
Subdomain Takeover via netlify #40

Closed
m7mdharoun opened this issue Sep 14, 2018 · 41 comments
Labels
edge case An edge case was discovered where it is possible to hijack a subdomain on this service.

Comments

@m7mdharoun

netlify

https://medium.com/@alirazzaq/subdomain-takeover-worth-200-ed73f0a58ffe

Documentation

@EdOverflow EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Sep 17, 2018
@AnotherWayIn

When you attempt to add a custom domain on Netlify, they ask you to add a randomly-named CNAME record for them to verify. Because of this, it doesn't look like you can do takeovers anymore. Unless I've missed a trick?

@codingo
Collaborator

codingo commented Oct 4, 2018

@AnotherWayIn How random is the seed? Have you done collision checks on it?

I've managed to do takeovers on some services by looping the creation/deletion of a service with a random seed until I hit a collision for an old service, either using JavaScript in a client session or looping in Python/bash utilizing something like the AWS CLI.

@codingo
Collaborator

codingo commented Oct 4, 2018

Also, this seems more remote as it's a change from the old state, so I'm going to flag this as not vulnerable unless confirmed otherwise.

@codingo codingo added not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. and removed vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. labels Oct 4, 2018
@AnotherWayIn

Yeah, BF is not possible here. Mine, for example, is asking for the CNAME to be:
gallant-pare-4f7741.netlify.com
This is generated when you create a new site.

@codingo
Collaborator

codingo commented Oct 15, 2018

Closed via #53

@smartens80

This vulnerability still exists (the company I work for was just informed by a white hat hacker that this affected us). If a subdomain (e.g. mysubdomain.test.com) is pointing to a Netlify CNAME that is no longer in use by the original party and has been removed from the previous Netlify project, another party can add that subdomain to their own Netlify project and take it over.

@codingo
Collaborator

codingo commented Oct 16, 2018

@smartens80 it's one thing to highlight it, but it's another thing to do a claim. From my own testing it doesn't look like a claim is actually possible. Did they perform one in this case, or just let you know the DNS record was still there?

If you're unsure about this feel free to DM me on twitter under @codingo_ and we can talk through it further.

@codingo
Collaborator

codingo commented Oct 16, 2018

Potentially older domains are still vulnerable (without a seed), but this would still be considered an Edge Case. You should certainly be asking for proof of takeover on all reports though @smartens80.

@smartens80

@codingo yes, they took over the subdomain and sent it over as a PoC. I've since removed the affected CNAME records from our DNS. I can PM you more info if you like?

@codingo
Collaborator

codingo commented Oct 16, 2018

Sounds good - I'm mostly interested in the format of the CNAME. What I suspect has happened is that older DNS records can still be taken over, and that this will need to be adjusted on the repository. If you can DM me it would be great to collect further information.

@codingo codingo added edge case An edge case was discovered where it is possible to hijack a subdomain on this service. and removed not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. labels Oct 16, 2018
@codingo
Collaborator

codingo commented Oct 17, 2018

This is now confirmed as an edge case. Older DNS records for Netlify are still vulnerable to takeover.

@codingo
Collaborator

codingo commented Oct 17, 2018

Updated to master via #57

@jubobs

jubobs commented Jul 15, 2019

@codingo Can you shed more light on

> Older DNS records for Netlify are still vulnerable to takeover.

?

I know what you mean by "old DNS records for Netlify" (ones where the canonical name doesn't have a random subdomain), but how can you claim them?

@monizb

monizb commented Jul 4, 2021

Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday.

@YASSlNE

YASSlNE commented Jul 23, 2021

> @codingo Can you shed more light on
>
> > Older DNS records for Netlify are still vulnerable to takeover.
>
> ?

I know what you mean by "old DNS records for Netlify" (ones where the canonical name doesn't have a random subdomain), but how can you claim them?

up

@pdelteil
Contributor

> Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday.

Can you share details? What's the CNAME ?

@wowits

wowits commented Jul 28, 2021

> Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday

Nah, it cannot be possible for a subdomain until its root domain is vulnerable. A new setting is implemented, as with Fastly. If this feature is implemented by everyone, then what??

@Xplo8E

Xplo8E commented Aug 21, 2021

How can I create a subdomain
something.netlify.com? In Netlify it is giving only **.netlify.app.

How can I move further??

@pdelteil
Contributor

pdelteil commented Sep 4, 2021

So, I don't think it is possible to perform the takeover of a Netlify account:

I had this case: everybodywins.adobe.com

>  dig everybodywins.adobe.com

; <<>> DiG 9.16.1-Ubuntu <<>> everybodywins.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22410
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;everybodywins.adobe.com.	IN	A

;; ANSWER SECTION:
everybodywins.adobe.com. 10800	IN	CNAME	everybodywins.netlify.app.
everybodywins.netlify.app. 19	IN	A	54.205.240.192
everybodywins.netlify.app. 19	IN	A	157.245.242.152

;; Query time: 39 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Sep 04 21:44:28 UTC 2021
;; MSG SIZE  rcvd: 123

You can't create a domain everybodywins.netlify.app. It gives you

(screenshot not included)

If you try to add a custom domain everybodywins.adobe.com, you will get

(screenshot not included)

pdelteil added a commit to pdelteil/nuclei-templates that referenced this issue Sep 4, 2021
@Techbrunch

Techbrunch commented Sep 6, 2021

I just managed to take over a subdomain:

stage.target.com.	273	IN	CNAME	stage--target.netlify.app.
stage--target.netlify.app. 20	IN	A	18.159.128.50
stage--target.netlify.app. 20	IN	A	206.189.58.26

Response before taking over:

HTTP/2 404 Not Found
Cache-Control: private, max-age=0
Content-Length: 50
Content-Type: text/plain; charset=utf-8
Date: Mon, 06 Sep 2021 09:37:01 GMT
Age: 0
Server: Netlify
X-Nf-Request-Id: 01FEX7FPBPDQ0V9YRG1PM3E0AP

Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP

I just created a new app in Netlify and setup the domain.
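
Added example for this thread (not code posted by any commenter, and not Netlify's own tooling): a small stdlib-only Python triage script that combines the two signals shown in this issue, the dig answer section (as in pdelteil's everybodywins.adobe.com output and the stage.target.com records above) and the HTTP fingerprint from the response above (404, `Server: Netlify`, body `Not found - Request ID: ...`). It follows the CNAME chain, checks whether it ends at one of the Netlify-controlled suffixes named in this thread (netlify.com, netlify.app, netlifyglobalcdn.com), and only then uses the HTTP probe to decide. The record sets are constructed from lines quoted here; the 200 response for the Adobe host is hypothetical (the thread shows that site was claimed, not its response body). A "candidate" verdict is exactly that: as codingo says above, proof is a successful claim, not a 404.

```python
"""Added example: triage a subdomain for a dangling Netlify CNAME from dig output
plus one HTTP probe. Inputs are constructed from records quoted in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CNAME targets under Netlify's control that appear in this thread.
NETLIFY_SUFFIXES = (".netlify.com", ".netlify.app", ".netlifyglobalcdn.com")

# One dig ANSWER SECTION line: owner, TTL, class IN, type, rdata.
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


@dataclass
class Finding:
    host: str
    cname_target: Optional[str]
    verdict: str  # "not-netlify", "in-use" or "candidate"
    reason: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def parse_dig_answer(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rrtype, rdata) triples; dig's ';;' header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _RR.match(line.strip())
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            out.append((_norm(owner), rrtype, _norm(rdata)))
    return out


def resolve_cname_chain(records, host: str, max_hops: int = 8) -> str:
    """Follow CNAMEs from host; return the final canonical name (host itself if none)."""
    name = _norm(host)
    for _ in range(max_hops):
        nxt = next((r for o, t, r in records if o == name and t == "CNAME"), None)
        if nxt is None:
            return name
        name = nxt
    raise ValueError("CNAME chain too long or looping for " + host)


def is_netlify_target(name: str) -> bool:
    return any(name.endswith(s) for s in NETLIFY_SUFFIXES)


def netlify_site_name(target: str) -> Optional[str]:
    """Site name embedded in a *.netlify.com / *.netlify.app target (what the
    'rename your site to match' step in this thread needs). A *.netlifyglobalcdn.com
    target carries no site name, so None is returned for it."""
    for suffix in (".netlify.com", ".netlify.app"):
        if target.endswith(suffix):
            return target[: -len(suffix)]
    return None


def unclaimed_fingerprint(status: int, headers: Dict[str, str], body: str) -> bool:
    """Netlify's reply for a hostname no site claims, per the capture in this thread:
    404, Server: Netlify, plain-text body 'Not found - Request ID: ...'."""
    h = {k.lower(): v for k, v in headers.items()}
    return (status == 404
            and h.get("server", "").lower() == "netlify"
            and body.strip().startswith("Not found - Request ID:"))


def assess(host: str, dig_text: str, status: int, headers: Dict[str, str], body: str) -> Finding:
    records = parse_dig_answer(dig_text)
    target = resolve_cname_chain(records, host)
    if target == _norm(host) or not is_netlify_target(target):
        return Finding(host, None, "not-netlify", "no CNAME chain ending at a Netlify name")
    # The Netlify name still resolves to A records when no site owns it (see the dig
    # outputs in this thread), so resolvability proves nothing; only the probe does.
    if unclaimed_fingerprint(status, headers, body):
        return Finding(host, target, "candidate",
                       "Netlify CNAME plus unclaimed-site 404; confirm by claiming, never assume")
    return Finding(host, target, "in-use", "Netlify CNAME but a site is serving this hostname")


# Constructed samples built from records quoted in this thread.
DIG_STAGE = """
;; ANSWER SECTION:
stage.target.com.    273  IN  CNAME  stage--target.netlify.app.
stage--target.netlify.app.  20  IN  A  18.159.128.50
stage--target.netlify.app.  20  IN  A  206.189.58.26
"""
HEADERS_404 = {"Content-Type": "text/plain; charset=utf-8", "Server": "Netlify",
               "X-Nf-Request-Id": "01FEX7FPBPDQ0V9YRG1PM3E0AP"}
BODY_404 = "Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP"
DIG_ADOBE = """
;; ANSWER SECTION:
everybodywins.adobe.com.  10800  IN  CNAME  everybodywins.netlify.app.
everybodywins.netlify.app.  19  IN  A  54.205.240.192
"""
# Hypothetical 200 for the claimed Adobe host; the thread shows it was taken, not its response.
HEADERS_200 = {"Server": "Netlify", "Content-Type": "text/html"}


def run_samples() -> List[Finding]:
    return [assess("stage.target.com", DIG_STAGE, 404, HEADERS_404, BODY_404),
            assess("everybodywins.adobe.com", DIG_ADOBE, 200, HEADERS_200, "<html>ok</html>")]


if __name__ == "__main__":
    for f in run_samples():
        print(f"{f.host:26} {f.verdict:12} {f.cname_target or '-':30} {f.reason}")
```

Feed it real `dig` output and a real probe (the script deliberately does no network I/O) and treat only "candidate" hosts as worth the manual claim attempt; a custom 404 page from a live site fails the fingerprint and is reported as "in-use", which is the right default for a defender's zone audit too.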

@rsgian

rsgian commented Oct 23, 2021

> I just managed to take over a subdomain:
>
> stage.target.com.	273	IN	CNAME	stage--target.netlify.app.
> stage--target.netlify.app. 20	IN	A	18.159.128.50
> stage--target.netlify.app. 20	IN	A	206.189.58.26
>
> Response before taking over:
>
> HTTP/2 404 Not Found
> Cache-Control: private, max-age=0
> Content-Length: 50
> Content-Type: text/plain; charset=utf-8
> Date: Mon, 06 Sep 2021 09:37:01 GMT
> Age: 0
> Server: Netlify
> X-Nf-Request-Id: 01FEX7FPBPDQ0V9YRG1PM3E0AP
>
> Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP
>
> I just created a new app in Netlify and set up the domain.

Can you tell how you managed to do this? Netlify is saying the site name is already taken.

@m7mdharoun m7mdharoun changed the title subdomain Takeover via netlify Subdomain Takeover via netlify Oct 23, 2021
@m7mdharoun
Author

> > I just managed to take over a subdomain:
> >
> > stage.target.com.	273	IN	CNAME	stage--target.netlify.app.
> > stage--target.netlify.app. 20	IN	A	18.159.128.50
> > stage--target.netlify.app. 20	IN	A	206.189.58.26
> >
> > Response before taking over:
> >
> > HTTP/2 404 Not Found
> > Cache-Control: private, max-age=0
> > Content-Length: 50
> > Content-Type: text/plain; charset=utf-8
> > Date: Mon, 06 Sep 2021 09:37:01 GMT
> > Age: 0
> > Server: Netlify
> > X-Nf-Request-Id: 01FEX7FPBPDQ0V9YRG1PM3E0AP
> >
> > Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP
> >
> > I just created a new app in Netlify and set up the domain.
>
> Can you tell how you managed to do this? Netlify is saying the site name is already taken.

Subdomain takeover in Netlify is the same as takeover in the Fastly service: if a company adds 3 subdomains and 1 of them is vulnerable, you can't add the vulnerable one to your account unless the company deletes the whole domain or closes their Netlify account.

I mean this takeover is an edge case.

@SimonGurney

I just took over a Netlify and it wasn't an edge case. I think it's still fully possible.

The company had a CNAME to x-y.netlify.app

I signed up for Netlify and was given a domain called foo-bar-657657.netlify.app

I clicked edit and changed my Netlify site name to be x-y.netlify.app

I added their subdomain as an additional domain and then it provisioned a Let's Encrypt cert on there for me.

@samogod

samogod commented Jul 25, 2022

> I just took over a Netlify and it wasn't an edge case. I think it's still fully possible.
>
> The company had a CNAME to x-y.netlify.app
>
> I signed up for Netlify and was given a domain called foo-bar-657657.netlify.app
>
> I clicked edit and changed my Netlify site name to be x-y.netlify.app
>
> I added their subdomain as an additional domain and then it provisioned a Let's Encrypt cert on there for me.

(screenshots not included)

@danzee1

danzee1 commented Oct 12, 2022

> I just took over a Netlify and it wasn't an edge case. I think it's still fully possible.
> The company had a CNAME to x-y.netlify.app
> I signed up for Netlify and was given a domain called foo-bar-657657.netlify.app
> I clicked edit and changed my Netlify site name to be x-y.netlify.app
> I added their subdomain as an additional domain and then it provisioned a Let's Encrypt cert on there for me.
>
> (screenshots not included)

Not possible anymore!!

@CalfCrusher

What about when the CNAME points to *.netlifyglobalcdn.com?
Is the takeover possible?

@Kaue-Navarro

Good morning

Yesterday I managed to do the subdomain takeover on a CNAME of *.netlifyglobalcdn.com

(screenshot not included)

What I needed to do was:

Adding the CNAME to the default domain, if you can, is the first step.

You just took the CNAME.

This works for me.

But in this case it wasn't the subdomain takeover, it was just the takeover of the CNAME; for some reason the subdomain was still not redirecting to the CNAME.

So in the field to add the subdomain I added the root domain, and then created an alias as in the image.

This is how the subdomain takeover works completely.

I reported it to the company yesterday and today it was corrected; they had removed the CNAME.

(screenshot not included)

So yes, it is still possible to take over on Netlify

@Sechunt3r

Sechunt3r commented Nov 28, 2022

Thanks @Kaue-Navarro
The technique you suggested completely works & full subdomain takeover is still possible on netlify.

(CNAME settings and PoC screenshots not included)

@pdelteil
Contributor

Hey @Sechunt3r,

You revealed the subdomain you took over on the page title. :(

@b1bek

b1bek commented Nov 30, 2022

The subdomain has CNAME foo-bar-xyz.netlify.app. I got it and my site is hosted at foo-bar-xyz.netlify.app, but the subdomain still has an error like this
(screenshot not included)

Now when trying to add the subdomain in custom domains it shows this error
(screenshot not included)

Can anyone confirm if *.netlify.app is still possible or not?

@Kaue-Navarro

1- Change the netlify.app subdomain name that you have in your account to the one you found vulnerable, if it allows it. This is the first step; it will give you power only over the CNAME.

2- Step two, you put the root domain of the subdomain in that field to add a domain (the root domain).

3- Create the alias with the subdomain you found.

Once these three are done, then yes, you will have full control.

Important: if the first step does not work you will not be able to take over the subdomain completely.

@gonzxph

gonzxph commented Dec 12, 2022

How can i contact you bro? I have a question

@Kaue-Navarro

Yes, my contact on LinkedIn is Kauê Navarro

@FalcoXYZ

Just took over a Netlify app, can confirm this still works.

CNAME was set to: randomappname.netlify.com (it was .com, not .app)

Steps I took to take it over:

  1. I deployed a new app in Netlify with the Next.js template. (can be any template)
  2. Changed my app name to the one that was set as CNAME. In my example: randomappname
  3. Added an additional sub-domain under the "domain management" tab.
  4. This additional subdomain will be set as the "primary domain" and the Netlify domain will be "default subdomain"

@pdelteil
Contributor

> Just took over a Netlify app, can confirm this still works.
>
> CNAME was set to: randomappname.netlify.com (it was .com, not .app)
>
> Steps I took to take it over:
>
> 1. I deployed a new app in Netlify with the Next.js template. (can be any template)
>
> 2. Changed my app name to the one that was set as CNAME. In my example: randomappname
>
> 3. Added an additional sub-domain under the "domain management" tab.
>
> 4. This additional subdomain will be set as the "primary domain" and the Netlify domain will be "default subdomain"

This is not really accurate. You don't need to change the name of your app. Just add the vulnerable subdomain as a domain alias.

This is my example:

Vulnerable subdomain pretty.domain.com

Dig pretty.domain.com

;; ANSWER SECTION:
pretty.domain.com.	300	IN	CNAME	pretty-another.netlify.com.
pretty-another.netlify.com. 20	IN	A	52.X
pretty-another.netlify.com. 20	IN	A	177.Y

To take over this subdomain I just created an alias. You cannot accomplish the same with every vulnerable subdomain since it depends on some edge conditions (account deleted, etc).

@molitona

molitona commented Jan 3, 2023

Hi @Kaue-Navarro @pdelteil

I have a vulnerable subdomain that doesn't point to any CNAME; is it vulnerable to STO?

@molitona

molitona commented Jan 3, 2023

@Kaue-Navarro

Tried to put the CNAME itself in here and got "custom_domain has a reserved word"

(screenshot not included)

Tried to put the vulnerable subdomain and got "already used domain"

(screenshot not included)

Any help? Am I doing something wrong?

@Kaue-Navarro

If you can't get the first step, using the custom CNAME you found for the site you created, to work, I believe you won't be able to point to the main domain and create the subdomain;

which then in this case is not vulnerable.

@molitona

molitona commented Jan 4, 2023

> If you can't get the first step, using the custom CNAME you found for the site you created, to work, I believe you won't be able to point to the main domain and create the subdomain;
>
> which then in this case is not vulnerable.

Yep, I tried adding the CNAME when I created a project and uploaded it. Then it asked me to add a custom subdomain in the 2nd step and it said "custom domain has a reserved word" (1st picture) after I put the CNAME value. Am I correct in the steps but it's not vulnerable?

@alice12o1

Is it possible to take over a Netlify subdomain now?

@Sachin85y

> Is it possible to take over a Netlify subdomain now?

No brother, no way to take over now
