/can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

image

Disclaimer ⚠️

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion. On top of that, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: EdOverflow#26.

All entries

Engine Status Fingerprint Discussion Documentation
Acquia Not vulnerable Web Site Not Found Issue #103
Agile CRM Vulnerable Sorry, this page is no longer available. Issue #145
Airee.ru Vulnerable Issue #104
Anima Vulnerable If this is your website and you've just created it, try refreshing in a minute Issue #126 Anima Documentation
Akamai Not vulnerable Issue #13
AWS/S3 Vulnerable The specified bucket does not exist Issue #36
AWS/Load Balancer (ELB) Not Vulnerable status NXDOMAIN and CNAME pointing to XYZ.elb.amazonaws.com Issue #137
Bitbucket Vulnerable Repository not found
Campaign Monitor Vulnerable Trying to access your account? Support Page
Cargo Collective Vulnerable 404 Not Found Issue #152 Cargo Support Page
Cloudfront Not vulnerable ViewerCertificateException Issue #29 Domain Security on Amazon CloudFront
Desk Not vulnerable Please try again or try Desk.com free for 14 days. Issue #9
Digital Ocean Vulnerable Domain uses DO name serves with no records in DO.
Discourse Vulnerable Hackerone
Fastly Edge case Fastly error: unknown domain: Issue #22
Feedpress Not vulnerable The feed has not been found. Issue #80
Firebase Not vulnerable Issue #128
Fly.io Vulnerable 404 Not Found Issue #101
Freshdesk Not vulnerable Freshdesk Support Page
Gemfury Vulnerable 404: This page could not be found. Issue #154 Article
Ghost Vulnerable The thing you were looking for is no longer here, or never was
Github Vulnerable There isn't a GitHub Pages site here. Issue #37 Issue #68
Gitlab Not vulnerable HackerOne #312118
Google Cloud Storage Not vulnerable NoSuchBucketThe specified bucket does not exist.
HatenaBlog vulnerable 404 Blog is not found
Help Juice Vulnerable We could not find what you're looking for. Help Juice Support Page
Help Scout Vulnerable No settings were found for this company: HelpScout Docs
Heroku Edge case No such app Issue #38
HubSpot Not vulnerable This page isn’t available
Instapage Not vulnerable Issue #73
Intercom Vulnerable Uh oh. That page doesn't exist. Issue #69 Help center
JetBrains Vulnerable is not a registered InCloud YouTrack YouTrack InCloud Help Page
Key CDN Not vulnerable Issue #112
Kinsta Vulnerable No Site For Domain Issue #48 kinsta-add-domain
Landingi Edge case It looks like you’re lost... Issue #117
LaunchRock Vulnerable It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. Issue #74
Mashery Edge Case Unrecognized domain HackerOne #275714, Issue #14
Microsoft Azure Vulnerable Issue #35
Netlify Edge Case Issue #40
Ngrok Vulnerable Tunnel *.ngrok.io not found Issue #92 Ngrok Documentation
Pantheon Vulnerable 404 error unknown site! Issue #24 Pantheon-Sub-takeover
Pingdom Vulnerable Sorry, couldn't find the status page Issue #144 Support Page
Readme.io Vulnerable Project doesnt exist... yet! Issue #41
Sendgrid Not vulnerable
Shopify Edge Case Sorry, this shop is currently unavailable. Issue #32, Issue #46 Medium Article
SmartJobBoard Vulnerable This job board website is either expired or its domain name is invalid. Issue #139 Support Page
Smartling Edge Case Domain is not configured Issue #67
Squarespace Not vulnerable
Statuspage Not Vulnerable Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc PR #105 and PR #171 Statuspage documentation
Strikingly Vulnerable page not found Issue #58 Strikingly-Sub-takeover
Surge.sh Vulnerable project not found Surge Documentation
Tumblr Edge Case Whatever you were looking for doesn't currently exist at this address
Tilda Edge Case Please renew your subscription Issue #155PR #20
Uberflip Vulnerable Non-hub domain, The URL you've accessed does not provide a hub. Issue #150 Uberflip Documentation
Unbounce Not Vulnerable The requested URL was not found on this server. Issue #11
Uptimerobot Vulnerable page not found Issue #45 Uptimerobot-Sub-takeover
UserVoice Vulnerable This UserVoice subdomain is currently available!
Webflow Edge Case The page you are looking for doesn't exist or has been moved. Issue #44 forum webflow
Wordpress Vulnerable Do you want to register *.wordpress.com?
Worksites Vulnerable Hello! Sorry, but the website you&rsquo;re looking for doesn&rsquo;t exist. Issue #142
WP Engine Not vulnerable
Zendesk Not vulnerable Help Center Closed Issue #23 Zendesk Support