can-i-take-over-xyz
"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Top Related Projects
Find, verify, and analyze leaked credentials
A collection of hacks and one-off scripts
Community curated list of templates for the nuclei engine to find security vulnerabilities.
Incredibly fast crawler designed for OSINT.
Quick Overview
The "Can I take over XYZ?" project is a comprehensive list of services and their vulnerability to subdomain takeover attacks. It provides information on whether various services and platforms are susceptible to these attacks, along with references and additional notes. This repository serves as a valuable resource for security researchers and penetration testers.
Pros
- Extensive list of services and platforms, covering a wide range of potential targets
- Regularly updated with community contributions, ensuring up-to-date information
- Includes detailed notes and references for each entry, providing context and further reading
- Useful for both offensive and defensive security professionals
Cons
- May encourage malicious actors to exploit vulnerabilities if used irresponsibly
- Some entries may become outdated if services change their security measures
- Requires careful interpretation and verification before acting on the information
- Does not provide detailed remediation steps for vulnerable services
Competitor Comparisons
Find, verify, and analyze leaked credentials
Pros of Trufflehog
- More comprehensive security scanning tool, covering a wider range of potential vulnerabilities
- Actively maintained with regular updates and new features
- Supports scanning of Git repositories, filesystems, and S3 buckets
Cons of Trufflehog
- More complex to set up and use compared to the simpler can-i-take-over-xyz
- May produce more false positives due to its broader scanning capabilities
- Requires more system resources to run effectively
Code Comparison
can-i-take-over-xyz (README.md):
| Service | Status | Fingerprint | Discussion | Documentation
| ------- | ------ | ----------- | ---------- | ------------- |
| Acquia | Not vulnerable | `Web Site Not Found` | [Issue #18](https://github.com/EdOverflow/can-i-take-over-xyz/issues/18) | [Documentation](https://docs.acquia.com/)
Trufflehog (trufflehog/detectors/github.py):
class Github(DetectorBase):
def __init__(self, config=None):
super().__init__(config)
self.secret_type = "Github"
self.secret_regex = re.compile(r'(?:^|[^a-zA-Z0-9])(?:github|gh)(?:[-_])?(?:token|pat|key|secret)(?:[-_])?(?:=|:)?\s*([a-zA-Z0-9]{35,40})\b', re.IGNORECASE)
The code snippets highlight the different approaches: can-i-take-over-xyz focuses on documenting subdomain takeover vulnerabilities, while Trufflehog implements active scanning for secrets using regex patterns.
A collection of hacks and one-off scripts
Pros of hacks
- Broader scope, covering various security and hacking tools
- More active development with frequent updates
- Larger collection of scripts and tools
Cons of hacks
- Less focused on a specific security topic
- May require more technical knowledge to use effectively
- Documentation could be more comprehensive
Code comparison
can-i-take-over-xyz:
- Service: GitHub
Status: Not vulnerable
Fingerprint: "There isn't a GitHub Pages site here."
Ref: https://github.com/EdOverflow/can-i-take-over-xyz/issues/37
hacks:
func main() {
sc := bufio.NewScanner(os.Stdin)
for sc.Scan() {
fmt.Println(hash(sc.Text()))
}
}
The can-i-take-over-xyz repository focuses on subdomain takeover vulnerabilities, using YAML to define service fingerprints. In contrast, hacks contains various Go scripts for different security tasks, as shown in the example that hashes input strings.
While can-i-take-over-xyz provides a specialized resource for subdomain takeovers, hacks offers a diverse set of tools for broader security testing and analysis. The choice between them depends on the specific needs of the user and their level of expertise in security testing.
Community curated list of templates for the nuclei engine to find security vulnerabilities.
Pros of nuclei-templates
- Broader scope: Covers a wide range of security checks beyond subdomain takeovers
- Active development: Regularly updated with new templates and improvements
- Integration with Nuclei: Seamlessly works with the Nuclei vulnerability scanner
Cons of nuclei-templates
- Complexity: Requires more setup and understanding to use effectively
- Resource-intensive: Running all templates can be time-consuming and resource-heavy
Code Comparison
can-i-take-over-xyz example:
- Engine: GitHub Pages
Status: Vulnerable
Fingerprint: There isn't a GitHub Pages site here.
Reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/37
nuclei-templates example:
id: github-pages-takeover
info:
name: GitHub Pages Takeover
author: pdteam
severity: high
description: Detects potential GitHub Pages takeover
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
- "There isn't a GitHub Pages site here."
The nuclei-templates example provides more structured information and is designed to work with the Nuclei scanner, while can-i-take-over-xyz offers a simpler, more readable format focused specifically on subdomain takeovers.
Incredibly fast crawler designed for OSINT.
Pros of Photon
- More versatile: Photon is a multi-purpose OSINT tool for web reconnaissance, while can-i-take-over-xyz focuses specifically on subdomain takeovers
- Active development: Photon has more recent updates and a larger community of contributors
- Broader feature set: Includes capabilities like crawling, data extraction, and directory fuzzing
Cons of Photon
- Higher complexity: Requires more setup and configuration compared to the straightforward nature of can-i-take-over-xyz
- Resource-intensive: May consume more system resources due to its comprehensive scanning capabilities
Code Comparison
Photon (example usage):
from photon import Photon
photon = Photon(url='https://example.com')
photon.crawl(thread_count=3)
can-i-take-over-xyz (example usage):
# No direct code usage; primarily a reference guide
# Users typically consult the repository's README for information
Note: The code comparison is limited as can-i-take-over-xyz is primarily a reference guide rather than a tool with direct code usage.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Disclaimer :warning:
The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion.
Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action.
Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.
What is a subdomain takeover?
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
You can read up more about subdomain takeovers here:
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
- https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
- https://0xpatrik.com/subdomain-takeover-ns/
Safely demonstrating a subdomain takeover
Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:
$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->
Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.
How to use this project
I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.
How to contribute
You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.
A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26.
All entries
Note: fingerprints.json
is automatically updated based on the content of this table.
Column header definitions:
Engine
: Name of serviceStatus
: Whether the service is vulnerableVerified by CI/CD
: Whether automated fingerprint check is currently passingDomains
: Comma-separate domains (used for fingerprint auto-verification)Fingerprint
: Regex indicating vulnerable page (orNXDOMAIN
, indicating non-existent DNS record)Discussion
: Link to issue on this repo for discussionDocumentation
: Link to official documentation
Engine | Status | Verified by CI/CD | Domains | Fingerprint | Discussion | Documentation |
---|---|---|---|---|---|---|
AWS/Elastic Beanstalk | Vulnerable | ð© | elasticbeanstalk.com | NXDOMAIN | Issue #194 | |
AWS/Load Balancer (ELB) | Not vulnerable | ð¥ | elb.amazonaws.com | NXDOMAIN | Issue #137 | |
AWS/S3 | Vulnerable | ð© | s3.amazonaws.com | The specified bucket does not exist | Issue #36 | |
Acquia | Not vulnerable | ð¥ | Web Site Not Found | Issue #103 | ||
Agile CRM | Vulnerable | ð¥ | agilecrm.com | Sorry, this page is no longer available. | Issue #145 | |
