Feb 18, 2019

2 Subdomains Takeover via Unbounce in a Private Program

Many researchers have asked me whether this takeover still exists or has been fixed.
Yes, this takeover still exists, with 3 scenarios,
as Akita Zen said.


*****************************
Bug Type : Subdomain Takeover 
Service : Unbounce 
Severity : Critical 
Program : Private on Hackerone
Status : Duplicate (after it was fixed)

*************************
In a private program on HackerOne I found 2 subdomains,
get.example.com
try.example.com
each with a CNAME pointing to unbouncepages.com
that showed me the takeover error (the fingerprint).
So I made an account, tried to add the domain to my page on Unbounce, and it connected successfully.


Steps to takeover
1) Create an account on Unbounce (a credit card is required).
2) Create your Unbounce page.
3) Add a domain to your page.
If it tells you the domain is already taken, there is no takeover.
Example : info.hacker.one
It shows the takeover fingerprint, but it already works and is added to another account, so there is no takeover there.

Timeline
Reported : 6 Nov, 2018
Triaged : 7 Nov, 2018
I noticed that they fixed it : 7 Nov, 2018, after 2 hours
Duplicate : 10 Nov, 2018


******************************

Feb 17, 2019

Reflected XSS in GoodHire.com CMS

Program : inflection
Bug Type : Reflected XSS
Severity : High 
Domain : GoodHire.com
Bounty : 0$ + Bonus 150$

******************************
Affected parameter (in the HubSpot CMS) : referrerUrl
Affected path : /_hcms/cta

**********************************
Payload
{%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:""//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


**********************************
PoC was :
https://www.goodhire.com/_hcms/cta?referrerUrl={%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:%22%22//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


***********************************
For more about this bug, please visit my write-up.
****************************************

Feb 16, 2019

Subdomain Takeover via Wufoo Service in a Private Program
Program : Private Program On Hackerone
Bug Type : Subdomain Takeover
Service : WUFOO
Severity : Medium (because it redirects)
Reward : 500$
Subdomain : Bug.example.com

*********************************
Wufoo 
Wufoo's HTML form builder helps you create online web forms. Use our web form creator to power your contact forms, online surveys, and event registrations.

*************************************
Steps and how I found this bug

When I went directly to the subdomain,
it redirected me to another subdomain and showed me this error:

First I noticed that the profile was not found.
So I searched about Wufoo and saw what it does.

1) When you create a free profile on Wufoo,
they give you a subdomain for your profile:

yourprofile.wufoo.com

2) You can change it later, so I changed it to the subdomain's CNAME, which was not found.

3) I created a form to provide more PoC.

4) This PoC seems to be enough; if you want to add a page or JavaScript code,
you will have to upgrade your free account.
**********************************

Feb 15, 2019

Subdomain Takeover via HubSpot

Last year I was able to take over a subdomain in a public program via the HubSpot service, and after that the program closed my report as informative (by HackerOne staff).

Some researchers say "You can't take over subdomains via HubSpot any more" after the report by Frans Rosen, https://hackerone.com/reports/38007; that was 4 years ago, and it seems that HubSpot fixed their DNS services.

In this blog post I only want to say, and prove, that
HubSpot is still vulnerable to subdomain takeovers.

In my report I was able to bypass the DNS confirmation and make the subdomain connect directly to my new DNS.

Subdomain takeover via HubSpot fingerprint:

POC:
*************************************

Souq.com Subdomain Takeover via jazzhr.com service

Program :  Souq

Vulnerability : Subdomain Takeover 

Impact  : High


`jobs.souq.com` was vulnerable to subdomain takeover via the `jazzhr.com` service.

When I visited jobs.souq.com it showed me an error (the fingerprint).

So I started by looking at the CNAME:
`jobs.souq.com` had a CNAME to `souq.applytojob.com`.

So I went directly to the service provider, and they allowed me to take the CNAME `souq.applytojob.com`.

`jobs.souq.com` did not allow me to connect it directly; it seems there was a bug!

After 1 day I noticed that the subdomain had been connected to the CNAME on some paths, for example `/app/share/`.

Funny thing: there is someone applying to a fake Security job! 😀

Timeline
2019-02-04: Bug reported
2019-01-05: Fixed with no comments 
2019-01-06: Closed as Informative ! 

Feb 14, 2019

[SSRF] Server Side Request Forgery in a private Program developers.example.com

*****************************************

Program : Private program ( HackerOne ) 
Subdomain : Developers.Example.com 
Bounty : 200$
Severity : Critical
Issue Type : SSRF  

****************************************

I found an SSRF vulnerability in a private program on HackerOne.

The affected subdomain (developers) was running a
vulnerable Confluence instance, version <= 6.00.

PoC example :

developers.example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com

****************************

Any AWS instance can query an IP (the metadata endpoint) and receive information related to that instance, and even account information. I then checked the local hostname through the AWS metadata endpoint by visiting
http://169.254.169.254/latest/meta-data/local-hostname/

through the SSRF:

developers.example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/
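As an added example (not from the original post and not Confluence's own code), this is the kind of destination check a server-side fetcher like the icon-uri endpoint should apply before following a user-supplied URL; the `fake_resolve` table and its addresses are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
# Added example for the Confluence icon-uri SSRF above: refuse internal and link-local
# destinations before connecting. Ranges below are the usual private/loopback/link-local ones.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",   # link-local; includes the AWS metadata address 169.254.169.254
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def ip_is_blocked(ip_text):
    """True when the address falls in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve(host):
    """Every address a connection could use; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_outbound_url(url, resolver=resolve):
    """Return (allowed, reason). Only http(s) to public addresses passes, judged on the resolved
    addresses, not the hostname text; the caller should connect to the address that was checked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # IP literal; brackets already stripped
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "unresolvable host"
    for addr in sorted(addrs):
        if ip_is_blocked(addr):
            return False, f"{addr} is internal or link-local"
    return True, "ok"

# Constructed stand-in for DNS so the example runs offline; the addresses are invented.
FAKE_DNS = {"google.com": {"203.0.113.7"}, "localhost": {"127.0.0.1"},
            "intranet.example": {"10.0.0.5"}, "metadata.example": {"169.254.169.254"}}
def fake_resolve(host):
    return FAKE_DNS.get(host, set())
```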
Oct 1, 2018

Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps

Program : Shopify

Domain : exchangemarketplace.com
In scope : yes, it belongs to Shopify

exchange.shopify.com = exchangemarketplace.com
Bounty : Not eligible for bounty!
*****************************************
I was using aquatone; it showed me the subdomain but did not show that it was vulnerable to subdomain takeover!!
When I went directly to
blog.exchangemarketplace.com
I found it asking me to connect the domain to my Shopify store!
The Shopify team responded fast: they triaged and fixed the report within 15 min of triage.


****************************
Takeover steps
1) Create your free trial Shopify store account.
2) Now that you have a free account, you just need to add your vulnerable subdomain from here:
https://your-shop.myshopify.com/admin/settings/domains
and click on ( Connect existing domain ).
3) Add your vulnerable subdomain and click on verify ( connect ).
It will look like this PoC:
4) Wait a minute, and now when you enter your Shopify store URL
it will redirect to the vulnerable subdomain.
*********************************
My disclosed report on HackerOne

Sep 11, 2018

Subdomain Takeover via campaignmonitor

Subdomain takeover via Campaignmonitor.com
in a private program on Bugcrowd

What is createsend.com DNS?
It is a DNS service belonging to campaignmonitor.com.
If you create an account on Campaign Monitor,
it will give you a subdomain on createsend.com.

Companies count on Campaign Monitor for email campaigns,
so Campaign Monitor is only for emails.

*****************************************************************
Steps to subdomain takeover (example)
*****************************************************************
When I went to
example.site.com
I found the site like this pic:


I noticed that the subdomain
example.site.com
is an alias to
testexample.createsend.com


This means the domain's plan has expired on Campaign Monitor
and it is ready to be reactivated under another email.

1) So I created an account on campaignmonitor.com
and chose any name;
by name here I mean an example.createsend.com.

2) After this you only need to add the subdomain to take over,
by going to
example.createsend.com/account
then
example.createsend.com/account/customize

Then just choose a custom domain:

example.createsend.com/account/customize/customdomain/manage

3) Add your vulnerable subdomain example.site.com,
then click next,
wait 1 min, and the setup will be verified.

Congrats 😉
4) Now when you go to example.site.com
it will show your example.createsend.com.

The takeover steps are now finished.
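As an added example that is not part of this post or the other takeover posts above (Unbounce, Wufoo, JazzHR, Shopify, Campaign Monitor), this script audits a DNS zone export for CNAMEs that point at those third-party services, so a defender can confirm each tenant is still live and owned before an expired plan or unclaimed name becomes a takeover; the zone lines and the example.com names are constructed.

```python
from collections import defaultdict
# Third-party CNAME targets named in the write-ups on this page -> service label
# (assumption: these are the suffixes each provider hands out to its customers).
THIRD_PARTY_SUFFIXES = {
    "unbouncepages.com": "Unbounce",
    "wufoo.com": "Wufoo",
    "applytojob.com": "JazzHR",
    "myshopify.com": "Shopify",
    "createsend.com": "Campaign Monitor",
}
# Constructed zone export (BIND-style lines); example.com is a placeholder.
SAMPLE_ZONE = """\
get.example.com.   300 IN CNAME get-example.unbouncepages.com.
try.example.com.   300 IN CNAME try-example.unbouncepages.com.
bug.example.com.   300 IN CNAME bugexample.wufoo.com.
jobs.example.com.  300 IN CNAME example.applytojob.com.
blog.example.com.  300 IN CNAME shops.myshopify.com.
news.example.com.  300 IN CNAME testexample.createsend.com.
www.example.com.   300 IN A     203.0.113.10
cdn.example.com.   300 IN CNAME d111111abcdef8.cloudfront.net.
"""
def parse_cnames(zone_text):
    """Yield (owner, target) for CNAME records, lower-cased with trailing dots stripped."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2].upper() == "IN" and f[3].upper() == "CNAME":
            yield f[0].rstrip(".").lower(), f[4].rstrip(".").lower()

def service_for(target):
    """Service label when target is under a known third-party suffix, else None."""
    for suffix, label in THIRD_PARTY_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return label
    return None

def audit(zone_text):
    """Group third-party CNAMEs by service; each needs its tenant confirmed live and ours."""
    findings = defaultdict(list)
    for owner, target in parse_cnames(zone_text):
        label = service_for(target)
        if label:
            findings[label].append((owner, target))
    return dict(findings)

if __name__ == "__main__":
    for label, records in audit(SAMPLE_ZONE).items():
        for owner, target in records:
            # A fingerprint page alone is not proof: the target may already belong to another
            # tenant, which is the "already taken" case in the Unbounce write-up above.
            print(f"{label}: {owner} -> {target}: confirm the tenant exists and is ours")
```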
****************************************************************
Now when anyone goes to example.site.com
it asks them to log in to Campaign Monitor.
Yes, as I said at first, Campaign Monitor is only for managing emails and subscribers.

Now if you need to create a small page to show,
you will only be able to create a subscribe page.

Go to this path:

https://example.site.com/templates/create

You can upload your subscribe page or choose from the templates on the site.

Example like mine:
***********************************************************************
Reward was 900$
Fixed in 10 min from the report
*****************************************************

Aug 29, 2018

Reflected XSS in Django REST Framework Api at MapBox Subdomain


Bounty : 500 $
Program : Mapbox
subdomain : osmcha.mapbox.com

******************************************************************

While I was testing osmcha.mapbox.com,
I found that the Django REST framework API is available to all users
(I don't mean the admin panel, I mean the normal paths).

So I started testing this /changesets/ path,
but I admit it is hard to find a bug in a Django API:
https://osmcha.mapbox.com/api/v1/changesets/


I noticed that there are some parameters:
https://osmcha.mapbox.com/api/v1/changesets/?page=1&page_size=75&date__gte=2017-07-01

So I started to test them.
The affected parameter was date__gte=
It accepts any payload to make XSS.

PoC was
https://osmcha.mapbox.com/api/v1/changesets/?date__gte=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1)%3C/scRipt%3E&format=json&page=2&page_size=75


**********************************************