| Web-Site name | Vulnerable | Error Show | Issue Number | Free/paid | Pattern | ||
|---|---|---|---|---|---|---|---|
| https://worksites.net/ | Vulnerable | Hello! Sorry | but the website you’re looking for doesn’t exist. | Issue #142 | |||
| Uptimerobot | Vulnerable | page not found | Issue #45 | (paid) | ['stats.uptimerobot.com'] | ||
| Uberflip | Vulnerable | Non-hub domain | The URL you've accessed does not provide a hub. | Issue #150 | (Paid) | ['read.uberflip.com' | 'uberflip.com'] |
| SurveySparrow | Vulnerable | 'Ouch! Account not found' | Issue #281 | (Piad) + (free Trial) | |||
| Surge.sh | Vulnerable | project not found | (Free) | ['surge.sh'] | |||
| Strikingly | Vulnerable | page not found | Issue #58 | (Free) | ['.s.strikinglydns.com'] | ||
| SmartJobBoard | Vulnerable | This job board website is either expired or its domain name is invalid. | Issue #139 | (14 Days free) | "[""smartjobboard.com"" | ""mysmartjobboard.com""]" | |
| Short.io | Vulnerable | Link does not exist | Issue #260 | (free Trile) | "[""cname.short.io""]" | ||
| Readme.io | Vulnerable | Project doesnt exist... yet! | Issue #41 | (paid) | ['readme.io'] | ||
| Pingdom | Vulnerable | Sorry | couldn't find the status page | Issue #144 | (30 Days Free) | ['stats.pingdom.com'] | |
| Pantheon | Vulnerable | 404 error unknown site! | Issue #24 | (free) | ['pantheonsite.io'] | ||
| Ngrok | Vulnerable | Tunnel *.ngrok.io not found | Issue #92 | (Paid) | ['ngrok.io'] | ||
| LaunchRock | Vulnerable | It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. | Issue #74 | (padi) | ['launchrock.com'] | ||
| Kinsta | Vulnerable | No Site For Domain | Issue #48 | (Paid) | "[""kinsta.com""]" | ||
| JetBrains | Vulnerable | is not a registered InCloud YouTrack | (paid) | ['myjetbrains.com'] | |||
| Intercom | Vulnerable | Uh oh. That page doesn't exist. | Issue #69 | (Free) | ['custom.intercom.help'] | ||
| Help Scout | Vulnerable | No settings were found for this company: | (Paid) | ['helpscoutdocs.com'] | |||
| HatenaBlog | vulnerable | 404 Blog is not found | "[""hatenablog.com""]" | ||||
| Gemfury | Vulnerable | 404: This page could not be found. | Issue #154 | Article (paid) | "[""furyns.com""]" | ||
| Fly.io | Vulnerable | 404 Not Found | Issue #101 | (free) | |||
| Discourse | Vulnerable | Issue #49 | (Paid) | ||||
| Digital Ocean | Vulnerable | Domain uses DO name servers with no records in DO. | (Paid) | ||||
| Cargo Collective | Vulnerable | 404 Not Found | Issue #152 | (paid) | ['subdomain.cargocollective.com'] | ||
| AWS/Elastic Beanstalk | Vulnerable | 404 Not Found | Issue #194 | (paid) | ['elasticbeanstalk.com'] | ||
| AWS/Load Balancer (ELB) | Not Vulnerable | status NXDOMAIN and CNAME pointing to XYZ.elb.amazonaws.com | Issue #137 | (paid) | |||
| AWS/S3 | Vulnerable | The specified bucket does not exist | Issue #36 | (paid) | bucket-name.s3.region-code.amazonaws.com | ||
| Campaign Monitor | Vulnerable | Trying to access your account? | Issue #275 | (free) | ['createsend.com' | 'name.createsend.com'] | |
| Agile CRM | Vulnerable | Sorry | this page is no longer available. | Issue #145 | ['cname.agilecrm.com' | 'agilecrm.com'] | |
| Anima | Vulnerable | If this is your website and you've just created it | try refreshing in a minute | Issue #126 | (paid) | ||
| Airee.ru | Vulnerable | Issue #104 | (free) | ['cdn.airee.com' | 'airee.com'] |
Subdomain takeover is a high-security vulnerability via which an attacker can control an expired management service from where the subdomain of the site was pointing
It can be anything some of the vendors uses services like Shopify to build their shopping platform without changing their official subdomain you may have seen while shopping into some of the site something like powered by Shopify or something else this whole process of connecting one service to another is done by Cname.
Cname stands for the canonical name it is something that is related to hosting and domain connecting system so suppose you buy one domain from godaddy.com and hosting from hostinger.com for connecting this space we have things like nameserver did setup with nameserver and web services to get started this is the whole process apply on the name as well it is used to pointing one domain to another domain without getting the change with an actual subdomain.And if the name record expired then any malicious actor can perform a takeover
$ subfinder -d Takeway.com > subdomain.txt
$ massdns -r resolvers.txt -t CNAME -o S -w scope-CNAME.txt subdomain.txt
$ cat scope-CNAME.txt | grep -v -e"takeaway\.com\.$" | cut -f 3 -d" " | sed 's/.$//g'
thuisbezorgdbeta.hypernode.io
geomaps.takeaway.com.s3.amazonaws.com
$ nuclei -l Cname.txt -t /home/rooter/Desktop/nuclei-templates/takeovers
$ dig images.takeaway.com
