A List Of Services & How To Claim Subdomain With Dangling DNS Records

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted.

This allows an attacker to set up a page on the service that was being used and point their page to that subdomain.

For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

Safely Demonstrating A Subdomain Takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!– PoC by username –>

Also Read – Diaphora : Most Advanced Free & Open Source Program Diffing Tool

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program’s security policy and/or request clarifications from the team behind the program.

How To Contribute?

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26.

All Entries

EngineStatusFingerprintDiscussionDocumentation
AkamaiNot vulnerableIssue #13
AWS/S3VulnerableThe specified bucket does not existIssue #36
BitbucketVulnerableRepository not found
Campaign MonitorVulnerable‘Trying to access your account?’Support Page
Cargo CollectiveVulnerable404 Not FoundCargo Support Page
CloudfrontNot vulnerableViewerCertificateExceptionIssue #29Domain Security on Amazon CloudFront
DeskNot vulnerablePlease try again or try Desk.com free for 14 days.Issue #9
FastlyEdge caseFastly error: unknown domain:Issue #22
FeedpressVulnerableThe feed has not been found.HackerOne #195350
Fly.ioVulnerable404 Not FoundIssue #101
FreshdeskNot vulnerableFreshdesk Support Page
GhostVulnerableThe thing you were looking for is no longer here, or never was
GithubVulnerableThere isn't a Github Pages site here.Issue #37Issue #68
GitlabNot vulnerableHackerOne #312118
Google Cloud StorageNot vulnerable
HatenaBlogvulnerable404 Blog is not found
Help JuiceVulnerableWe could not find what you're looking for.Help Juice Support Page
Help ScoutVulnerableNo settings were found for this company:HelpScout Docs
HerokuEdge caseNo such appIssue #38
IntercomVulnerableUh oh. That page doesn't exist.Issue #69Help center
JetBrainsVulnerableis not a registered InCloud YouTrackYouTrack InCloud Help Page
KinstaVulnerableNo Site For DomainIssue #48kinsta-add-domain
LaunchRockVulnerableIt looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.Issue #74
MasheryEdge CaseUnrecognized domainHackerOne #275714Issue #14
Microsoft AzureVulnerableIssue #35
NetlifyEdge CaseIssue #40
PantheonVulnerable404 error unknown site!Issue #24Pantheon-Sub-takeover
Readme.ioVulnerableProject doesnt exist... yet!Issue #41
SendgridNot vulnerable
ShopifyEdge CaseSorry, this shop is currently unavailable.Issue #32Issue #46Medium Article
SquarespaceNot vulnerable
StatuspageVulnerableVisiting the subdomain will redirect users to https://www.statuspage.io.PR #105Statuspage documentation
StrikinglyVulnerablepage not foundIssue #58Strikingly-Sub-takeover
Surge.shVulnerableproject not foundSurge Documentation
TumblrVulnerableWhatever you were looking for doesn't currently exist at this address
TildaEdge CasePlease renew your subscriptionPR #20
UnbounceNot vulnerableThe requested URL was not found on this server.Issue #11
UptimerobotVulnerablepage not foundIssue #45Uptimerobot-Sub-takeover
UserVoiceVulnerableThis UserVoice subdomain is currently available!
WebflowNot VulnerableIssue #44forum webflow
WordPressVulnerableDo you want to register *.wordpress.com?
WP EngineNot vulnerable
ZendeskNot VulnerableHelp Center ClosedIssue #23Zendesk Support

Disclaimer

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program’s sole discretion. On top of that, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.