EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

GitHub.io Subdomain Takeover #68

Open jatoch opened 6 years ago

jatoch commented 6 years ago

I have found a subdomain sub.example.com, and the CNAME is pointing to 1234.github.io.

When navigating to sub.example.com, it shows the 404 error "There isn't a GitHub Pages site here."

So I created a GitHub page and added sub.example.com as the custom domain.

It then says that this CNAME has already been taken. Am I doing something wrong? Or is it not vulnerable?

EdOverflow commented 6 years ago

There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need to consider the two types of GitHub pages/subdomains:

  1. Username-based subdomains;
  2. Organisation-based subdomains.

As the names already state, the former is based on the GitHub user's handle (e.g. https://github.com/edoverflow ➞ edoverflow.github.io) and the latter is one that uses an organisation's handle (https://liberapay.com/liberapay ➞ liberapay.github.io).

With this in mind, it becomes a little easier to determine whether or not a page is vulnerable.

The following case is not vulnerable:

  • There is no index page (404), but there are subpages with content. So https://example.github.io/ might display a 404, but there is a repository somewhere serving content under https://example.github.io/foobar. This is why I would always recommend checking https://github.com/<name> to see if there are any indications as to where the user or organisation might be serving content from or using a simple Google Dork such as site:example.github.io to find hidden directories that have been crawled by Google.

The following cases are vulnerable:

  • There is no content being served on that GitHub host at all. This means that there is not a single repository that has claimed the GitHub page;
  • There is no account or organisation under https://github.com/<name>. You can sign up for an account or set up an organisation under that name and proceed to serve content on https://<name>.github.io/.

I hope this clears up any uncertainties when it comes to GitHub pages.
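The decision tree in the comment above, written out as a small triage function. This is an added example, not code from the can-i-take-over-xyz repository: the DNS lookup, the HTTP fetch of the github.io root and the profile check are assumed to have been done already, and their results are passed in as a constructed `Observation` so the example runs offline. Note that later replies in this thread revise the picture (the account name turns out not to matter for claiming a custom domain, and GitHub has since added DNS TXT verification), so treat the output as a hygiene signal for names in your own zone rather than a verdict.

```python
"""Triage a hostname whose CNAME points at *.github.io, following the checks in
the comment above. Added example, not code from the can-i-take-over-xyz repo."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Fingerprint string quoted in the thread for an unclaimed GitHub Pages host.
GITHUB_PAGES_FINGERPRINT = "There isn't a GitHub Pages site here."
# <handle>.github.io, where the handle follows GitHub's username rules
# (alphanumerics and single hyphens, at most 39 characters).
GITHUB_IO = re.compile(
    r"^(?P<handle>[a-z0-9](?:-?[a-z0-9]){0,38})\.github\.io\.?$", re.IGNORECASE)


@dataclass
class Observation:
    """Facts gathered about one hostname (constructed inline below, not real lookups)."""
    cname_target: Optional[str]      # rdata of the host's CNAME, None if absent
    root_body: Optional[str]         # body of https://<handle>.github.io/, None if unreachable
    known_subpages: List[str] = field(default_factory=list)  # paths found via site:<handle>.github.io
    account_exists: bool = True      # does https://github.com/<handle> exist


def github_handle(target: str) -> Optional[str]:
    """Return the lower-cased GitHub handle from a *.github.io name, else None."""
    m = GITHUB_IO.match(target.strip())
    return m.group("handle").lower() if m else None


def triage(obs: Observation) -> str:
    """Classify the hostname using the comment's decision tree."""
    handle = github_handle(obs.cname_target or "")
    if handle is None:
        return "not-github-pages"
    # Second vulnerable case in the comment: nobody owns the handle at all.
    if not obs.account_exists:
        return "dangling: github.io handle unregistered"
    if obs.root_body is None:
        return "inconclusive: root unreachable"
    if GITHUB_PAGES_FINGERPRINT not in obs.root_body:
        return "ok: root page serves content"
    # The not-vulnerable case: root is a 404 but a repository serves a subpath,
    # so the GitHub Pages host is claimed.
    if obs.known_subpages:
        return "ok: root is 404 but a repository serves subpaths"
    # First vulnerable case in the comment: nothing is served on that host.
    return "dangling: no repository claims the page"


if __name__ == "__main__":
    # Constructed observations for hypothetical names, not real lookups.
    samples = {
        "a.example.test": Observation("edoverflow.github.io", "<html>hello</html>"),
        "b.example.test": Observation("example.github.io", GITHUB_PAGES_FINGERPRINT, ["/foobar"]),
        "c.example.test": Observation("example.github.io", GITHUB_PAGES_FINGERPRINT),
        "d.example.test": Observation("nosuch.github.io", None, [], account_exists=False),
    }
    for host, obs in samples.items():
        print(f"{host:16} {triage(obs)}")
```

In practice you would populate `Observation` from `dig <host> CNAME`, a GET of the github.io root, a `site:<handle>.github.io` search or the account's repository list, and a HEAD of `https://github.com/<handle>`; the function deliberately keeps that I/O outside so the classification itself can be unit-tested.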

Phoenix1112 commented 4 years ago

@EdOverflow I'm trying to create a test environment for myself. I created a GitHub repo and created a simple index.html file. Then I created a site with the .io extension. I had previously purchased a domain with a .com extension. I added the subdomain address I created with GitHub to my domain name as a CNAME record.

example:

dig cname www.guidebookdemo.com

www.guidebookdemo.com cname phoenix1112.github.io

You can see that my username is used as the subdomain in the site address I created for GitHub (phoenix1112).

Now, if the phoenix1112.github.io address was unavailable, how would we get the phoenix1112 username to get this GitHub address? If the username is used for the subdomain name, how do we get someone else's username?

EdOverflow commented 4 years ago

You would have to hope that the user — phoenix1112 in your example — deletes their account so that you can then claim that username. There is no other way around it as far as I know.

Phoenix1112 commented 4 years ago

@EdOverflow I did the takeover now... the username does not matter... I tested it...

dig cname www.guidebookdemo.com

www.guidebookdemo.com CNAME phoenix1112.github.io

I deleted the files I had created at phoenix1112.github.io. I created a repo with another user, entered www.guidebookdemo.com as the site name, and created an index.htm file.

After 10 minutes, when I opened www.guidebookdemo.com, my index.html file started to appear. Although I am not the phoenix1112 user, I did take over www.guidebookdemo.com.

EdOverflow commented 4 years ago

Actually, now that I think of it, I have submitted two subdomain takeovers using the exact process you described above roughly two years ago. Silly me! :P

You are absolutely right, the username is not actually important. Thank you for double-checking this, @Phoenix1112.

melardev commented 4 years ago

Actually, I don't even think the name of the repo matters: just create any repo, go to the settings of that repo, enable GitHub Pages and add your custom domain there. Reply to me if you think I am wrong.

Update: but I also had issues with "CNAME has already been taken", even though the page was showing the fingerprint message. I don't know why ;O

Shrimant12 commented 4 years ago

Check site:"target.github.io" and see whether you get the repo. In my case, it was also showing "There isn't a GitHub Pages site here", but when checked using site:"target.github.io", all the pages and everything were present. So this case is also not vulnerable.

7RUST commented 4 years ago

Website example.com has a CNAME pointing to example.github.io. There is still content on example.com, but when navigating to example.github.io it returns a 404. I tried to create a GitHub repo, but when trying to add the domain, it says the CNAME is already taken. I am kind of confused: if it is pointing to an unclaimed github.io domain, it should be vulnerable, right?

adityathebe commented 4 years ago

@saurabh96216 IIRC the CNAME is irrelevant as long as it is pointing to .github.io

mnijres commented 4 years ago

@EdOverflow Hi Ed, it seems GitHub is no longer vulnerable to subdomain takeover, since they add the account name before the subdomain that you are planning to take over. For example, if the subdomain supposed to be vulnerable is example.gitexample.com, when creating the page they add your GitHub name before the page name, like hxxps://mnijres.github.io/example.gitexample.com, since mnijres is my GitHub name.

mnijres commented 4 years ago

After testing 1,516,945 subdomains (including CloudFront, Fastly, GitHub.io, Tumblr, Shopify):

None of them are vulnerable to subdomain takeover anymore!

I will try my luck with something else.

cyberbharathi commented 3 years ago

There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need to consider the two types of GitHub pages/subdomains:

  1. Username-based subdomains;
  2. Organisation-based subdomains.

As the names already state, the former is based on the GitHub user's handle (e.g. https://github.com/edoverflow ➞ edoverflow.github.io) and the latter is one that uses an organisation's handle (https://liberapay.com/liberapay ➞ liberapay.github.io).

With this in mind, it becomes a little easier to determine whether or not a page is vulnerable.

The following case is not vulnerable:

  • There is no index page (404), but there are subpages with content. So https://example.github.io/ might display a 404, but there is a repository somewhere serving content under https://example.github.io/foobar. This is why I would always recommend checking https://github.com/<name> to see if there are any indications as to where the user or organisation might be serving content from or using a simple Google Dork such as site:example.github.io to find hidden directories that have been crawled by Google.

The following cases are vulnerable:

  • There is no content being served on that GitHub host at all. This means that there is not a single repository that has claimed the GitHub page;
  • There is no account or organisation under https://github.com/<name>. You can sign up for an account or set up an organisation under that name and proceed to serve content on https://<name>.github.io/.

I hope this clears up any uncertainties when it comes to GitHub pages.

Hello @EdOverflow, I have tried this same approach and my target is vulnerable to it. Can I report it to the vendor as a GitHub subdomain takeover? Would it be a valid issue?

sa1tama0 commented 1 year ago

:warning::warning: GitHub's pages are now secure and no longer vulnerable. :warning::warning: GitHub has implemented DNS verification to confirm the legitimacy of domains.

molitona commented 1 year ago

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️ GitHub has implemented DNS verification to confirm the legitimacy of domains.

I confirm it.

akincibor commented 1 year ago

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

molitona commented 1 year ago

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

What did you do?

akincibor commented 1 year ago

Nothing special. But I tried more than 50 to find one vulnerable in the last 2 months. GitHub always asks for DNS TXT verification.

molitona commented 1 year ago

Ok, why didn't this one ask for verification?

Nothing special. But I tried more than 50 to find one vulnerable in the last 2 months. GitHub always asks for DNS TXT verification.

corneliusroemer commented 11 months ago

Currently live exploited vulnerability: https://turakhia.ucsd.edu

cyberduck404 commented 10 months ago

Currently live exploited vulnerability: https://turakhia.ucsd.edu

Details?

robertmathews commented 9 months ago

I saw a live subdomain name hijacked to point at GitHub Pages today.

First of all, here's a proof of concept: http://ftp.vidovi.ch. I do not own, nor am I associated with, vidovi.ch. I simply added it to my GitHub Pages account.

I was able to do this because:

  1. vidovi.ch has been legitimately configured to point at GitHub Pages:

    $ dig vidovi.ch
    ...
    ;; ANSWER SECTION:
    vidovi.ch.      300 IN  A   185.199.111.153
    vidovi.ch.      300 IN  A   185.199.108.153
    vidovi.ch.      300 IN  A   185.199.109.153
    vidovi.ch.      300 IN  A   185.199.110.153
  2. vidovi.ch uses something like cPanel that creates a default CNAME record from ftp.vidovi.ch to the apex vidovi.ch, but doesn't delete that default record if you point the apex elsewhere:

    $ dig ftp.vidovi.ch CNAME
    ...
    ;; ANSWER SECTION:
    ftp.vidovi.ch.      300 IN  CNAME   vidovi.ch.
  3. The owner of vidovi.ch has (presumably) not followed the instructions on this page that say "Tip: We recommend verifying your custom domain prior to adding it to your repository, in order to improve security and avoid takeover attacks" (GitHub does not require this, unlike many companies).

  4. GitHub Pages considers ftp.vidovi.ch to be a different "site" than vidovi.ch or www.vidovi.ch, so anyone can "claim" it as I did.

The requirements for a site to be vulnerable are:

There are a large number of sites out there meeting these requirements. You can find them pretty easily by using any tool that shows you what domain names have the apex pointing at GitHub pages, then checking whether they have a CNAME subdomain like ftp. that points to the apex. You'll then find most of those haven't been verified/secured.

Bad actors are exploiting this in the wild (my colleague and I saw someone complaining about this happening to them -- their ftp subdomain was being used for advertising an online casino -- and helped them track down the cause).
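A zone-level audit for the pattern described in this comment: an apex whose A records are the GitHub Pages addresses, plus hosting-panel default CNAMEs (ftp., www.) that inherit it, none of which has been verified. This is an added example, not code from the thread or from the can-i-take-over-xyz project. It assumes the zone is available as dig-style "name TTL IN TYPE rdata" lines and, as a hypothetical choice for what "verified" means, looks for the `_github-pages-challenge-<handle>` TXT record described in GitHub's custom-domain documentation (the thread only says "DNS TXT verification"); the zone and token below are constructed. It also flags names that CNAME straight to a *.github.io host, the case discussed earlier in the thread.

```python
"""Audit a DNS zone for names that reach GitHub Pages without a verification
record. Added example, not code from this thread or the project."""
from collections import defaultdict
from typing import Dict, List, Tuple

# The four GitHub Pages apex addresses shown in the dig output above.
GITHUB_PAGES_IPS = {"185.199.108.153", "185.199.109.153",
                    "185.199.110.153", "185.199.111.153"}
# Verification TXT name prefix per GitHub's custom-domain docs (assumption, not from the thread).
CHALLENGE_PREFIX = "_github-pages-challenge-"

# Constructed zone: the apex is a verified GitHub Pages site, ftp/www are
# panel-default CNAMEs to the apex, blog points straight at *.github.io,
# api is unrelated. The TXT token is a placeholder.
SAMPLE_ZONE = """
example.test.        300 IN A     185.199.111.153
example.test.        300 IN A     185.199.108.153
example.test.        300 IN A     185.199.109.153
example.test.        300 IN A     185.199.110.153
www.example.test.    300 IN CNAME example.test.
ftp.example.test.    300 IN CNAME example.test.
blog.example.test.   300 IN CNAME someuser.github.io.
api.example.test.    300 IN A     203.0.113.10
_github-pages-challenge-someuser.example.test. 300 IN TXT "constructed-token"
"""

Zone = Dict[str, Dict[str, List[str]]]


def parse_zone(text: str) -> Zone:
    """Parse dig-style records into {name: {type: [rdata, ...]}}, trailing dots removed."""
    records: Zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[name.rstrip(".").lower()][rtype.upper()].append(rdata.strip().rstrip("."))
    return records


def resolve_target(records: Zone, name: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs inside the zone; returns (final name, chain) with a loop guard."""
    chain = [name]
    for _ in range(max_hops):
        cnames = records.get(name, {}).get("CNAME")
        if not cnames:
            break
        name = cnames[0].lower()
        if name in chain:
            break
        chain.append(name)
    return name, chain


def lands_on_github_pages(records: Zone, name: str) -> bool:
    """True if the name ends (after CNAME chasing) at *.github.io or at an A set
    made up entirely of GitHub Pages addresses."""
    final, _ = resolve_target(records, name)
    if final.endswith(".github.io"):
        return True
    addrs = set(records.get(final, {}).get("A", []))
    return bool(addrs) and addrs <= GITHUB_PAGES_IPS


def is_verified(records: Zone, name: str) -> bool:
    """True if a _github-pages-challenge-<handle> TXT exists directly under this name."""
    suffix = "." + name
    for rr in list(records):
        if not rr.endswith(suffix) or "TXT" not in records[rr]:
            continue
        label = rr[:-len(suffix)]           # everything left of ".<name>"
        if label.startswith(CHALLENGE_PREFIX) and "." not in label:
            return True
    return False


def audit(zone_text: str) -> List[Tuple[str, str]]:
    """Return (name, CNAME chain) for every name that reaches GitHub Pages unverified."""
    records = parse_zone(zone_text)
    findings = []
    for name in sorted(records):
        if name.startswith(CHALLENGE_PREFIX):
            continue
        if lands_on_github_pages(records, name) and not is_verified(records, name):
            _, chain = resolve_target(records, name)
            findings.append((name, " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for name, chain in audit(SAMPLE_ZONE):
        print(f"unverified GitHub Pages name: {name}  ({chain})")
```

On the constructed zone the apex passes (it has its challenge record) while ftp., www. and blog. are reported; the fix on the owner's side is either to delete the stale default CNAMEs or to add each of those names to a GitHub Pages site and verify it, since GitHub treats each hostname as a separate site.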