anshumanbh / tko-subs

A tool that can help detect and takeover subdomains with dead DNS records
MIT License

Does it check for NXDOMAIN with any CNAMEs? #29

Closed anshumanbh closed 6 years ago

anshumanbh commented 6 years ago

Can tko-subs find cases like this one - https://0xpatrik.com/subdomain-takeover-starbucks-ii/?

mhmdiaa commented 6 years ago

That was the old behavior (before https://github.com/anshumanbh/tko-subs/pull/31), which caused a ton of false positives to be reported, where a target domain was pointing to a subdomain of a registered domain, which means it cannot be taken over. Now, tko-subs reports dead DNS records in only two cases:

  1. The CNAME's apex can be registered.
  2. The CNAME belongs to one of the known providers.

So to find cases like the one mentioned in the blog post, you need to add the provider (in this case trafficmanager.net) to providers-data.csv, and tko-subs will report vulnerable hosts pointing to this provider with the message "Can't CURL it but dig shows a dead DNS record".
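The two reporting cases described in the reply above, written out as an added Python example (tko-subs itself is a Go tool; this is not its code). The providers CSV, the DNS view standing in for dig, and the two-label apex heuristic are all constructed assumptions for the sake of an offline, runnable illustration.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed stand-in for providers-data.csv. Only a "name,cname" shape is
# assumed here; the real file's exact columns are not reproduced.
PROVIDERS_CSV = """name,cname
github,github.io
azure-trafficmanager,trafficmanager.net
heroku,herokuapp.com
"""

# Constructed stand-in for what dig reports. A name maps to its CNAME target,
# or to None when it resolves but has no CNAME. Names absent from the map are
# treated as NXDOMAIN (dead record / unregistered domain).
DNS_VIEW: Dict[str, Optional[str]] = {
    "shop.example.test": "shop-example.trafficmanager.net",   # dead, known provider
    "blog.example.test": "example-blog.legacyhost.test",      # dead, apex unregistered
    "old.example.test": "old.example.someregisteredhost.test",  # dead, but apex registered
    "docs.example.test": "docs.example.cdnvendor.test",       # target still resolves
    "docs.example.cdnvendor.test": None,
    "cdnvendor.test": None,
    "someregisteredhost.test": None,
    "trafficmanager.net": None,   # provider apex is registered, so case 1 cannot fire
}

def load_providers(text: str) -> List[str]:
    return [row["cname"].lower() for row in csv.DictReader(io.StringIO(text))]

def apex(fqdn: str) -> str:
    # Simplified: last two labels. A real check must consult the Public Suffix
    # List, otherwise names under multi-label suffixes (e.g. co.uk) are misjudged.
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def is_nxdomain(name: str, dns: Dict[str, Optional[str]]) -> bool:
    return name not in dns

def classify(host: str, dns: Dict[str, Optional[str]], providers: List[str]) -> Optional[str]:
    """Return the reason a host is reported, or None when it is not reported."""
    target = dns.get(host)
    if target is None:
        return None  # no CNAME to chain through (or the host itself is NXDOMAIN)
    target = target.lower()
    if not is_nxdomain(target, dns):
        return None  # CNAME target still resolves: the record is not dead
    if is_nxdomain(apex(target), dns):
        return "dead CNAME whose apex %s is unregistered" % apex(target)  # case 1
    if any(target == p or target.endswith("." + p) for p in providers):
        return "Can't CURL it but dig shows a dead DNS record"  # case 2
    return None  # dead, but apex registered and no known provider: the PR #31 false positive
```

Adding trafficmanager.net to the providers list is exactly what moves shop.example.test from the silent last branch into case 2.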