Closed PatrikHudak closed 5 years ago
Official GitHub Pages docs: https://help.github.com/articles/using-a-custom-domain-with-github-pages/
Closing as now available on main readme.
Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.
snapshot attached.
Is GitHub takeover still working for anyone?
Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.
snapshot attached.
Is GitHub takeover still working for anyone?
Facing the same issue.
Is it possible to takeover githubapp.com subdomains with github.io CNAME?
Hi @sumgr0
I'm not quite sure but you should be able to, because it's not allowed only in case of github.io, github.com, or github.page
as per official error I'm currently getting.
There isn't any such notice regarding githubapp.com
. So, I suppose you should be able to takeover if it's available.
For more you can head over to https://docs.github.com/articles/setting-up-your-pages-site-repository/
Hi @EdOverflow
I am trying to takeover subdomain
Github has started to appending the username to the github.io/
I have done something wrong or I think github pages are no longer vulnerable unless the user/organization have totally deleted their account.
CNAME already taken error occurs in once already created repo and attached cname, so as my understanding *.github.io is not available for takeover. https://github.community/t/the-cname-is-already-taken/149785
I was still able to takeover a domain
Still works. +1
Looks like it's kind of conditional because it can say that the domain is claimed
I was still able to takeover a domain
how you can takeover yet I have some of the vulnerable URLs, if you can help me..
There is a new beta feature, every custom domain need to be verified. So Github is no more vulnerable.
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?
I've experienced the same with Github takeovers in the last couple of days. Looks like github has implemented it across the board.
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?
I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification. Is there any way to takeover such a domain?
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo. Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?
I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification. Is there any way to takeover such a domain?
Then, it's not vulnerable.
:warning::warning: GitHub's pages are now secure and no longer vulnerable. :warning::warning: GitHub has implemented DNS verification to confirm the legitimacy of domains.
⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️ GitHub has implemented DNS verification to confirm the legitimacy of domains.
This does not apply to retrospective custom domains, right?
I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.
I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.
How?
What if there is a 404 no pages site here error, but the account that owns it still exists? like if example30.github.io would 404, but the example30 account still existed, would it be vulnerable?
I confirm that the vulnerability still exists, at least for domains without domain verification. Example: turakhia.ucsd.edu
Confirmed, still be vuln.
You must verify your domain dev-test.***** before you can use it. Check out https://docs.github.com/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages for more information.
Service name
GitHub Pages
Proof
GitHub uses virtual hosting identical to other cloud services. The site needs to be specified explicitly in domain settings. Step-by-step process:
For screenshots, please refer to https://0xpatrik.com/takeover-proofs/.
To verify:
(Note: DOMAIN NAME has to be the affected domain, not the
github.io
page itself. This is due to Host header forwarding which affects the HTTP response)Documentation
There is only one format of GitHub Pages domains:
please note that having CNAME to
github.io
itself can also lead to subdomain takeover.