GitHub Pages proofs about can-i-take-over-xyz HOT 27 CLOSED

Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.

snapshot attached.

Is GitHub takeover still working for anyone?

Facing the same issue.

from can-i-take-over-xyz.

Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.

snapshot attached.

Is GitHub takeover still working for anyone?

from can-i-take-over-xyz.

I've experienced the same with Github takeovers in the last couple of days. Looks like github has implemented it across the board.

from can-i-take-over-xyz.

CNAME already taken error occurs in once already created repo and attached cname, so as my understanding *.github.io is not available for takeover.
https://github.community/t/the-cname-is-already-taken/149785

from can-i-take-over-xyz.

https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization

from can-i-take-over-xyz.

@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?

I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification. Is there any way to takeover such a domain?

Then, it's not vulnerable.

from can-i-take-over-xyz.

I confirm that the vulnerability still exists, at least for domains without domain verification. Example: turakhia.ucsd.edu

from can-i-take-over-xyz.

Official GitHub Pages docs: https://help.github.com/articles/using-a-custom-domain-with-github-pages/

from can-i-take-over-xyz.

Closing as now available on main readme.

from can-i-take-over-xyz.

Is it possible to takeover githubapp.com subdomains with github.io CNAME?

from can-i-take-over-xyz.

Hi @sumgr0

I'm not quite sure but you should be able to, because it's not allowed only in case of github.io, github.com, or github.page as per official error I'm currently getting.

There isn't any such notice regarding githubapp.com. So, I suppose you should be able to takeover if it's available.

For more you can head over to https://docs.github.com/articles/setting-up-your-pages-site-repository/

from can-i-take-over-xyz.

Hi @EdOverflow
I am trying to takeover subdomain .github.io but when I create a repo and try to serve it via the Github Pages, I get a URL like netanmangal.github.io/.

Github has started to appending the username to the github.io/

I have done something wrong or I think github pages are no longer vulnerable unless the user/organization have totally deleted their account.

from can-i-take-over-xyz.

anything.github.io like this github account can we takeover or not

from can-i-take-over-xyz.

anything.github.io like this github account can we takeover or not ?

from can-i-take-over-xyz.

I was still able to takeover a domain

from can-i-take-over-xyz.

Still works. +1

Looks like it's kind of conditional because it can say that the domain is claimed

from can-i-take-over-xyz.

I was still able to takeover a domain

how you can takeover yet I have some of the vulnerable URLs, if you can help me..

from can-i-take-over-xyz.

There is a new beta feature, every custom domain need to be verified. So Github is no more vulnerable.

from can-i-take-over-xyz.

@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.

Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?

from can-i-take-over-xyz.

@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.

Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?

I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification.
Is there any way to takeover such a domain?

from can-i-take-over-xyz.

i found a vulnerable xx.github.io subdmain but when i try to add the domain to a new repository, i get this message
The custom domain xxxxx.domain.com is already taken.
any solution ?

from can-i-take-over-xyz.

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️
GitHub has implemented DNS verification to confirm the legitimacy of domains.

from can-i-take-over-xyz.

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️ GitHub has implemented DNS verification to confirm the legitimacy of domains.

This does not apply to retrospective custom domains, right?

from can-i-take-over-xyz.

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

from can-i-take-over-xyz.

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

How?

from can-i-take-over-xyz.

What if there is a 404 no pages site here error, but the account that owns it still exists? like if example30.github.io would 404, but the example30 account still existed, would it be vulnerable?

from can-i-take-over-xyz.

Confirmed, still be vuln.

from can-i-take-over-xyz.