GitHub Pages proofs

[PatrikHudak]

Service name

GitHub Pages

Proof

GitHub uses virtual hosting identical to other cloud services. The site needs to be specified explicitly in domain settings. Step-by-step process:

1. Go to new repository page
2. Set Repository name to canonical domain name (i.e., {something}.github.io from CNAME record)
3. Click Create repository
4. Push content using git to a newly created repo. GitHub itself provides the steps to achieve it
5. Switch to Settings tab
6. In GitHub Pages section choose master branch as source
7. Click Save
8. After saving, set Custom domain to source domain name (i.e., the domain name which you want to take over)
9. Click Save

For screenshots, please refer to https://0xpatrik.com/takeover-proofs/.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "<strong>There isn't a GitHub Pages site here.</strong>" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(Note: DOMAIN NAME has to be the affected domain, not the github.io page itself. This is due to Host header forwarding which affects the HTTP response)

Documentation

There is only one format of GitHub Pages domains:

• *.github.io

please note that having CNAME to github.io itself can also lead to subdomain takeover.

[PatrikHudak]

Official GitHub Pages docs: https://help.github.com/articles/using-a-custom-domain-with-github-pages/

[codingo]

Closing as now available on main readme.

[sumgr0]

Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.

snapshot attached.

Is GitHub takeover still working for anyone?

[kishoretrommer]

Not able to takeover a subdomain pointing to GitHub.io. Error with CNAME is already taken.

snapshot attached.

Is GitHub takeover still working for anyone?

Facing the same issue.

[sumgr0]

Is it possible to takeover githubapp.com subdomains with github.io CNAME?

[ravkishu]

Hi @sumgr0

I'm not quite sure but you should be able to, because it's not allowed only in case of github.io, github.com, or github.page as per official error I'm currently getting.

There isn't any such notice regarding githubapp.com. So, I suppose you should be able to takeover if it's available.

For more you can head over to https://docs.github.com/articles/setting-up-your-pages-site-repository/

[netanmangal]

Hi @EdOverflow
I am trying to takeover subdomain .github.io but when I create a repo and try to serve it via the Github Pages, I get a URL like netanmangal.github.io/.

Github has started to appending the username to the github.io/

I have done something wrong or I think github pages are no longer vulnerable unless the user/organization have totally deleted their account.

[h3cksamrat]

CNAME already taken error occurs in once already created repo and attached cname, so as my understanding *.github.io is not available for takeover.
https://github.community/t/the-cname-is-already-taken/149785

[Abhaysoft-inc]

I was still able to takeover a domain

[Notselwyn]

Still works. +1

Looks like it's kind of conditional because it can say that the domain is claimed

[Elgllad99]

I was still able to takeover a domain

how you can takeover yet I have some of the vulnerable URLs, if you can help me..

[akincibor]

There is a new beta feature, every custom domain need to be verified. So Github is no more vulnerable.

[akincibor]

https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization