Subdomain-Takeovers

This repository discusses the subdomain takeover vulnerability and lists services that are vulnerable to it. It also provides information, methodology and resources to perform subdomain takeover attacks.

SubDomain Takeover Vulnerable WebSites Table

| Web-Site name | Vulnerable | Error Show | Issue Number | Free/paid | Pattern |
|---|---|---|---|---|---|
| https://worksites.net/ | Vulnerable | Hello! Sorry but the website you're looking for doesn't exist. | Issue #142 | | |
| Uptimerobot | Vulnerable | page not found | Issue #45 | (paid) | ['stats.uptimerobot.com'] |
| Uberflip | Vulnerable | Non-hub domain The URL you've accessed does not provide a hub. | Issue #150 | (Paid) | ['read.uberflip.com', 'uberflip.com'] |
| SurveySparrow | Vulnerable | 'Ouch! Account not found' | Issue #281 | (Paid) + (free Trial) | |
| Surge.sh | Vulnerable | project not found | | (Free) | ['surge.sh'] |
| Strikingly | Vulnerable | page not found | Issue #58 | (Free) | ['.s.strikinglydns.com'] |
| SmartJobBoard | Vulnerable | This job board website is either expired or its domain name is invalid. | Issue #139 | (14 Days free) | ['smartjobboard.com', 'mysmartjobboard.com'] |
| Short.io | Vulnerable | Link does not exist | Issue #260 | (free Trial) | ['cname.short.io'] |
| Readme.io | Vulnerable | Project doesnt exist... yet! | Issue #41 | (paid) | ['readme.io'] |
| Pingdom | Vulnerable | Sorry couldn't find the status page | Issue #144 | (30 Days Free) | ['stats.pingdom.com'] |
| Pantheon | Vulnerable | 404 error unknown site! | Issue #24 | (free) | ['pantheonsite.io'] |
| Ngrok | Vulnerable | Tunnel \*.ngrok.io not found | Issue #92 | (Paid) | ['ngrok.io'] |
| LaunchRock | Vulnerable | It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. | Issue #74 | (Paid) | ['launchrock.com'] |
| Kinsta | Vulnerable | No Site For Domain | Issue #48 | (Paid) | ['kinsta.com'] |
| JetBrains | Vulnerable | is not a registered InCloud YouTrack | | (paid) | ['myjetbrains.com'] |
| Intercom | Vulnerable | Uh oh. That page doesn't exist. | Issue #69 | (Free) | ['custom.intercom.help'] |
| Help Scout | Vulnerable | No settings were found for this company: | | (Paid) | ['helpscoutdocs.com'] |
| HatenaBlog | Vulnerable | 404 Blog is not found | | | ['hatenablog.com'] |
| Gemfury | Vulnerable | 404: This page could not be found. | Issue #154 Article | (paid) | ['furyns.com'] |
| Fly.io | Vulnerable | 404 Not Found | Issue #101 | (free) | |
| Discourse | Vulnerable | | Issue #49 | (Paid) | |
| Digital Ocean | Vulnerable | Domain uses DO name servers with no records in DO. | | (Paid) | |
| Cargo Collective | Vulnerable | 404 Not Found | Issue #152 | (paid) | ['subdomain.cargocollective.com'] |
| AWS/Elastic Beanstalk | Vulnerable | 404 Not Found | Issue #194 | (paid) | ['elasticbeanstalk.com'] |
| AWS/Load Balancer (ELB) | Not Vulnerable | status NXDOMAIN and CNAME pointing to XYZ.elb.amazonaws.com | Issue #137 | (paid) | |
| AWS/S3 | Vulnerable | The specified bucket does not exist | Issue #36 | (paid) | bucket-name.s3.region-code.amazonaws.com |
| Campaign Monitor | Vulnerable | Trying to access your account? | Issue #275 | (free) | ['createsend.com', 'name.createsend.com'] |
| Agile CRM | Vulnerable | Sorry this page is no longer available. | Issue #145 | | ['cname.agilecrm.com', 'agilecrm.com'] |
| Anima | Vulnerable | If this is your website and you've just created it try refreshing in a minute | Issue #126 | (paid) | |
| Airee.ru | Vulnerable | | Issue #104 | (free) | ['cdn.airee.com', 'airee.com'] |

Subdomain Takeovers

Subdomain takeover is a high-severity vulnerability in which an attacker gains control of an expired or unclaimed third-party service that a subdomain of the site still points to.

What is that service?

It can be anything. Some vendors use a service such as Shopify to build their shopping platform without changing their official subdomain; you may have seen "Powered by Shopify" or similar while shopping on such a site. This whole process of connecting one service to another is done with a CNAME record.

What is a CNAME and how does it work -

CNAME stands for canonical name. It is a DNS record used for connecting hosting and domains: suppose you buy a domain from godaddy.com and hosting from hostinger.com. To connect the two you set up nameservers and web services, and the same idea applies to a CNAME, which points one domain name to another domain without changing the actual subdomain. If the resource the CNAME points at expires, any malicious actor can perform a takeover.

Step 1

Subfinder to enumerate subdomains

$ subfinder -d takeaway.com > subdomain.txt

Step 2

MassDNS to find subdomain CNAMEs

$ massdns -r resolvers.txt -t CNAME  -o S  -w scope-CNAME.txt subdomain.txt

Step 3

Grep for 3rd-party services (drop CNAME targets inside the scope domain, keep the target field and strip the trailing dot)

$ cat scope-CNAME.txt | grep -v -e 'takeaway\.com\.$' | cut -f 3 -d" " | sed 's/.$//g'

thuisbezorgdbeta.hypernode.io
geomaps.takeaway.com.s3.amazonaws.com

Use nuclei to detect the vulnerability

$ nuclei -l Cname.txt -t /home/rooter/Desktop/nuclei-templates/takeovers

Cross-check the vulnerable domain's CNAME

$ dig images.takeaway.com

Check the CNAME target's web server response for the error shown in the table
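As an added example that is not part of this repository, the following Python script reproduces the step 3 filtering on massdns `-o S` output and checks a CNAME target's HTTP body against error fingerprints taken from the table above; the massdns records, HTTP bodies and the regex encoding of the patterns are constructed for the example.

```python
import re

# Constructed sample of massdns "-o S" output (name. TYPE target.), not a real scan.
MASSDNS_SIMPLE = """\
geomaps.takeaway.com. CNAME geomaps.takeaway.com.s3.amazonaws.com.
status.takeaway.com. CNAME stats.pingdom.com.
www.takeaway.com. CNAME takeaway.com.
beta.takeaway.com. CNAME thuisbezorgdbeta.hypernode.io.
blog.takeaway.com. A 203.0.113.10
"""

# Fingerprints taken from the table above (regex form is an assumption of this example):
# CNAME pattern and the error text the service shows while the resource is unclaimed.
FINGERPRINTS = [
    (r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com$", "The specified bucket does not exist"),
    (r"(^|\.)stats\.pingdom\.com$", "Sorry couldn't find the status page"),
    (r"(^|\.)elasticbeanstalk\.com$", "404 Not Found"),
    (r"(^|\.)pantheonsite\.io$", "404 error unknown site!"),
    (r"(^|\.)ngrok\.io$", "Tunnel *.ngrok.io not found"),
]


def third_party_cnames(massdns_output, scope_domain):
    """Step 3 in Python: keep CNAME records whose target lies outside the scope domain."""
    found = {}
    for line in massdns_output.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "CNAME":
            continue
        name, target = parts[0].rstrip("."), parts[2].rstrip(".")
        if target == scope_domain or target.endswith("." + scope_domain):
            continue  # same effect as grep -v 'takeaway\.com\.$'
        found[name] = target
    return found


def match_service(target):
    """Return (pattern, fingerprint) for a service in the table, or None if unknown."""
    for pattern, fingerprint in FINGERPRINTS:
        if re.search(pattern, target, re.IGNORECASE):
            return pattern, fingerprint
    return None


def assess(target, http_body):
    """Classify a candidate from the body the CNAME target serves for the subdomain."""
    hit = match_service(target)
    if hit is None:
        return "unknown-service"   # no fingerprint in the table: review manually
    if hit[1].lower() in http_body.lower():
        return "likely-dangling"   # error text matches: remove or re-claim the record
    return "claimed"
```

Run it over the real `scope-CNAME.txt` and the bodies fetched for each candidate; "likely-dangling" results are the records to remove from DNS or re-claim before anyone else does.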