Subdomain Takeover via netlify

[m7mdharoun]

netlify

https://medium.com/@alirazzaq/subdomain-takeover-worth-200-ed73f0a58ffe

Documentation

[AnotherWayIn]

when you attempt to add a custom domain on Netlify, they ask you to add a randomly-named cname record for them to verify. Because of this, it doesn't look like you can do takeovers anymore. Unless i've missed a trick?

[codingo]

@AnotherWayIn How random is the seed? Have you done collision checks on it?

I've managed to do takeovers on some services by looping the creation/deletion of a service with a random seed until I hit a collision for an old service either using javascript in a client session or looping in python/bash utilizing something like the AWS cli.

[codingo]

Also this seems more remote as it's a change from the old state, so I'm going to flag this as not vulnerable unless confirmed otherwise.

[AnotherWayIn]

Yeah, BF is not possible here. Mine for example is asking for the cname to be:
gallant-pare-4f7741.netlify.com
This is generated when you create a new site.

[codingo]

Closed via #53

[smartens80]

This vulnerability still exists (the company I work for was just informed by a white hat hacker that this affected us). If a sub domain (eg: mysubdomain.test.com) is pointing to a Netlify CNAME that is no longer in use by the original party and removed from the previous Netlify project, another party can add that subdomain to their own Netlify project and take it over.

[codingo]

@smartens80 it's one thing to highlight it, but it's another thing to do a claim. From my own testing it doesn't look like a claim isn't actually possible. Did they perform one in this case, or just let you know the DNS record was still there?

If you're unsure about this feel free to DM me on twitter under @codingo_ and we can talk through it further.

[codingo]

Potentially older domains are still vulnerable (without a seed), but this would still be considered an Edge Case. You should certainly be asking for proof of takeover on all reports though @smartens80.

[smartens80]

@codingo yes, they took over the sub domain and sent over as a poc. I've since removed the affected CNAME records from our DNS. I can PM you more info if you like?

[codingo]

Sounds good - I'm mostly interested in the format of the CNAME. What I suspect has happened is that older DNS records can still be taken over, and that this will need to be adjusted on the repository. If you can DM me it would be great to collect further information.

[codingo]

This is now confirmed as an edge case. Older DNS records for Netlify are still vulnerable to takeover.

[codingo]

Updated to master via #57

[jubobs]

@codingo Can you shed more light on

Older DNS records for Netlify are still vulnerable to takeover.

?

I know what you mean by "old DNS records for Netlify" (ones where the canonical name doesn't have a random subdomain), but how can you claim them?

[monizb]

Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday.

[YASSlNE]

@codingo Can you shed more light on

Older DNS records for Netlify are still vulnerable to takeover.

?

I know what you mean by "old DNS records for Netlify" (ones where the canonical name doesn't have a random subdomain), but how can you claim them?

up

[pdelteil]

Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday.

Can you share details? What's the CNAME ?

[wowits]

Confirming this in 2021, was able to take over 2 different subdomains pointed to Netlify just yesterday

Nah, it cannot be possible for subdomain until its root domain is vulnerable a new setting is implemented as fastly if this feature implemented by every1 then wht??

[Xplo8E]

How can create subdomain
something.netlify.com but in netlify it giving only **.netlify.app

How can move further??

[pdelteil]

So, I don't think is possible to perform the take over of a netlify account:

I had this case everybodywins.adobe.com

>  dig everybodywins.adobe.com

; <<>> DiG 9.16.1-Ubuntu <<>> everybodywins.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22410
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;everybodywins.adobe.com.	IN	A

;; ANSWER SECTION:
everybodywins.adobe.com. 10800	IN	CNAME	everybodywins.netlify.app.
everybodywins.netlify.app. 19	IN	A	54.205.240.192
everybodywins.netlify.app. 19	IN	A	157.245.242.152

;; Query time: 39 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Sep 04 21:44:28 UTC 2021
;; MSG SIZE  rcvd: 123

You can't create a domain everybodywins.netlify.app. It gives you

If you try to add a custom domain everybodywins.adobe.com, you will get

[Techbrunch]

