EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

Subdomain takeover of Alibaba Cloud OSS #162

Open janthraper opened 4 years ago

janthraper commented 4 years ago

Alibaba Cloud OSS

A subdomain pointing to an unclaimed Alibaba OSS bucket via CNAME is vulnerable to takeover. The website will throw an error like this when the bucket doesn't exist.


Step-by-step process:

  1. Go to the OSS panel
  2. Click Create Bucket
  3. Set Bucket name to the source domain name (i.e., the domain you want to take over)
  4. Click OK to finish
  5. Open the created bucket (select Access Control List (ACL) as public)
  6. Go to Files and click Upload
  7. Select the file which will be used for the PoC (HTML or TXT file)
  8. Set the file ACL to public read

Verify by going to the subdomain.

Documentation

https://www.alibabacloud.com/help/doc-detail/31899.htm?spm=a2c63.p38356.879954.14.71cd374fq6kJ5W#concept-ars-bhz-5db

https://www.alibabacloud.com/help/doc-detail/31836.htm

https://partners-intl.aliyun.com/help/doc-detail/31902.htm
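A defender-side check for the condition described in this issue, added here as an example (it is not part of the issue or of the can-i-take-over-xyz project): it reconciles a zone export against the OSS buckets an account owns and flags CNAMEs whose bucket is missing from the inventory. The `<bucket>.oss-<region>.aliyuncs.com` endpoint shape, the sample zone and the bucket names are assumptions; the issue does not state the CNAME pattern.

```python
import re

# Assumption: public OSS endpoints look like <bucket>.oss-<region>.aliyuncs.com
OSS_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9])"
    r"\.oss-(?P<region>[a-z0-9-]+)\.aliyuncs\.com$"
)

# Constructed sample zone export and bucket inventory (not real data).
ZONE = """\
; constructed zone export for example.com
www        3600 IN CNAME example-web.oss-cn-hangzhou.aliyuncs.com.
assets     3600 IN CNAME example-assets.oss-ap-southeast-1.aliyuncs.com.
old-promo  3600 IN CNAME promo-2019.oss-cn-shanghai.aliyuncs.com.
blog       3600 IN CNAME example.github.io.
mail       3600 IN A     192.0.2.10
"""
OWNED = {"example-web", "example-assets"}


def parse_zone_cnames(zone_text):
    """Yield (record_name, target) for each CNAME line, ignoring comments."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "CNAME" in fields:
            i = fields.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()


def find_dangling_oss(zone_text, owned_buckets):
    """Return CNAMEs that point at an OSS bucket absent from the inventory."""
    owned = {b.lower() for b in owned_buckets}
    findings = []
    for name, target in parse_zone_cnames(zone_text):
        m = OSS_TARGET.match(target)
        if m and m["bucket"] not in owned:
            findings.append({"record": name, "target": target,
                             "bucket": m["bucket"], "region": m["region"]})
    return findings


if __name__ == "__main__":
    for f in find_dangling_oss(ZONE, OWNED):
        # Remediation: delete the DNS record or re-create the bucket you own.
        print(f"{f['record']}: CNAME -> {f['target']} (bucket not in inventory)")
```

Each flagged record should either be deleted from the zone or have its bucket re-created under the owning account.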

ravkishu commented 3 years ago

Hi @janthraper

I appreciate this research but can you please:

  1. Suggest the CNAME pattern in Alibaba Cloud that you're talking about
  2. A PoC will be much appreciated, if possible.