
GitHub.io Subdomain Takeover #68

Open
jatoch opened this issue Nov 17, 2018 · 22 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@jatoch

jatoch commented Nov 17, 2018

I have found a subdomain sub.example.com, and the CNAME is pointing to 1234.github.io.

When navigating to sub.example.com it will show the 404 error:
There isn't a GitHub Pages site here.

So I created a GitHub page and added sub.example.com as the custom domain.

And it will say that this CNAME has already been taken.
Am I doing something wrong? Or is it not vulnerable?

@EdOverflow
Owner

There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need to consider the two types of GitHub pages/subdomains:

  1. Username-based subdomains;
  2. Organisation-based subdomains.

As the names already state, the former is based on the GitHub user's handle (e.g. https://github.com/edoverflow ➞ edoverflow.github.io) and the latter is one that uses an organisation's handle (https://liberapay.com/liberapay ➞ liberapay.github.io).

With this in mind, it becomes a little easier to determine whether or not a page is vulnerable.

The following case is not vulnerable:

  • There is no index page (404), but there are subpages with content. So https://example.github.io/ might display a 404, but there is a repository somewhere serving content under https://example.github.io/foobar. This is why I would always recommend checking https://github.com/<name> to see if there are any indications as to where the user or organisation might be serving content from or using a simple Google Dork such as site:example.github.io to find hidden directories that have been crawled by Google.

The following cases are vulnerable:

  • There is no content being served on that GitHub host at all. This means that there is not a single repository that has claimed the GitHub page;
  • There is no account or organisation under https://github.com/<name>. You can sign up for an account or set up an organisation under that name and proceed to serve content on https://<name>.github.io/.

I hope this clears up any uncertainties when it comes to GitHub pages.
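The triage rules in this comment, written out as an added Python example (this is not code from the page or from the can-i-take-over-xyz project). The inputs are what you would collect by hand: the CNAME rdata from dig, the body of a GET to the root of the github.io host, whether https://github.com/<name> exists, and whether any path under <name>.github.io serves content (from the profile's repositories or a site:<name>.github.io search). The fingerprint string is the one quoted in the opening post; the sample response bodies are constructed. Later comments in this thread (Phoenix1112 on the account name, sa1tama0 on DNS verification) qualify these rules, so treat this as the triage logic as stated here.

```python
import re

# Error page text GitHub Pages returns for a hostname no site has claimed
# (the sentence quoted in the opening post of this thread).
GITHUB_PAGES_FINGERPRINT = "There isn't a GitHub Pages site here."

# Sample response bodies, constructed for this example.
SAMPLE_UNCLAIMED_BODY = (
    "<html><body><h1>404</h1>"
    "<p><strong>There isn't a GitHub Pages site here.</strong></p></body></html>"
)
SAMPLE_LIVE_BODY = "<html><body><h1>Welcome to the project site</h1></body></html>"


def github_pages_name(cname_target: str):
    """Return <name> if the CNAME target is <name>.github.io, else None.

    Only the account/organisation form is accepted; a target such as
    cdn.example.net (or a bare github.io) is not a GitHub Pages host.
    """
    target = cname_target.strip().lower().rstrip(".")
    m = re.fullmatch(r"([a-z0-9](?:[a-z0-9-]*[a-z0-9])?)\.github\.io", target)
    return m.group(1) if m else None


def has_fingerprint(body: str) -> bool:
    """True if the fetched root page carries the 'no site here' error text."""
    return GITHUB_PAGES_FINGERPRINT in body


def classify(cname_target: str, root_body: str,
             account_exists: bool, content_elsewhere: bool):
    """Apply the triage rules from the comment above.

    cname_target       rdata of the subdomain's CNAME (from dig)
    root_body          body of GET https://<name>.github.io/
    account_exists     whether https://github.com/<name> is a user or org
    content_elsewhere  whether any path under <name>.github.io serves content

    Returns (verdict, reason) with verdict in
    {"not-github-pages", "not-vulnerable", "vulnerable"}.
    """
    name = github_pages_name(cname_target)
    if name is None:
        return "not-github-pages", f"{cname_target} is not a <name>.github.io host"
    if not has_fingerprint(root_body):
        return "not-vulnerable", f"{name}.github.io already serves content at /"
    if not account_exists:
        return "vulnerable", (f"no account or organisation at github.com/{name}; "
                              "register that name and publish a Pages site")
    if content_elsewhere:
        return "not-vulnerable", (f"{name}.github.io has no index page but other "
                                  "repositories serve content under it")
    return "vulnerable", (f"{name}.github.io shows the error page and no "
                          "repository has claimed it")


if __name__ == "__main__":
    # Walk the outcomes with the constructed bodies above.
    cases = [
        ("1234.github.io", SAMPLE_UNCLAIMED_BODY, True, False),
        ("1234.github.io", SAMPLE_LIVE_BODY, True, False),
        ("1234.github.io", SAMPLE_UNCLAIMED_BODY, True, True),
        ("1234.github.io", SAMPLE_UNCLAIMED_BODY, False, False),
        ("cdn.example.net", SAMPLE_UNCLAIMED_BODY, False, False),
    ]
    for case in cases:
        print(case[0], "account:", case[2], "other content:", case[3],
              "->", classify(*case))
```

The fingerprint check alone is not a verdict: the same 404 body appears both for a host nobody has claimed and for an account that only publishes project sites under sub-paths, which is exactly the "not vulnerable" case above.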

EdOverflow added the "vulnerable" label on Nov 17, 2018
@Phoenix1112

@EdOverflow I'm trying to create a test environment for myself. I created a GitHub repo with a simple index.html file, then I created a site with the .io extension.
I had previously purchased a domain with a .com extension. I added the subdomain address I created with GitHub to my domain name as a CNAME record.

example:

dig cname www.guidebookdemo.com

www.guidebookdemo.com cname phoenix1112.github.io

You can see that my username is used as the subdomain in the site address I created for GitHub (phoenix1112).

Now, if the phoenix1112.github.io address was unavailable, how would we get the phoenix1112 username to obtain this GitHub address? If the username is used for the subdomain name, how do we get someone else's username?

@EdOverflow
Owner

You would have to hope that the user — phoenix1112 in your example — deletes their account so that you can then claim that username. There is no other way around it as far as I know.

@Phoenix1112

@EdOverflow I did the takeover now. The username does not matter; I tested it.

dig cname www.guidebookdemo.com

www.guidebookdemo.com CNAME phoenix1112.github.io

I deleted the files I created at phoenix1112.github.io. I created a repo with another user, wrote www.guidebookdemo.com in the site name, and created an index.html file.

After 10 minutes, when I opened www.guidebookdemo.com, my index.html file started to appear. Although I am not the phoenix1112 user, I did take over www.guidebookdemo.com.

@EdOverflow
Owner

Actually, now that I think of it, I have submitted two subdomain takeovers using the exact process you described above roughly two years ago. Silly me! :P

You are absolutely right, the username is not actually important. Thank you for double-checking this, @Phoenix1112.

@melardev

melardev commented Dec 19, 2019

Actually, I don't even think the name of the repo matters. Just create any repo, go to the settings of that repo, enable GitHub Pages and add your custom domain there. Reply to me if you think I am wrong.

Update: but I also had issues with "CNAME has already been taken." even though the page was showing the fingerprint message. I don't know why ;O

@Shrimant12

Check site:"target.github.io" and see whether you get the repo. In my case, it was also showing "There isn't a GitHub Pages site here." but when checked using site:"target.github.io" all the pages and everything were present. So this case is also not vulnerable.

@7RUST

7RUST commented Aug 21, 2020

Website example.com pointing to CNAME example.github.io. Now there is still content on example.com, but when navigating to example.github.io it says 404. I tried to create a GitHub repo, but when trying to add the domain, it says the CNAME is already taken. I am kind of confused: if it is pointing to an unclaimed github.io domain, it should be vulnerable, right?

@adityathebe

@saurabh96216 IIRC the CNAME is irrelevant as long as it is pointing to .github.io

@mnijres

mnijres commented Sep 1, 2020

@EdOverflow Hi Ed, it seems GitHub is no longer vulnerable to subdomain takeover since they add the account name before the subdomain you are planning to take over.
For example, the subdomain supposed to be vulnerable is example.gitexample.com.
When creating the page they add your GitHub name before the page name, like (hxxps://mnijres.github.io/example.gitexample.com), since mnijres is my GitHub name.

@mnijres

mnijres commented Sep 1, 2020

After testing 1,516,945 subdomains (including CloudFront, Fastly, GitHub.io, Tumblr, Shopify):

None of them are vulnerable to subdomain takeover anymore!

I will try my luck with something else.

@cyberbharathi

> [quotes @EdOverflow's comment above on the vulnerable and non-vulnerable cases]

Hello @EdOverflow, I have tried this in a similar way and my target is vulnerable to it. Can I report it to the vendor as a GitHub subdomain takeover, and would it be a valid issue?

@sa1tama0

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️
GitHub has implemented DNS verification to confirm the legitimacy of domains.


@molitona

molitona commented Jan 3, 2023

> ⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️ GitHub has implemented DNS verification to confirm the legitimacy of domains.

I confirm it.

@akincibor

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

@molitona

molitona commented Mar 6, 2023

> I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

What did you do?

@akincibor

Nothing special. But I tried more than 50 to find one vulnerable in the last 2 months. GitHub always asks for DNS TXT verification.

@molitona

molitona commented Mar 7, 2023 via email

@corneliusroemer

corneliusroemer commented Dec 20, 2023

Currently live exploited vulnerability: https://turakhia.ucsd.edu

@cyberduck404

> Currently live exploited vulnerability: https://turakhia.ucsd.edu

Details?

@robertmathews

I saw a live subdomain name hijacked to point at GitHub Pages today.

First of all, here's a proof of concept: http://ftp.vidovi.ch. I do not own, nor am I associated with, vidovi.ch. I simply added it to my GitHub Pages account.

I was able to do this because:

  1. vidovi.ch has been legitimately configured to point at GitHub Pages:

     $ dig vidovi.ch
     ...
     ;; ANSWER SECTION:
     vidovi.ch.      300 IN  A   185.199.111.153
     vidovi.ch.      300 IN  A   185.199.108.153
     vidovi.ch.      300 IN  A   185.199.109.153
     vidovi.ch.      300 IN  A   185.199.110.153

  2. vidovi.ch uses something like cPanel that creates a default CNAME record from ftp.vidovi.ch to the apex vidovi.ch, but doesn't delete that default record if you point the apex elsewhere:

     $ dig ftp.vidovi.ch CNAME
     ...
     ;; ANSWER SECTION:
     ftp.vidovi.ch.      300 IN  CNAME   vidovi.ch.

  3. The owner of vidovi.ch has (presumably) not followed the instructions on this page that say "Tip: We recommend verifying your custom domain prior to adding it to your repository, in order to improve security and avoid takeover attacks" (GitHub does not require this, unlike many companies).

  4. GitHub Pages considers ftp.vidovi.ch to be a different "site" than vidovi.ch or www.vidovi.ch, so anyone can "claim" it as I did.

The requirements for a site to be vulnerable are:

  • The apex has been pointed to GitHub Pages;
  • The site uses something like cPanel that leaves dangling CNAMEs like ftp. pointing to that apex;
  • The site owner has not followed the GitHub recommendation to "verify" the domain name with a TXT record to prevent other people from using subdomains.

There are a large number of sites out there meeting these requirements. You can find them pretty easily by using any tool that shows you what domain names have the apex pointing at GitHub pages, then checking whether they have a CNAME subdomain like ftp. that points to the apex. You'll then find most of those haven't been verified/secured.

Bad actors are exploiting this in the wild (my colleague and I saw someone complaining about this happening to them -- their ftp subdomain was being used for advertising an online casino -- and helped them track down the cause).
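The three requirements in this comment, checked offline as an added Python example (not GitHub's code and not part of the thread). It parses the ANSWER SECTION of dig output and evaluates, for one apex/subdomain pair, whether the apex A records are the GitHub Pages addresses quoted above, whether the subdomain is a CNAME to that apex, and whether a verification TXT record exists. The dig outputs are constructed to mirror the ones quoted above, with example.com standing in for the real apex. The challenge record name `_github-pages-challenge-<account>.<apex>` follows GitHub's custom-domain verification instructions; which account to query is something you have to establish separately (the owner's profile, the site's repository), so `someowner` in the sample is a placeholder.

```python
from dataclasses import dataclass

# The four A records GitHub Pages publishes for apex domains; they are the
# ones in the dig output quoted above.
GITHUB_PAGES_A = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}

# Sample dig output, constructed for this example to mirror the quoted one,
# with example.com standing in for the real apex.
APEX_DIG = """\
;; ANSWER SECTION:
example.com.      300 IN  A   185.199.111.153
example.com.      300 IN  A   185.199.108.153
example.com.      300 IN  A   185.199.109.153
example.com.      300 IN  A   185.199.110.153

;; Query time: 20 msec
"""
SUB_DIG = """\
;; ANSWER SECTION:
ftp.example.com.      300 IN  CNAME   example.com.
"""
# No verification record: dig answers NXDOMAIN with no ANSWER SECTION.
CHALLENGE_DIG_MISSING = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;_github-pages-challenge-someowner.example.com. IN TXT
"""
# Verified domain: the owner published the challenge TXT record (placeholder value).
CHALLENGE_DIG_PRESENT = """\
;; ANSWER SECTION:
_github-pages-challenge-someowner.example.com. 300 IN TXT "0123456789abcdef"
"""


def parse_answer_section(dig_output: str):
    """Return (owner, rrtype, rdata) tuples from the ANSWER SECTION of dig output."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False          # blank line or next section ends the answers
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rrtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records.append((owner.rstrip(".").lower(), rrtype, rdata.rstrip(".")))
    return records


@dataclass
class Assessment:
    apex_on_github_pages: bool      # requirement 1 from the comment
    sub_cnames_to_apex: bool        # requirement 2: dangling CNAME such as ftp.
    verification_txt_present: bool  # requirement 3 negated: owner verified the domain

    @property
    def claimable(self) -> bool:
        return (self.apex_on_github_pages
                and self.sub_cnames_to_apex
                and not self.verification_txt_present)


def assess(apex: str, sub: str, apex_dig: str, sub_dig: str, challenge_dig: str):
    """Evaluate the three requirements for one apex/subdomain pair.

    apex_dig       output of `dig <apex> A`
    sub_dig        output of `dig <sub> CNAME`
    challenge_dig  output of `dig _github-pages-challenge-<account>.<apex> TXT`
                   for the GitHub account you believe owns the apex site
    """
    apex = apex.lower().rstrip(".")
    sub = sub.lower().rstrip(".")
    a_rdata = {rd for own, t, rd in parse_answer_section(apex_dig)
               if own == apex and t == "A"}
    on_github = bool(a_rdata) and a_rdata <= GITHUB_PAGES_A
    cname_targets = {rd.lower() for own, t, rd in parse_answer_section(sub_dig)
                     if own == sub and t == "CNAME"}
    to_apex = apex in cname_targets
    txt = [r for r in parse_answer_section(challenge_dig)
           if r[1] == "TXT" and r[0].startswith("_github-pages-challenge-")
           and r[0].endswith("." + apex)]
    return Assessment(on_github, to_apex, bool(txt))


if __name__ == "__main__":
    unverified = assess("example.com", "ftp.example.com",
                        APEX_DIG, SUB_DIG, CHALLENGE_DIG_MISSING)
    verified = assess("example.com", "ftp.example.com",
                      APEX_DIG, SUB_DIG, CHALLENGE_DIG_PRESENT)
    print("unverified owner -> claimable:", unverified.claimable)  # True
    print("verified owner   -> claimable:", verified.claimable)    # False
```

On the defensive side the same check tells a domain owner what to fix: remove the default ftp./mail.-style CNAMEs that point at an apex now hosted on GitHub Pages, and publish the verification TXT record so that other accounts cannot add subdomains of that apex to their own Pages sites.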

16 participants