Nov 21, 2019

[ DNS Takeover ] Potential takeover of all subdomains that use Campaign Monitor newsletter services

Recently I found that all subdomains pointed at Campaign Monitor's newsletter service are potentially vulnerable to takeover. I reported it two months ago and got no reply, because I had been banned from Bugcrowd, so I will share the takeover here.

Explanation of my finding:
Many companies use Campaign Monitor as their email service, so they create a subdomain for it, for example:
and that subdomain must have a CNAME record pointing to Campaign Monitor.

Every subdomain connected to this CNAME is exposed: if the Campaign Monitor side of the record is no longer claimed,
any attacker can create a new campaign
and connect it to the company's main subdomain, so other users reach the attacker's campaign.

PoC example:
I attached my campaign to a vulnerable subdomain;
you will see it redirect to my DNS name and my fake campaign.


Nov 20, 2019

Subdomain Takeover via

This was in a private program on Bugcrowd.

What is this DNS name?
It is a DNS service belonging to
If you create an account on Campaign Monitor,
it gives you a subdomain on

Companies rely on Campaign Monitor for email campaigns,
so Campaign Monitor is only used for email.

Steps to the subdomain takeover, by example:
When I went to
I found the site looking like this picture.

I noticed that the subdomain
is a CNAME alias to

This means the domain's plan on Campaign Monitor has expired
and the domain is ready to be reactivated under another email account.

1) So I created an account on
and chose any name (by name here I mean an

2) After that you only need to add the subdomain to take over,
by going to

then just choose a custom domain.

3) Add your vulnerable subdomain,
then click Next;
wait a minute and the setup will be verified.

Congrats 😉
4) Now when you go to
it will show your

The takeover steps are now finished.
Now when anyone goes to
it asks them to log in to Campaign Monitor;
yes, as I said at first, Campaign Monitor only manages emails and subscribers.

Now if you need a small page to show,
you only need to create a subscribe page.

Go to this path

You can upload your own subscribe page or choose one of the templates on the site.

Example like mine:

Reward was $900,
fixed 10 minutes after the report.

Sep 20, 2019

How was I able to take over 10 subdomains in a private program?

Program : Private Program
Vulnerability : Subdomain Takeover
Subdomains : 10 subdomains
Bounty : 500$

I was able to take over 10 subdomains through Fastly, because the domain had not been attached to any Fastly account.

When I tried to visit some of the subdomains
they showed me this message.

This message means it is possible to
take over the domain through Fastly.

So I tried to add the domain to my Fastly account, and it was accepted;
this means I had taken over the domain, and every subdomain showing the message above is taken over too.

10 subdomains showed the same message!
So this is what I did.

You can see my blog post about
how to take over via Fastly to see what I mean.


Sep 5, 2019

DOM Based XSS in Private Program

Domain :
Target :
Program : Private on HackerOne
Bounty : 500$

PrettyPhoto is widely used in many WordPress themes and plugins.
The XSS is in the setTimeout function in js/jquery.prettyPhoto.js in prettyPhoto 3.1.4 and earlier, and allows remote attackers to inject arbitrary web script or HTML via a crafted PATH_INFO to the default URI.

PoC was: [gallery]/1,<a%20onclick="document.write(document.cookie);">/

How to fix PrettyPhoto DOM Based XSS

You can fix the DOM based XSS in prettyPhoto by opening jquery.prettyPhoto.js in your editor, scrolling to line 876 and adding these lines:

// xss prevention: force the gallery index to a number and escape
// jQuery selector metacharacters in the rel value taken from the URL hash
hashIndex = parseInt(hashIndex);
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');

At least versions 3.1.4 and 3.1.5 of prettyPhoto, depending on your download source, are vulnerable to this DOM based XSS. As always, test such code fixes before putting them in production.

Jul 30, 2019

SQL Injection in Login.php at Private Program

Program : Private on HackerOne
Method : POST
Affected Path : Login.php
Affected Parameter : username
Bounty : Out Of Scope

Vulnerable URL was


The site showed me two login fields
(username & password).

In the username field I entered only a single quote ( ' ).

Then it showed me this error,
which means the site is vulnerable to SQL injection: the quote broke out of the string literal in the query and the database error was returned to the page.

Then I just captured the request,
saved it in a list.txt file,

and used sqlmap to dump the database.
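The lone-quote test above, reproduced offline as an added example (this is not the target's Login.php): a login check built by string concatenation next to the parameterised version, run against a constructed sqlite3 table. The table, the user row and the inputs are assumptions of this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the target's user table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con, username, password):
    # The defect: user input is spliced into the SQL text, so a quote in
    # the username ends the string literal and the rest is parsed as SQL.
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_fixed(con, username, password):
    # Bound parameters: values travel separately from the query text.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def probe(login, con, username, password="x"):
    """'error' if the database rejects the query, else 'login'/'denied'."""
    try:
        return "login" if login(con, username, password) else "denied"
    except sqlite3.DatabaseError:
        return "error"


def run_probes():
    """The lone-quote test from the post, plus a comment-based bypass."""
    con = make_db()
    return {
        "vuln_quote":   probe(login_vulnerable, con, "'"),
        "vuln_bypass":  probe(login_vulnerable, con, "alice' -- "),
        "fixed_quote":  probe(login_fixed, con, "'"),
        "fixed_bypass": probe(login_fixed, con, "alice' -- "),
        "fixed_valid":  probe(login_fixed, con, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, outcome in run_probes().items():
        print(f"{name:<13} {outcome}")
```

The single quote produces a database error only on the concatenated query, which is exactly the signal the post used; the bound-parameter version treats the same input as an ordinary (wrong) username.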

Jul 28, 2019

Old GitHub Profile Takeover!

Program : Private on HackerOne
Bounty : 1000$
Fix : in cooperation with the company.


This bug was so simple and such a nice catch that I want to write about it.

Simply, what I found:
while I was searching for bugs in the company's code on GitHub,

many repositories and code comments referenced an old GitHub profile, and those links still worked.

Example of how it worked:
when you try to download some files from this link

the link redirects to

and the download starts normally.

So what was the bug here?
When I went to
an error was shown to me: profile not found.

So I was able to create a profile with the old company profile name,
and fill some repositories with malicious files to prove the PoC.

Taking over the not-found profile also disables the migration (redirect) from the old profile to the new one.


Jun 11, 2019

Can I take over XYZ? ( Steps )

Based on can-i-take-over-xyz


Service : Heroku
Fingerprint : No such app

There are two types of takeover for this service:
1) HerokuDNS (edge case)
2) herokuapp

Steps to take over:
Please note: the edge-case takeover (HerokuDNS) applies when the DNS of the website is an IP address belonging to Heroku.
The herokuapp takeover follows the same steps, but the DNS of the domain or subdomain is a CNAME, for example:
so you only need to create a new app called haronapplication.


Service : Wufoo
Fingerprint : Profile not found.
The subdomain's CNAME will look like
and the full steps are here


Service : Unbounce
Fingerprint : The requested URL was not found on this server.

Takeover steps :
Still possible for old clients.
Steps here


Service : HubSpot
Fingerprint : Domain not found.
Takeover steps :
Will be added soon.

Info here


Service : Shopify
Fingerprint : Sorry, this shop is currently unavailable.

Takeover steps :


Service : Campaign Monitor
Fingerprint : Trying to access your account?

Takeover steps :


Service : Fastly
Fingerprint : Fastly error: unknown domain

Takeover steps :
Create a free Fastly account and follow the steps in this video
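The fingerprints in this list, and the Campaign Monitor and Fastly write-ups above, all come down to the same triage: does the CNAME point at a provider, and does the provider answer with its "unclaimed domain" page? The script below is an added example of that check, not tooling from the original posts or from can-i-take-over-xyz. It runs offline on constructed DNS answers and HTTP bodies; the fingerprint strings are the ones listed above, while the CNAME suffixes for each provider are my assumptions, not taken from the posts.

```python
from typing import Optional

# (service, assumed CNAME suffix, response fingerprint listed in the post)
FINGERPRINTS = [
    ("Heroku",           "herokudns.com",      "No such app"),
    ("Heroku",           "herokuapp.com",      "No such app"),
    ("Wufoo",            "wufoo.com",          "Profile not found"),
    ("Unbounce",         "unbouncepages.com",  "The requested URL was not found on this server"),
    ("HubSpot",          "hubspot.net",        "Domain not found"),
    ("Shopify",          "myshopify.com",      "Sorry, this shop is currently unavailable"),
    ("Campaign Monitor", "createsend.com",     "Trying to access your account?"),
    ("Fastly",           "fastly.net",         "Fastly error: unknown domain"),
]


def _normalise(name: str) -> str:
    return name.rstrip(".").lower()


def service_for_cname(cname: Optional[str]) -> Optional[str]:
    """Map a CNAME target to a provider by its assumed suffix."""
    if not cname:
        return None
    target = _normalise(cname)
    for service, suffix, _ in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return service
    return None


def triage(host: str, cname: Optional[str], body: str) -> dict:
    """Classify one subdomain from its DNS answer and the body it serves."""
    service = service_for_cname(cname)
    body_l = body.lower()
    # Providers whose unclaimed-domain message appears in the body (deduped).
    matched = list(dict.fromkeys(s for s, _, fp in FINGERPRINTS if fp.lower() in body_l))

    if service and service in matched:
        return {"host": host, "service": service, "verdict": "candidate",
                "reason": f"CNAME points to {service} and body carries its unclaimed-domain message"}
    if service:
        return {"host": host, "service": service, "verdict": "in-use",
                "reason": f"CNAME points to {service} but no fingerprint in body"}
    if matched:
        # The HerokuDNS edge case from this blog: no CNAME, A records owned by
        # the provider, but the provider's error page still comes back.
        return {"host": host, "service": matched[0], "verdict": "candidate-edge-case",
                "reason": f"no CNAME, but body matches {matched[0]}; check whether the A records belong to the provider"}
    return {"host": host, "service": None, "verdict": "none", "reason": "no provider fingerprint"}


def candidates(records) -> list:
    """Hosts worth a manual claim attempt, in input order."""
    return [r["host"] for r in (triage(**x) for x in records)
            if r["verdict"].startswith("candidate")]


# Constructed sample answers (not real hosts; .test is a reserved TLD).
SAMPLES = [
    {"host": "news.example.test", "cname": "cm.example.test.createsend.com.",
     "body": "<title>Trying to access your account?</title>"},
    {"host": "shop.example.test", "cname": "shops.myshopify.com.",
     "body": "<h1>Welcome to our store</h1>"},
    {"host": "cdn.example.test",  "cname": "nonssl.global.fastly.net.",
     "body": "Fastly error: unknown domain: cdn.example.test"},
    {"host": "app.example.test",  "cname": None,
     "body": "<title>No such app</title>"},
    {"host": "www.example.test",  "cname": None,
     "body": "<html>hello</html>"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        r = triage(**rec)
        print(f"{r['host']:<20} {r['verdict']:<20} {r['reason']}")
```

A "candidate" verdict is only the cue to try the claim in the provider's dashboard, as the posts above do; the body match alone is not proof, because a provider can return the same page for domains that are locked or reserved.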



Apr 13, 2019

[ Special Case ] HerokuDNS is still vulnerable to subdomain takeover ( Live PoC )

Today I will share a new finding about
subdomain takeovers
via HerokuDNS
[ Edge Case ]

Many blogs say you can no longer take over via HerokuDNS
because Heroku now generates a random CNAME target for each custom domain.
That only protects subdomains that use a CNAME; a subdomain that still points at Heroku's IP addresses with A records is routed by hostname and lands on whichever app claims it.

In this post I will explain how I could take over this domain
by adding it to the custom domains list in my Heroku dashboard.
1) If you see this picture,
which shows "No such app" in the title:

2) Now look at the DNS of the subdomain;
if it resolves to IP addresses like these (A records, not a CNAME):

3) You can add it directly to any app in your Heroku account as a custom domain.
Yes, when you add it you get a random CNAME target, like what happened when I added the domain to my account,

4) but the domain or subdomain is now connected anyway.


Apr 12, 2019

[RCE] Remote code execution at (CVE-2017-5638)

Apache Struts CVE-2017-5638
Remote Code Execution Vulnerability
Program : Private on HackerOne
Bounty : 2000$ and 250$ bonus
Subdomain :

Today I will post my new finding:
remote code execution
in the API subdomain of a private program,
which used a vulnerable version of Apache Struts.

CVE-2017-5638 description:
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
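For the defending side of the description above, here is an added example (not part of the original post and not the PoC used on the program) that flags requests whose Content-Type, Content-Disposition or Content-Length header carries an OGNL expression marker. The header names come from the CVE text; the marker list and the sample requests are my assumptions and constructed data, and the flagged values are inert fragments, not a working payload.

```python
import re

# Header names named in the CVE description.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL expression openers plus the '#cmd=' string from the CVE text.
# Treating any of these in a multipart header as hostile is an assumption
# of this example; a legitimate boundary or filename rarely contains them.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd=|#_memberAccess", re.IGNORECASE)


def suspicious_headers(headers):
    """Return (name, value) pairs of watched headers carrying an OGNL marker."""
    return [(name, value) for name, value in headers.items()
            if name.lower() in WATCHED_HEADERS and OGNL_MARKERS.search(value)]


def scan_requests(requests):
    """Return the ids of requests to escalate, in input order."""
    return [req["id"] for req in requests if suspicious_headers(req["headers"])]


# Constructed sample requests (headers only). req-2 and req-3 carry inert
# fragments shaped like the public probes; req-4 has a marker in an
# unwatched header and must not fire.
SAMPLE_REQUESTS = [
    {"id": "req-1", "headers": {
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
        "Content-Length": "1048"}},
    {"id": "req-2", "headers": {
        "Content-Type": "%{#cmd='id'}",
        "Content-Length": "0"}},
    {"id": "req-3", "headers": {
        "Content-Type": "multipart/form-data",
        "Content-Disposition": "form-data; name=\"file\"; filename=\"${1+1}.txt\""}},
    {"id": "req-4", "headers": {
        "Content-Type": "application/json",
        "X-Note": "%{ignored: not a watched header}"}},
]

if __name__ == "__main__":
    for req_id in scan_requests(SAMPLE_REQUESTS):
        print("escalate", req_id)
```

Matching on the three headers the parser actually evaluates keeps the rule cheap; a marker elsewhere (req-4) is still worth logging but is not this bug. The reliable fix remains upgrading Struts to a patched release.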

Poc was : 

References :