EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

Fastly Restrictions #22

Closed riramar closed 4 years ago

riramar commented 5 years ago

Fastly will work only in some specific situations. In some cases they validate the customer domain before assigning the fastly.net subdomain.

https://docs.fastly.com/guides/securing-communications/managing-domains-on-tls-certificates#verifying-domain-ownership

> Verifying domain ownership
>
> Any time you request addition of a domain to a certificate, you must verify you own the domain. This helps us ensure no one else is using your domain without your permission.

codingo commented 5 years ago

That certainly merits further investigation!

@EdOverflow I'm unable to look at this for a week, what's your capacity like? Happy for you to tag me on this if you're snowed under also.

Related to the work on #20 I think this should be done in a test cases and then added to the main readme.

JesseClarkND commented 5 years ago

Here is the verification screen and types. DNS, Email, or text file upload.

[image: fastly]

tolo7010 commented 5 years ago

Hi @EdOverflow ,

I've been confirmed on my last report that this is not a valid vulnerability. This is the default Fastly error message if you are visiting the sub-domain directly which is not the intended use case, since it is part of a redirect by the CDN.

Regards, tolo7010

sostoli commented 5 years ago

Hi @EdOverflow, Is it still possible to claim subdomain on Fastly?

Regards,

m7mdharoun commented 5 years ago

> Hi @EdOverflow, Is it still possible to claim subdomain on Fastly?
>
> Regards,

Yes Bro I do a Takeover last 2 days for a 4 domains.

sostoli commented 5 years ago

Hi bro. Is it possible to have the required steps?

On Mon, 29 Apr 2019 at 2:49 AM, m7mdharoun notifications@github.com wrote:

> > Hi @EdOverflow https://github.com/EdOverflow, Is it still possible to claim subdomain on Fastly?
> >
> > Regards,
>
> Yes Bro I do a Takeover last 2 days for a 4 domains.


n1ghtfox commented 5 years ago

Can someone post step by step subdomain takeover on fastly?

m7mdharoun commented 5 years ago

@n1ghtfox its simple and easy ..

1) create a new service ( ex: version 1) .
2) add subdomain or domain if accept to add your domain this mean you can takeover it then do the next steps.
3) then in the Origin Host add Your VPS ip without ssl if not include port 80.
4) Active your service ( version 1 )

if you don't want to wait to know if the domain connecting to vps or not .. You can check it directly by goto domains then near to domain name you will see Test Domain which will open a Link like this http://domain.com.global.prod.fastly.net and it will show your vps page. Sure you can wait 10 min to avoid doing this step :)

Kind Regards, Mohamed Haron.

n1ghtfox commented 5 years ago

Thanks, i could never register domain, so i thought there was other way around.

On Mon, May 13, 2019 at 9:05 PM m7mdharoun notifications@github.com wrote:

> @n1ghtfox https://github.com/n1ghtfox its simple and easy ..
>
> 1. create a new service ( ex: version 1) .
> 2. add subdomain or domain if accept to add your domain this mean you can takeover it then do the next steps.
> 3. then in the Origin Host add Your VPS ip without ssl if not include port 80.
> 4. Active your service ( version 1 )
>
> if you don't want to wait to know if the domain connecting to vps or not .. You can check it directly by goto domains then near to domain name you will see Test Domain which will open a Link like this http://domain.com.global.prod.fastly.net and it will show your vps page. Sure you can wait 10 min to avoid doing this step :)
>
> Kind Regards, Mohamed Haron.


venkatst commented 5 years ago

@m7mdharoun,

In 2nd point, you have mentioned add subdomain. This is victim subdomain right? And what if it gets rejected. Is there a way to control traffic like redirection?

n1ghtfox commented 5 years ago

i think i'm up to something can u help me out on fastly?

On Wed, May 22, 2019 at 6:21 PM venkatst notifications@github.com wrote:

> @m7mdharoun https://github.com/m7mdharoun,
>
> In 2nd point, you have mentioned add subdomain. This is victim subdomain right? And what if it get rejected. Is there a way to control traffic like redirection?


vaadata-thevenota commented 5 years ago

I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is.

DNS:

sub.staging.target.fr. CNAME target.map.fastly.net.
target.map.fastly.net.  A   151.101.xx.xxx

I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service.

m7mdharoun commented 5 years ago

@vaadataa I confirm this too last month I takeover 4 subdomains pointing to Fastly

Steps for takeover here Guys with video you can find it here https://www.mohamedharon.com/2019/06/can-i-takeover-xyz-steps.html

Dec0y-jb commented 4 years ago

This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:

Domain 'redacted.com' is already taken by another customer

Definitely an Edge Case.

theamanrawat commented 4 years ago

> This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned:
>
> Domain 'redacted.com' is already taken by another customer
>
> Definitely an Edge Case.

Yes I also got the same error

mouanime04 commented 4 years ago

> > This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned: Domain 'redacted.com' is already taken by another customer Definitely an Edge Case.
>
> Yes I also got the same error

me too same error any update ??

sumgr0 commented 4 years ago

> > > This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned: Domain 'redacted.com' is already taken by another customer Definitely an Edge Case.
> >
> > Yes I also got the same error
>
> me too same error any update ??

Yes, it's an edge case.

I was able to takeover a subdomain for a H1 program and was awarded bounty about a week back.

No1d3a commented 4 years ago

> > > This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned: Domain 'redacted.com' is already taken by another customer Definitely an Edge Case.
> >
> > Yes I also got the same error
>
> me to same error any update ??

The same error, Any updates!?

sumgr0 commented 4 years ago

Just for confirmation of how Fastly is still possible to takeover, check out www.litium.de. This shall confirm the edge scenario.

hetroublemaker commented 4 years ago

> > > > This doesn't work for me. If the tld is already registered - it's not possible. The following error is returned: Domain 'redacted.com' is already taken by another customer Definitely an Edge Case.
> > >
> > > Yes I also got the same error
> >
> > me to same error any update ??
>
> Yes, its an edge case.
>
> I was able to takeover a subdomain for a H1 program and was awarded bounty about a week back.

Any Updates got the same error!

ashhadali10 commented 4 years ago

is it possible that we can take over any vulnerable subdomain using fastly services or not or we use the different services which that domain use?

efkann commented 4 years ago

Hey, just used this method to takeover a subdomain and it worked. But still it's an edge case. In this one, the error was : "Fastly error: unknown domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala"

ankushgoel27 commented 4 years ago

i am getting the same error as above described by mefkan. "Fastly error: unknown domain: domainname.com. Please check that this domain has been added to a service. Details: cache-blalala". but still unable to add domain to fastly

I am getting error - domain "abc" is already taken by another customer. Am i doing something wrong here?

jojojump commented 4 years ago

Any Updates got the same error! I am getting error - domain "abc" is already taken by another customer

sumgr0 commented 4 years ago

This is still an edge case.

Got 2 takeovers during this week for the same program, so it’s still vulnerable but not every time.

On Sun, 8 Dec 2019 at 2:47 PM, bbbb notifications@github.com wrote:

> Any Updates got the same error! I am getting error - domain "abc" is already taken by another customer


-- Best, Sumit Grover

melardev commented 4 years ago

@sumgr0 For the same program? They were using two different domains in scope right? At this time fastly is checking the domain(example.com) given, if it is taken once you can't register any of the subdomains (ignorebyfastly.example.com) So a company is vulnerable only if they stop completely from using fastly for a whole domain.

sumgr0 commented 4 years ago

That’s right 2 different subdomains on the same program were covered by the scope.

On 08-Dec-2019, at 6:00 PM, MelarDev notifications@github.com wrote:

> @sumgr0 https://github.com/sumgr0 For the same program? They were using two different domains in scope right? At this time fastly is checking the domain(example.com) given if it is taken once you can't register any of the subdomains (ignorebyfastly.example.com) So a company is vulnerable only if they stop completely from using fastly for a whole domain.


melardev commented 4 years ago

@sumgr0 so you took over subdomain1.example.com and subdomain2.example.com ? Fastly UI says the opposite than you do, if you try to take subdomain1.example.com Fastly is only checking if example.com is taken, if it is you can't not register subdomain1.example.com nor subdomain2.example.com nor any other subdomain for that example.com, even if one of them is showing the fingerprint error message.

sumgr0 commented 4 years ago

I understand, and confirm it worked for this time and allowed. Also the reason, as mentioned by the program, they were in the process of decommissioning the Fastly service, while I took over the subdomains. I've had mostly the experience of it not working, but once or twice it worked. Maybe due to the way the account is configured by the programs (they may or may not be using wildcards).

Hence, it seems if the setup contains the wildcard entries, it does not allow to takeover any subdomain belonging to the program and gives out the error: domain "abc" is already taken by another customer. And works when they setup individual subdomains on the service.

Hopefully this helps.
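
Added example, not part of the original thread and not code from the repository or from Fastly: an offline audit a zone owner can run to list names that still resolve to Fastly while no domain entry on their own services claims them, the condition the comments above describe. The zone lines, the service domain list and all function names are constructed for illustration, and the single-label wildcard rule is an assumption.

```python
"""Offline audit of our own zone: which names resolve to Fastly but are not
claimed by any domain entry on our own Fastly services?"""

FASTLY_SUFFIX = ".fastly.net."  # CNAME targets quoted in this thread end in this

# Constructed zone export (name, type, value); not real records.
ZONE = """\
www.example.test.    CNAME  nonssl.global.fastly.net.
shop.example.test.   CNAME  www.example.test.
old.example.test.    CNAME  target.map.fastly.net.
dev.other.test.      CNAME  global.prod.fastly.net.
mail.example.test.   A      192.0.2.10
"""

# Constructed list of domain entries configured on our own Fastly services.
SERVICE_DOMAINS = ["www.example.test", "*.other.test"]

def fqdn(name):
    return name.lower().rstrip(".") + "."

def parse_zone(text):
    """Return {name: (rtype, value)} for three-column zone lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            name, rtype, value = parts
            rtype = rtype.upper()
            records[fqdn(name)] = (rtype, fqdn(value) if rtype == "CNAME" else value)
    return records

def resolve_chain(name, records):
    """Follow in-zone CNAMEs (loop-safe) and return the final target."""
    seen = set()
    while name not in seen and records.get(name, ("", ""))[0] == "CNAME":
        seen.add(name)
        name = records[name][1]
    return name

def is_claimed(name, service_domains):
    """Exact entry, or a wildcard entry one label above the name.
    Assumption: wildcards cover a single label, so doubtful names get flagged."""
    head, _, parent = fqdn(name).partition(".")
    entries = {fqdn(d) for d in service_domains}
    return fqdn(name) in entries or "*." + parent in entries

def dangling_fastly_names(zone_text, service_domains):
    records = parse_zone(zone_text)
    return [(n, resolve_chain(n, records)) for n in sorted(records)
            if records[n][0] == "CNAME"
            and resolve_chain(n, records).endswith(FASTLY_SUFFIX)
            and not is_claimed(n, service_domains)]
```

Each finding is a DNS record to delete, or a name to add back to a service, before Fastly is decommissioned for that domain.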

melardev commented 4 years ago

@sumgr0 Yes, it helps, thanks =)

arjunnkn commented 4 years ago

another corner case is :-

arjuns-MacBook-Air:domaintakeover arjunsharma$ dig elle.tw

; <<>> DiG 9.10.6 <<>> elle.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42494
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;elle.tw. IN A

;; ANSWER SECTION:
elle.tw. 86400 IN A 151.101.128.200
elle.tw. 86400 IN A 151.101.192.200
elle.tw. 86400 IN A 151.101.0.200
elle.tw. 86400 IN A 151.101.64.200

arjuns-MacBook-Air:domaintakeover arjunsharma$ dig www.elle.tw

; <<>> DiG 9.10.6 <<>> www.elle.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19199
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.elle.tw. IN A

;; ANSWER SECTION:
www.elle.tw. 80835 IN CNAME www.elle.com.tw.
www.elle.com.tw. 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
nonssl.global.fastly.net. 30 IN A 151.101.0.204
nonssl.global.fastly.net. 30 IN A 151.101.64.204
nonssl.global.fastly.net. 30 IN A 151.101.192.204

this kind of misconfigurations is also making services vulnerable

rsgian commented 4 years ago

> > Hi @EdOverflow, Is it still possible to claim subdomain on Fastly? Regards,
>
> Yes Bro I do a Takeover last 2 days for a 4 domains.

can you guide us how you did it

rsgian commented 4 years ago

can you guide us how you did it

m7mdharoun commented 4 years ago

here bro https://www.youtube.com/watch?v=9DYEg_j-_hw

rsgian commented 4 years ago

thanks very much

rsgian commented 4 years ago

Great PoC thanks for that I also follow you blog learned subdomain takeover through you blogs

> here bro https://www.youtube.com/watch?v=9DYEg_j-_hw

Great PoC thanks for that I also follow you blog learned subdomain takeover through you blogs and I guess the subdomain i was trying to takeover is not vulnerable becoz it says " domain is already took by another customer"

null406 commented 4 years ago

I'm facing now with this shit Domain 'blahblah.com' is already taken by another customer Can someone explain me how to fix this shit.

rsgian commented 4 years ago

The 'blahblah.com' is secured and not possible to take over

rishabsinghlogin commented 4 years ago

Is it still possible to claim subdomain on Fastly?

faeeq commented 3 years ago

I successfully claimed a domain But the link it is generating is Domain.com.fastly.net It should show only domain.com Or domain.com.fastly.net is also correct?

Bhargava-krishna commented 3 years ago

> @sumgr0 so you took over subdomain1.example.com and subdomain2.example.com ? Fastly UI says the opposite than you do, if you try to take subdomain1.example.com Fastly is only checking if example.com is taken, if it is you can't not register subdomain1.example.com nor subdomain2.example.com nor any other subdomain for that example.com, even if one of them is showing the fingerprint error message.

Is there any way to bypass this?

sumgr0 commented 3 years ago

Only if the parent domain is not registered with wildcard entry. I've not seen anymore cases with fastly service takeover.

theunited36 commented 3 years ago

It seems that it is not vulnerable because when we try takeover sub_1.test.com , it says that test.com is already registered.

arunrkamaraj commented 3 years ago

vikrams-MacBook-Air:domaintakeover arjunsharma$ dig https://critik.in/best-lip-balms-in-india/

; <<>> DiG 9.10.6 <<>> https://critik.in/best-lip-balms-in-india/
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19199
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;https://critik.in/best-lip-balms-in-india/ IN A

;; ANSWER SECTION:
https://critik.in/best-lip-balms-in-india/ 80835 IN CNAME https://critik.in/best-lip-balms-in-india/
https://critik.in/best-lip-balms-in-india/ 60 IN CNAME nonssl.global.fastly.net.
nonssl.global.fastly.net. 30 IN A 151.101.128.204
nonssl.global.fastly.net. 30 IN A 151.101.0.204
nonssl.global.fastly.net. 30 IN A 151.101.64.204
nonssl.global.fastly.net. 30 IN A 151.101.192.204

this kind of misconfigurations is also making services vulnerable

com0t commented 3 years ago

> I confirm that it is possible to take over a subdomain pointing at Fastly, not sure how much of an edge case it is.
>
> DNS:
>
> sub.staging.target.fr. CNAME target.map.fastly.net.
> target.map.fastly.net.    A   151.101.xx.xxx
>
> I was able to take over the subdomain by creating an account and specifying the subdomain in the domain configuration for a service.

hi @vaadataa how can i register map.fastly.net domain? Thank~

zkebami commented 3 years ago

can you tell me how because this is not working for me

lnlinh31 commented 3 years ago

@vaadataa how can i register map.fastly.net domain? Now i only get a *.global.prod.fastly.net domain

pdelteil commented 3 years ago

After testing many domains with the error page. I haven't found a way to take over the subdomains.

I think this has been fixed and not properly reported here.

Captain0X commented 2 years ago

[image] [image] [image]

who knows why i can't takeover this subdomain , is very sad~

vionde commented 2 years ago

Just made a takeover.

Target was test.target.com. CNAME to global.prod.fastly.net

When i open URL, it says Fastly error: unknown domain: test-example.s3.amazonaws.com. Please check that this domain has been added to a service. Details: cache-blalala

  1. Create new delivery service
  2. Name test-example.s3.amazonaws.com
  3. Host is my VPS

Worked