GitHub.io Subdomain Takeover

[jatoch]

I have found a subdomain sub.example.com
And the CNAME is pointing to 1234.github.io

When navigating to sub.example.com
It will show the 404 error
There isn't a GitHub Pages site here.

So I created a github page and added sub.example.com as custom domain.

And it will say that this CNAME has already been taken.
Am I doing something wrong? Or is it not vulnerable.

[EdOverflow]

There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need consider the two types of GitHub pages/subdomains:

1. Username-based subdomains;
2. Organisation-based subdomain.

As the names already state, the former is based on the GitHub user's handle (e.g. https://github.com/edoverflow ➞ edoverflow.github.io) and the latter is one that uses an organisation's handle (https://liberapay.com/liberapay ➞ liberapay.github.io).

With this in mind, it becomes a little easier to determine whether or not a page is vulnerable.

The following case is not vulnerable:

• There is no index page (404), but there are subpages with content. So https://example.github.io/ might display a 404, but there is a repository somewhere serving content under https://example.github.io/foobar. This is why I would always recommend checking https://github.com/<name> to see if there are any indications as to where the user or organisation might be serving content from or using a simple Google Dork such as site:example.github.io to find hidden directories that have been crawled by Google.

The following cases are vulnerable:

• There is no content being served on that GitHub host at all. This means that there is not a single repository that has claimed the GitHub page;
• There is no account or organisation under https://github.com/<name>. You can sign up for an account or set up an organisation under that name and proceed to serve content on https://<name>.github.io/.

I hope this clears up any uncertainties when it comes to GitHub pages.

[Phoenix1112]

@EdOverflow I'm trying to create a test environment for myself. I created a github repo and created a simple index.html file. then I created a site with the extension .io.
I had previously purchased a domain address with a .com extension. I added the subdomain address I created with github to my domain name as a cname record.

example:

dig cname www.guidebookdemo.com

www.guidebookdemo.com cname phoenix1112.github.io

You can see that my username is used as the subdomain address in the site address i created for github.(phoenix1112)

now, if the phoenix1112.github.io address was unavailable, how would we get the phoenix1112 username to get this github address? if the username is used for the subdomain name, how do we get someone else's username?

[EdOverflow]

You would have to hope that the user — phoenix1112 in your example — deletes their account so that you can then claim that username. There is no other way around it as far as I know.

[Phoenix1112]

@EdOverflow i did takeover now... the user name does not matter.. i did test it..

dig cname www.guidebookdemo.com

www.guidebookdemo.com CNAME phoenix1112.github.io

I deleted the files I created phoenix1112.github.io. I created a repo with another user and wrote www.guidebookdemo.com in the site name. and I created an index.htm file

After 10 minutes, when I opened www.guidebookdemo.com, my index.html file started to appear. Although I am not a phoenix1112 user, I did takeover www.guidebookdemo.com.

[EdOverflow]

Actually, now that I think of it, I have submitted two subdomain takeovers using the exact process you described above roughly two years ago. Silly me! :P

You are absolutely right, the username is not actually important. Thank you for double-checking this, @Phoenix1112.

[melardev]

Actually, I don't even think the name of the repo matters, just create any repo, go to settings of that repo, enable Github pages and add your custom domain there, reply to me if you think I am wrong.

Update: but I also had issues with "CNAME has already been taken." even though the page was showing the fingerprint message, I don't know why ;O

[Shrimant12]

Check site: "traget.github.io" and see you get the repo. In my case, it was also showing There isn't a Github Pages site here. but when checked using site: "traget.github.io" all the pages and everything was present. So this case is also not vulnerable.

[7RUST]

website name example.com pointing to cname example.github.io. Now there is still content on example.com but when navigated to example.github.io it says a 404. I tried to create a github repo but when trying to add a domain, it says cname is already taken. I am kinda confused as if it is pointing to an unclaimed github.io domain, it should be vulnerable right ?

[adityathebe]

@saurabh96216 IIRC the cname is irrelevant as long as it is pointing to .github.io

[mnijres]

@EdOverflow Hi Ed, it seems github no longer vulnerable for sub-domain takeOver since they add account name before the sub-domain that planing to takeover it.
For example the sub-domain suppose to be vulnerable is example.gitexample.com
When creating page they add your github name before the page name like (hxxps://mnijres.github.io/example.gitexample.com)
Since mnijres is my github name.

[mnijres]

After testing 1.516.945 sub-domains included (cloudfront, fastly, Github.io, tumbler,shopify)

Non of them are vulnerable to sub-domain takevoer anymore !

I will try my luck with something else.

[cyberbharathi]

There are multiple scenarios when it comes to GitHub subdomain takeovers. First we need consider the two types of GitHub pages/subdomains:

1. Username-based subdomains;
2. Organisation-based subdomain.

As the names already state, the former is based on the GitHub user's handle (e.g. https://github.com/edoverflow ➞ edoverflow.github.io) and the latter is one that uses an organisation's handle (https://liberapay.com/liberapay ➞ liberapay.github.io).

With this in mind, it becomes a little easier to determine whether or not a page is vulnerable.

The following case is not vulnerable:

• There is no index page (404), but there are subpages with content. So https://example.github.io/ might display a 404, but there is a repository somewhere serving content under https://example.github.io/foobar. This is why I would always recommend checking https://github.com/<name> to see if there are any indications as to where the user or organisation might be serving content from or using a simple Google Dork such as site:example.github.io to find hidden directories that have been crawled by Google.

The following cases are vulnerable:

• There is no content being served on that GitHub host at all. This means that there is not a single repository that has claimed the GitHub page;
• There is no account or organisation under https://github.com/<name>. You can sign up for an account or set up an organisation under that name and proceed to serve content on https://<name>.github.io/.

I hope this clears up any uncertainties when it comes to GitHub pages.

Hello @EdOverflow I have try this similar way and my target vulnerable to this way. Can I report it to the Vendor as Github Subdomain takeover? and it could be a valid issue?

[sa1tama0]

⚠️⚠️ GitHub's pages are now secure and no longer vulnerable. ⚠️⚠️
GitHub has implemented DNS verification to confirm the legitimacy of domains.