Airee.ru | Vulnerable | ð© | airee.ru | ÐÑибка 402. СеÑÐ²Ð¸Ñ ÐйÑи.ÑÑ Ð½Ðµ оплаÑен | Issue #104 | |
Akamai | Not vulnerable | ð¥ | Issue #13 | |||
Anima | Vulnerable | ð© | animaapp.io | The page you were looking for does not exist. | Issue #126 | Anima Documentation |
Bitbucket | Vulnerable | ð© | bitbucket.io | Repository not found | Issue #97 | |
Campaign Monitor | Vulnerable | ð¥ | Trying to access your account? | Issue #275 | Support Page | |
Canny | Vulnerable | ð¥ | Company Not Found There is no such company. Did you enter the right URL? | Issue #114 | ||
Cargo Collective | Vulnerable | ð¥ | 404 Not Found | Issue #152 | Cargo Support Page | |
Cloudfront | Not vulnerable | ð¥ | ViewerCertificateException | Issue #29 | Domain Security on Amazon CloudFront | |
Desk | Not vulnerable | ð¥ | Please try again or try Desk.com free for 14 days. | Issue #9 | ||
Digital Ocean | Vulnerable | ð¥ | Domain uses DO name servers with no records in DO. | |||
Discourse | Vulnerable | ð© | trydiscourse.com | NXDOMAIN | Issue #49 | Hackerone |
Dreamhost | Not vulnerable | ð¥ | Site Not Found Well, this is awkward. The site you're looking for is not here. | Issue #153 Issue #5 | ||
Fastly | Not vulnerable | ð¥ | Fastly error: unknown domain: | Issue #22 | ||
Feedpress | Not vulnerable | ð¥ | The feed has not been found. | Issue #80 | ||
Firebase | Not vulnerable | ð¥ | Issue #128 | |||
Fly.io | Not vulnerable | ð¥ | 404 Not Found | Issue #101 | ||
Freshdesk | Not vulnerable | ð¥ | We couldn't find servicedesk.victim.tld Maybe this is still fresh! You can claim it now at http://www.freshservice.com/signup | Issue #214 | Freshdesk Support Page | |
Frontify | Edge case | ð¥ | 404 - Page Not Found Oops⦠looks like you got lost | Issue #170 | ||
Gemfury | Vulnerable | ð© | furyns.com | 404: This page could not be found. | Issue #154 | Article |
Getresponse | Vulnerable | ð¥ | With GetResponse Landing Pages, lead generation has never been easier | Issue #235 | ||
Ghost | Vulnerable | ð¥ | ghost.io | Site unavailable\.|Failed to resolve DNS path for this host | Issue #89 | |
Github | Edge case | ð¥ | There isn't a GitHub Pages site here. | Issue #37 Issue #68 | ||
Gitlab | Not vulnerable | ð¥ | HackerOne #312118 | |||
Google Cloud Storage | Not vulnerable | ð¥ | <?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message></Error> | |||
Google Sites | Not vulnerable | ð¥ | The requested URL was not found on this server. Thatâs all we know. | Issue #277 | Google Support | |
HatenaBlog | Vulnerable | ð© | hatenablog.com | 404 Blog is not found | ||
Help Juice | Vulnerable | ð© | helpjuice.com | We could not find what you're looking for. | Help Juice Support Page | |
Help Scout | Vulnerable | ð© | helpscoutdocs.com | No settings were found for this company: | HelpScout Docs | |
Helprace | Vulnerable | ð© | helprace.com | HTTP_STATUS=301 | Issue #115 | |
Heroku | Edge case | ð¥ | No such app | Issue #38 | ||
HubSpot | Not vulnerable | ð¥ | This page isn't available | Issue #59 | ||
Instapage | Not vulnerable | ð¥ | Issue #73 | |||
Intercom | Edge case | ð¥ | Uh oh. That page doesn't exist. | Issue #69 | Help center | |
JetBrains | Vulnerable | ð¥ | youtrack.cloud | is not a registered InCloud YouTrack | PR #107 | YouTrack InCloud Help Page |
Key CDN | Not vulnerable | ð¥ | Issue #112 | |||
Kinsta | Not vulnerable | ð¥ | No Site For Domain | Issue #48 | kinsta-add-domain | |
Landingi | Edge case | ð¥ | It looks like youâre lost... | Issue #117 | ||
LaunchRock | Vulnerable | ð¥ | launchrock.com | HTTP_STATUS=500 | Issue #74 | |
Mailchimp | Not vulnerable | ð¥ | We can't find that page It looks like you're trying to reach a page that was built by Mailchimp but is no longer active. | Discussion #250 | ||
Mashery | Edge case | ð¥ | Unrecognized domain | Issue #14 | HackerOne | |
Microsoft Azure | Vulnerable | ð© | cloudapp.net, cloudapp.azure.com, azurewebsites.net, blob.core.windows.net, cloudapp.azure.com, azure-api.net, azurehdinsight.net, azureedge.net, azurecontainer.io, database.windows.net, azuredatalakestore.net, search.windows.net, azurecr.io, redis.cache.windows.net, azurehdinsight.net, servicebus.windows.net, visualstudio.com | NXDOMAIN | Issue #35 | |
Netlify | Edge case | ð¥ | Not Found - Request ID: | Issue #40 | ||
Ngrok | Vulnerable | ð© | ngrok.io | Tunnel .*.ngrok.io not found | Issue #92 | Ngrok Documentation |
Pantheon | Vulnerable | ð¥ | 404 error unknown site! | Issue #24 | Documentation Pantheon-Sub-takeover | |
Pingdom | Vulnerable | ð¥ | Sorry, couldn't find the status page | Issue #144 | Support Page | |
Readme.io | Vulnerable | ð¥ | readme.io | The creators of this project are still working on making everything perfect! | Issue #41 | |
Readthedocs | Vulnerable | ð¥ | The link you have followed or the URL that you entered does not exist. | Issue #160 | ||
Sendgrid | Not vulnerable | ð¥ | ||||
Shopify | Edge case | ð¥ | Sorry, this shop is currently unavailable. | Issue #32 Issue #46 | Medium Article | |
Short.io | Vulnerable | ð¥ | Link does not exist | Issue #260 | ||
SmartJobBoard | Vulnerable | ð© | 52.16.160.97 | This job board website is either expired or its domain name is invalid. | Issue #139 | Support Page |
Smartling | Edge case | ð¥ | Domain is not configured | Issue #67 | ||
Smugsmug | Vulnerable | ð¥ | Issue #60 | |||
Squarespace | Not vulnerable | ð¥ | ||||
Statuspage | Not vulnerable | ð¥ | Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in This Doc PR #105 PR #171 | Statuspage documentation | ||
Strikingly | Vulnerable | ð© | s.strikinglydns.com | PAGE NOT FOUND. | Issue #58 | Strikingly-Sub-takeover |
Surge.sh | Vulnerable | ð© | na-west1.surge.sh | project not found | Issue #198 | Surge Documentation |
SurveySparrow | Vulnerable | ð© | surveysparrow.com | Account not found. | Issue #281 | Custom domain |
Tilda | Edge case | ð¥ | Please renew your subscription | Issue #155 PR #20 | ||
Tumblr | Edge case | ð¥ | Whatever you were looking for doesn't currently exist at this address | Issue #240 | Tumblr Custom Domains | |
Uberflip | Vulnerable | ð© | read.uberflip.com | The URL you've accessed does not provide a hub. | Issue #150 | Uberflip Documentation |
Unbounce | Not vulnerable | ð¥ | The requested URL was not found on this server. | Issue #11 | ||
Uptimerobot | Vulnerable | ð¥ | stats.uptimerobot.com | page not found | Issue #45 | Uptimerobot-Sub-takeover |
UserVoice | Not vulnerable | ð¥ | This UserVoice subdomain is currently available! | Issue #163 | ||
Vercel | Edge case | ð¥ | https://nonexistent-example.vercel.com/ | DEPLOYMENT_NOT_FOUND. | Issue #183 | Adding & Configuring a Custom Domain |
WP Engine | Not vulnerable | ð¥ | ||||
Webflow | Edge case | ð¥ | The page you are looking for doesn't exist or has been moved. | Issue #44 | forum webflow | |
Wix | Edge case | ð¥ | Looks Like This Domain Isn't Connected To A Website Yet! | Issue #231 | ||
Wordpress | Vulnerable | ð© | wordpress.com | Do you want to register .*.wordpress.com? | PR #176 | |
Worksites | Vulnerable | ð© | worksites.net, 69.164.223.206 | Hello! Sorry, but the website you’re looking for doesn’t exist. | Issue #142 | |
Zendesk | Not vulnerable | ð¥ | Help Center Closed | Issue #23 | Zendesk Support |
Top Related Projects
Find, verify, and analyze leaked credentials
A collection of hacks and one-off scripts
Community curated list of templates for the nuclei engine to find security vulnerabilities.
Incredibly fast crawler designed for OSINT.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot