-
-
Notifications
You must be signed in to change notification settings - Fork 717
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Subdomain Takeover via netlify #40
Comments
when you attempt to add a custom domain on Netlify, they ask you to add a randomly-named cname record for them to verify. Because of this, it doesn't look like you can do takeovers anymore. Unless i've missed a trick? |
@AnotherWayIn How random is the seed? Have you done collision checks on it? I've managed to do takeovers on some services by looping the creation/deletion of a service with a random seed until I hit a collision for an old service either using javascript in a client session or looping in python/bash utilizing something like the AWS cli. |
Also this seems more remote as it's a change from the old state, so I'm going to flag this as not vulnerable unless confirmed otherwise. |
Yeah, BF is not possible here. Mine for example is asking for the cname to be: |
Closed via #53 |
This vulnerability still exists (the company I work for was just informed by a white hat hacker that this affected us). If a sub domain (eg: mysubdomain.test.com) is pointing to a Netlify CNAME that is no longer in use by the original party and removed from the previous Netlify project, another party can add that subdomain to their own Netlify project and take it over. |
@smartens80 it's one thing to highlight it, but it's another thing to do a claim. From my own testing it doesn't look like a claim isn't actually possible. Did they perform one in this case, or just let you know the DNS record was still there? If you're unsure about this feel free to DM me on twitter under @codingo_ and we can talk through it further. |
Potentially older domains are still vulnerable (without a seed), but this would still be considered an Edge Case. You should certainly be asking for proof of takeover on all reports though @smartens80. |
@codingo yes, they took over the sub domain and sent over as a poc. I've since removed the affected CNAME records from our DNS. I can PM you more info if you like? |
Sounds good - I'm mostly interested in the format of the CNAME. What I suspect has happened is that older DNS records can still be taken over, and that this will need to be adjusted on the repository. If you can DM me it would be great to collect further information. |
This is now confirmed as an edge case. Older DNS records for Netlify are still vulnerable to takeover. |
Updated to master via #57 |
@codingo Can you shed more light on
? I know what you mean by "old DNS records for Netlify" (ones where the canonical name doesn't have a random subdomain), but how can you claim them? |
Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday. |
up |
Can you share details? What's the CNAME ? |
Nah, it cannot be possible for subdomain until its root domain is vulnerable a new setting is implemented as fastly if this feature implemented by every1 then wht?? |
How can create subdomain How can move further?? |
So, I don't think is possible to perform the take over of a netlify account: I had this case everybodywins.adobe.com
You can't create a domain everybodywins.netlify.app. It gives you If you try to add a custom domain everybodywins.adobe.com, you will get |
Is not possible to take over anymore EdOverflow/can-i-take-over-xyz#40
I just managed to takeover a sudomain:
Reponse before taking over:
I just created a new app in Netlify and setup the domain. |
Can you tell how you managed to do this because the netlify is saying the site name is taken already |
Subdomain Takeover in Netlify as same as Takeover in Fastly Service if company add 3 subdomains and 1 of them is vulnerable you can't add the vulnerable 1 to your account unless company delete the whole Domain or closed their Netlify Account. I mean this takeover Edge case. |
I just took over a netlify and it wasn't an edge case. I think its still fully possible The company had a cname to x-y.netlify.app I signed up for netlkify and got given a domain called foo-bar-657657.netlify.app I clicked edit and changed my netlify site name to be x-y.netlify.app I added their subdomain as an additional domain and then it provisioned a letsencrypt cert on there for me. |
|
Not possible anymore !! |
What when CNAME points to |
Good Morning Yesterday I managed to do the subdomain takeover in a cname of *.netlifyglobalcdn.com What I needed to do was: Adding the cname to the default domain, if you can, is the first step. You just took the cname. This works for me. But in this case it wasn't the subdomain takeover it was just the takeover of cname, for some reason the subdomain was still not redirecting to cname. So in the field to add the subdomain I added the root domain, and then created an alias as in the image. This is how the subdomain takeover works completely. I reported it to the company yesterday and today it was corrected, they had removed the cname. So yes it is still possible to takeover on netlify |
Thanks @Kaue-Navarro POC: |
Hey @Sechunt3r, You revealed the subdomain you took over on the page title. :( |
1- Change the netlify.app subdomain name that you have in your account to the one you found vulnerable if it allows it is the first step, this will give you power only to the cname. 2- Step you put the root domain of the subdomain in that field to add domain the root domain. 3 - Create the alias with the subdomain you found. Done these three then yes you will have full control. Important if the first step does not work you will not be able to assume the subdomain completely. |
How can i contact you bro? I have a question |
Yes, my contact in linkedin Kauê Navarro |
Just took over a Netlify app, can confirm this still works. CNAME was set to: randomappname.netlify.com (it was .com, not .app) Steps I took to take it over:
|
This is not really accurate. You don't need to change the name of your app. Just add the vulnerable subdomain as a domain alias. This is my example: Vulnerable subdomain Dig pretty.domain.com
To take over this subdomain I just created an alias. You cannot accomplish the same with every vulnerable subdomain since it depends on some |
I've a vuln subdomain that doesn't point to any cname, is it vuln to STO ? |
Tried to put the CNAME itself in here and got "custom_domain has a reserved word" tried to put the vuln subdomain and got already used domain any help, am i doing something wrong ? |
If you don't get the first step to use the custom cname you thought of what you created, I believe you won't be able to point to the main domain and create the subdomain; Which then in this case is not vulnerable. |
Yep i tried adding the cname when created a project and uploaded it.Then it ask me to add custom subdomain in 2nd step and it said "custom domain has a reserved word" (1st picture) after i put the CNAME value, am i correct in steps but it's not vuln ? |
It's Possible to takeover netlify subdomain now ? |
No brother no ways to takeover now |
netlify
https://medium.com/@alirazzaq/subdomain-takeover-worth-200-ed73f0a58ffe
Documentation
The text was updated successfully, but these errors were encountered: