Hello, everyone, and welcome to this video. In this video I'm going to show you a new resource that we have created, and we have given it the name Can I Take Over All XYZ. Now, before this video you must have seen Can I Take Over XYZ, which was the EdOverflow repository that contained all the fingerprints for subdomain takeover based vulnerabilities. Now, we identified that that particular repository had not been updated for two years, and there were several inconsistencies in those fingerprints, in that repository. So we tried to fix it, and we have added more awesome fingerprints to this repository to make your subdomain takeover based hunting more comprehensive and more awesome.

So what is Can I Take Over All XYZ? It is a list of fingerprints which are actually updated for your subdomain takeovers, and we have classified this into two fingerprints basically, which are an old fingerprint and a new fingerprint. So it contains 75 fingerprints, as I already said. And the point you should know is, first of all, there is a list of 75 cloud based services that we have added, which is up to date. Based on that, we are going to do identification of dangling CNAME records, and we are going to use those lists of fingerprints and identify the takeover status of any of the domains or subdomains. So it is practical time.
Let's see how we can utilize this new repository. You can find this Can I Take Over All XYZ on my GitHub repo, Shifa one, two, three, by the name of all subdomains takeover. All right, now when we come over here, if you scroll down, then you can see all the entries over here. These are all the entries that we have created, and there are around more than 75 new entries with the updated cloud service providers. And if you go back to here, you can see these are some of the old entries which are updated, and Can I Take Over XYZ, as we have already discussed. Now, just to show you the proof of concept about the inconsistency that was present in Can I Take Over XYZ, you can come over here and search for Heroku, and you can see in Heroku, for the old Can I Take Over XYZ, I have added an old fingerprint, if you can see over here, and the new fingerprint over here. All right, so let's see the old fingerprint for Heroku: the old fingerprint was "No such app". And we have added a new fingerprint which says "There's nothing here, yet". Let me show you over here. You can see this is a Heroku subdomain, or Heroku domain, that we have identified from Censys, which I have already shown you, and here you can see "There's nothing here".
That is the message that we are getting in the response. So in this way we are also getting those targets which should not be missed and which are vulnerable to Heroku based subdomain takeover. Let me show you one more example to make it more clear and more understandable. You can see Shopify, and the old case for Shopify was, if I search Shopify, you can see "Edge case", which means sometimes it is vulnerable, sometimes it is not vulnerable, and sometimes only the security researchers are able to take over the Shopify subdomains. And you can see the fingerprint is "Sorry, this shop is currently unavailable". We have modified the fingerprint, and the new fingerprint which has been added is "Only one step left". Let me show you the targets which are vulnerable to Shopify subdomain records. We have written over here "vulnerable instance of Atkiss". So let me show you over here a live target which is vulnerable to Shopify takeover. Let's wait for this to complete, and you can see we have got some quick targets, so let me go to any of the targets on port 80 just to load the application, and let's see if we are able to identify one of the Shopify subdomains. And you can see over here it's dude dispensary dot com. All right, so we have a target which is vulnerable to Shopify takeover.
And the new fingerprint that we have added is "Only one step left". Similarly, we have more targets that you can identify from Censys which will be vulnerable to Shopify subdomain takeover. So like this, we identified what the previous issues in the repository were, and we have tried to fix them with multiple new fingerprints, and we have added new targets as well, which have evolved recently and were not added to the old repository. So I hope you find this very, very useful when talking about subdomain takeover vulnerabilities. And yes, we are going to constantly update this with more and more fingerprints of new cloud service platforms that we identify. And in case we see that any of the target subdomains or the target cloud service providers are not vulnerable, we will update the status over here. Also, we will be updating the new fingerprints in case we identify any new fingerprint while doing our research. So I hope this turns out to be very, very helpful for every one of you in identifying subdomain takeover based vulnerabilities. One last thing: you can also contribute over here.
If you identify any new fingerprint while doing your research, or while you are doing subdomain takeovers, you can just submit a new entry over here, or if you find a new cloud service provider that has evolved and is vulnerable to subdomain takeovers based on your research, you can add it over here. You can just add the title, leave the comment and submit it as an issue. We will verify that at our end, and if it is valid we will add it to the new list of Can I Take Over All XYZ. So I hope you guys understood. Thank you.