  • Researcher: Zabed Ullah Poyel
  • Program: NASA - Vulnerability Disclosure Program (VDP)
  • Status: Resolved
  • Severity: P3 (Subdomain Takeover)
  • VRT: Server Security Misconfiguration > Misconfigured DNS > Subdomain Takeover
  • Appreciation: NASA Letter of Appreciation (LoA)

Introduction

During routine reconnaissance under NASA's Vulnerability Disclosure Program, I identified a GitHub Pages subdomain takeover affecting:

aiaa-dpw.larc.nasa.gov

The subdomain pointed to GitHub Pages infrastructure, but NASA was not hosting content on a corresponding GitHub repository — leaving it unclaimed. This created a high-impact scenario where an attacker could host arbitrary content under a trusted nasa.gov domain.

Subdomain takeovers are especially dangerous for government domains because they enable:

  • Highly convincing phishing attacks
  • Malware distribution
  • Supply-chain compromise
  • Brand/reputation damage
  • Unauthorized JavaScript execution under a trusted domain

Recon & Identification

Step 1 — DNS Check

A simple DNS lookup showed that the subdomain resolved to GitHub Pages IPs:

dig aiaa-dpw.larc.nasa.gov +short
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

These IPs are part of GitHub Pages hosting infrastructure.

Step 2 — Visit the Subdomain

Accessing:

https://aiaa-dpw.larc.nasa.gov

showed a GitHub 404/placeholder page, indicating:

✔ DNS points to GitHub
✘ No GitHub repo is configured

This is the exact condition required for GitHub Pages takeover.

Exploitation (Ethical PoC)

Create a GitHub Repository

I created a GitHub Pages repo using my account and added this Custom Domain:

aiaa-dpw.larc.nasa.gov

GitHub performed DNS verification:


✔ DNS check successful
✔ The domain was attachable
✔ The NASA subdomain became linked to my repository

Deploy Proof-of-Control Page

I deployed a simple, non-harmful HTML file:

<h1>Subdomain Takeover by Zabed Ullah Poyel</h1>

Result: Successful takeover

Visiting the NASA subdomain now displayed my custom GitHub Pages content — proving full control.

Screenshots included in the submission:

  • GitHub Pages DNS check successful
  • The NASA subdomain displaying my custom page
  • DNS records pointing to GitHub Pages

Remediation

NASA successfully remediated the vulnerability by:

✔ Removing the outdated DNS records
✔ Decommissioning the unused GitHub Pages mapping
✔ Ensuring no unclaimed GitHub Pages subdomains remain exposed

The vulnerability was marked Resolved, and NASA issued an official Letter of Appreciation.
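For teams auditing their own zones for the same condition (DNS pointing at GitHub Pages with no site attached), here is an added example, not part of the original write-up or NASA's tooling. It generalises slightly beyond the A-record case above by also treating a CNAME to `*.github.io` as "on GitHub Pages"; the 404 marker text, the record layout and the `example.org` hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.error
import urllib.request

# The four GitHub Pages A records shown in the dig output above.
GITHUB_PAGES_IPS = {ipaddress.ip_address(f"185.199.{n}.153") for n in range(108, 112)}
# Assumption: wording of GitHub's default 404 page when no Pages site claims the hostname.
UNCLAIMED_MARKER = "There isn't a GitHub Pages site here."

def classify(rec):
    """rec: dict with host, a (list of IPs), cname (str or None), status, body."""
    ips = {ipaddress.ip_address(a) for a in rec.get("a", [])}
    cname = (rec.get("cname") or "").rstrip(".").lower()
    if not (ips & GITHUB_PAGES_IPS or cname.endswith(".github.io")):
        return "not-github-pages"
    if rec.get("status") == 404 and UNCLAIMED_MARKER in rec.get("body", ""):
        return "dangling"   # DNS points at GitHub, nobody has claimed the name
    return "claimed"

def collect(host, timeout=5):
    """Live lookup for a hostname in your own inventory (A records + plain HTTP)."""
    a = socket.gethostbyname_ex(host)[2]
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            status, body = resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # urllib raises on 404; keep the body
        status, body = err.code, err.read(65536).decode("utf-8", "replace")
    return {"host": host, "a": a, "cname": None, "status": status, "body": body}

def audit(inventory):
    """Return the hostnames whose DNS records should be removed or re-claimed."""
    return sorted(r["host"] for r in inventory if classify(r) == "dangling")

# Constructed sample inventory (not real scan data).
PAGES = ["185.199.108.153", "185.199.109.153"]
SAMPLE = [
    {"host": "docs.example.org", "a": PAGES, "status": 404, "body": f"<p>{UNCLAIMED_MARKER}</p>"},
    {"host": "blog.example.org", "cname": "example-org.github.io.", "status": 200, "body": "<h1>Blog</h1>"},
    {"host": "www.example.org", "a": ["192.0.2.10"], "status": 404, "body": "Not Found"},
    {"host": "old.example.org", "cname": "example-org.github.io", "status": 404, "body": f"<p>{UNCLAIMED_MARKER}</p>"},
]

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(f"dangling GitHub Pages record: {host}")
```

In a scheduled job, feed `audit()` the output of `collect()` for every hostname exported from the DNS zone rather than the sample list.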

Letter of Appreciation
Hall of Fame