Feb 26, 2019

[Still works] Yahoo subdomain redirect to reflected XSS on americangreetings.com

Bug Type : Reflected XSS
Affected Site : americangreetings.com 
Yahoo Subdomain : greetings.yahoo.com

I've reported this to Yahoo and American Greetings, but it was marked as informative,
so they don't mind it being disclosed.

This XSS still works.

I've found that the Yahoo subdomain greetings.yahoo.com redirects to any path on americangreetings.com.

So I tried to get a reflected XSS on americangreetings.com through those paths.

The XSS affected this path:
/search-results/{xss payload}

The fix I suggested to Yahoo was
to make the redirect land only on the site's home page,
rather than on a caller-chosen path.


PoC link:

http://greetings.yahoo.com/search-results/'"--><Details Open OnToggle=confirm`Haron`>
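The following is an added example, not code from the original post or from either site. It reproduces the precondition for the XSS above offline: a constructed stand-in for the /search-results/{term} page reflects the path value in two contexts (an attribute value and an HTML comment, the two the PoC payload '"--><Details ...> is built to escape from), and a probe made of the payload's special characters is sent in the path and then picked out of the response to see which characters came back unencoded. Only the path and the payload characters come from the post; the page markup, the "haron" probe markers and the escape toggle are assumptions made for the example.

```python
"""Reflection check for the XSS above: added example, not code from the
original post. The search-results page below is a constructed stand-in for
americangreetings.com; only the path and payload characters come from the post."""
import html
import re

# The characters the PoC payload relies on to break out of the page:
# ' and " close attribute values, > (with --) closes a comment, < opens a tag.
# The backtick in confirm`Haron` only matters inside the JavaScript, not here.
SPECIALS = "'\"<>"
# What we send in the path instead of a live payload: a marked probe whose
# surroundings we can pick out of the response afterwards.
PROBE = f"haron{SPECIALS}haron"


def render_search_results(path, escape):
    """Constructed stand-in for /search-results/{term}. With escape=False the
    term is reflected raw (the behaviour the post describes); with escape=True
    it is HTML-encoded first, which is the server-side fix."""
    term = path.rpartition("/search-results/")[2]
    if escape:
        term = html.escape(term, quote=True)
    # Two reflection points: an attribute value and an HTML comment.
    return (f'<html><input type="text" value="{term}">'
            f'<!-- last search: {term} --></html>')


def raw_reflections(body):
    """For each reflection of PROBE in the body, return the set of SPECIALS
    that came back unencoded. A non-empty set means the path can inject
    markup at that point."""
    found = []
    for m in re.finditer(r"haron(.*?)haron", body, re.S):
        segment = m.group(1)
        found.append({c for c in SPECIALS if c in segment})
    return found


def is_reflected_xss(body):
    """True when at least one reflection point lets < or > through raw, i.e.
    a new tag such as <details ontoggle=...> can be opened."""
    return any({"<", ">"} & chars for chars in raw_reflections(body))


if __name__ == "__main__":
    request_path = "/search-results/" + PROBE
    for escape in (False, True):
        body = render_search_results(request_path, escape)
        print("escaped" if escape else "raw", raw_reflections(body),
              "-> XSS" if is_reflected_xss(body) else "-> safe")
```

Against a live target, send PROBE in the path exactly as the example does and run raw_reflections over the response body; the encoded run (escape=True) shows what a correct server answer looks like. Fixing only the Yahoo redirect, as suggested above, removes the Yahoo hop but leaves the reflection itself on americangreetings.com.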



Feb 22, 2019

Creating AWS S3 buckets

Amazon AWS S3 buckets are simple, and anyone can create one.

Steps to create an S3 bucket

1) You must create an Amazon AWS account first (a credit card is required).
AWS asks for your payment information to verify your identity. They will not charge you unless your usage exceeds the AWS Free Tier limits.

2) Creating a bucket is simple, as you can see in the picture.

3) Enter your bucket name.
I chose HaronBucket.
Remember that this name will be part of your bucket link,
as in my example.

Click Next, then Next again if you don't need any special configuration or permissions.

After clicking Create Bucket,
your bucket will be shown on the Buckets home page.

Uploading your files is now very easy:
1) Go to your Buckets home page.
2) Choose the bucket you want to upload files to,
or go directly to its link (add your bucket name).

3) Click Get Started, choose the files you want to upload :) then click Upload.

4) The uploaded file will be shown among your bucket's files; click on the file you uploaded.

5) Click Make Public and scroll down; you will see your file's public link.

Subdomain misconfiguration leads to reading arbitrary AWS S3 buckets

Bug Type : Subdomain misconfiguration
Program : Private on HackerOne
Severity : P2 (High)
Bounty : $600 + $200 bonus
Subdomain : images.example.com

How I found this bug
It was simple: when I went directly to https://images.example.com, I found it redirected to https://aws.amazon.com/s3/

So I looked up the CNAME, and it was
images.example.com  >  s3.amazonaws.com

Here was the bug; I have seen many companies make the same mistake.
With the CNAME pointing at the bare s3.amazonaws.com endpoint, the subdomain behaves as a path-style S3 endpoint: the first path segment selects the bucket, so any bucket in S3, not just the company's, is served under images.example.com. Developers must restrict the subdomain to an allowlist of their own S3 buckets.

So now I can call any bucket on images.example.com

example : images.example.com/haron-bucket/

The steps to find this error are very simple:
If the subdomain has a CNAME to s3.amazonaws.com,
try requesting your own bucket directly through the subdomain,
for example: subdomain.site.com/yourbucket/yourfile.html
If your file is served, the subdomain is vulnerable; if not, the developers have added a bucket allowlist.


Please see the write-up above for how to create your bucket.


Feb 18, 2019

2 Subdomains Takeover via Unbounce in a Private Program

Many researchers asked me whether this takeover still exists or has been fixed.
Yes, this takeover still exists, with 3 scenarios,
as Akita Zen said.

Bug Type : Subdomain Takeover 
Service : Unbounce 
Severity : Critical 
Program : Private on Hackerone
Status : Duplicate after fixing it

In a private program on HackerOne I found 2 subdomains
with a CNAME pointing to unbouncepages.com
that showed me the takeover error (fingerprint).
So I made an account, tried to add the domain to my page on Unbounce, and it connected successfully.

Steps to take over
1) Create an account on Unbounce (a credit card is required).
2) Create your Unbounce page.
3) Add the domain to your page.
If it tells you the domain is already taken, there is no takeover.
Example: info.hacker.one
shows the takeover fingerprint, but it already works and is attached to another account, so there is no takeover there.

Reported: 6 Nov 2018
Triaged: 7 Nov 2018
I noticed they fixed it: 7 Nov 2018, after 2 hours
Duplicate: 10 Nov 2018


Feb 17, 2019

Reflected XSS in GoodHire.com CMS


Program : Inflection
Bug Type : Reflected XSS
Severity : High 
Domain : GoodHire.com
Bounty : $0 + $150 bonus

The affected parameter was in the HubSpot CMS.
Affected path:


PoC:

For more about this bug, please see my write-up.


Feb 16, 2019

Subdomain Takeover via Wufoo Service in a Private Program

Program : Private Program On Hackerone
Bug Type : Subdomain Takeover
Service : WUFOO
Severity : Medium (because it redirects)
Reward : 500$
Subdomain : Bug.example.com

Wufoo's HTML form builder helps you create online web forms. Use our web form creator to power your contact forms, online surveys, and event registrations.

Steps and how I found this bug

When I went directly to the subdomain,
it redirected me to another subdomain and showed me this error.

First I noticed "Profile Not Found",
so I searched for Wufoo to see what it does.

1) When you create a free profile on Wufoo,
they give you a subdomain for your profile.


2) You can change it later, so I changed it to the subdomain's CNAME target, which was not found.

3) I created a form to provide more PoC.

4) This PoC seems enough; if you want to add a page or JavaScript code,
you have to upgrade your free account.


Feb 15, 2019

Subdomain Takeover via HubSpot

Last year I was able to take over a subdomain in a public program via the HubSpot service, and after that the program closed my report as informative through HackerOne staff.

Some researchers say "You can't take over subdomains via HubSpot any more" after Frans Rosén's report https://hackerone.com/reports/38007; that was 4 years ago, and it seems HubSpot fixed their DNS service.

In this blog post I only want to say, and show, that
HubSpot is still vulnerable to subdomain takeovers.

In my report I was able to bypass the DNS confirmation and make the subdomain connect directly to my new DNS.

Subdomain takeover via HubSpot fingerprint



Souq.com Subdomain Takeover via jazzhr.com service

Program :  Souq

Vulnerability : Subdomain Takeover 

Impact  : High

`jobs.souq.com` was vulnerable to subdomain takeover via the `jazzhr.com` service.

When I visited jobs.souq.com it showed me an error (fingerprint).

So I started by looking at the CNAME:
`jobs.souq.com` had a CNAME to `souq.applytojob.com`

So I went directly to the service provider, and they allowed me to take the CNAME `souq.applytojob.com`.

`jobs.souq.com` did not let me connect it directly; it seems there was a bug!

After 1 day I noticed that the subdomain had been connected to the CNAME on some paths, for example `/app/share/`.

Funny thing: someone applied to a fake Security job! 😀

Timeline
2019-02-04: Bug reported
2019-01-05: Fixed with no comments
2019-01-06: Closed as Informative!
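The following is an added example serving the Unbounce, Wufoo, HubSpot and JazzHR takeover posts above; it is not code from the original posts. It walks CNAME chains in a record set, flags names whose final target belongs to a service named on this page, and interprets the dashboard's answer when you try to claim the name (the "already taken" case from the Unbounce post, which is the step that decides, not the fingerprint page). Only unbouncepages.com, applytojob.com and s3.amazonaws.com come from the posts; Wufoo and HubSpot CNAME targets are not named on this page, so they are left out rather than guessed. The record set and claim responses are constructed, and the live lookup assumes the `dig` binary is installed.

```python
"""Takeover-candidate triage: added example, not code from the original posts.
The record set and claim responses are constructed; the CNAME suffixes come
from the posts on this page. Live lookups assume `dig` is on PATH."""
import subprocess

# CNAME suffix -> service whose dashboard you try to claim the name in.
# (S3 is listed because the same triage surfaces it; it is confirmed with the
# bucket probe from the S3 post rather than with a claim.)
SERVICE_SUFFIXES = {
    "unbouncepages.com": "Unbounce",
    "applytojob.com": "JazzHR",
    "s3.amazonaws.com": "Amazon S3",
}


def normalize(host):
    return host.strip().lower().rstrip(".")


def service_for(target):
    """Match a CNAME target against the known service suffixes."""
    target = normalize(target)
    for suffix, service in SERVICE_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return service
    return None


def resolve_chain(host, records, max_hops=10):
    """Follow CNAMEs through `records` (host -> target) and return the hops,
    starting with host itself. Stops on a loop, a missing record, or max_hops."""
    records = {normalize(h): normalize(t) for h, t in records.items()}
    chain = [normalize(host)]
    while len(chain) <= max_hops:
        nxt = records.get(chain[-1])
        if nxt is None or nxt in chain:   # end of chain, or a CNAME loop
            break
        chain.append(nxt)
    return chain


def triage(records):
    """Return (subdomain, final_target, service) for every record whose CNAME
    chain ends at a known takeover-prone service. A hit only means 'go and try
    to claim it'; the claim step decides."""
    hits = []
    for host in records:
        chain = resolve_chain(host, records)
        service = service_for(chain[-1])
        if service and len(chain) > 1:
            hits.append((chain[0], chain[-1], service))
    return hits


def claim_verdict(service_response):
    """Interpret the dashboard's answer when you add the domain, as described
    for Unbounce: 'already taken' means someone (normally the legitimate owner)
    holds it and there is no takeover, whatever the fingerprint page says."""
    text = service_response.lower()
    if "already taken" in text or "already in use" in text:
        return "no-takeover"
    if "connected" in text or "success" in text:
        return "takeover"
    return "unknown"


def lookup_cname(host):
    """Live CNAME lookup via dig (assumption: dig is on PATH). First target or None."""
    out = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True, check=False).stdout
    return normalize(out.splitlines()[0]) if out.strip() else None


if __name__ == "__main__":
    import sys
    live = {h: lookup_cname(h) for h in sys.argv[1:]}
    for hit in triage({h: t for h, t in live.items() if t}):
        print(*hit)
```

Run it over a list of subdomains from your enumeration; each hit is a name to try to claim in that service's dashboard. Note that dig returns only one hop at a time, so for chained records (bug.example.com -> info.example.com -> ...unbouncepages.com) feed the intermediate names in as well, or extend lookup_cname to recurse.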

Feb 14, 2019

[SSRF] Server-Side Request Forgery in a private program (developers.example.com)


Program : Private program ( HackerOne ) 
Subdomain : Developers.Example.com 
Bounty : 200$
Severity : Critical
Issue Type : SSRF  


I've found an SSRF vulnerability in a private program on HackerOne.

The affected subdomain (developers) was running
a vulnerable Confluence instance, version <= 6.00.

PoC example:



Any process on an AWS instance can query the instance metadata endpoint and receive information related to that instance, and even account information. I then checked the local hostname through the AWS metadata endpoint, by visiting
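The following is an added example, not code from the original post: the outbound-URL check a server must apply before fetching a caller-supplied URL, with the AWS instance metadata address 169.254.169.254 (the endpoint the post's PoC reaches) as the case that matters. It rejects non-http(s) schemes, literal and resolved non-public addresses, and the IPv4-mapped IPv6 spelling of the metadata address. The resolver is injected so the check runs offline and so the caller can connect to the addresses that were actually checked; the hostnames and the fake DNS table are constructed for this example.

```python
"""Outbound-URL check for the SSRF post above: added example, not code from
the original post. Hostnames and the fake resolver are constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def is_public_ip(ip):
    """False for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, reserved, unspecified, and IPv4-mapped IPv6 forms of those."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still the metadata IP
    return ip.is_global and not (ip.is_private or ip.is_loopback or
                                 ip.is_link_local or ip.is_multicast or
                                 ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve):
    """Return (ok, reason). `resolve(host)` returns the list of IP strings the
    host resolves to; it is injected so the check is testable offline and so
    the HTTP client can be pointed at the very addresses that were checked
    (resolving again inside the client reopens the door to DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ips = [ipaddress.ip_address(host)]      # literal address in the URL
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    if not ips:
        return False, f"{host} does not resolve"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver standing in for DNS: one legitimate host and one
# attacker-controlled name whose record points at the metadata service.
FAKE_DNS = {
    "developers.example.com": ["8.8.8.8"],
    "meta.attacker.example": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://meta.attacker.example/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://127.0.0.1:8090/",
              "https://developers.example.com/api"):
        print(u, check_outbound_url(u, fake_resolve))
```

Two caveats a reviewer would raise: the check must be repeated on every redirect the fetch follows (a public host can 302 to the metadata address), and the validated IP, not the hostname, must be what the client connects to. Blocking the metadata address at the host level (the instance firewall, or a metadata endpoint that requires a token) is the backstop for the Confluence-style case where the vulnerable fetch is not your own code.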