Subdomain Takeover
One of the easiest ways to spot a subdomain takeover vulnerability is by the error message.

A subdomain takeover occurs when a subdomain points, through a CNAME record, to another domain that no longer exists.
An attacker can then register the nonexistent domain, and the target subdomain will point to a domain the attacker controls.
A bunch of examples and walkthroughs on exploiting different providers:
GitHub Takeover

After we have an indicator that this site is vulnerable, we need to get the GitHub page the vulnerable subdomain is pointing to. We need this information so we can register the domain through GitHub.
Use the "dig" command to gather the DNS records of the vulnerable domain.
If the domain points to the GitHub page, try to register a domain on GitHub.
Steps to register a domain on GitHub:
Create a GitHub repo with the same name as the CNAME record.
Create an “index.html” file in the repo.
Set the repo as the main branch.
Set the custom domain to the target domain you are going after.
When you visit the target domain you should see the page you set up.
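The two signals described above (a CNAME whose target no longer exists, and the provider's error page) can be checked across a zone you own before anyone else finds them. This is an added example, not code from the original page; the function names, the sample dig output and the two stub callables are assumptions, and the GitHub Pages 404 string is the provider's known text rather than something quoted on this page.

```python
# GitHub Pages' 404 text for a hostname no site has claimed (not quoted on this page).
GITHUB_404 = "There isn't a GitHub Pages site here."

def parse_cnames(dig_output):
    """Return {name: target} from dig answer lines: name TTL class type rdata."""
    records = {}
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[3].upper() == "CNAME":
            records[fields[0].rstrip(".").lower()] = fields[4].rstrip(".").lower()
    return records

def audit(dig_output, resolves, fetch_body):
    """Label each CNAME 'dangling-dns', 'unclaimed-github-pages' or 'ok'."""
    findings = {}
    for name, target in parse_cnames(dig_output).items():
        if not resolves(target):
            # The CNAME target itself no longer exists in DNS.
            findings[name] = "dangling-dns"
        elif target.endswith(".github.io") and GITHUB_404 in fetch_body(name):
            # Target resolves, but the provider serves its "no site here" page.
            findings[name] = "unclaimed-github-pages"
        else:
            findings[name] = "ok"
    return findings

# Constructed sample data (example.com names only). Replace the two stubs with a
# real resolver and an HTTP GET when auditing a zone you own.
SAMPLE_DIG = """\
;; ANSWER SECTION:
www.example.com.   300 IN CNAME example-org.github.io.
docs.example.com.  300 IN CNAME example-docs.github.io.
shop.example.com.  300 IN CNAME old-store.example.net.
api.example.com.   300 IN A     192.0.2.10
"""
SAMPLE_RESOLVING = {"example-org.github.io", "example-docs.github.io"}
SAMPLE_BODIES = {
    "www.example.com": "<html><h1>Welcome</h1></html>",
    "docs.example.com": "<html><p>There isn't a GitHub Pages site here.</p></html>",
}

def demo():
    return audit(SAMPLE_DIG,
                 resolves=lambda host: host in SAMPLE_RESOLVING,
                 fetch_body=lambda host: SAMPLE_BODIES.get(host, ""))

if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host}: {verdict}")
```

Any record flagged by the audit should have its CNAME removed or repointed to a resource the organisation still controls.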