GitHub Pages proofs #37
Comments
EdOverflow
added
the
vulnerable
|
Official GitHub Pages docs: https://help.github.com/articles/using-a-custom-domain-with-github-pages/ |
|
Closing as now available on main readme. |
|
Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken. snapshot attached. Is GitHub takeover still working for anyone?
|
Facing the same issue. |
|
Is it possible to takeover githubapp.com subdomains with github.io CNAME? |
|
Hi @sumgr0 I'm not quite sure but you should be able to, because it's not allowed only in case of There isn't any such notice regarding For more you can head over to https://docs.github.com/articles/setting-up-your-pages-site-repository/ |
|
Hi @EdOverflow Github has started to appending the username to the github.io/ I have done something wrong or I think github pages are no longer vulnerable unless the user/organization have totally deleted their account. |
|
CNAME already taken error occurs in once already created repo and attached cname, so as my understanding *.github.io is not available for takeover. |
|
I was still able to takeover a domain |
|
Still works. +1 Looks like it's kind of conditional because it can say that the domain is claimed |
how you can takeover yet I have some of the vulnerable URLs, if you can help me.. |
|
There is a new beta feature, every custom domain need to be verified. So Github is no more vulnerable. |
|
@akincibor As mentioned, I ran into this specific issue where it required me to verify the domain by inserting a domain txt entry for verification on my account before I could add the custom domain to a repo. Do we know if this is always the case for subdomain takeovers via github.io, or only specific domains with a feature enabled? |
|
I've experienced the same with Github takeovers in the last couple of days. Looks like github has implemented it across the board. |
I found a subdomain pointing to xyz.github.io, and it is vulnerable, but when trying to set the vulnerable subdomain as the custom domain it asks to insert a txt entry for verification. |
Then, it's not vulnerable. |
|
|
This take over is no longer possible EdOverflow/can-i-take-over-xyz#37 (comment)
This does not apply to retrospective custom domains, right? |
|
I thought Github was no longer vulnerable to STO but actually I managed to take a subdomain. |
How? |
|
What if there is a 404 no pages site here error, but the account that owns it still exists? like if example30.github.io would 404, but the example30 account still existed, would it be vulnerable? |
|
I confirm that the vulnerability still exists, at least for domains without domain verification. Example: turakhia.ucsd.edu |
|
Confirmed, still be vuln. |
|
You must verify your domain dev-test.***** before you can use it. Check out https://docs.github.com/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages for more information. |
and others
Service name
GitHub Pages
Proof
GitHub uses virtual hosting identical to other cloud services. The site needs to be specified explicitly in domain settings. Step-by-step process:
For screenshots, please refer to https://0xpatrik.com/takeover-proofs/.
To verify:
(Note: DOMAIN NAME has to be the affected domain, not the
github.iopage itself. This is due to Host header forwarding which affects the HTTP response)Documentation
There is only one format of GitHub Pages domains:
please note that having CNAME to
github.ioitself can also lead to subdomain takeover.The text was updated successfully, but these errors were encountered: