Fastly Restrictions #22
Comments
That certainly merits further investigation! @EdOverflow I'm unable to look at this for a week, what's your capacity like? Happy for you to tag me on this if you're snowed under also. Related to the work on #20, I think this should be done in a test case and then added to the main readme. |
Hi @EdOverflow, I've had it confirmed on my last report that this is not a valid vulnerability. This is the default Fastly error message if you are visiting the subdomain directly, which is not the intended use case, since it is part of a redirect by the CDN. Regards, |
Hi @EdOverflow, Regards, |
Yes bro, I did a takeover in the last 2 days for 4 domains. |
Hi bro. Is it possible to have the required steps?
On Mon, Apr 29, 2019 at 2:49 AM, m7mdharoun <notifications@github.com> wrote:
… Hi @EdOverflow <https://github.com/EdOverflow>,
Is it still possible to claim subdomain on Fastly?
Regards,
Yes bro, I did a takeover in the last 2 days for 4 domains.
|
Can someone post step by step subdomain takeover on fastly? |
@n1ghtfox it's simple and easy ..
Kind Regards, |
Thanks, I could never register the domain, so I thought there was another way
around.
…On Mon, May 13, 2019 at 9:05 PM m7mdharoun ***@***.***> wrote:
@n1ghtfox <https://github.com/n1ghtfox> it's simple and easy ..
1. Create a new service (ex: version 1).
2. Add subdomain or domain; if it accepts to add your domain, this means you
can take it over, then do the next steps.
3. Then in the Origin Host add your VPS IP without SSL if not include
port 80.
4. Activate your service (version 1).
If you don't want to wait to know if the domain is connecting to the VPS or not
.. you can check it directly by going to Domains; then near the domain name you
will see Test Domain, which will open a link like this
http://domain.com.global.prod.fastly.net and it will show your VPS page.
Sure, you can wait 10 min to avoid doing this step :)
Kind Regards,
Mohamed Haron.
|
In 2nd point, you have mentioned add subdomain. This is victim subdomain right? |
I think I'm up to something, can you help me out on Fastly?
…On Wed, May 22, 2019 at 6:21 PM venkatst ***@***.***> wrote:
@m7mdharoun <https://github.com/m7mdharoun>,
In 2nd point, you have mentioned add subdomain. This is victim subdomain
right?
And what if it gets rejected? Is there a way to control traffic like
redirection?
|
I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is. DNS:
I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service. |
@vaadataa I confirm this too; last month I took over 4 subdomains pointing to
|
This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
Definitely an Edge Case. |
Yes I also got the same error |
Me too, same error. Any update?? |
Yes, it's an edge case. I was able to take over a subdomain for a H1 program and was awarded a bounty about a week back. |
The same error, Any updates!? |
Just for confirmation of how Fastly is still possible to takeover, check out www.litium.de. This shall confirm the edge scenario. |
Any Updates got the same error! |
is it possible that we can take over any vulnerable subdomain using fastly services or not or we use the different services which that domain use? |
Hey, just used this method to takeover a subdomain and it worked. But still it's an edge case. In this one, the error was : |
I am getting the same error as described above by mefkan. "Fastly error: unknown domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala". But I am still unable to add the domain to Fastly; I am getting the error - domain "abc" is already taken by another customer. Am I doing something wrong here? |
Any Updates got the same error! I am getting error - domain "abc" is already taken by another customer |
This is still an edge case.
Got 2 takeovers during this week for the same program, so it’s still
vulnerable but not every time.
On Sun, 8 Dec 2019 at 2:47 PM, bbbb ***@***.***> wrote:
Any Updates got the same error! I am getting error - domain "abc" is
already taken by another customer
--
Best,
Sumit Grover
|
@sumgr0 For the same program? They were using two different domains in scope, right? |
That’s right 2 different subdomains on the same program were covered by the scope.
… On 08-Dec-2019, at 6:00 PM, MelarDev ***@***.***> wrote:
@sumgr0 <https://github.com/sumgr0> For the same program? They were using two different domains in scope, right?
At this time Fastly is checking the domain (example.com) given; if it is taken once, you can't register any of the subdomains (ignorebyfastly.example.com).
So a company is vulnerable only if they completely stop using Fastly for a whole domain.
|
@sumgr0 so you took over |
Only if the parent domain is not registered with wildcard entry. I've not seen any more cases with Fastly service takeover. |
It seems that it is not vulnerable because when we try to take over sub_1.test.com, it says that test.com is already registered. |
vikrams-MacBook-Air:domaintakeover arjunsharma$ dig https://critik.in/best-lip-balms-in-india/
; <<>> DiG 9.10.6 <<>> https://critik.in/best-lip-balms-in-india/
;; OPT PSEUDOSECTION:
https://critik.in/best-lip-balms-in-india/ IN A
;; ANSWER SECTION:
https://critik.in/best-lip-balms-in-india/ 80835 IN CNAME https://critik.in/best-lip-balms-in-india/
This kind of misconfiguration is also making services vulnerable |
hi @vaadataa how can i register |
Can you tell me how, because this is not working for me |
@vaadataa how can I register map.fastly.net domain? Now I only get a *.global.prod.fastly.net domain |
After testing many domains with the error page. I haven't found a way to take over the subdomains. I think this has been fixed and not properly reported here. |
Just made a takeover. Target was When i open URL, it says
Worked |
Any updates? I've found an error page on a bug bounty program, but when I go to create, it returns the message: |
This mean |
This domain seems to have been registered by others
------------------ Original message ------------------
From: "EdOverflow/can-i-take-over-xyz" ***@***.***>;
Sent: Tuesday, March 8, 2022, 7:23 AM
Subject: Re: [EdOverflow/can-i-take-over-xyz] Fastly Restrictions (#22)
Is there no way to bypass these errors..?
Domain 'socialcodia.facebook.com' is already taken by another customer.
|
I got the same page in www-TARGET-com.TARGET.com BUT I didn't understand your tips and I don't know where (Create new delivery service) and the other tips |
Is it still possible to takeover CNAME pointing to map.fastly.net? Eg : target.com --> target.com.map.fastly.net |
No you can only add Even you able to takeover |
I think Fastly is no longer vulnerable to subdomain takeover. |
@sawravchy I think this is still an edge case - as described by @mohamed-faris , his example still works: |
Ok got it. Thanks for clarifying this. |
fastly error for somthing.target.com is not vulnerable |
hi @m7mdharoun , i used subjack tool and find 5 domain which are showing FASTLY . can vulnerable |
Hii @m7mdharoun my custom domain is saved but i get this " Domain does not resolve to the GitHub Pages server" pls help me |
Just made a takeover. Thank you mate @mohamed-faris |
I just tried with 600 domains giving the fingerprint, none of them resulted in a takeover. |
the link is not working!! |
fastly is an edge case its still vuln when none claimed domain tested on a live target |
In my case, when I visited the site redacted.com, I got error |
What you say is false. Fastly has a protection that prevents users from taking control of subdomains that belong to domains already registered in its infrastructure, and when you try to add the subdomain to take control, it gives the following error: {"detail": "Name 'prod.pinterest.global.map.fastly.net' is a reserved public suffix: Domain not valid"}. To keep it in mind, something says Not Vulnerable. |
Fastly will work only in some specific situations. In some cases they validate the customer domain before assigning the fastly.net subdomain.
https://docs.fastly.com/guides/securing-communications/managing-domains-on-tls-certificates#verifying-domain-ownership
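For zone owners, the condition reported throughout this thread (a CNAME still pointing at Fastly while neither the hostname nor its parent domain is attached to any Fastly service) can be checked against your own DNS export. This is an added example, not code from the repository or from any commenter; the zone lines, the `CLAIMED` inventory, the function names and the status labels are all assumptions made for illustration.

```python
# Added example: audit a DNS zone export for CNAMEs left pointing at Fastly.
# ZONE and CLAIMED are constructed sample data, not taken from the thread.
ZONE = """\
www.example.com.   300 IN CNAME www.example.com.map.fastly.net.
old.example.com.   300 IN CNAME old.example.com.global.prod.fastly.net.
shop.example.org.  300 IN CNAME shop.example.org.global.prod.fastly.net.
mail.example.com.  300 IN CNAME mail.example.net.
"""
# Hostnames currently attached to services in your own Fastly account.
CLAIMED = {"example.com", "www.example.com"}


def parse_cnames(zone_text):
    """Yield (owner, target) pairs for CNAME records, lower-cased, no trailing dot."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:
            i = types.index("CNAME", 1)
            yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()


def ancestors(name):
    """Parent names of a hostname, stopping before the bare TLD (simplified)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def audit(zone_text, claimed):
    """Classify every CNAME that targets fastly.net against the claimed set."""
    findings = {}
    for owner, target in parse_cnames(zone_text):
        if not target.endswith(".fastly.net"):
            continue
        if owner in claimed:
            findings[owner] = "ok"
        elif any(a in claimed for a in ancestors(owner)):
            # Thread reports Fastly rejects third-party claims in this case.
            findings[owner] = "dangling-parent-claimed"
        else:
            # Nothing under this name is claimed: remove the record first.
            findings[owner] = "dangling-unclaimed"
    return findings


if __name__ == "__main__":
    for host, status in sorted(audit(ZONE, CLAIMED).items()):
        print(f"{status:24} {host}")
```

Records in either dangling state should be deleted or re-attached to a service; the parent-claimed protection is behaviour reported by commenters here, not a guarantee.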