The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion. On top of that, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
You can read up more about subdomain takeovers here:
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
- https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
- https://0xpatrik.com/subdomain-takeover-ns/
Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.
I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.
You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.
A list of services that can be checked (although check for duplicates against this list first) can be found here: EdOverflow#26.
| Engine | Status | Fingerprint | Discussion | Documentation |
|---|---|---|---|---|
| Acquia | Not vulnerable | Web Site Not Found |
Issue #103 | |
| Agile CRM | Vulnerable | Sorry, this page is no longer available. |
Issue #145 | |
| Airee.ru | Vulnerable | Issue #104 | ||
| Anima | Vulnerable | If this is your website and you've just created it, try refreshing in a minute |
Issue #126 | Anima Documentation |
| Akamai | Not vulnerable | Issue #13 | ||
| AWS/S3 | Vulnerable | The specified bucket does not exist |
Issue #36 | |
| AWS/Load Balancer (ELB) | Not Vulnerable | status NXDOMAIN and CNAME pointing to XYZ.elb.amazonaws.com | Issue #137 | |
| AWS/Elastic Beanstalk | Vulnerable | 404 Not Found |
Issue #194 | |
| Bitbucket | Vulnerable | Repository not found |
||
| Campaign Monitor | Vulnerable | Trying to access your account? |
Issue #275 | Support Page |
| Cargo Collective | Vulnerable | 404 Not Found |
Issue #152 | Cargo Support Page |
| Cloudfront | Not vulnerable | ViewerCertificateException | Issue #29 | Domain Security on Amazon CloudFront |
| Desk | Not vulnerable | Please try again or try Desk.com free for 14 days. |
Issue #9 | |
| Digital Ocean | Vulnerable | Domain uses DO name servers with no records in DO. | ||
| Discourse | Vulnerable | Issue #49 | Hackerone | |
| Fastly | Not vulnerable | Fastly error: unknown domain: |
Issue #22 | |
| Feedpress | Not vulnerable | The feed has not been found. |
Issue #80 | |
| Firebase | Not vulnerable | Issue #128 | ||
| Fly.io | Vulnerable | 404 Not Found |
Issue #101 | |
| Freshdesk | Not vulnerable | We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signup |
Issue #214 | Freshdesk Support Page |
| Frontify | Edge case | 404 - Page Not Found Oops… looks like you got lost |
Issue #170 | |
| Gemfury | Vulnerable | 404: This page could not be found. |
Issue #154 | Article |
| Ghost | Vulnerable | The thing you were looking for is no longer here, or never was |
Issue #89 | |
| Github | Edge case | There isn't a GitHub Pages site here. |
Issue #37 Issue #68 | |
| Gitlab | Not vulnerable | HackerOne #312118 | ||
| Google Cloud Storage | Not vulnerable | NoSuchBucketThe specified bucket does not exist. |
||
| Google Sites | Not vulnerable | The requested URL was not found on this server. That’s all we know. |
Issue #277 | Google Support |
| HatenaBlog | vulnerable | 404 Blog is not found |
||
| Help Juice | Vulnerable | We could not find what you're looking for. |
Help Juice Support Page | |
| Help Scout | Vulnerable | No settings were found for this company: |
HelpScout Docs | |
| Heroku | Edge case | No such app |
Issue #38 | |
| HubSpot | Not vulnerable | This page isn't available |
Issue #59 | |
| Instapage | Not vulnerable | Issue #73 | ||
| Intercom | Vulnerable | Uh oh. That page doesn't exist. |
Issue #69 | Help center |
| JetBrains | Vulnerable | is not a registered InCloud YouTrack |
YouTrack InCloud Help Page | |
| Key CDN | Not vulnerable | Issue #112 | ||
| Kinsta | Vulnerable | No Site For Domain |
Issue #48 | kinsta-add-domain |
| Landingi | Edge case | It looks like you’re lost... |
Issue #117 | |
| LaunchRock | Vulnerable | It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. |
Issue #74 | |
| Mashery | Edge Case | Unrecognized domain |
HackerOne #275714, Issue #14 | |
| Mailchimp | Not Vulnerable | We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active. |
Discussion #250 | |
| Microsoft Azure | Vulnerable | Issue #35 | ||
| Netlify | Edge Case | Not Found - Request ID: |
Issue #40 | |
| Ngrok | Vulnerable | Tunnel *.ngrok.io not found |
Issue #92 | Ngrok Documentation |
| Pantheon | Vulnerable | 404 error unknown site! |
Issue #24 | Pantheon-Sub-takeover |
| Pingdom | Vulnerable | Sorry, couldn't find the status page |
Issue #144 | Support Page |
| Readme.io | Vulnerable | Project doesnt exist... yet! |
Issue #41 | |
| Sendgrid | Not vulnerable | |||
| Shopify | Edge Case | Sorry, this shop is currently unavailable. |
Issue #32, Issue #46 | Medium Article |
| Short.io | Vulnerable | Link does not exist |
Issue #260 | |
| SmartJobBoard | Vulnerable | This job board website is either expired or its domain name is invalid. |
Issue #139 | Support Page |
| Smartling | Edge Case | Domain is not configured |
Issue #67 | |
| Squarespace | Not vulnerable | |||
| Statuspage | Not Vulnerable | Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc |
PR #105 and PR #171 | Statuspage documentation |
| Strikingly | Vulnerable | page not found |
Issue #58 | Strikingly-Sub-takeover |
| Surge.sh | Vulnerable | project not found |
Surge Documentation | |
| SurveySparrow | Vulnerable | 'Ouch! Account not found' | Issue #281 | Custom domain |
| Tumblr | Edge Case | Whatever you were looking for doesn't currently exist at this address |
Issue #240 | Tumblr Custom Domains |
| Tilda | Edge Case | Please renew your subscription |
Issue #155PR #20 | |
| Uberflip | Vulnerable | Non-hub domain, The URL you've accessed does not provide a hub. |
Issue #150 | Uberflip Documentation |
| Unbounce | Not Vulnerable | The requested URL was not found on this server. |
Issue #11 | |
| Uptimerobot | Vulnerable | page not found |
Issue #45 | Uptimerobot-Sub-takeover |
| UserVoice | Not Vulnerable | This UserVoice subdomain is currently available! |
Issue #163 | |
| Vercel | Not Vulnerable | The deployment could not be found on Vercel.` | Issue #183 | |
| Webflow | Edge Case | The page you are looking for doesn't exist or has been moved. |
Issue #44 | forum webflow |
| Wix | Edge Case | Looks Like This Domain Isn't Connected To A Website Yet! |
Issue #231 | |
| Wordpress | Vulnerable | Redirects to https://wordpress.com/typo/?subdomain=<subdomain_prefix> // error page says *.wordpress.com doesn’t exist // error page says Warning! Domain mapping upgrade for this domain not found. |
PR #176 | More Info about deleted sites and Domain Mapping |
| Worksites | Vulnerable | Hello! Sorry, but the website you’re looking for doesn’t exist. |
Issue #142 | |
| WP Engine | Not vulnerable | |||
| Zendesk | Not vulnerable | Help Center Closed |
Issue #23 | Zendesk Support |