haccer / subjack

Subdomain Takeover tool written in Go
Apache License 2.0

Netlify False Positives #19

Closed AnotherWayIn closed 6 years ago

AnotherWayIn commented 6 years ago

Hey,

So I'm getting FPs for Netlify. The page content check is fine, but it doesn't seem to be looking for the netlify cname record. An example of one is: cds.ie1.twilio.com

Thanks

haccer commented 6 years ago

I see the issue,

Since -a ignores initial CNAME checks, subjack workflow went like this:

--

I just gave it the cname = true verification check, which for now just checks if there's a CNAME attached, not what the CNAME is. I was having some issues checking whether the CNAME specified is included into it. I'll work on the fine-tuning later tonight.

  {
    "service": "netlify",
    "cname": [
      "netlify.com"
    ],
    "fingerprint": [
      "Not Found"
    ],
    "verify": {
      "size": 9,
      "cname": true
    },
    "nxdomain": false
  },

--

➜  subjack git:(master) ✗ cat test.txt
netlify.cody.su
1512435609.cloud.vimeo.com
➜  subjack git:(master) ✗ ./sj -w test.txt -a
[NETLIFY] netlify.cody.su
➜  subjack git:(master) ✗
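
The CNAME verification step haccer describes above, as an added Go example that is not subjack's own code: a body-fingerprint hit ("Not Found") is only reported when the host's resolved CNAME chain actually ends in the provider domain listed in the fingerprint, which is what separates netlify.cody.su from the twilio hosts. The Fingerprint struct, classify, cnameMatches and the sample CNAME chains are all constructed here, not taken from the project.

```go
package main

import (
	"fmt"
	"strings"
)

// Fingerprint carries the fields of the netlify entry quoted in this thread.
type Fingerprint struct {
	Service     string
	CNAME       []string // provider domains the host's CNAME must end in
	Fingerprint []string // body strings that mark a dangling page
	VerifyCNAME bool     // the verify.cname flag from the thread
}

var netlify = Fingerprint{"netlify", []string{"netlify.com"}, []string{"Not Found"}, true}
// cnameMatches compares on label boundaries, so "notnetlify.com" is rejected.
func cnameMatches(target string, expected []string) bool {
	t := strings.ToLower(strings.TrimSuffix(target, "."))
	for _, e := range expected {
		e = strings.ToLower(strings.TrimSuffix(e, "."))
		if t == e || strings.HasSuffix(t, "."+e) {
			return true
		}
	}
	return false
}

// classify flags a host only if the body fingerprint matches and, with
// VerifyCNAME set, some record in its resolved CNAME chain hits fp.CNAME.
func classify(fp Fingerprint, body string, chain []string) bool {
	hit := false
	for _, f := range fp.Fingerprint {
		hit = hit || strings.Contains(body, f)
	}
	if !hit || !fp.VerifyCNAME {
		return hit
	}
	for _, c := range chain {
		if cnameMatches(c, fp.CNAME) {
			return true
		}
	}
	return false
}
func main() {
	// Constructed chains (not real DNS answers); both thread hosts return "Not Found".
	fmt.Println(classify(netlify, "Not Found", []string{"sites.netlify.com."})) // true
	fmt.Println(classify(netlify, "Not Found", []string{"cdn.example.net."}))   // false
}
```

In a real run the chain argument would come from net.LookupCNAME on the host being checked.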

AnotherWayIn commented 6 years ago

thanks :)

AnotherWayIn commented 6 years ago

Hi, I think this might have had a knock-on effect, as when I use the -a flag now I'm getting connection errors (and still FPs)

net.Error timeout=false, temp=true: read tcp 172.31.51.253:52974->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:52978->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:52984->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:52996->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:53010->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:53018->199.15.84.131:43: read: connection reset by peer
[NETLIFY] cds.ie1.twilio.com
[NETLIFY] cds.twilio.com
[NETLIFY] cds.us1.twilio.com
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57174->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57178->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57182->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57184->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57186->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57190->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57192->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57194->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57198->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57200->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57202->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57204->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57208->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57210->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57212->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:57214->199.15.84.131:43: read: connection reset by peer
net.Error timeout=false, temp=true: read tcp 172.31.51.253:44252->199.7.54.74:43: read: connection reset by peer

haccer commented 6 years ago

Hmm, yeah something must not be right. It was acting weird when I was trying to implement a fix. Going to reopen this issue. I’ll work on this some more Sunday.

AnotherWayIn commented 6 years ago

Also, when you attempt to add a custom domain on Netlify, they ask you to add a randomly-named cname record for them to verify. Because of this, it doesn't look like you can do takeovers anymore.

haccer commented 6 years ago

Thanks, going to remove it @AnotherWayIn