deepwn / GitPageHijack

Licence: other
GitPageHijack

OK now. Let's hijack github user's custom domain.

And I created this repo for quick checking with this idea.

Find the weakness

Some days ago I found something odd on GitHub.

If a user points a wildcard DNS record at GitHub Pages, anyone can hijack that user's subdomains.

Just like the demo: http://hijack.michellerobinscreative.com

Why this happens

With a single DNS record, www.deepwn.com => GitHub Pages:

With a wildcard DNS record, *.deepwn.com => GitHub Pages:

As you can see, if a wildcard DNS record points to the GitHub Pages servers, a query for any subdomain returns an answer that points to GitHub.

But you are not the only one who can host on GitHub; anybody can.

So if we find a custom domain on GitHub that uses a wildcard DNS record, its subdomains can be hijacked.
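To check your own zone for this condition, the following added example (not part of the original repo) parses a zone file and flags wildcard records that resolve to GitHub Pages. The zone text is constructed, and the address list is an assumption based on GitHub's documented Pages A records; verify it against the current documentation.

```python
# Added example: audit a zone you own for wildcard records served by GitHub Pages.
# Assumption: documented GitHub Pages A-record addresses (current and legacy).
PAGES_IPS = {"185.199.108.153", "185.199.109.153", "185.199.110.153",
             "185.199.111.153", "192.30.252.153", "192.30.252.154"}

# Constructed sample zone for example.com (not real data).
SAMPLE_ZONE = """
; constructed sample zone for example.com
www     3600 IN CNAME alice.github.io.
*       3600 IN CNAME alice.github.io.
*.docs  3600 IN A     185.199.108.153
*.mail  3600 IN A     203.0.113.10
blog    3600 IN A     185.199.109.153
"""

def points_to_pages(rtype, target):
    """True if a record's target is a GitHub Pages host or address."""
    target = target.rstrip(".").lower()
    if rtype == "CNAME":
        return target.endswith(".github.io")
    if rtype == "A":
        return target in PAGES_IPS
    return False

def audit_zone(zone_text, origin):
    """Return (name, type, target) for every wildcard record served by Pages."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        # Layout handled here: name [ttl] [IN] type rdata
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
        if len(rest) < 2:
            continue
        rtype, target = rest[0].upper(), rest[1]
        name = fields[0]
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        # Only wildcard owner names are risky: they answer for every label.
        if fqdn.startswith("*.") and points_to_pages(rtype, target):
            findings.append((fqdn, rtype, target.rstrip(".")))
    return findings

if __name__ == "__main__":
    for name, rtype, target in audit_zone(SAMPLE_ZONE, "example.com"):
        print(f"replace wildcard with explicit records: {name} {rtype} {target}")
```

Explicit records such as www and blog are not flagged, because they only answer for the one name the owner actually published.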

How many custom domains in GitHub

You can see there are a lot of commits about domains.

How many vulnerable

Just testing with run.sh, limited to 1 day of data, we found 11 vulnerable domains. OMG :(

2018-05-14 (day: 13--14)


Advice:

GitHub already checks the DNS for a user's domain when it is entered in the settings.

And we already get a warning alert if there are problems with the DNS or the domain.

So why not let people put a verifying repo name, username or org name in a 'TXT' record? (The TXT record could be optional rather than mandatory.)

Then the server checks the DNS, so that a wildcard is only hosted for one username, just like mail servers use 'TXT' records to verify a custom mail domain.

This way we can control which repo can use a subdomain, and stop the hosting if someone hijacks my page.
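A sketch of the check proposed above, as an added example that is not GitHub's implementation or code from this repo. The record name `_pages-verify`, the `owner=` value format and the in-memory TXT table are all hypothetical; the table stands in for a real resolver.

```python
# Added example: optional TXT-based ownership check for a custom-domain claim.
VERIFY_LABEL = "_pages-verify"   # hypothetical record name

# Constructed DNS data: the owner of example.com published one TXT record.
TXT_RECORDS = {
    "_pages-verify.example.com": ["owner=alice"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns a list of strings."""
    return TXT_RECORDS.get(name.lower(), [])

def allowed_owners(host, txt_lookup=lookup_txt):
    """Walk from the host up to its two-label parent and return the owner
    set from the first verification record found, or None if there is none."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never query the bare TLD
        name = ".".join([VERIFY_LABEL] + labels[i:])
        values = txt_lookup(name)
        if values:
            return {v.split("=", 1)[1].lower()
                    for v in values if v.startswith("owner=")}
    return None

def may_claim(host, account, txt_lookup=lookup_txt):
    """Decide whether `account` may attach `host` to one of its sites."""
    owners = allowed_owners(host, txt_lookup)
    if owners is None:
        return True      # no TXT published: behaviour unchanged (record is optional)
    return account.lower() in owners

if __name__ == "__main__":
    for host, account in [("www.example.com", "alice"),
                          ("hijack.example.com", "mallory")]:
        print(host, account, "accepted" if may_claim(host, account) else "rejected")
```

With a wildcard record in place, every subdomain of example.com still resolves to the hosting servers, but only the account named in the TXT record can bind a site to one.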

At last

I had to report this to the GitHub Security Bug Bounty, and I wrote this down to tell you what kind of attack you may need to face.

Now we can see some "Danger Notes" in the documentation at https://help.github.com/articles/troubleshooting-custom-domains/#unsupported-custom-domain-name. But it has not been fixed and there is still no verification for this "BUG".

Now you need to pay attention to your settings until this is fixed.

I opened this repo to alert you

PLEASE DON'T USE WILDCARD DNS RECORD FOR CUSTOM DOMAIN ON GITHUB !!!

PLEASE DON'T USE WILDCARD DNS RECORD FOR CUSTOM DOMAIN ON GITHUB !!!

PLEASE DON'T USE WILDCARD DNS RECORD FOR CUSTOM DOMAIN ON GITHUB !!!

dev with love & hack with love :)
