Hi everyone, hope everyone’s doing fine. It’s been a while since I published anything, so let me tell you, in short, the story of the first bug that got me a bounty. Here goes.
What was the bug?
A subdomain of the website had an iframe referencing a domain that did not exist and was available for purchase. So anyone could buy the domain and serve arbitrary content on the subdomain, similar to a subdomain takeover.
How I found it
Let’s call the website “domain.com”. I did some initial recon on the domain.
The methodology I followed for doing recon on the domain was:
Subdomain enumeration → httprobe → Aquatone → manually looking at the screenshots.
I usually use Subfinder to list the subdomains of a domain.
subfinder -d "domain.com" -all -o subs.txt
This time I came across this website https://securitytrails.com/ and decided to give it a try. There were 45 subdomains listed for domain.com.
I copied all the subdomains to a text file and ran httprobe on it to determine which of the subdomains were alive (responding over HTTP or HTTPS).
cat subs.txt | httprobe -c 100 | tee subs-probed.txt
Then I used Aquatone to screenshot all the live subdomains and got a nice report rendered in HTML. I went through the screenshots and manually visited the interesting ones.
One particular subdomain caught my eye. The subdomain “subdomain.domain.com” displayed an error message saying “We can’t connect to the server at nonexistentdomain.com”, yet the page’s title still showed the original domain name.
So I looked at the page source and saw that the page actually contained a frame tag referencing nonexistentdomain.com, alongside a title with the original domain name:
<title> Domain </title>
Since the frame could not load nonexistentdomain.com, the browser displayed the error.
I looked up the domain’s WHOIS record at https://www.name.com/whois-lookup. The domain was not registered by anyone and was available for purchase. So anyone who bought “nonexistentdomain.com” could serve arbitrary content on “subdomain.domain.com”, effectively taking over the subdomain.
An attacker could leverage this to serve whatever they wanted on the subdomain, even a fake login page that captures and stores the credentials users enter.
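To make this class of bug easy to spot in your own properties, here is an added example (written for this post, not code from the original write-up or from any tool mentioned in it) that scans a page’s HTML for <frame>/<iframe> elements whose src points at an external host that does not resolve in DNS. The hostnames it uses (subdomain.domain.com, nonexistentdomain.com) are the post’s own placeholders, and the sample HTML and the offline resolver are constructed for the example.

```python
# Added example (not from the original post): scan a page's HTML for <frame>/<iframe>
# elements whose src points at an external host that does not resolve in DNS.
# Such hosts are candidates for the dangling-reference takeover described above.
# Hostnames below (subdomain.domain.com, nonexistentdomain.com) are the post's
# placeholders; the HTML and the offline resolver are constructed for this example.
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FrameSrcParser(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def extract_frame_hosts(html, page_url):
    """Return the hostnames framed by the page, in document order.

    Relative and protocol-relative src values are resolved against page_url,
    so a frame loading a path on the same site reports the page's own host.
    """
    parser = FrameSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        host = urlparse(urljoin(page_url, src)).hostname
        if host:  # skips about:blank, javascript:, data: and similar
            hosts.append(host.lower())
    return hosts


def dns_resolves(host):
    """Live resolver: True if the host has any A/AAAA record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_frames(html, page_url, resolver=dns_resolves):
    """Return external framed hosts that fail to resolve, deduplicated.

    A non-resolving host is only a candidate: whether it is actually
    unregistered (and therefore purchasable) must be confirmed with a
    registrar/WHOIS lookup, as the post describes.
    """
    own_host = (urlparse(page_url).hostname or "").lower()
    candidates = []
    for host in dict.fromkeys(extract_frame_hosts(html, page_url)):
        if host == own_host:
            continue  # same-site frame, not a takeover candidate
        if not resolver(host):
            candidates.append(host)
    return candidates


# Constructed sample page modelled on the write-up: a frameset that loads an
# unregistered domain, plus frames that point back at the site itself.
SAMPLE_PAGE_URL = "https://subdomain.domain.com/"
SAMPLE_PAGE = """<html><head><title> Domain </title></head>
<frameset rows="100%">
  <frame src="http://nonexistentdomain.com/" name="main">
</frameset>
<body>
  <iframe src="/local/widget.html"></iframe>
  <iframe src="//subdomain.domain.com/other"></iframe>
  <iframe src="about:blank"></iframe>
</body></html>"""

# Offline stand-in for DNS so the example runs without network access.
KNOWN_HOSTS = {"subdomain.domain.com"}


def offline_resolver(host):
    return host in KNOWN_HOSTS


if __name__ == "__main__":
    for host in find_dangling_frames(SAMPLE_PAGE, SAMPLE_PAGE_URL, offline_resolver):
        print(f"dangling frame reference: {host}")
```

Run against real pages, drop the offline_resolver argument so the default socket-based resolver is used; anything it reports still needs the WHOIS check from the write-up before you can call it takeover-able, since a host can fail to resolve for reasons other than being unregistered.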
I reported this to the company; they fixed it in a day and rewarded me with an Amazon gift card.
And that’s it, thank you for reading! Happy hunting everyone!