Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub Pages proofs #37

Closed
PatrikHudak opened this issue Sep 12, 2018 · 28 comments
Closed

GitHub Pages proofs #37

PatrikHudak opened this issue Sep 12, 2018 · 28 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@PatrikHudak
Copy link

Service name

GitHub Pages

Proof

GitHub uses virtual hosting identical to other cloud services. The site needs to be specified explicitly in domain settings. Step-by-step process:

  1. Go to new repository page
  2. Set Repository name to canonical domain name (i.e., {something}.github.io from CNAME record)
  3. Click Create repository
  4. Push content using git to a newly created repo. GitHub itself provides the steps to achieve it
  5. Switch to Settings tab
  6. In GitHub Pages section choose master branch as source
  7. Click Save
  8. After saving, set Custom domain to source domain name (i.e., the domain name which you want to take over)
  9. Click Save

For screenshots, please refer to https://0xpatrik.com/takeover-proofs/.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "<strong>There isn't a GitHub Pages site here.</strong>" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(Note: DOMAIN NAME has to be the affected domain, not the github.io page itself. This is due to Host header forwarding which affects the HTTP response)

Documentation

There is only one format of GitHub Pages domains:

  • *.github.io

please note that having CNAME to github.io itself can also lead to subdomain takeover.

@EdOverflow EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Sep 13, 2018
@PatrikHudak
Copy link
Author

@codingo
Copy link
Collaborator

codingo commented Oct 15, 2018

Closing as now available on main readme.

@codingo codingo closed this as completed Oct 15, 2018
@sumgr0
Copy link

sumgr0 commented Mar 23, 2019

Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.

snapshot attached.

Is GitHub takeover still working for anyone?

Screenshot 2019-03-23 at 1 41 20 PM

@kishoretrommer
Copy link

Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.

snapshot attached.

Is GitHub takeover still working for anyone?

Screenshot 2019-03-23 at 1 41 20 PM

Facing the same issue.

@sumgr0
Copy link

sumgr0 commented May 30, 2020

Is it possible to takeover githubapp.com subdomains with github.io CNAME?

@ravkishu
Copy link

Hi @sumgr0

I'm not quite sure but you should be able to, because it's not allowed only in case of github.io, github.com, or github.page as per official error I'm currently getting.
image

There isn't any such notice regarding githubapp.com. So, I suppose you should be able to takeover if it's available.

For more you can head over to https://docs.github.com/articles/setting-up-your-pages-site-repository/

@netanmangal
Copy link

Hi @EdOverflow
I am trying to takeover subdomain .github.io but when I create a repo and try to serve it via the Github Pages, I get a URL like netanmangal.github.io/.

Github has started to appending the username to the github.io/

I have done something wrong or I think github pages are no longer vulnerable unless the user/organization have totally deleted their account.

@h3cksamrat
Copy link

CNAME already taken error occurs in once already created repo and attached cname, so as my understanding *.github.io is not available for takeover.
https://github.521000.bestmunity/t/the-cname-is-already-taken/149785

@Abhaysoft-inc
Copy link

I was still able to takeover a domain

@Notselwyn
Copy link

Still works. +1

Looks like it's kind of conditional because it can say that the domain is claimed

@Elgllad99
Copy link

I was still able to takeover a domain

how you can takeover yet I have some of the vulnerable URLs, if you can help me..

@akincibor
Copy link

There is a new beta feature, every custom domain need to be verified. So Github is no more vulnerable.

@akincibor
Copy link

@jbreed
Copy link

jbreed commented Jul 19, 2022

@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.

Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?

@sumgr0
Copy link

sumgr0 commented Jul 21, 2022

I've experienced the same with Github takeovers in the last couple of days. Looks like github has implemented it across the board.

@Irresistible-K
Copy link

Irresistible-K commented Sep 2, 2022

@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.

Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?

I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification.
Is there any way to takeover such a domain?

@pdelteil
Copy link
Contributor

@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo.
Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled?

I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification. Is there any way to takeover such a domain?

Then, it's not vulnerable.

@sa1tama0
Copy link

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️
GitHub has implemented DNS verification to confirm the legitimacy of domains.

GitHub

pdelteil added a commit to pdelteil/nuclei-templates that referenced this issue Dec 12, 2022
@EdOverflow
Copy link
Owner

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️ GitHub has implemented DNS verification to confirm the legitimacy of domains.

GitHub

This does not apply to retrospective custom domains, right?

@akincibor
Copy link

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

@pdelteil
Copy link
Contributor

I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain.

How?

@jleuth
Copy link

jleuth commented Nov 12, 2023

What if there is a 404 no pages site here error, but the account that owns it still exists? like if example30.github.io would 404, but the example30 account still existed, would it be vulnerable?

@corneliusroemer
Copy link

I confirm that the vulnerability still exists, at least for domains without domain verification. Example: turakhia.ucsd.edu

@cyberduck404
Copy link

Confirmed, still be vuln.

@Paulino123p
Copy link

You must verify your domain dev-test.***** before you can use it. Check out https://docs.github.com/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages for more information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.
Projects
None yet
Development

No branches or pull requests