GitHub.io Subdomain Takeover #68
Comments
There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need to consider the two types of GitHub pages/subdomains:
As the names already state, the former is based on the GitHub user's handle (e.g. With this in mind, it becomes a little easier to determine whether or not a page is vulnerable. The following case is not vulnerable:
The following cases are vulnerable:
I hope this clears up any uncertainties when it comes to GitHub pages.
@EdOverflow I'm trying to create a test environment for myself. I created a GitHub repo and created a simple index.html file. Then I created a site with the extension .io. Example: dig cname www.guidebookdemo.com www.guidebookdemo.com cname phoenix1112.github.io You can see that my username is used as the subdomain address in the site address I created for GitHub (phoenix1112). Now, if the phoenix1112.github.io address was unavailable, how would we get the phoenix1112 username to get this GitHub address? If the username is used for the subdomain name, how do we get someone else's username?
You would have to hope that the user —
@EdOverflow I did takeover now... The username does not matter. I did test it. dig cname www.guidebookdemo.com www.guidebookdemo.com CNAME phoenix1112.github.io I deleted the files I created at phoenix1112.github.io. I created a repo with another user and wrote www.guidebookdemo.com in the site name, and I created an index.htm file. After 10 minutes, when I opened www.guidebookdemo.com, my index.html file started to appear. Although I am not the phoenix1112 user, I did takeover www.guidebookdemo.com.
Actually, now that I think of it, I have submitted two subdomain takeovers using the exact process you described above roughly two years ago. Silly me! :P You are absolutely right, the username is not actually important. Thank you for double-checking this, @Phoenix1112.
Actually, I don't even think the name of the repo matters. Just create any repo, go to the settings of that repo, enable GitHub Pages and add your custom domain there. Reply to me if you think I am wrong. Update: but I also had issues with "CNAME has already been taken." even though the page was showing the fingerprint message, I don't know why ;O
Check
Website name example.com pointing to CNAME example.github.io. Now there is still content on example.com, but when navigating to example.github.io it says a 404. I tried to create a GitHub repo, but when trying to add a domain, it says the CNAME is already taken. I am kind of confused, as if it is pointing to an unclaimed github.io domain, it should be vulnerable, right?
@saurabh96216 IIRC the CNAME is irrelevant as long as it is pointing to .github.io
@EdOverflow Hi Ed, it seems GitHub is no longer vulnerable to sub-domain takeover since they add the account name before the sub-domain that one is planning to take over.
After testing 1.516.945 sub-domains (including CloudFront, Fastly, GitHub.io, Tumblr, Shopify), none of them are vulnerable to sub-domain takeover anymore! I will try my luck with something else.
Hello @EdOverflow, I have tried this in a similar way and my target is vulnerable to it. Can I report it to the vendor as a GitHub subdomain takeover, and could it be a valid issue?
I thought GitHub was no longer vulnerable to STO, but actually I managed to take a subdomain.
What did you do?
Nothing special. But I tried more than 50 to find one vulnerable in the last 2 months. GitHub always asks for DNS TXT verification.
Ok, why didn't this ask for verification?
Currently live exploited vulnerability: https://turakhia.ucsd.edu
Details?
I saw a live subdomain name hijacked to point at GitHub Pages today. First of all, here's a proof of concept: http://ftp.vidovi.ch. I do not own, nor am I associated with, I was able to do this because:
The requirements for a site to be vulnerable are:
There are a large number of sites out there meeting these requirements. You can find them pretty easily by using any tool that shows you what domain names have the apex pointing at GitHub pages, then checking whether they have a CNAME subdomain like Bad actors are exploiting this in the wild (my colleague and I saw someone complaining about this happening to them -- their
I have found a subdomain sub.example.com
And the CNAME is pointing to 1234.github.io
When navigating to sub.example.com
It will show the 404 error
There isn't a GitHub Pages site here.
So I created a GitHub page and added sub.example.com as the custom domain.
And it will say that this CNAME has already been taken.
Am I doing something wrong? Or is it not vulnerable?
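The checks this thread keeps circling back to (a dig CNAME lookup, a target under *.github.io, the "There isn't a GitHub Pages site here." 404, and GitHub's DNS TXT verification), assembled into a defender-side triage script. This is an added example, not code from the thread or from GitHub; the sample hosts and bodies are constructed, and the `_github-pages-challenge-` TXT record name prefix is assumed from GitHub's domain-verification documentation.

```python
import re
from dataclasses import dataclass

# Error page GitHub Pages serves for a custom domain no repository currently claims
# (the message quoted in the thread above).
UNCLAIMED_FINGERPRINT = "There isn't a GitHub Pages site here."
GH_PAGES_RE = re.compile(r"\.github\.io$", re.IGNORECASE)
# Name prefix of GitHub's domain-verification TXT record (assumed from GitHub's docs).
VERIFY_TXT_PREFIX = "_github-pages-challenge-"

@dataclass
class Finding:
    host: str
    cname: str  # None when the host has no CNAME
    status: str  # not-github-pages | verified | dangling | claimed
    note: str

def parse_dig_cname(dig_output: str) -> dict:
    """Map host -> CNAME target, accepting both the short form pasted in the thread
    ('www.guidebookdemo.com cname phoenix1112.github.io') and dig's full
    'sub.example.com. 300 IN CNAME 1234.github.io.' answer line."""
    mapping = {}
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-2].upper() == "CNAME":
            mapping[parts[0].rstrip(".").lower()] = parts[-1].rstrip(".").lower()
    return mapping

def triage(host: str, cname, body: str, txt_names=()) -> Finding:
    """Classify one host. The account label inside the CNAME gives no protection,
    as the thread found: any account can claim an unverified custom domain."""
    if not cname or not GH_PAGES_RE.search(cname):
        return Finding(host, cname, "not-github-pages", "CNAME does not point at *.github.io")
    if any(n.lower().startswith(VERIFY_TXT_PREFIX) for n in txt_names):
        return Finding(host, cname, "verified", "domain tied to an account; other claims are refused")
    if UNCLAIMED_FINGERPRINT in body:
        return Finding(host, cname, "dangling", f"unclaimed: delete the record or repoint {host}")
    return Finding(host, cname, "claimed", "serving content; confirm the publishing repo is yours")

# Constructed sample input (not real scan data): dig answers plus fetched HTML bodies.
SAMPLE_DIG = ("www.guidebookdemo.com cname phoenix1112.github.io\n"
              "sub.example.com. 300 IN CNAME 1234.github.io.\n"
              "cdn.example.com. 300 IN CNAME d111111abcdef8.cloudfront.net.\n")
SAMPLE_BODIES = {"www.guidebookdemo.com": "<html>Welcome to the guidebook</html>",
                 "sub.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
                 "cdn.example.com": "<html>ok</html>"}

def run(dig_output=SAMPLE_DIG, bodies=SAMPLE_BODIES, txt_names=()) -> dict:
    cnames = parse_dig_cname(dig_output)
    return {h: triage(h, cnames.get(h), bodies.get(h, ""), txt_names) for h in bodies}
```

A "dangling" result is the state the thread's posters describe (CNAME to *.github.io plus the 404 fingerprint) and is the record to delete or repoint; "verified" reflects the TXT verification later posters ran into, which is also the mitigation to put in place for domains you keep pointed at Pages.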