I just managed to takeover a sudomain:

stage.target.com.	273	IN	CNAME	stage--target.netlify.app.
stage--target.netlify.app. 20	IN	A	18.159.128.50
stage--target.netlify.app. 20	IN	A	206.189.58.26

Reponse before taking over:

HTTP/2 404 Not Found
Cache-Control: private, max-age=0
Content-Length: 50
Content-Type: text/plain; charset=utf-8
Date: Mon, 06 Sep 2021 09:37:01 GMT
Age: 0
Server: Netlify
X-Nf-Request-Id: 01FEX7FPBPDQ0V9YRG1PM3E0AP

Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP

I just created a new app in Netlify and setup the domain.

[rsgian]

I just managed to takeover a sudomain:

stage.target.com.	273	IN	CNAME	stage--target.netlify.app.
stage--target.netlify.app. 20	IN	A	18.159.128.50
stage--target.netlify.app. 20	IN	A	206.189.58.26

Reponse before taking over:

HTTP/2 404 Not Found
Cache-Control: private, max-age=0
Content-Length: 50
Content-Type: text/plain; charset=utf-8
Date: Mon, 06 Sep 2021 09:37:01 GMT
Age: 0
Server: Netlify
X-Nf-Request-Id: 01FEX7FPBPDQ0V9YRG1PM3E0AP

Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP

I just created a new app in Netlify and setup the domain.

Can you tell how you managed to do this because the netlify is saying the site name is taken already

[m7mdharoun]

I just managed to takeover a sudomain:

stage.target.com.	273	IN	CNAME	stage--target.netlify.app.
stage--target.netlify.app. 20	IN	A	18.159.128.50
stage--target.netlify.app. 20	IN	A	206.189.58.26

Reponse before taking over:

HTTP/2 404 Not Found
Cache-Control: private, max-age=0
Content-Length: 50
Content-Type: text/plain; charset=utf-8
Date: Mon, 06 Sep 2021 09:37:01 GMT
Age: 0
Server: Netlify
X-Nf-Request-Id: 01FEX7FPBPDQ0V9YRG1PM3E0AP

Not found - Request ID: 01FEX7FPBPDQ0V9YRG1PM3E0AP

I just created a new app in Netlify and setup the domain.

Can you tell how you managed to do this because the netlify is saying the site name is taken already

Subdomain Takeover in Netlify as same as Takeover in Fastly Service if company add 3 subdomains and 1 of them is vulnerable you can't add the vulnerable 1 to your account unless company delete the whole Domain or closed their Netlify Account.

I mean this takeover Edge case.

[SimonGurney]

I just took over a netlify and it wasn't an edge case. I think its still fully possible

The company had a cname to x-y.netlify.app

I signed up for netlkify and got given a domain called foo-bar-657657.netlify.app

I clicked edit and changed my netlify site name to be x-y.netlify.app

I added their subdomain as an additional domain and then it provisioned a letsencrypt cert on there for me.

[samogod]

I just took over a netlify and it wasn't an edge case. I think its still fully possible

The company had a cname to x-y.netlify.app

I signed up for netlkify and got given a domain called foo-bar-657657.netlify.app

I clicked edit and changed my netlify site name to be x-y.netlify.app

I added their subdomain as an additional domain and then it provisioned a letsencrypt cert on there for me.

[danzee1]

I just took over a netlify and it wasn't an edge case. I think its still fully possible
The company had a cname to x-y.netlify.app
I signed up for netlkify and got given a domain called foo-bar-657657.netlify.app
I clicked edit and changed my netlify site name to be x-y.netlify.app
I added their subdomain as an additional domain and then it provisioned a letsencrypt cert on there for me.

Not possible anymore !!

[CalfCrusher]

What when CNAME points to *.netlifyglobalcdn.com ?
Is it possible the tko ?

[Kaue-Navarro]

Good Morning

Yesterday I managed to do the subdomain takeover in a cname of *.netlifyglobalcdn.com

What I needed to do was:

Adding the cname to the default domain, if you can, is the first step.

You just took the cname.

This works for me.

