EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Short.io takeover

pdelteil opened this issue

Service name

Short.io

Proof

[Image: Screenshot from 2022-02-15 15-30-57]

```
dig target.tld

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;target.tld.		IN	A

;; ANSWER SECTION:
target.tld.	3600	IN	A	52.21.33.16
target.tld.	3600	IN	A	52.2.56.64
```

Documentation

https://help.short.io/en/articles/4065825-general-subdomain-setup-instruction

I also added this template to nuclei.

Hi!

Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.

I'll share our checks:

  1. If you connect a domain example.com to Short.io, no one can add an example.com subdomain except you
  2. You cannot delete a domain in our system if it is still marked as configured. We require you to disconnect the domain first. It is annoying for our users, but we take security seriously

There can be a corner case when a user points DNS records to our IP and does not add a domain, but it should be a deliberate action because we display configuration instructions after the user adds a domain in our system.

Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk; it only prevents the legitimate domain owner from using our service (and this problem is solved by our support engineers).

Feel free to tell us if you don't think these measures are enough
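
The corner case in the reply above (DNS records pointed at Short.io without the domain being added to an account) can be audited from the domain owner's side. This is an added example, not part of the original thread or Short.io's code: it assumes the two A-record addresses in the dig output above are the service's endpoints, and the zone export and account domain list are constructed sample data.

```python
import ipaddress

# A-record targets taken from the dig output in this issue; treat them as an
# assumption and refresh them from Short.io's current setup instructions.
SHORTIO_IPS = {"52.21.33.16", "52.2.56.64"}

# Constructed sample data: a zone export (name, ttl, class, type, rdata) and the
# domains actually added in the Short.io account.
SAMPLE_ZONE = """\
; constructed zone export for example.com
go.example.com.      3600 IN A     52.21.33.16
go.example.com.      3600 IN A     52.2.56.64
old.example.com.     3600 IN A     52.2.56.64
www.example.com.     3600 IN A     192.0.2.10
mail.example.com.    3600 IN MX    10 mx.example.com.
"""
SAMPLE_CONFIGURED = ["Go.Example.com"]


def parse_a_records(zone_text):
    """Yield (name, ip) for every A record in a dig/zone-file style listing."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[4]))
        except ValueError:
            continue                            # malformed rdata: skip, do not guess
        yield fields[0].rstrip(".").lower(), ip


def find_unclaimed(zone_text, configured_domains, service_ips=SHORTIO_IPS):
    """Return {name: sorted ips} for names resolving to the service but not claimed."""
    claimed = {d.rstrip(".").lower() for d in configured_domains}
    findings = {}
    for name, ip in parse_a_records(zone_text):
        if ip in service_ips and name not in claimed:
            findings.setdefault(name, set()).add(ip)
    return {name: sorted(ips) for name, ips in findings.items()}


if __name__ == "__main__":
    for name, ips in find_unclaimed(SAMPLE_ZONE, SAMPLE_CONFIGURED).items():
        print(f"{name} -> {', '.join(ips)}: points at Short.io but is not in the account")
```

Each finding is resolved either by adding the name to the Short.io account or by removing the DNS record.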

confirm, not vulnerable anymore.

Can you please update the Readme?

@EdOverflow can you please update details about our website?

Hello there @gugu,

I can confirm this takeover is still possible.

How ??

Yes, more details will be a helpful addition to your answer

Adding a custom domain discovered with the template. Test it yourself.

where can I send you a report? BBH? 🤣

At mail hlynurfrey@gmail.com

> a custom domain discovered with the template. Test it you

What do you mean?