Security Report: Subdomain Takeover of https://testnets.mavryk.org/ Pointing to Github

[transferwisea]

Security Report: Subdomain Takeover of kona.optimism.io Pointing to Github

Title: Web Application Security Testing

Bug type = Server Security Misconfiguration > Misconfigure DNS > High Impact Subdomain Takeover

Priority = P2 (HIGH)

Description

Hi mavryk Team,

Recently, i just found some of your subdomain (*mavryk.org) pointing to vulnerable Third Party site "Github" This issue is about your subdomain being misconfigured in Github

https://testnets.mavryk.org/

Reconnaissance

I discovered that this subdomain “mavryk.org” has an error with Github App meaning a non-connection with any project. Based on my past discoveries, this is a possible subdomain takeover

Proof of Concept

Steps to Reproduce

• Go to Github.com and create an account
• Create a new Repository and deploy a sample app
• Go to Settings>Pages>Domain
• Then add the vulnerable subdomain testnets.mavryk.org
• Ownership is done.

Risk Breakdown

• Risk: Severe
• Difficulty to Exploit: Easy
• Complexity: Easy
• Weakness Categories: Deployment Misconfiguration/Stored XSS/Authentication Bypass (CWE: 16)
• CVSS2 Score: 9.3 (AV:N/AC:M/Au:S/C:C/I:C/A:N)

Remediations

• Check your DNS-configuration for subdomains pointing to services, not in use
• Set up your external service so it fully listens to your wildcard DNS.
• Our advice is to keep your DNS entries constantly vetted and restricted.
• Preventing subdomain takeovers is a matter of order of operations in lifecycle management for virtual hosts and DNS. Depending on the size of the organization, this may require communication and coordination across multiple departments, which can only increase the likelihood for a vulnerable misconfiguration.
• Create an inventory of all of your organization’s domains and their hosting providers, and update it as things change, to ensure that nothing is left dangling

Thank you