Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shopify Real Check with REST API #32

Closed
buckhacker opened this issue Sep 12, 2018 · 3 comments
Closed

Shopify Real Check with REST API #32

buckhacker opened this issue Sep 12, 2018 · 3 comments
Assignees
@codingo
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@buckhacker
Copy link

Service name

Shopify

Proof

  1. Page must contain: Sorry, this shop is currently unavailable.
  2. CNAME must contain: myshopify.com or shops.myshopify.com
  3. REST API Query must answer with: "status":"available"

Please read the docs for more details.

Documentation

I wrote a long article and release a small script that performs three types of test (page error message, CNAME and REST API query).
https://medium.com/@thebuckhacker/how-to-do-55-000-subdomain-takeover-in-a-blink-of-an-eye-a94954c3fc75
https://github.com/buckhacker/SubDomainTakeoverTools/blob/master/ShopifySubdomainTakeoverCheck.py
@codingo
Copy link
Collaborator

codingo commented Sep 12, 2018

I'm familiar with your article / repository - quite a fan of this work (cottoned onto it early via a Github watch).

I'll review this shortly.

@codingo codingo self-assigned this Sep 12, 2018
@codingo codingo added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Sep 12, 2018
@codingo codingo mentioned this issue Sep 12, 2018
Merged
@codingo
Copy link
Collaborator

codingo commented Sep 12, 2018

Resolved in #33

@codingo codingo closed this as completed Sep 12, 2018
@Techbrunch
Copy link

A potentially interesting case:

ftp.target.com.		2236	IN	CNAME	target.com.
target.com.		44	IN	A	23.227.38.65
www.target.com.		28	IN	CNAME	target2.myshopify.com.
target2.myshopify.com.	1928	IN	CNAME	shops.myshopify.com.
shops.myshopify.com.	15	IN	A	23.227.38.74

target.com redirects to www.target.com (301)

In Shopify target.com and www.target.com were not available but ftp.target.com was and I was able to takeover the subdomain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codingo codingo

Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@codingo @Techbrunch @buckhacker