Comments (27)
Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.
snapshot attached.
Is GitHub takeover still working for anyone?
Facing the same issue.
from can-i-take-over-xyz.
Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.
snapshot attached.
Is GitHub takeover still working for anyone?
from can-i-take-over-xyz.
I've experienced the same with GitHub takeovers in the last couple of days. Looks like GitHub has implemented it across the board.
from can-i-take-over-xyz.
The "CNAME already taken" error occurs once someone has already created a repo and attached the CNAME, so as per my understanding *.github.io is not available for takeover.
https://github.community/t/the-cname-is-already-taken/149785
from can-i-take-over-xyz.
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?
I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification.
Is there any way to takeover such a domain?
Then, it's not vulnerable.
from can-i-take-over-xyz.
I confirm that the vulnerability still exists, at least for domains without domain verification. Example: turakhia.ucsd.edu
from can-i-take-over-xyz.
Official GitHub Pages docs: https://help.github.com/articles/using-a-custom-domain-with-github-pages/
from can-i-take-over-xyz.
Closing as now available on main readme.
from can-i-take-over-xyz.
Is it possible to takeover githubapp.com subdomains with github.io CNAME?
from can-i-take-over-xyz.
Hi @sumgr0
I'm not quite sure but you should be able to, because it's not allowed only in case of github.io, github.com, or github.page as per the official error I'm currently getting.
There isn't any such notice regarding githubapp.com. So, I suppose you should be able to takeover if it's available.
For more you can head over to https://docs.github.com/articles/setting-up-your-pages-site-repository/
from can-i-take-over-xyz.
Hi @EdOverflow
I am trying to takeover subdomain .github.io but when I create a repo and try to serve it via GitHub Pages, I get a URL like netanmangal.github.io/.
GitHub has started appending the username to the github.io/
Either I have done something wrong, or I think GitHub Pages are no longer vulnerable unless the user/organization has totally deleted their account.
from can-i-take-over-xyz.
Can we take over a GitHub account like anything.github.io or not?
from can-i-take-over-xyz.
Can we take over a GitHub account like anything.github.io or not?
from can-i-take-over-xyz.
I was still able to takeover a domain
from can-i-take-over-xyz.
Still works. +1
Looks like it's kind of conditional because it can say that the domain is claimed
from can-i-take-over-xyz.
I was still able to takeover a domain
How can you still take over? I have some of the vulnerable URLs, if you can help me.
from can-i-take-over-xyz.
There is a new beta feature: every custom domain needs to be verified. So GitHub is no longer vulnerable.
from can-i-take-over-xyz.
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?
from can-i-take-over-xyz.
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?
I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification.
Is there any way to takeover such a domain?
from can-i-take-over-xyz.
I found a vulnerable xx.github.io subdomain, but when I try to add the domain to a new repository, I get this message:
"The custom domain xxxxx.domain.com is already taken."
Any solution?
from can-i-take-over-xyz.
GitHub has implemented DNS verification to confirm the legitimacy of domains.
from can-i-take-over-xyz.
⚠️ ⚠️ GitHub's pages are now secure and no longer vulnerable.⚠️ ⚠️ GitHub has implemented DNS verification to confirm the legitimacy of domains.
This does not apply to retrospective custom domains, right?
from can-i-take-over-xyz.
I thought GitHub was no longer vulnerable to STO but actually I managed to take a subdomain.
from can-i-take-over-xyz.
I thought GitHub was no longer vulnerable to STO but actually I managed to take a subdomain.
How?
from can-i-take-over-xyz.
What if there is a 404 "no pages site here" error, but the account that owns it still exists? Like, if example30.github.io would 404, but the example30 account still existed, would it be vulnerable?
from can-i-take-over-xyz.
Confirmed, still vulnerable.
from can-i-take-over-xyz.
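For domain owners auditing their own DNS against the verification behaviour discussed in this thread, the following is an added example and not part of the original comments. It lists CNAME records that point at `*.github.io` and reports whether the host or its immediate parent carries a GitHub Pages challenge TXT record. The zone data is constructed, and the `_github-pages-challenge-<owner>.<domain>` naming and the coverage of immediate subdomains are assumptions taken from GitHub's domain-verification documentation.

```python
import re

# Constructed zone export (name, type, value); all names are placeholders.
ZONE = """\
example.com.                              A      192.0.2.10
_github-pages-challenge-acme.example.com. TXT    "0123abcd"
docs.example.com.                         CNAME  acme.github.io.
old.lab.example.net.                      CNAME  formeruser.github.io.
shop.example.com.                         CNAME  shops.example.org.
"""

# Assumed naming of the verification record: _github-pages-challenge-<owner>.<domain>
CHALLENGE = re.compile(r"^_github-pages-challenge-[^.]+\.(.+)$")


def parse_zone(text):
    """Return (name, type, value) tuples, lower-cased and without trailing dots."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, rtype, value = parts
            value = value.strip('"').rstrip(".").lower()
            records.append((name.rstrip(".").lower(), rtype.upper(), value))
    return records


def audit(records):
    """Flag github.io CNAMEs and whether a challenge TXT covers them."""
    verified = set()
    for name, rtype, _ in records:
        match = CHALLENGE.match(name)
        if rtype == "TXT" and match:
            verified.add(match.group(1))  # the domain that was verified
    findings = []
    for name, rtype, value in records:
        if rtype == "CNAME" and value.endswith(".github.io"):
            parent = name.split(".", 1)[1] if "." in name else name
            # Assumption: verification covers the domain and its immediate subdomains.
            covered = name in verified or parent in verified
            findings.append((name, value, "verified" if covered else "unverified"))
    return findings


if __name__ == "__main__":
    for host, target, status in audit(parse_zone(ZONE)):
        print(f"{host} -> {target}: {status}")
```

Records reported as `unverified` are the ones to review: either remove the stale CNAME or verify the domain on the owning account.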