MCPcopy Index your code
hub / github.com/EdOverflow/can-i-take-over-xyz

github.com/EdOverflow/can-i-take-over-xyz @main sqlite

repository ↗ · DeepWiki ↗
10 symbols 30 edges 1 files 4 documented · 40%
README

image

Disclaimer :warning:

The authors of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. This project heavily relies on contributions from the public; therefore, proving that something is vulnerable is the security researcher and bug bounty program's sole discretion.

Furthermore, it is important to clarify that this project does not aim to identify or disclose bypasses to security measures implemented by various services. Instead, it is expected that such bypasses be reported directly to the affected service for appropriate action.

Finally, it is worth noting that some bug bounty programs may accept dangling DNS record reports without requiring proof of compromise.

What is a subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here:

Safely demonstrating a subdomain takeover

Based on personal experience, claiming the subdomain discreetly and serving a harmless file on a hidden page is usually enough to demonstrate the security vulnerability. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html

Please be advised that this depends on what bug bounty program you are targeting. When in doubt, please refer to the bug bounty program's security policy and/or request clarifications from the team behind the program.

How to use this project

I recommend searching for the name of the service you are targeting in the issues tab. That way you can see the on-going discussion and more detailed steps on how to claim the subdomain you are after.

How to contribute

You can submit new services here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/new?template=new-entry.md.

A list of services that can be checked (although check for duplicates against this list first) can be found here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/26.

All entries

Note: fingerprints.json is automatically updated based on the content of this table.

Column header definitions:

  • Engine: Name of service
  • Status: Whether the service is vulnerable
  • Verified by CI/CD: Whether automated fingerprint check is currently passing
  • Domains: Comma-separate domains (used for fingerprint auto-verification)
  • Fingerprint: Regex indicating vulnerable page (or NXDOMAIN, indicating non-existent DNS record)
  • Discussion: Link to issue on this repo for discussion
  • Documentation: Link to official documentation
Engine Status Verified by CI/CD Domains Fingerprint Discussion Documentation
AWS/Elastic Beanstalk Vulnerable 🟩 elasticbeanstalk.com NXDOMAIN Issue #194
AWS/Load Balancer (ELB) Not vulnerable 🟥 elb.amazonaws.com NXDOMAIN Issue #137
AWS/S3 Vulnerable 🟩 s3.amazonaws.com The specified bucket does not exist Issue #36
Acquia Not vulnerable 🟥 Web Site Not Found Issue #103
Agile CRM Vulnerable 🟥 agilecrm.com Sorry, this page is no longer available. Issue #145
Airee.ru Vulnerable 🟩 airee.ru Ошибка 402. Сервис Айри.рф не оплачен Issue #104
Akamai Not vulnerable 🟥 Issue #13
Anima Vulnerable 🟩 animaapp.io The page you were looking for does not exist. Issue #126 Anima Documentation
Bitbucket

Core symbols most depended-on inside this repo

errprint
called by 6
scripts/gen_fingerprints.py
_verify_response
called by 2
scripts/gen_fingerprints.py
rand_string
called by 2
scripts/gen_fingerprints.py
verify
called by 1
scripts/gen_fingerprints.py
make_markdown_table
called by 1
scripts/gen_fingerprints.py
parse_fingerprints
called by 1
scripts/gen_fingerprints.py
make_fingerprint_table
called by 1
scripts/gen_fingerprints.py
json
called by 0
scripts/gen_fingerprints.py

Shape

Function 5
Method 4
Class 1

Languages

Python100%

Modules by API surface

scripts/gen_fingerprints.py10 symbols

For agents

$ claude mcp add can-i-take-over-xyz \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact