
can-i-take-over-xyz's Introduction


Disclaimer ⚠️

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion.

Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action.

Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the ongoing discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: #26.

All entries

Note: fingerprints.json is automatically updated based on the content of this table.

Column header definitions:

  • Engine: Name of service
  • Status: Whether the service is vulnerable
  • Verified by CI/CD: Whether automated fingerprint check is currently passing
  • Domains: Comma-separated domains (used for fingerprint auto-verification)
  • Fingerprint: Regex indicating vulnerable page (or NXDOMAIN, indicating non-existent DNS record)
  • Discussion: Link to issue on this repo for discussion
  • Documentation: Link to official documentation
| Engine | Status | Verified by CI/CD | Domains | Fingerprint | Discussion | Documentation |
|---|---|---|---|---|---|---|
| AWS/Elastic Beanstalk | Vulnerable | 🟩 | elasticbeanstalk.com | NXDOMAIN | Issue #194 | |
| AWS/Load Balancer (ELB) | Not vulnerable | 🟥 | elb.amazonaws.com | NXDOMAIN | Issue #137 | |
| AWS/S3 | Vulnerable | 🟩 | s3.amazonaws.com | The specified bucket does not exist | Issue #36 | |
| Acquia | Not vulnerable | 🟥 | | Web Site Not Found | Issue #103 | |
| Agile CRM | Vulnerable | 🟥 | agilecrm.com | Sorry, this page is no longer available. | Issue #145 | |
| Airee.ru | Vulnerable | 🟩 | airee.ru | Ошибка 402. Сервис Айри.рф не оплачен | Issue #104 | |
| Akamai | Not vulnerable | 🟥 | | | Issue #13 | |
| Anima | Vulnerable | 🟩 | animaapp.io | The page you were looking for does not exist. | Issue #126 | Anima Documentation |
| Bitbucket | Vulnerable | 🟩 | bitbucket.io | Repository not found | Issue #97 | |
| Campaign Monitor | Vulnerable | 🟥 | | Trying to access your account? | Issue #275 | Support Page |
| Canny | Vulnerable | 🟥 | | Company Not Found There is no such company. Did you enter the right URL? | Issue #114 | |
| Cargo Collective | Vulnerable | 🟥 | | 404 Not Found | Issue #152 | Cargo Support Page |
| Cloudfront | Not vulnerable | 🟥 | | ViewerCertificateException | Issue #29 | Domain Security on Amazon CloudFront |
| Desk | Not vulnerable | 🟥 | | Please try again or try Desk.com free for 14 days. | Issue #9 | |
| Digital Ocean | Vulnerable | 🟥 | | Domain uses DO name servers with no records in DO. | | |
| Discourse | Vulnerable | 🟩 | trydiscourse.com | NXDOMAIN | Issue #49 | Hackerone |
| Dreamhost | Not vulnerable | 🟥 | | Site Not Found Well, this is awkward. The site you're looking for is not here. | Issue #153, Issue #5 | |
| Fastly | Not vulnerable | 🟥 | | Fastly error: unknown domain: | Issue #22 | |
| Feedpress | Not vulnerable | 🟥 | | The feed has not been found. | Issue #80 | |
| Firebase | Not vulnerable | 🟥 | | | Issue #128 | |
| Fly.io | Not vulnerable | 🟥 | | 404 Not Found | Issue #101 | |
| Freshdesk | Not vulnerable | 🟥 | | We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signup | Issue #214 | Freshdesk Support Page |
| Frontify | Edge case | 🟥 | | 404 - Page Not Found Oops… looks like you got lost | Issue #170 | |
| Gemfury | Vulnerable | 🟩 | furyns.com | 404: This page could not be found. | Issue #154 | Article |
| Getresponse | Vulnerable | 🟥 | | With GetResponse Landing Pages, lead generation has never been easier | Issue #235 | |
| Ghost | Vulnerable | 🟥 | ghost.io | Site unavailable\.\|Failed to resolve DNS path for this host | Issue #89 | |
| Github | Edge case | 🟥 | | There isn't a GitHub Pages site here. | Issue #37, Issue #68 | |
| Gitlab | Not vulnerable | 🟥 | | | HackerOne #312118 | |
| Google Cloud Storage | Not vulnerable | 🟥 | | <?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message></Error> | | |
| Google Sites | Not vulnerable | 🟥 | | The requested URL was not found on this server. That's all we know. | Issue #277 | Google Support |
| HatenaBlog | Vulnerable | 🟩 | hatenablog.com | 404 Blog is not found | | |
| Help Juice | Vulnerable | 🟩 | helpjuice.com | We could not find what you're looking for. | | Help Juice Support Page |
| Help Scout | Vulnerable | 🟩 | helpscoutdocs.com | No settings were found for this company: | | HelpScout Docs |
| Helprace | Vulnerable | 🟩 | helprace.com | HTTP_STATUS=301 | Issue #115 | |
| Heroku | Edge case | 🟥 | | No such app | Issue #38 | |
| HubSpot | Not vulnerable | 🟥 | | This page isn't available | Issue #59 | |
| Instapage | Not vulnerable | 🟥 | | | Issue #73 | |
| Intercom | Edge case | 🟥 | | Uh oh. That page doesn't exist. | Issue #69 | Help center |
| JetBrains | Vulnerable | 🟥 | youtrack.cloud | is not a registered InCloud YouTrack | PR #107 | YouTrack InCloud Help Page |
| Key CDN | Not vulnerable | 🟥 | | | Issue #112 | |
| Kinsta | Not vulnerable | 🟥 | | No Site For Domain | Issue #48 | kinsta-add-domain |
| Landingi | Edge case | 🟥 | | It looks like you're lost... | Issue #117 | |
| LaunchRock | Vulnerable | 🟥 | launchrock.com | HTTP_STATUS=500 | Issue #74 | |
| Mailchimp | Not vulnerable | 🟥 | | We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active. | Discussion #250 | |
| Mashery | Edge case | 🟥 | | Unrecognized domain | Issue #14 | HackerOne |
| Microsoft Azure | Vulnerable | 🟩 | cloudapp.net, cloudapp.azure.com, azurewebsites.net, blob.core.windows.net, cloudapp.azure.com, azure-api.net, azurehdinsight.net, azureedge.net, azurecontainer.io, database.windows.net, azuredatalakestore.net, search.windows.net, azurecr.io, redis.cache.windows.net, azurehdinsight.net, servicebus.windows.net, visualstudio.com | NXDOMAIN | Issue #35 | |
| Netlify | Edge case | 🟥 | | Not Found - Request ID: | Issue #40 | |
| Ngrok | Vulnerable | 🟩 | ngrok.io | Tunnel .*.ngrok.io not found | Issue #92 | Ngrok Documentation |
| Pantheon | Vulnerable | 🟥 | | 404 error unknown site! | Issue #24 | Documentation, Pantheon-Sub-takeover |
| Pingdom | Vulnerable | 🟥 | | Sorry, couldn't find the status page | Issue #144 | Support Page |
| Readme.io | Vulnerable | 🟥 | readme.io | The creators of this project are still working on making everything perfect! | Issue #41 | |
| Readthedocs | Vulnerable | 🟥 | | The link you have followed or the URL that you entered does not exist. | Issue #160 | |
| Sendgrid | Not vulnerable | 🟥 | | | | |
| Shopify | Edge case | 🟥 | | Sorry, this shop is currently unavailable. | Issue #32, Issue #46 | Medium Article |
| Short.io | Vulnerable | 🟥 | | Link does not exist | Issue #260 | |
| SmartJobBoard | Vulnerable | 🟩 | 52.16.160.97 | This job board website is either expired or its domain name is invalid. | Issue #139 | Support Page |
| Smartling | Edge case | 🟥 | | Domain is not configured | Issue #67 | |
| Smugsmug | Vulnerable | 🟥 | | | Issue #60 | |
| Squarespace | Not vulnerable | 🟥 | | | | |
| Statuspage | Not vulnerable | 🟥 | | Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc | PR #105, PR #171 | Statuspage documentation |
| Strikingly | Vulnerable | 🟩 | s.strikinglydns.com | PAGE NOT FOUND. | Issue #58 | Strikingly-Sub-takeover |
| Surge.sh | Vulnerable | 🟩 | na-west1.surge.sh | project not found | Issue #198 | Surge Documentation |
| SurveySparrow | Vulnerable | 🟩 | surveysparrow.com | Account not found. | Issue #281 | Custom domain |
| Tilda | Edge case | 🟥 | | Please renew your subscription | Issue #155, PR #20 | |
| Tumblr | Edge case | 🟥 | | Whatever you were looking for doesn't currently exist at this address | Issue #240 | Tumblr Custom Domains |
| Uberflip | Vulnerable | 🟩 | read.uberflip.com | The URL you've accessed does not provide a hub. | Issue #150 | Uberflip Documentation |
| Unbounce | Not vulnerable | 🟥 | | The requested URL was not found on this server. | Issue #11 | |
| Uptimerobot | Vulnerable | 🟥 | stats.uptimerobot.com | page not found | Issue #45 | Uptimerobot-Sub-takeover |
| UserVoice | Not vulnerable | 🟥 | | This UserVoice subdomain is currently available! | Issue #163 | |
| Vercel | Edge case | 🟥 | https://nonexistent-example.vercel.com/ | DEPLOYMENT_NOT_FOUND. | Issue #183 | Adding & Configuring a Custom Domain |
| WP Engine | Not vulnerable | 🟥 | | | | |
| Webflow | Edge case | 🟥 | | The page you are looking for doesn't exist or has been moved. | Issue #44 | forum webflow |
| Wix | Edge case | 🟥 | | Looks Like This Domain Isn't Connected To A Website Yet! | Issue #231 | |
| Wordpress | Vulnerable | 🟩 | wordpress.com | Do you want to register .*.wordpress.com? | PR #176 | |
| Worksites | Vulnerable | 🟩 | worksites.net, 69.164.223.206 | Hello! Sorry, but the website you&rsquo;re looking for doesn&rsquo;t exist. | Issue #142 | |
| Zendesk | Not vulnerable | 🟥 | | Help Center Closed | Issue #23 | Zendesk Support |
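The table mixes three kinds of fingerprint (a regex over the response body, the literal NXDOMAIN for a DNS-level check, and HTTP_STATUS=NNN for a status-code check), and a fingerprint hit on a "Not vulnerable" service still means a dangling record. The following Python is an added example, not the project's fingerprints.json or any script from the repository: it applies a hand-copied subset of the table to constructed scan observations of a defender's own zone and produces a DNS-hygiene verdict per hostname. The table leaves Domains empty for Github and Cloudfront, so those suffixes are taken from the issues further down this page; all hostnames and CNAME targets are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries transcribed from the "All entries" table above (engine, status, domain
# suffixes, fingerprint). The project keeps the full list in fingerprints.json;
# this is a hand-copied subset for the example. Github and Cloudfront have no
# Domains value in the table, so their suffixes come from the issues on this page.
FINGERPRINTS = [
    {"engine": "AWS/S3", "status": "Vulnerable", "domains": ["s3.amazonaws.com"],
     "fingerprint": "The specified bucket does not exist"},
    {"engine": "Microsoft Azure", "status": "Vulnerable",
     "domains": ["cloudapp.net", "azurewebsites.net", "blob.core.windows.net"],
     "fingerprint": "NXDOMAIN"},
    {"engine": "Helprace", "status": "Vulnerable", "domains": ["helprace.com"],
     "fingerprint": "HTTP_STATUS=301"},
    {"engine": "Ghost", "status": "Vulnerable", "domains": ["ghost.io"],
     "fingerprint": r"Site unavailable\.|Failed to resolve DNS path for this host"},
    {"engine": "Github", "status": "Edge case", "domains": ["github.io"],
     "fingerprint": "There isn't a GitHub Pages site here."},
    {"engine": "Cloudfront", "status": "Not vulnerable", "domains": ["cloudfront.net"],
     "fingerprint": "ViewerCertificateException"},
]


@dataclass
class Observation:
    """What a scan of one of our own hostnames recorded (constructed offline here)."""
    hostname: str
    cname: Optional[str]        # final CNAME target, None if the name has no CNAME
    dns_status: str             # resolver RCODE for the hostname: NOERROR, NXDOMAIN, ...
    http_status: Optional[int]  # None when no HTTP response was obtained
    body: str                   # response body, "" when none


def matching_entries(cname: Optional[str]) -> List[dict]:
    """Entries whose Domains column matches the CNAME target exactly or as a suffix."""
    if not cname:
        return []
    host = cname.rstrip(".").lower()
    return [e for e in FINGERPRINTS
            if any(host == d or host.endswith("." + d) for d in e["domains"])]


def fingerprint_hit(entry: dict, obs: Observation) -> bool:
    """Apply one entry's fingerprint using the table's three conventions:
    literal NXDOMAIN (DNS check), HTTP_STATUS=NNN (status-code check),
    otherwise a regex searched in the response body."""
    fp = entry["fingerprint"]
    if fp == "NXDOMAIN":
        return obs.dns_status == "NXDOMAIN"
    if fp.startswith("HTTP_STATUS="):
        return obs.http_status == int(fp.split("=", 1)[1])
    return re.search(fp, obs.body) is not None


def assess(obs: Observation) -> Tuple[str, Optional[str]]:
    """Classify one hostname for a DNS hygiene report; returns (verdict, engine).

    A hit on a 'Not vulnerable' service still means the record is dangling and
    should be removed; it just cannot be claimed by a third party."""
    for entry in matching_entries(obs.cname):
        if not fingerprint_hit(entry, obs):
            continue
        if entry["status"] == "Vulnerable":
            return "DANGLING_CLAIMABLE", entry["engine"]
        if entry["status"] == "Edge case":
            return "DANGLING_VERIFY_MANUALLY", entry["engine"]
        return "DANGLING_NOT_CLAIMABLE", entry["engine"]
    return "NO_MATCH", None


# Constructed observations; none of these hostnames or targets are real findings.
SAMPLE_OBSERVATIONS = [
    Observation("assets.example.com", "old-assets.s3.amazonaws.com", "NOERROR", 404,
                "<Error><Code>NoSuchBucket</Code>"
                "<Message>The specified bucket does not exist</Message></Error>"),
    Observation("app.example.com", "retired-app.cloudapp.net.", "NXDOMAIN", None, ""),
    Observation("blog.example.com", "blog-example.ghost.io", "NOERROR", 404,
                "Failed to resolve DNS path for this host"),
    Observation("docs.example.com", "example-org.github.io", "NOERROR", 404,
                "<strong>There isn't a GitHub Pages site here.</strong>"),
    Observation("cdn.example.com", "d111111abcdef8.cloudfront.net", "NOERROR", 403,
                "<Error><Code>ViewerCertificateException</Code></Error>"),
    Observation("help.example.com", "example.helprace.com", "NOERROR", 301, ""),
    Observation("www.example.com", "www-example.edge.example-cdn.net", "NOERROR", 200,
                "<html>welcome</html>"),
    Observation("mail.example.com", None, "NOERROR", 200, "<html>ok</html>"),
]


def report(observations: List[Observation]) -> List[Tuple[str, str, Optional[str]]]:
    """Rows of (hostname, verdict, engine), one per observation."""
    return [(o.hostname, *assess(o)) for o in observations]


if __name__ == "__main__":
    for hostname, verdict, engine in report(SAMPLE_OBSERVATIONS):
        print(f"{hostname:22} {verdict:26} {engine or '-'}")
```

A suffix match alone is not a finding: a live bucket behind s3.amazonaws.com returns NO_MATCH because the body fingerprint is absent.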


can-i-take-over-xyz's Issues

Ask about response

Can a response like the one below be taken over?

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A 0day.xxxxx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12015
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;0day.xxxxx.com. IN A

;; AUTHORITY SECTION:
0day.xxxxx.com. 900 IN SOA ns-xxx.awsdns-61.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 62 msec
;; SERVER: 192.168.xx.xx#53(192.168.xx.xx)
;; WHEN: Fri Nov 23 18:53:17 DST 2018
;; MSG SIZE rcvd: 130

subdomain takeover at FeedPress not working

Service name: FeedPress

Documentation

Based on the information shared in the HackerOne report for a FeedPress-based subdomain, I was not able to take over the ownership. The error message on the URL stated:

FeedPress
The feed has not been found.
You have a blog or a website? Let us handle your RSS feeds.

After creating the account on FeedPress and trying to take over the subdomain by selecting My Hostname and entering the program's sub-domain, it results in the error message: "The hostname xyz.domain.com is already registered on FeedPress."

Is the sub-domain takeover possible in such a scenario?

Thanks

Microsoft Azure proofs

Service name

Microsoft Azure

Proof

There is no general approach for PoC. Microsoft Azure offers multiple services (CloudApp, Azure Websites, etc.) that use different domain names.

The general approach to verifying a subdomain takeover is to check whether the Azure domain responds with NXDOMAIN DNS status. This is (to my knowledge) the necessary condition of the domain; however, it is not sufficient. In other words, not all Azure domains which are used in some CNAME and respond with NXDOMAIN are vulnerable to subdomain takeover. I personally had a case where the Azure portal refused to create a domain even though it responded with NXDOMAIN.

Some H1 reports to prove this point:

As mentioned before, the PoC creation depends on the service in question, however, they generally tend to have similar workflows.

Documentation

These are the domains that are identified as vulnerable. Each of these is used for a particular Azure service:

  • *.cloudapp.net
  • *.cloudapp.azure.com
  • *.azurewebsites.net
  • *.blob.core.windows.net
  • *.cloudapp.azure.com
  • *.azure-api.net
  • *.azurehdinsight.net
  • *.azureedge.net
  • *.azurecontainer.io
  • *.database.windows.net
  • *.azuredatalakestore.net
  • *.search.windows.net
  • *.azurecr.io
  • *.redis.cache.windows.net
  • *.azurehdinsight.net
  • *.servicebus.windows.net
  • *.visualstudio.com

Subdomain Takeover through readme.io

readme.io is another service whose subdomains can be taken over if it says "Project doesnt exist... yet!". There's a sign-up button, and if someone signs up, then simply entering the domain name in the custom domain option can take it over.

Proof

I took over developer.bksah.com earlier, but didn't keep any PoC. But it looks the same as that, since readme.io-hosted sites are a subdomain of readme.io:

https://xyz124.readme.io/inactive

Documentation

https://readme.readme.io/docs/introduction

List of specific sub-domains seen as CNAMEs

Hi, I wanted to share a list of CNAMEs (or rather just substrings), seen for sub-domains from public BBPs/VDPs on various platforms that might indicate a takeover-able sub-domain. I created the list a few months ago (it might be dated) and never found time to utilize it further so I'm sharing it publicly as it might be helpful to extend what this repository covers:

  • .herokudns.com, .herokuapp.com, herokussl.com
  • .azurewebsites.net, .cloudapp.net, .azure-api.net, .trafficmanager.net, .azureedge.net, .cloudapp.azure.com
  • .cloudfront.net, .s3.amazonaws.com, .awsptr.com, .elasticbeanstalk.com,
  • .uservoice.com
  • unbouncepages.com
  • ghs.google.com, ghs.googlehosted.com, .ghs-ssl.googlehosted.com
  • .github.io, www.gitbooks.io
  • sendgrid.net
  • .feedpress.me
  • .fastly.net
  • .webflow.io, proxy.webflow.com
  • .helpscoutdocs.com
  • .readmessl.com
  • .desk.com
  • .zendesk.com
  • .mktoweb.com
  • .wordpress.com, .wpengine.com
  • .cloudflare.net
  • .netlify.com
  • .bydiscourse.com
  • .netdna-cdn.com
  • .pageserve.co
  • .pantheonsite.io
  • .arlo.co
  • .apigee.net
  • .pmail5.com
  • .cm-hosting.com
  • ext-cust.squarespace.com, ext.squarespace.com, www.squarespace6.com
  • .locationinsight.com
  • .helpsite.io
  • saas.moonami.com
  • custom.bnc.lt
  • .qualtrics.com
  • .dotcmscloud.net, .dotcmscloud.com
  • .knowledgeowl.com
  • .atlashost.eu
  • headwayapp.co
  • domain.pixieset.com
  • cname.bitly.com
  • .awmdm.com
  • .meteor.com
  • .postaffiliatepro.com, na.iso.postaffiliatepro.com
  • .copiny.com
  • .kxcdn.com
  • phs.getpostman.com
  • .appdirect.com
  • .streamshark.io

The ones below need an approved registration, a demo or similar stuff so it's hard to tell if they are takeover-able or not:

  • .ethosce.com
  • .custhelp.com
  • .onelink-translations.com
  • .mashery.com
  • .edgesuite.net
  • .akadns.net
  • .edgekey.net
  • akamaiedge.net
  • .edgekey-staging.net
  • .lldns.net
  • .edgecastcdn.net
  • centercode.com
  • .jivesoftware.com
  • .cvent.com
  • .covisint.com
  • .digitalrivercontent.net
  • .akahost.net
  • .connectedcommunity.org
  • .lithium.com
  • .sl.smartling.com
  • pfsweb.com
  • .bsd.net
  • .vovici.net
  • .extole.com
  • .ent-sessionm.com
  • .eloqua.com
  • .inscname.net
  • insnw.net
  • .2o7.net
  • .wnmh.net
  • .footprint.net
  • .llnwd.net
  • .cust.socrata.net
  • .scrool.se
  • .phenompeople.com
  • .investis.com
  • .skilljar.com
  • .imomentous.com
  • .cleverbridge.com
  • .insnw.net
  • sailthru.com
  • static.captora.com
  • .q4web.com
  • .omtrdc.net
  • .devzing.com
  • .pphosted.com
  • .securepromotion.com
  • .getbynder.com
  • .certain.com
  • .certainaws.com
  • .eds.com
  • .bluetie.com
  • .relayware.com
  • .yodlee.com
  • .mrooms.net
  • ssl.cdntwrk.com
  • secure.gooddata.com
  • .deltacdn.net
  • .happyfox.com
  • .proformaprostores.com
  • .yext-cdn.com
  • .edgecastdns.net
  • .ecdns.net

Have fun.

Shopify Real Check with REST API

Service name

Shopify

Proof

  1. Page must contain: Sorry, this shop is currently unavailable.
  2. CNAME must contain: myshopify.com or shops.myshopify.com
  3. REST API Query must answer with: "status":"available"

Please read the docs for more details.

Documentation

I wrote a long article and released a small script that performs three types of tests (page error message, CNAME and REST API query).
https://medium.com/@thebuckhacker/how-to-do-55-000-subdomain-takeover-in-a-blink-of-an-eye-a94954c3fc75
https://github.com/buckhacker/SubDomainTakeoverTools/blob/master/ShopifySubdomainTakeoverCheck.py

Distil Networks Portal Proof

Service name

Distil Networks Portal

Fingerprint

Requested Domain Unavailable

Documentation

  1. Log into your cPanel administrative portal.
  2. Select the DNS Zone Editor icon in the Domains section.
  3. Select the domain you are modifying from the drop-down box.
  4. Scroll down to the heading named Add DNS Record.
  5. In the Host Record field, enter your www.
  6. Set the TTL to 1 Minute.
  7. Select CNAME for your application from the drop-down labeled Type.
  8. In the Points To field, enter www.yourwebsite.com.distil.us
  9. Click Add Record.

Reference:

https://help.distilnetworks.com/hc/en-us/articles/216808648-Adding-Domains-and-Subdomains

Readme.io proofs

Service name

Readme.io (https://readme.io/)

Proof

The subdomains reside on *.readme.io. It is a classic virtual hosting scenario like in other similar services.

To verify whether subdomain takeover may be possible, run:

http -b GET http://{DOMAIN NAME} | grep -F -q "Project doesnt exist... yet!" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(Assuming you have Readme.io account created.)

  1. Go to the dashboard.
  2. Set Project Name and its subdomain. The subdomain does not need to match the domain you are trying to take over.
  3. In the left sidebar, go to General Settings -> Custom Domain.
  4. Set Custom domain to the domain you want to take over.
  5. Click Save.

Documentation

https://readme.readme.io/docs/setting-up-custom-domain

Mashery

Since the H1 report it's no longer possible to take over the domain.

subdomain takeover cloudfront

Service name

Hi, I check many sites daily for this security vulnerability and have extracted many subdomains, and while trying to register them there is a problem, as in the image of the solution.

Proof

Documentation

A simple opinion.

Hi.

I think it is good to mark "time" in the template.

Example) "Kinsta" service was added. But when?

So, I think it would be nice to add "time" to the "All entries" table.

By doing so, the newly added service can be confirmed intuitively.

Thanks.

No clarification of handling false positives

For some of the mentioned vendors, which I've had experience dealing with, there is no clarification to hackers using this list of where a false positive could occur.

In the instance of Unbounce for example, an empty Unbounce would in some cases yield the same response as a claimed one.

By suggesting to hackers that it is vulnerable to takeover but it requires a paid account, this could cause confusion and lead to some hackers reading this to just file a report whenever they see an Unbounce with nothing on the homepage.

While I mentioned the Unbounce issue specifically, it might be good to mention the "gotchas" with other vendors when claiming domains more clearly (like is done presently with Fastly, although I think it could be clearer than just a "yes"). This isn't clear to lesser experienced hackers and likely also won't be clear to security teams handling these bugs, and would likely prevent it being fuel for long debates between hackers and teams about whether x takeover is actually vulnerable if it was more honest with the shortcomings of exploiting with certain vendors.

Heroku proofs

Service name

Heroku

Proof

Heroku has the same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomains respond with the same set of A records. The HTTP Host header matters for correct domain resolution (as in other providers). There is also a possibility to upload your own certificate in order to work on a custom domain as well (e.g. GitHub Pages doesn't support this and thus you cannot have HTTPS enabled with a custom domain set).

Step-by-step:

  1. Open new Heroku app.
  2. Choose name and region (no effect on takeover).
  3. Push PoC application using git to Heroku. The process is described in Deploy tab.
  4. Switch to Settings tab.
  5. Scroll to Domains and certificates.
  6. Click Add domain.
  7. Provide the domain name you want to take over, click Save changes.
  8. It might take some time for settings to propagate.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(there is an iframe with the aforementioned URL present)

Documentation

There are three domains that Heroku uses:

  • *.herokudns.com
  • *.herokuapp.com
  • *.herokussl.com

At the moment, I can confirm proper working only on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated; however, old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.

Error of Cloudflare is vulnerable or Not

Can anyone guide me on whether it is vulnerable or not?
The CNAME is pointed to Cloudflare:
Web Page Blocked
Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.

Amazon S3 proofs

Service name

Amazon (AWS) S3

Proof

Amazon S3 service is indeed vulnerable. Amazon S3 follows pretty much the same concept of virtual hosting as other cloud providers. S3 buckets might be configured as website hosting to serve static content as web servers. If the canonical domain name has website in it, the S3 bucket is specified as Website hosting. I suspect that non-website and website configured buckets are handled by separate load balancers, and therefore they don't work with each other. The only difference will be in the bucket creation where correct website flag needs to be set if necessary. Step-by-step process:

  1. Go to S3 panel
  2. Click Create Bucket
  3. Set Bucket name to source domain name (i.e., the domain you want to take over)
  4. Click Next multiple times to finish
  5. Open the created bucket
  6. Click Upload
  7. Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
  8. In Permissions tab select Grant public read access to this object(s)
  9. After upload, select the file and click More -> Change metadata
  10. Click Add metadata, select Content-Type and value should reflect the type of document. If HTML, choose text/html, etc.
  11. (Optional) If the bucket was configured as a website
    1. Switch to Properties tab
    2. Click Static website hosting
    3. Select Use this bucket to host a website
    4. As an index, choose the file that you uploaded
    5. Click Save

To verify the domain, I run:

http -b GET http://{SOURCE DOMAIN NAME} | grep -E -q '<Code>NoSuchBucket</Code>|<li>Code: NoSuchBucket</li>' && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

Note that there are two possible error pages depending on the bucket settings (set as website hosting or not).

Some reports on H1, claiming S3 buckets:

Documentation

There are several formats of domains that Amazon uses for S3 (RegExp):

  • ^[a-z0-9\.\-]{0,63}\.?s3.amazonaws\.com$
  • ^[a-z0-9\.\-]{0,63}\.?s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws.com(\.cn)?$
  • ^[a-z0-9\.\-]{0,63}\.?s3[\.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws.com$
  • ^[a-z0-9\.\-]{0,63}\.?s3.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws.com$

Note that there are cases where only the raw domain (e.g. s3.amazon.com) is included in the CNAME and takeover is still possible.

(Documentation taken from https://0xpatrik.com/takeover-proofs/)

Interesting Find

Service name

AWS S3 && Fastly

I've come across a sub-domain with a CNAME pointing to Fastly.net service while the actual http fingerprint confirms the S3 bucket Not in Use.

Is there a possibility of takeover through an S3 bucket (which is not known) while the CNAME points to i2.shared.us-eu.fastly.net?

Subdomain takeover via LaunchRock

Service name

LaunchRock offers service to create marketing pages.

Proof

I was able to perform subdomain takeover in a private program on H1. The PoC cost me $9 to buy the Premium plan on the service (adding a custom subdomain is available only on the Premium plan). The issue was confirmed, fixed, and rewarded.

Documentation

String to determine subdomain takeover:

It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.

The vulnerable subdomain can be pointed to LaunchRock via CNAME (example.launchrock.com) or via the following A records:

54.243.190.28
54.243.190.39
54.243.190.47
54.243.190.54

If the above conditions are met, we can perform subdomain takeover by adding the vulnerable subdomain as a LaunchRock custom domain in the control panel.

Ability to inject custom JS

Yes, we can add arbitrary JavaScript through the control panel.

Last checked date

Dec 2018

Subdomain Takeover through ngrok

Service name

Ngrok allows you to expose a web server running on your local machine to the internet. Just tell ngrok what port your web server is listening on.

Proof

Visiting the subdomain from your browser will show an HTML page, as shown below:


Perform a dig or host command and you will see a CNAME record pointing to [CUSTOM].ngrok.io.

To perform the takeover:

  1. Make an account on https://ngrok.com/
  2. Link a credit card to your account and pay the $5/month. Otherwise, you are not allowed to make use of custom subdomains. Important to note: you will get a refund within 15 days.
  3. Follow the steps on https://dashboard.ngrok.com/get-started to link the binary to your account.
  4. Run the following command: ./ngrok http 80 -subdomain quikke. Note: quikke needs to be replaced with the value before .ngrok.io
  5. Visit the subdomain again:


The error message is basically saying that I do not have an HTTP service running on port 80 on my local machine.

Documentation

APIs Subdomain Takeover

Usually we see the Subdomain Takeover vulnerability affecting the front-end but I think APIs can also be affected.
For example, Apigee uses the same CNAME approach to set up an environment (e.g. https://docs-new.apigee.com/custom-domain). The problem is you need a paid Apigee account to create the custom domain.
Do you guys have any reference example or reference that Apigee APIs or any other vendor can be exploited?

Thanks!
Ricardo Iramar

subdomain Takeover through wordpress.com

Is this issue vulnerable or not?

(Warning! Domain mapping upgrade for this domain not found. Please log in and go to the Domains Upgrades page of your blog to use this domain.)

If vulnerable, then how do I take over through WordPress?

GitHub Pages proofs

Service name

GitHub Pages

Proof

GitHub uses virtual hosting identical to other cloud services. The site needs to be specified explicitly in domain settings. Step-by-step process:

  1. Go to new repository page
  2. Set Repository name to canonical domain name (i.e., {something}.github.io from CNAME record)
  3. Click Create repository
  4. Push content using git to a newly created repo. GitHub itself provides the steps to achieve it
  5. Switch to Settings tab
  6. In GitHub Pages section choose master branch as source
  7. Click Save
  8. After saving, set Custom domain to source domain name (i.e., the domain name which you want to take over)
  9. Click Save

For screenshots, please refer to https://0xpatrik.com/takeover-proofs/.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "<strong>There isn't a GitHub Pages site here.</strong>" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(Note: DOMAIN NAME has to be the affected domain, not the github.io page itself. This is due to Host header forwarding which affects the HTTP response)

Documentation

There is only one format of GitHub Pages domains:

  • *.github.io

Please note that having a CNAME to github.io itself can also lead to subdomain takeover.

Subdomain Takeover through Kinsta

Service name

Kinsta

Website

https://kinsta.com/

Credential


Condition

Subdomain takeover through Kinsta is possible, but for creating a PoC you need a paid account, because Kinsta needs a paid account for creating subdomains and using web hosting through Kinsta.

Akamai CDN irregular responses!

I found some subdomains that look like this:
Server: edgesuite and akadns (Akamai)
I found some different 404 responses for those subdomains that look like:

1> File not found.

2> Service Unavailable - DNS failure
The server is temporarily unable to service your request. Please try again later.

3> An error occurred while processing your request.

This is what I am getting from that Akamai CDN service, which is different from the last one:

Invalid URL
The requested URL "[no URL]", is invalid.

Does anyone know if this is vulnerable to a takeover?

Smartling Takeover

Service name

Smartling is a translation service.

Proof

If the vulnerable domain has a CNAME pointing to e.g. *.smartling.com - open that domain and check for the string:

"Domain is not configured"

This means it should be possible to take over.

Documentation

Problem here is I can't actually be sure this works. A couple of subdomain takeover tools mention this service as well as this fingerprint, but I can't actually look up any report or blog post specifying this. Furthermore, to have access to smartling it seems you actually have to go through a manual register / validation process (I might be wrong).

The best reference so far is actually the Smartling documentation here. Reading the article, it doesn't seem that any kind of ownership verification is done, so, in theory, it should be possible to just register a domain and complete the takeover.

If anyone can dig a bit more on this, that would be awesome.

CloudFront takeover is not possible anymore

AWS finally started mitigating subdomain takeovers on CloudFront. When you try to register an Alias (CNAME) for your CloudFront distribution, it refuses to do so if the DNS zone file has a CNAME to a different CloudFront domain.
This is a type of verification from CloudFront: you can't take over any subdomain, even when both HTTP and HTTPS (ports 80 and 443) show an error, if the DNS zone file has a CNAME to a different CloudFront domain.

So, from CloudFront: bye bye bug bounty.

When you try to take over the subdomain you will get this as a further alert!

Unsure about Akamai

There have been a few subdomains that I've come across now that look like this:
Server: AkamaiGHost
and the page will say:

Invalid URL
The requested URL "[no URL]", is invalid.

As far as I can tell, this message is coming from Akamai, I'm assuming from their CDN service unless they have others? Does anyone know if this is vulnerable to a takeover?

Subdomain Takeover Possible via Intercom Help Center

Intercom Help Center

Proof

If you get an error similar to this one that gives a 404 error, simply go to https://www.intercom.com/customer-support-software, create a new account, and buy the service or get a free demo for 14 days.

Then visit https://app.intercom.io/a/apps/pr1twx7u/articles/site/settings and add the subdomain that's giving the error in the custom domain field.

Turn on the Help Center and publish a test article as well, otherwise you won't be able to turn on the help center.

After you turn it on successfully you'll be the admin of the help center.

Documentation

https://www.intercom.com/help/

Thanks 😉

Cloudfront 502 error


Error showing

502 ERROR
The request could not be satisfied.
CloudFront wasn't able to connect to the origin.
If you received this error while trying to use an app or access a website, please contact the provider or website owner for assistance.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by following steps in the CloudFront documentation (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html).

Generated by cloudfront (CloudFront)
Request ID: xcB9zQ3IRZxqwgV5duuhW*****EVskahplQSTbcUuNjG86Pg==

When I used the dig command there was no CNAME to CloudFront.

On a 502 error it is not vulnerable to subdomain takeover.

GitHub.io Subdomain Takeover

I have found a subdomain sub.example.com
And the CNAME is pointing to 1234.github.io

When navigating to sub.example.com
It will show the 404 error
There isn't a GitHub Pages site here.

So I created a github page and added sub.example.com as custom domain.

And it will say that this CNAME has already been taken.
Am I doing something wrong? Or is it not vulnerable?
