How GitHub Pages Takeover Works
Hello folks,
I will share my experience of finding a GitHub Pages takeover vulnerability. Since many people are still confused about how to exploit it, I will explain it in detail. I can't name the website in this report because it was a private program on HackerOne.
A subdomain is a potential GitHub Pages takeover when visiting it returns GitHub's own 404 page (the "There isn't a GitHub Pages site here" error) rather than the target's content, as shown below.
The next step in verifying whether it can be taken over is to look at the subdomain's CNAME record with the dig tool:
$ dig sub.redacted.com
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> sub.redacted.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24134
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sub.redacted.com. IN A
;; ANSWER SECTION:
sub.redacted.com. 600 IN CNAME sub.redacted.com.edegekey.net.
sub.redacted.com.edegekey.net. 300 IN CNAME xxx.github.io.
xxx.github.io. 3600 IN A 192.192.192.192
xxx.github.io. 3600 IN A 192.192.192.192
xxx.github.io. 3600 IN A 192.192.192.192
xxx.github.io. 3600 IN A 192.192.192.192
As we can see, the CNAME chain ends at a GitHub Pages hostname (xxx.github.io), yet GitHub answers with a 404, which means no Pages site currently claims sub.redacted.com. That combination is what makes the takeover possible: GitHub Pages routes requests by the Host header to whichever repository has that custom domain configured, and any account can configure it as long as nobody else has. (GitHub has since added custom domain verification; if the target organisation has verified redacted.com in its GitHub settings, only its own repositories can use the domain and this attack fails.) To take it over, create a new repo at https://github.com/new, named after the GitHub Pages hostname from the CNAME (xxx.github.io). Strictly, the repository name is not what does the work; the custom domain setting in the next step is.
After creating the repo, commit the files you want to appear on the page (for a proof of concept, a single index.html with a harmless marker is enough). Then open the repo's Settings and go to the Pages section: set Source to Deploy from a branch, set Custom domain to the target subdomain (sub.redacted.com) and save. GitHub commits a CNAME file containing that domain to the publishing branch. Once the site has built, browse to the target subdomain: it now serves your content instead of GitHub's 404.
All of these conditions must hold. If any one fails, the subdomain is not vulnerable. For example, if dig shows no CNAME to xxx.github.io (or to any github.io hostname), or if the subdomain already serves a live Pages site instead of GitHub's 404, it cannot be taken over: a github.io CNAME together with a 200 response just means someone already owns the site.
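As an added example (not part of the original writeup), here is a small Python triage script that automates the two checks above: it parses dig output, follows the CNAME chain to see whether it ends at *.github.io, and combines that with the HTTP response to decide whether the subdomain is a takeover candidate. The dig output embedded in it is the sanitised one from this post, the 404 body is a constructed stand-in that contains the phrase GitHub's unclaimed-site page shows, and the live mode at the bottom assumes dig is installed and that the target answers plain HTTP.

```python
"""Triage helper for GitHub Pages takeover candidates (added example)."""
import subprocess
import sys
import urllib.error
import urllib.request

GITHUB_PAGES_SUFFIX = ".github.io."
# Text GitHub serves on its Pages 404 page when no site claims the hostname.
GITHUB_404_MARKER = "There isn't a GitHub Pages site here"

# Constructed inputs: the dig output is the sanitised one from the writeup,
# the HTTP body is a cut-down stand-in for GitHub's 404 page.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;sub.redacted.com. IN A
;; ANSWER SECTION:
sub.redacted.com. 600 IN CNAME sub.redacted.com.edegekey.net.
sub.redacted.com.edegekey.net. 300 IN CNAME xxx.github.io.
xxx.github.io. 3600 IN A 192.192.192.192
"""
SAMPLE_404_BODY = (
    "<html><body><h1>404</h1>"
    "<p>There isn't a GitHub Pages site here.</p></body></html>"
)


def _fqdn(name):
    """Normalise a DNS name to lowercase with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_answer_section(dig_output):
    """Return (owner, type, rdata) for every resource record in dig output.
    Comment lines (those starting with ';') are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records.append((_fqdn(owner), rtype.upper(), rdata))
    return records


def cname_chain(records, name):
    """Follow CNAMEs from `name` and return the ordered list of targets.
    Stops when the current name has no CNAME or a loop is detected."""
    cnames = {o: _fqdn(r) for o, t, r in records if t == "CNAME"}
    chain, seen, cur = [], set(), _fqdn(name)
    while cur in cnames and cur not in seen:
        seen.add(cur)
        cur = cnames[cur]
        chain.append(cur)
    return chain


def points_to_github_pages(chain):
    """True when the last hop of the CNAME chain is a *.github.io host.
    Limitation: subdomains pointed at GitHub's Pages IPs with A records
    instead of a CNAME are not detected by this check."""
    return bool(chain) and chain[-1].endswith(GITHUB_PAGES_SUFFIX)


def is_github_404(status, body):
    """True when the response is GitHub's unclaimed-site 404 page."""
    return status == 404 and GITHUB_404_MARKER in body


def assess(dig_output, name, status, body):
    """Combine the two conditions from the writeup: the CNAME chain must end
    at *.github.io AND GitHub must answer with its unclaimed-site 404."""
    chain = cname_chain(parse_answer_section(dig_output), name)
    if not points_to_github_pages(chain):
        return False, "CNAME chain does not end at *.github.io: %s" % (chain or "no CNAME")
    if not is_github_404(status, body):
        return False, "%s points at GitHub Pages but serves a live site (HTTP %d)" % (name, status)
    return True, "%s -> %s is unclaimed on GitHub Pages; takeover candidate" % (name, chain[-1])


if __name__ == "__main__":
    # Live mode (assumption: dig is installed, target answers plain HTTP):
    #   python3 gh_pages_triage.py sub.redacted.com
    target = sys.argv[1]
    dig_out = subprocess.run(["dig", "+noall", "+answer", target],
                             capture_output=True, text=True, check=True).stdout
    try:
        resp = urllib.request.urlopen("http://%s/" % target, timeout=10)
        code, html = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        code, html = err.code, err.read().decode("utf-8", "replace")
    print(assess(dig_out, target, code, html)[1])
```

The chain walker keeps a visited set so a misconfigured CNAME loop terminates instead of spinning, and a 200 response with a github.io CNAME is reported as "live site", which is exactly the not-vulnerable case described above.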
Reference: https://0xpatrik.com/takeover-proofs/