But in this case it wasn't the subdomain takeover it was just the takeover of cname, for some reason the subdomain was still not redirecting to cname.

So in the field to add the subdomain I added the root domain, and then created an alias as in the image.

This is how the subdomain takeover works completely.

I reported it to the company yesterday and today it was corrected, they had removed the cname.

So yes it is still possible to takeover on netlify

[Sechunt3r]

Thanks @Kaue-Navarro
The technique you suggested completely works & full subdomain takeover is still possible on netlify.

Cname-Settings:

POC:

[pdelteil]

Hey @Sechunt3r,

You revealed the subdomain you took over on the page title. :(

[b1bek]

subdomain has cname foo-bar-xyz.netlify.app , i got it and my site is hosted at foo-bar-xyz.netlify.app but the subdomain still has error like this

now when trying to add subdomain in custom domain it shows this error

Can anyone confirm if *.netlify.app is still possible or not?

[Kaue-Navarro]

1- Change the netlify.app subdomain name that you have in your account to the one you found vulnerable if it allows it is the first step, this will give you power only to the cname.

2- Step you put the root domain of the subdomain in that field to add domain the root domain.

3 - Create the alias with the subdomain you found.

Done these three then yes you will have full control.

Important if the first step does not work you will not be able to assume the subdomain completely.

[gonzxph]

How can i contact you bro? I have a question

[Kaue-Navarro]

Yes, my contact in linkedin Kauê Navarro

[FalcoXYZ]

Just took over a Netlify app, can confirm this still works.

CNAME was set to: randomappname.netlify.com (it was .com, not .app)

Steps I took to take it over:

1. I deployed a new app in Netlify with Nextjs template. (can be any template)
2. Changed my app name to the one that was set as CNAME. In my example: randomappname
3. Added an additional sub-domain under the "domain management" tab.
4. This additional subdomain will be set as the "primary domain" and the Netlify domain will be "default subdomain"

[pdelteil]

Just took over a Netlify app, can confirm this still works.

CNAME was set to: randomappname.netlify.com (it was .com, not .app)

Steps I took to take it over:

1. I deployed a new app in Netlify with Nextjs template. (can be any template)

2. Changed my app name to the one that was set as CNAME. In my example: randomappname

3. Added an additional sub-domain under the "domain management" tab.

4. This additional subdomain will be set as the "primary domain" and the Netlify domain will be "default subdomain"

This is not really accurate. You don't need to change the name of your app. Just add the vulnerable subdomain as a domain alias.

This is my example:

Vulnerable subdomain pretty.domain.com

Dig pretty.domain.com

;; ANSWER SECTION:
pretty.domain.com.	300	IN	CNAME	pretty-another.netlify.com.
pretty-another.netlify.com. 20	IN	A	52.X
pretty-another.netlify.com. 20	IN	A	177.Y

To take over this subdomain I just created an alias. You cannot accomplish the same with every vulnerable subdomain since it depends on some edge conditions (account deleted, etc).

[molitona]

Hi @Kaue-Navarro @pdelteil

I've a vuln subdomain that doesn't point to any cname, is it vuln to STO ?

[molitona]

@Kaue-Navarro

Tried to put the CNAME itself in here and got "custom_domain has a reserved word"

tried to put the vuln subdomain and got already used domain

any help, am i doing something wrong ?

[Kaue-Navarro]

If you don't get the first step to use the custom cname you thought of what you created, I believe you won't be able to point to the main domain and create the subdomain;

Which then in this case is not vulnerable.

[molitona]

If you don't get the first step to use the custom cname you thought of what you created, I believe you won't be able to point to the main domain and create the subdomain;

Which then in this case is not vulnerable.

Yep i tried adding the cname when created a project and uploaded it.Then it ask me to add custom subdomain in 2nd step and it said "custom domain has a reserved word" (1st picture) after i put the CNAME value, am i correct in steps but it's not vuln ?

[alice12o1]

It's Possible to takeover netlify subdomain now ?

[Sachin85y]

It's Possible to takeover netlify subdomain now ?

No brother no ways to takeover now