├── index.html ├── .github └── workflows │ └── static.yml └── detect-all-takovers.yaml /index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Subdomain Takeover - Proof of Concept 7 | 32 | 33 | 34 |
35 |

Subdomain Takeover - Proof of Concept

36 |

This subdomain is vulnerable to a subdomain takeover.

37 |

Proof of Control: If you can see this page, the takeover is successful!

38 |

Reported by: EslamMonex

39 |
40 | 41 | 42 | -------------------------------------------------------------------------------- /.github/workflows/static.yml: -------------------------------------------------------------------------------- 1 | # Simple workflow for deploying static content to GitHub Pages 2 | name: Deploy static content to Pages 3 | 4 | on: 5 | # Runs on pushes targeting the default branch 6 | push: 7 | branches: ["main"] 8 | 9 | # Allows you to run this workflow manually from the Actions tab 10 | workflow_dispatch: 11 | 12 | # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages 13 | permissions: 14 | contents: read 15 | pages: write 16 | id-token: write 17 | 18 | # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. 19 | # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. 20 | concurrency: 21 | group: "pages" 22 | cancel-in-progress: false 23 | 24 | jobs: 25 | # Single deploy job since we're just deploying 26 | deploy: 27 | environment: 28 | name: github-pages 29 | url: ${{ steps.deployment.outputs.page_url }} 30 | runs-on: ubuntu-latest 31 | steps: 32 | - name: Checkout 33 | uses: actions/checkout@v3 34 | - name: Setup Pages 35 | uses: actions/configure-pages@v3 36 | - name: Upload artifact 37 | uses: actions/upload-pages-artifact@v2 38 | with: 39 | # Upload entire repository 40 | path: '.' 41 | - name: Deploy to GitHub Pages 42 | id: deployment 43 | uses: actions/deploy-pages@v2 44 | -------------------------------------------------------------------------------- /detect-all-takovers.yaml: -------------------------------------------------------------------------------- 1 | id: detect-all-takeovers 2 | 3 | info: 4 | name: Subdomain Takeover Detection 5 | author: "melbadry9 & pxmme1337" 6 | severity: high 7 | 8 | # Update this list with new takeovers matchers 9 | # Do not delete other template files for takeover 10 | # https://github.com/EdOverflow/can-i-take-over-xyz 11 | # You need to claim the subdomain / CNAME of the subdomain to confirm the takeover. 12 | # Do not report subdomain takeover issues only based on detection. 13 | # Total number of services #71 14 | 15 | requests: 16 | - method: GET 17 | path: 18 | - "{{BaseURL}}/" 19 | matchers-condition: or 20 | 21 | matchers: 22 | - type: word 23 | name: acquia 24 | words: 25 | - If you are an Acquia Cloud customer and expect to see your site at this address 26 | - The site you are looking for could not be found. 27 | 28 | - type: word 29 | name: agilecrm 30 | words: 31 | - Sorry, this page is no longer available. 32 | 33 | - type: word 34 | name: airee 35 | words: 36 | - Ошибка 402. Сервис Айри.рф не оплачен 37 | 38 | - type: word 39 | name: aftership 40 | words: 41 | - Oops.

The page you're looking for doesn't 42 | exist. 43 | 44 | - type: word 45 | name: aha 46 | words: 47 | - There is no portal here ... sending you back to Aha! 48 | 49 | - type: word 50 | name: anima 51 | words: 52 | - "If this is your website and you've just created it, try refreshing in a minute" 53 | 54 | - type: word 55 | name: aws-bucket 56 | words: 57 | - "The specified bucket does not exist" 58 | 59 | - type: word 60 | name: bigcartel 61 | words: 62 | - "

Oops! We couldn’t find that page.

" 63 | 64 | - type: word 65 | name: bitbucket 66 | words: 67 | - The page you have requested does not exist 68 | - Repository not found 69 | 70 | - type: word 71 | name: brightcove 72 | words: 73 | - '

Error Code: 404

' 74 | 75 | - type: word 76 | name: campaignmonitor 77 | words: 78 | - "Trying to access your account?" 79 | - or 97 | - 404 Not Found
98 | 99 | - type: word 100 | name: fastly 101 | words: 102 | - "Fastly error: unknown domain:" 103 | 104 | - type: word 105 | name: feedpress 106 | words: 107 | - The feed has not been found. 108 | 109 | - type: word 110 | name: frontify 111 | words: 112 | - 404 - Page Not Found 113 | - Oops… looks like you got lost 114 | condition: and 115 | part: body 116 | 117 | - type: word 118 | name: gemfury 119 | words: 120 | - "404: This page could not be found." 121 | 122 | - type: word 123 | name: getresponse 124 | words: 125 | - With GetResponse Landing Pages, lead generation has never been easier 126 | 127 | - type: word 128 | name: ghost 129 | words: 130 | - The thing you were looking for is no longer here 131 | - The thing you were looking for is no longer here, or never was 132 | 133 | - type: word 134 | name: github 135 | words: 136 | - There isn't a GitHub Pages site here. 137 | - For root URLs (like http://example.com/) you must provide an index.html file 138 | 139 | - type: word 140 | name: hatenablog 141 | words: 142 | - 404 Blog is not found 143 | - Sorry, we can't find the page you're looking for. 144 | 145 | - type: word 146 | name: helpjuice 147 | words: 148 | - We could not find what you're looking for. 149 | 150 | - type: word 151 | name: helprace 152 | words: 153 | - Alias not configured! 154 | - Admin of this Helprace account needs to set up domain alias 155 | - "(see Step 2 here: Using your own domain with Helprace)." 156 | 157 | - type: word 158 | name: helpscout 159 | words: 160 | - "No settings were found for this company:" 161 | 162 | - type: word 163 | name: heroku 164 | words: 165 | - There's nothing here, yet. 166 | - herokucdn.com/error-pages/no-such-app.html 167 | - "No such app" 168 | 169 | - type: word 170 | name: hubspot 171 | words: 172 | - Domain not found 173 | - does not exist in our system 174 | 175 | - type: word 176 | name: intercom 177 | words: 178 | - This page is reserved for artistic dogs. 179 | -

Uh oh. That page doesn’t exist.

180 | 181 | - type: word 182 | name: jazzhr 183 | words: 184 | - This account no longer active 185 | 186 | - type: word 187 | name: jetbrains 188 | words: 189 | - is not a registered InCloud YouTrack. 190 | 191 | - type: word 192 | name: kinsta 193 | words: 194 | - No Site For Domain 195 | 196 | - type: word 197 | name: landingi 198 | words: 199 | - It looks like you're lost 200 | - The page you are looking for is not found 201 | 202 | - type: word 203 | name: launchrock 204 | words: 205 | - It looks like you may have taken a wrong turn somewhere. Don't worry...it happens 206 | to all of us. 207 | 208 | - type: word 209 | name: mashery 210 | words: 211 | - Unrecognized domain 212 | 213 | - type: word 214 | name: ngrok 215 | words: 216 | - ngrok.io not found 217 | - Tunnel *.ngrok.io not found 218 | 219 | - type: word 220 | name: pantheon.io 221 | words: 222 | - "The gods are wise, but do not know of the site which you seek." 223 | 224 | - type: word 225 | name: pingdom 226 | words: 227 | - Public Report Not Activated 228 | - This public report page has not been activated by the user 229 | 230 | - type: word 231 | name: proposify 232 | words: 233 | - If you need immediate assistance, please contact Error 404: Page Not Found" 287 | 288 | - type: word 289 | name: teamwork 290 | words: 291 | - Oops - We didn't find your site. 292 | 293 | - type: word 294 | name: thinkific 295 | words: 296 | - You may have mistyped the address or the page may have moved. 297 | 298 | - type: word 299 | name: tictail 300 | words: 301 | - Building a brand of your own? 302 | - 'to target URL: The page you are looking for doesn't exist or has been 345 | moved.

346 | 347 | - type: word 348 | name: wishpond 349 | words: 350 | - https://www.wishpond.com/404?campaign=true 351 | 352 | - type: word 353 | name: wordpress 354 | words: 355 | - Do you want to register 356 | 357 | - type: regex 358 | name: worksites 359 | regex: 360 | - "(?:Company Not Found|you’re looking for doesn’t exist)" 361 | 362 | - type: word 363 | name: wufoo 364 | words: 365 | - Profile not found 366 | - Hmmm....something is not right. 367 | 368 | - type: word 369 | name: zendesk 370 | words: 371 | - this help center no longer exists 372 | 373 | - type: word 374 | name: readthedocs 375 | words: 376 | - unknown to Read the Docs 377 | 378 | - type: word 379 | name: tilda 380 | words: 381 | - Please renew your subscription 382 | - Please go to the site settings and put the domain name in the Domain tab. 383 | 384 | - type: word 385 | name: smart-jobboard 386 | words: 387 | - This job board website is either expired or its domain name is invalid. 388 | --------------------------------------------------------------------------------