Comments (31)
There are two possibilities when dealing with a closed Zendesk helpcenter as far as I've encountered so far.
Possibility 1: The domain the Zendesk domain is pointing towards is in use. However, the host mapping has not been done correctly, which makes the domain display a 'help center closed' notice. This case is not vulnerable, because the Zendesk domain (i.e. the CNAME target, *.zendesk.com) is occupied.
Possibility 2: The Zendesk domain is not in use and the target's domain name is displaying a 'help center closed' notice. Here, takeover is possible.
For a successful takeover, follow these steps:
- Go to zendesk.com and register for a free trial. When asked what name you want the Zendesk domain to have (foo.zendesk.com), enter it; if it is available for takeover, it will display a green checkmark.
- After registering, go to Settings > Account > Host mapping. Fill in the domain this Zendesk domain is pointing to.
- Enable SSL on the domain to stop the redirect when you browse to your target's domain (if SSL is not enabled, when browsing to the vulnerable domain (foo.vulnerable.com), Zendesk will redirect to your Zendesk subdomain).
- Start up a guide and enable unsafe content in Admin settings.
- In an article, add an extra line of source code (e.g. <script>alert("stored XSS for PoC")</script>)
- ???
- Profit.
from can-i-take-over-xyz.
Zendesk is still vulnerable. Just check all the site's subdomains to see whether any subdomain has been added to a Zendesk account and another one has been added too (only one will be the CNAME and the other one will redirect you to the fingerprint that gives you the error).
Example: if I add my subdomain (support.example.com) to my Zendesk account with my CNAME and add my other subdomain (help.example.com) to the same CNAME,
my first subdomain support.example.com
will show me my Zendesk site, but when I go to help.example.com
I will find myself redirected to the fingerprint error.
So can you take over a subdomain that already exists?
Sure you can't!
Only if the company has only one subdomain listed in Zendesk and the subdomain redirects you to the fingerprint error, then sure, you can take over!
from can-i-take-over-xyz.
If the domain name is not taken you can take it over. You need to enable the SSL certificate in security settings and enable the Host Mapping option in account settings, and it will work.
from can-i-take-over-xyz.
You have to wait a while after the subdomain stops being in use; then you can just register it normally like you would.
from can-i-take-over-xyz.
Seems it is still vulnerable.
https://www.youtube.com/watch?v=sBTVWKeh7xY
Hello, I didn't test whether it's still vulnerable or not (it's been 4 months since my last report, as shown in the video); I will check that tomorrow and will keep you updated.
(The POC video is mine from my report here : https://hackerone.com/reports/869605 but someone downloaded it and posted it on youtube, so the youtube channel is not mine)
from can-i-take-over-xyz.
Not sure why this is marked as "Not vulnerable"... As others have reported above, Zendesk is still vulnerable, although the necessary conditions may have changed over time. Let's take zendesk.example.com as an example in what follows.
Regarding impact:
- Such a subdomain takeover is a phisher's wet dream. I've even seen cases in which emails sent to [email protected] automatically created a ticket in Zendesk; not bad for phishing users asking for help.
- You can achieve stored XSS in the context of the subdomain, which may have implications for other subdomains of the target (e.g. if they have sensitive cookies improperly scoped to a common parent domain).
Signature
In my experience, there are two necessary conditions for a host to be vulnerable. First, zendesk.example.com must have a CNAME record targeting some zendesk.com subdomain corresponding to a Help Center. Second, zendesk.example.com must be available as a custom domain name on the platform. You can check that programmatically by sending a request of the following form (which the Zendesk frontend sends to the backend when you sign up for a free trial):
$ target="zendesk.example.org"
$ curl -s 'https://www.zendesk.com/wp-content/themes/zendesk-twentyeleven/lib/domain-check.php' \
-H 'authority: www.zendesk.com' \
-H 'pragma: no-cache' \
-H 'cache-control: no-cache' \
-H 'accept: */*' \
-H 'x-requested-with: XMLHttpRequest' \
-H 'user-agent: REDACTED' \
-H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
-H 'origin: https://www.zendesk.com' \
-H 'sec-fetch-site: same-origin' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-dest: empty' \
-H 'referer: https://www.zendesk.com/register/' \
-H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7' \
--data-raw "domain=$target" \
--compressed
Inspect the JSON response. You can safely ignore the value of the available field, which I have found to be misleading. What truly matters is the presence of a suggestion field in the response; if that field is present, the custom domain name is unavailable; otherwise, the custom domain name is available.
Be mindful that Zendesk sits behind Cloudflare, and if you hammer it with such requests, you'll likely get a temporary IP ban from Cloudflare.
A subtlety regarding cert provisioning
Zendesk offers you to provision a TLS cert (using Let's Encrypt) for your custom domain, but this provisioning can fail. Be aware that cert provisioning may fail multiple times at first, for no good reason, really; be patient but persistent: retry a few times.
However, one remarkable reason for cert-provisioning failure is when the root domain of your custom domain name features on Let's Encrypt deny list; in that case, provisioning of the cert will fail, but the error message shown in Zendesk's frontend will be indistinguishable from that of a transitory cert-provisioning failure. You simply won't be able to tell that it's due to a problem with Let's Encrypt, unless, perhaps, you ask Zendesk's support nicely.
If you cannot obtain a certificate for your custom domain, visiting it will simply redirect you to the associated Zendesk subdomain, which greatly reduces the impact of the subdomain takeover :(
Tip: disable email notifications
As soon as you get a foothold and before notifying the target, I recommend disabling all email notifications in the Zendesk settings. Why? Once the target removes the offending CNAME record, you won't be able to access the Zendesk account; as a result, you won't be able to disable email notifications, and you'll keep receiving emails (marketing, etc.) until your free trial expires, which can be annoying.
from can-i-take-over-xyz.
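The two conditions above (a CNAME pointing at a zendesk.com name, and a host that currently serves the "closed" fingerprint rather than a working Help Center) are exactly what a domain owner should audit for. The following is an added example written for this page, not code from the can-i-take-over-xyz project or from any commenter: it parses a BIND-style zone for CNAMEs targeting zendesk.com and, given the body each hostname currently serves, flags the records showing the fingerprints quoted in this thread, i.e. the ones to remove or re-map. The zone snippet, the example.com hostnames and the response bodies are constructed; the one-record-per-line zone format is an assumption.

```python
"""Audit a DNS zone for Zendesk CNAMEs that may be dangling.

Added example (not part of can-i-take-over-xyz). Runs offline on constructed
data: the zone snippet and the HTTP bodies below stand in for a real zone
export and for what each hostname actually serves.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fingerprints quoted in this thread for a closed or deleted Help Center.
FINGERPRINTS = ("Help Center Closed", "This help center has been deleted")

# Constructed zone snippet (reserved example.com names, RFC 2606).
ZONE = """
$ORIGIN example.com.
$TTL 300
@            IN  A      192.0.2.10
support      IN  CNAME  acme.zendesk.com.      ; mapped and serving
help   3600  IN  CNAME  acme.zendesk.com.      ; second name on the same CNAME
docs         IN  CNAME  docs.example.com.github.io.
www          IN  CNAME  example.com.
"""

# Constructed bodies standing in for what each hostname served over HTTP.
RESPONSES = {
    "support.example.com": "<html><body>Welcome to ACME support</body></html>",
    "help.example.com": "<html><h1>Help Center Closed</h1></html>",
}


@dataclass
class CnameRecord:
    name: str    # fully-qualified owner name, no trailing dot
    target: str  # fully-qualified CNAME target, no trailing dot


def parse_zendesk_cnames(zone_text: str) -> list[CnameRecord]:
    """Return the CNAME records whose target is a direct zendesk.com subdomain.

    Handles $ORIGIN, trailing ';' comments, optional TTL/class fields, and
    both relative and fully-qualified owner names. Assumes one record per line.
    """
    origin = ""
    records: list[CnameRecord] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        owner = fields[0]
        target = fields[fields.index("CNAME") + 1].rstrip(".")
        if owner == "@":
            name = origin
        elif owner.endswith("."):
            name = owner.rstrip(".")
        else:
            name = f"{owner}.{origin}" if origin else owner
        if re.fullmatch(r"[a-z0-9-]+\.zendesk\.com", target, re.I):
            records.append(CnameRecord(name, target))
    return records


def classify(record: CnameRecord, body: str | None) -> str:
    """Classify one record from the body its hostname currently serves.

    'serving'       -> a Help Center answers; the Zendesk name is occupied.
    'closed-notice' -> the closed/deleted fingerprint; review and remove the
                       CNAME (possibility 2 in the thread, or a second name
                       hanging off an in-use CNAME).
    'unreachable'   -> no HTTP body was captured; needs a manual look.
    """
    if body is None:
        return "unreachable"
    lowered = body.lower()
    if any(fp.lower() in lowered for fp in FINGERPRINTS):
        return "closed-notice"
    return "serving"


def audit(zone_text: str, responses: dict[str, str]) -> dict[str, str]:
    """Map every zendesk.com CNAME owner in the zone to its classification."""
    return {
        rec.name: classify(rec, responses.get(rec.name))
        for rec in parse_zendesk_cnames(zone_text)
    }


if __name__ == "__main__":
    for host, status in audit(ZONE, RESPONSES).items():
        print(f"{host:<24} {status}")
```

In practice the `RESPONSES` dict would be filled by fetching each hostname over HTTPS; the decision logic is deliberately separated from the fetch so it can be unit-tested and reused over a zone export from any provider.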
I just got a successful takeover today.
Simply located a domain which was redirecting to a Zendesk page saying "This help center has been deleted".
Found the CNAME. Registered that on Zendesk as my account. Now it's pointing to mine. Set up an SSL cert so that it stops redirecting to my Zendesk and instead actually hosts it on the real subdomain.
Need to figure out a way to get stored XSS via zendesk admin so that I can improve on the impact...
from can-i-take-over-xyz.
Double dipping there? Get a bounty from ZenDesk and the company?
@Cillian-Collins See if you can use the ZenDesk name to also generate emails from that domain, you can leverage that email to pivot into internal slack/jira instances.
Read:
https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c
If it works, I totally accept tips to my PayPal account. 🤣
from can-i-take-over-xyz.
@bgxdoc @gauravdrago
Not sure about the free trial and premium. To settle this, Zendesk has three cases when you see that the help desk is closed:
1- Deleted help desk: you can take it over.
2- Inactive: you can't take it over until 90 days have passed.
3- Sometimes companies use only the chat widget from Zendesk without a help center; it will respond with the same message, but you can't take it over.
Not sure if there are any other cases; if someone has already faced another case, they can add it to settle this issue.
from can-i-take-over-xyz.
Thank you @JvdHout1011
I can confirm the takeover is still working; I took over a subdomain through the Zendesk portal a few minutes ago.
POC here :
https://prnt.sc/s80l2i
https://prntscr.com/s80mhi
from can-i-take-over-xyz.
@soareswallace I confirm, I already took over 10 subdomains in the last 3 days. I sent reports to HackerOne but most of them are "ineligible", and they said "We do in fact consider bounty payment on a case by case basis for bounty".
from can-i-take-over-xyz.
This takeover is possible when a Zendesk account has been deleted but still remains referenced in the host domain's DNS record.
When you dig the record you will see the CNAME; this corresponds to the name of the Zendesk account you need to (re)create. Once you've done so you'll have claimed Zendesk on this host domain.
This is a much less valuable takeover than other scenarios, as you aren't hosting content on the domain like you are in other takeovers (removing XSS/CORS possibilities) and are instead hosting a new support (Zendesk) instance. It's useful for red teaming and social engineering, but I wouldn't expect the bounty payments to be as much as in other scenarios where you can demonstrate more relevant risk.
from can-i-take-over-xyz.
My experience with a zendesk takeover attempt this morning.
from can-i-take-over-xyz.
Thank-you @JesseClarkND, I was also familiar with this one through a recent attempt. I've made a change to the repo in line with your proofs and will now close this issue (see: #51).
Appreciate your efforts!
from can-i-take-over-xyz.
I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu it should appear on the subdomain, yet it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?
Update: I only have a trial account; is that why Zendesk is not showing it on the subdomain?
Update: it worked.
from can-i-take-over-xyz.
@bgxdoc If you could describe your steps to achieve it so that it worked, that would be awesome.
from can-i-take-over-xyz.
I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu it should appear on the subdomain, yet it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?
Update: I only have a trial account; is that why Zendesk is not showing it on the subdomain?
Update: it worked.
How did it work? What did you change?
from can-i-take-over-xyz.
@gauravdrago:
In the above comment, @YosefMahmoud has already described the solution. It's the same thing I did to make it work:
"If the domain name is not taken you can take it over. You need to enable the SSL certificate in security settings and enable the Host Mapping option in account settings, and it will work."
from can-i-take-over-xyz.
@gauravdrago
I believe Zendesk has a free trial option; use that. In case you have used the trial account before, simply create a new account and then use the free trial.
from can-i-take-over-xyz.
@gauravdrago
It worked for me back then, but why not now I don't know; I guess they might have disabled it for trial accounts.
I will look into this once i get free time from my work.
from can-i-take-over-xyz.
Still possible.
from can-i-take-over-xyz.
@roblox1488 Did you have a specific method that you used that is separate from the above comments?
from can-i-take-over-xyz.
Looks like it is vulnerable in some cases; this person was able to take over the Zendesk portal.
https://hackerone.com/reports/759454
from can-i-take-over-xyz.
There are two possibilities when dealing with a closed Zendesk helpcenter as far as I've encountered so far.
..............
Thanks @JvdHout1011 for the good write-up. Yes, it is still possible to hijack/take over a subdomain through the Zendesk portal. I took over the subdomain support.*******.com and I'm receiving their help desk emails on the Zendesk dashboard.
POC : https://drive.google.com/file/d/1h4QomND3n7O5dRCzyGmHQ78qdFcpK51L/view?usp=sharing
from can-i-take-over-xyz.
Update: There's something wrong with the trial period ending just after I confirmed my email. It happened 5 times on 5 subdomains I was trying to take over.
Is it because I was using the same IP? (I will try from another IP.)
Can anyone confirm this issue, please?
from can-i-take-over-xyz.
@JvdHout1011 I can confirm the takeover still works.
@EdOverflow Please update this. Using @JvdHout1011's method, the takeover is still possible.
from can-i-take-over-xyz.
There is already a report about this takeover on H1. I believe it is possible.
https://hackerone.com/reports/810807
from can-i-take-over-xyz.