can-i-take-over-xyz
can-i-take-over-xyz copied to clipboard
EdOverflow
Subdomains pointing to vercel.com are vulnerable
Service name
Vercel
Proof
Successful subdomain takeover on a harvard.edu subdomain (screenshot).
Documentation
- Create a new repository on Github and upload an index.html
- Visit https://vercel.com/ and sign up using your Github account
- Create a new project and point it to the previously created Github repository
- Open the "Domains" tab on Vercel and add the vulnerable domain
- Boom! Exploited!
Can you share the cname regex and the fingerprint?
Sure
{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }
There are definitely edge cases here.
$ host -t CNAME anythingrandom.console.dev.twilio.com
anythingrandom.console.dev.twilio.com is an alias for cname.vercel-dns.com.
$ curl 'https://anythingrandom.console.dev.twilio.com/' 10:12:48
The deployment could not be found on Vercel.
DEPLOYMENT_NOT_FOUND
so the cname we need to grep is vercel-dns.com not vercel.com. thank you @adityathebe
Can you share the cname regex and the fingerprint?
Sure
{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }
are you takeover any subdomain? Do you have any poc?
Summary for 2021: U can takeover mashed.potato.com only if potato.com is not used in the account of the victim, otherwise, u will get Already owned err.
It still vulnerable yesterday I takeover 2 subdomains and I've upload my index
@M359AH u took over mashed.potato.com even when potato.com is already registered? If yes, please share how you managed to do that? Just curious :0
@jan-muhammad-zaidi
Hello Muhammed
I've found the subdomain I got this error page
- After it, I go to see the CNAME
;; AUTHORITY SECTION:
vercel.app. 60 IN SOA ns1.vercel-dns.com. hostmaster.nsone.net. 1644228969 43200 7200 1209600 60
;; Query time: 134 msec
;; SERVER:#53(.131)
;; WHEN: Mon Feb 07 12:41:00 EET 2022
;; MSG SIZE rcvd: 119
Now I go to vercel.app and add a public repository contains my PoC index and after import the project I've add the domain and added successfully
and my PoC has been uploaded
How come it's not showing a domain already registered error? Like this
Hello @jan-muhammad-zaidi
I think your target is not vulnerable because It should be registered without an errors like my comment above
Domain takeovers using Vercel are definitely still possible.
However, they are limited. In my testing, I found that a domain is not vulnerable if:
- The root domain is used by a Vercel account (i.e. the root domain points to
76.76.21.21and is linked to a project). - The domain/root domain is verified, even if the root domain does not point to
76.76.21.21. - Another subdomain of the same root domain is used by a Vercel account.
In practice, this means many subdomains will not be vulnerable (but subdomains definitely can be vulnerable).
There seems to be only one way to be sure a domain is vulnerable or not: try it out.
I created a PR to update the README: #375
I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?
I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?
This has happened to me too, please show me the solution
It's not possible anymore because you have to add a txt record, and that is not possible in the case of subdomain takeover.
