parami-foundation / parami-blockchain (Parami Chain)
License: GNU General Public License v3.0
Title:
GitHub Subdomain Takeover
Summary:
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) points to a service (e.g. GitHub Pages, Heroku, etc.) whose resource has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point that page at the subdomain. For example, if subdomain.example.com was pointing to a GitHub Pages site and the user deleted that site, an attacker can now create a GitHub Pages site, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.
Steps to find the vulnerability:
Vulnerable URL: https://docs.parami.io
• It was easy to guess the CNAME target of Parami's GitHub Pages site, which is parami.github.io.
• As the CNAME target is still unclaimed and the subdomain serves no site, the subdomain is vulnerable to subdomain takeover.
• The CNAME should not be left published.
Impact:
Risk: fake website, malicious code injection, tricking users, company impersonation. This issue can have a really huge impact on the company's reputation: someone could post malicious content on the compromised site and your users will think it is official when it is not.
If the subdomain is not used, remove it from your DNS entries.
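As an added example (not part of this report or of the Parami project), a defender-side audit in Python that scans a zone's CNAME records for targets in GitHub Pages and flags the ones whose subdomain serves GitHub's "There isn't a GitHub Pages site here." page, which is the dangling condition the steps above describe. Apart from the docs.parami.io record, the zone lines and the response bodies are constructed; a real run would replace `SAMPLE_RESPONSES.get` with an HTTPS fetch of each owner name.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Body text GitHub Pages serves when a *.github.io name (or a custom domain CNAMEd
# to it) has no site claimed for it; seeing it behind your own CNAME means dangling.
GITHUB_PAGES_UNCLAIMED = "There isn't a GitHub Pages site here."
GITHUB_PAGES_SUFFIX = ".github.io"

@dataclass
class Finding:
    owner: str   # subdomain in our zone, e.g. docs.parami.io
    target: str  # CNAME target, e.g. parami.github.io
    reason: str

def parse_cname_records(zone_text: str) -> List[Tuple[str, str]]:
    """(owner, target) pairs from zone-file style lines; ';' comments skipped."""
    records = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comment, tokenize
        if "CNAME" in fields:
            owner = fields[0].rstrip(".").lower()
            target = fields[fields.index("CNAME") + 1].rstrip(".").lower()
            records.append((owner, target))
    return records

def audit_github_pages_cnames(zone_text: str,
                              fetch_body: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag CNAMEs into GitHub Pages whose owner name serves the 'no site' page."""
    findings = []
    for owner, target in parse_cname_records(zone_text):
        if not target.endswith(GITHUB_PAGES_SUFFIX):
            continue  # only GitHub Pages targets are in scope here
        body = fetch_body(owner)  # body of https://owner/, or None if unreachable
        if body is None:
            findings.append(Finding(owner, target, "no HTTP response; check manually"))
        elif GITHUB_PAGES_UNCLAIMED.lower() in body.lower():
            findings.append(Finding(owner, target, "unclaimed GitHub Pages target"))
    return findings

# Constructed sample zone: the docs.parami.io record is from the report; the rest is made up.
SAMPLE_ZONE = """
docs.parami.io.   300 IN CNAME parami.github.io.  ; from the report
blog.example.com. 300 IN CNAME example.github.io. ; constructed, site claimed
www.example.com.  300 IN A     203.0.113.10       ; not a CNAME, ignored
"""
# Constructed bodies standing in for a real HTTPS fetch of each owner name.
SAMPLE_RESPONSES = {
    "docs.parami.io": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "blog.example.com": "<html><body>Welcome to our blog</body></html>",
}
```

Running `audit_github_pages_cnames(SAMPLE_ZONE, SAMPLE_RESPONSES.get)` returns one finding for docs.parami.io; the claimed site and the A record produce none.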
Reference
The HackerOne report below shows how critical a subdomain takeover is:
https://hackerone.com/reports/325336