can-i-take-over-xyz

Subdomain takeover of Alibaba Cloud OSS

janthraper opened this issue (1 comment)

Alibaba Cloud OSS

A subdomain pointing to an unclaimed Alibaba OSS bucket via CNAME is vulnerable to takeover. The website will throw an error like this when the bucket doesn't exist.


Step-by-step process:

  1. Go to OSS panel
  2. Click Create Bucket
  3. Set Bucket name to source domain name (i.e., the domain you want to take over)
  4. Click OK to finish
  5. Open the created bucket (Select Access Control List (ACL) as public)
  6. Go to Files and Click Upload
  7. Select the file which will be used for PoC (HTML or TXT file)
  8. Set file ACL as public read

Verify by going to the subdomain.

Documentation

https://www.alibabacloud.com/help/doc-detail/31899.htm?spm=a2c63.p38356.879954.14.71cd374fq6kJ5W#concept-ars-bhz-5db
https://www.alibabacloud.com/help/doc-detail/31836.htm
https://partners-intl.aliyun.com/help/doc-detail/31902.htm

janthraper avatar Aug 01 '20 07:08 janthraper
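The dangling-CNAME condition the issue above describes is, from the defender's side, an inventory problem: find every CNAME in your own zone that points at an OSS endpoint and check whether the bucket it names still exists. The script below is an added example written for this page, not code from the issue author or from the can-i-take-over-xyz project. It assumes (the issue does not state either) that OSS virtual-hosted CNAME targets look like `<bucket>.oss-<region>.aliyuncs.com` and that a request for a nonexistent bucket returns HTTP 404 with an S3-style XML error whose `<Code>` is `NoSuchBucket`. The zone records and HTTP responses are constructed sample data so it runs offline; swap `sample_fetch` for a real HTTP GET to run it against a live zone export.

```python
"""Scan a DNS zone export for CNAMEs pointing at Alibaba Cloud OSS buckets
that no longer exist, i.e. dangling records a defender should delete."""
import re
from typing import Callable, Dict, List, Tuple

# ASSUMPTION (not stated in the issue): OSS virtual-hosted endpoints have the
# form <bucket>.oss-<region>.aliyuncs.com, optionally with a trailing dot.
OSS_CNAME_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9])\."
    r"(?P<endpoint>oss-[a-z0-9-]+\.aliyuncs\.com)\.?$",
    re.IGNORECASE,
)

# ASSUMPTION: a request for a bucket that does not exist is answered with an
# XML error body whose <Code> element is NoSuchBucket (S3-style error format).
NO_SUCH_BUCKET_RE = re.compile(r"<Code>\s*NoSuchBucket\s*</Code>")

Finding = Tuple[str, str, str]  # (hostname, bucket name, OSS endpoint)


def is_unclaimed_bucket(status: int, body: str) -> bool:
    """True when an HTTP response carries the 'bucket does not exist' fingerprint."""
    return status == 404 and NO_SUCH_BUCKET_RE.search(body) is not None


def find_dangling(records: Dict[str, str],
                  fetch: Callable[[str], Tuple[int, str]]) -> List[Finding]:
    """records maps hostname -> CNAME target; fetch(hostname) -> (status, body).

    Only hosts whose CNAME matches the OSS pattern are fetched, so non-OSS
    records cost nothing. A host is reported when the endpoint says the
    bucket named by the CNAME does not exist."""
    findings: List[Finding] = []
    for host, target in sorted(records.items()):
        m = OSS_CNAME_RE.match(target)
        if not m:
            continue
        status, body = fetch(host)
        if is_unclaimed_bucket(status, body):
            findings.append((host, m.group("bucket").lower(), m.group("endpoint").lower()))
    return findings


# --- constructed sample data (not real hosts, buckets or responses) ----------
SAMPLE_ZONE = {
    "assets.example.com": "assets-example.oss-cn-hangzhou.aliyuncs.com.",
    "cdn.example.com": "cdn-example.oss-ap-southeast-1.aliyuncs.com",
    "blog.example.com": "ghs.googlehosted.com",  # not an OSS target; must be skipped
}

_SAMPLE_RESPONSES = {
    # bucket was deleted but the CNAME stayed behind
    "assets.example.com": (404, '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code>'
                                "<Message>The specified bucket does not exist.</Message></Error>"),
    # bucket still exists and serves content
    "cdn.example.com": (200, "<html>hello</html>"),
}


def sample_fetch(host: str) -> Tuple[int, str]:
    """Stand-in for an HTTP GET against the hostname so the example runs offline."""
    return _SAMPLE_RESPONSES.get(host, (0, ""))


if __name__ == "__main__":
    for host, bucket, endpoint in find_dangling(SAMPLE_ZONE, sample_fetch):
        print(f"DANGLING {host}: bucket '{bucket}' missing on {endpoint}; "
              "remove the CNAME or recreate the bucket under your own account")
```

In a real sweep the `fetch` callable would be a plain `urllib.request.urlopen` wrapper that returns the status and body even for 4xx responses; the regex and fingerprint constants are the parts to adjust if Alibaba's endpoint naming or error body differs from the assumptions noted in the comments.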

Hi @janthraper

I appreciate this research but can you please:

  1. Suggest the CNAME pattern in Alibaba Cloud that you're talking about
  2. PoC will be much appreciated if possible.

ravkishu avatar Dec 15 '20 19:12 ravkishu