leaves dangling CNAMEs like ftp. pointing to that apex;
  • The site owner has not followed the GitHub recommendation to "verify" the domain name with a TXT record to prevent other people from using subdomains.

There are a large number of sites out there meeting these requirements. You can find them pretty easily by using any tool that shows you what domain names have the apex pointing at GitHub pages, then checking whether they have a CNAME subdomain like ftp. that points to the apex. You'll then find most of those haven't been verified/secured.

Bad actors are exploiting this in the wild (my colleague and I saw someone complaining about this happening to them -- their ftp subdomain was being used for advertising an online casino -- and helped them track down the cause).
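The following is an added example, not code from this thread or from the can-i-take-over-xyz project. It turns the three requirements listed in the post above (apex on GitHub Pages, a subdomain whose CNAME chain ends at that apex, no verification TXT record) into a zone audit a domain owner can run over their own DNS answers, and it also encodes the earlier decision rules from EdOverflow's reply (404 fingerprint vs. subpages vs. unregistered name) in `classify_github_host`. Assumptions: the GitHub Pages A records are the four quoted in the dig output above; the verification record name `_github-pages-challenge-<account>.<apex>` is assumed and should be checked against GitHub's current custom-domain documentation; the account name `example-account`, the `example.net` domain and the `Zone` answer set are constructed sample data, not live lookups. A real audit would populate `Zone` from a resolver such as dnspython or `dig`.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# GitHub Pages apex A records, as quoted in the dig output in the post above.
GITHUB_PAGES_APEX_IPS = frozenset({
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
})


@dataclass
class Zone:
    """Answer set for a DNS zone. Filled here with constructed sample data;
    a real audit would populate it from a resolver."""
    a: Dict[str, List[str]] = field(default_factory=dict)
    cname: Dict[str, str] = field(default_factory=dict)
    txt: Dict[str, List[str]] = field(default_factory=dict)


def follow_cname(zone: Zone, name: str, max_hops: int = 8) -> str:
    """Follow CNAME records until a non-alias name is reached (loop-bounded)."""
    for _ in range(max_hops):
        target = zone.cname.get(name)
        if target is None:
            return name
        name = target
    return name


def apex_on_github_pages(zone: Zone, apex: str) -> bool:
    """True when any A record of the apex is a GitHub Pages address."""
    return bool(set(zone.a.get(apex, [])) & GITHUB_PAGES_APEX_IPS)


def domain_verified(zone: Zone, apex: str, account: str) -> bool:
    """Is a verification TXT record for this GitHub account present?
    ASSUMPTION: record name _github-pages-challenge-<account>.<apex>;
    confirm against GitHub's current documentation before relying on it."""
    return bool(zone.txt.get(f"_github-pages-challenge-{account}.{apex}"))


def dangling_subdomains(zone: Zone, apex: str, account: str) -> List[dict]:
    """Report subdomains of `apex` whose CNAME chain ends at an apex hosted on
    GitHub Pages. `claimable_by_others` is True when the domain carries no
    verification record, which is the combination the post above describes."""
    findings: List[dict] = []
    if not apex_on_github_pages(zone, apex):
        return findings
    verified = domain_verified(zone, apex, account)
    for name, target in zone.cname.items():
        # www is treated as the same site as the apex in the post above.
        if not name.endswith("." + apex) or name == "www." + apex:
            continue
        if follow_cname(zone, target) == apex:
            findings.append({"name": name, "target": target,
                             "claimable_by_others": not verified})
    return findings


def classify_github_host(fingerprint_seen: bool, account_exists: bool,
                         any_subpage_content: bool) -> str:
    """Decision rules from EdOverflow's reply earlier in the thread: the 404
    fingerprint alone is not enough, subpages or a live account change the call."""
    if not fingerprint_seen:
        return "serving-content"
    if not account_exists:
        return "vulnerable: name unregistered"
    if any_subpage_content:
        return "not vulnerable: subpages claimed"
    return "vulnerable: no repository has claimed the page"


# Constructed sample zone: the ftp.vidovi.ch shape from the post, plus a
# placeholder example.net that does carry the verification record.
SAMPLE_ZONE = Zone(
    a={"vidovi.ch": ["185.199.111.153", "185.199.108.153",
                     "185.199.109.153", "185.199.110.153"],
       "example.net": ["185.199.108.153"]},
    cname={"ftp.vidovi.ch": "vidovi.ch", "www.vidovi.ch": "vidovi.ch",
           "ftp.example.net": "example.net",
           "mail.example.net": "ftp.example.net"},
    txt={"_github-pages-challenge-example-account.example.net": ["placeholder-token"]},
)

if __name__ == "__main__":
    for apex in ("vidovi.ch", "example.net"):
        for finding in dangling_subdomains(SAMPLE_ZONE, apex, "example-account"):
            print(apex, finding)
```

Run against your own zone, any finding with `claimable_by_others` set is the one to fix, either by adding the verification record or by deleting the leftover CNAME; the `mail.example.net` entry shows that the check follows multi-hop chains, not just direct aliases to the apex.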