
Hi everyone, hope everyone’s doing fine. It’s been a while since I published anything and now let me tell you in short, the story of the first bug that got me a bounty. So here goes.

What was the bug?

How I found it

The methodology I followed for doing recon on the domain was

Subdomain Enumeration → httprobe → Aquatone → Manually looking at the screenshots.

I usually use Subfinder to list the subdomains of a domain.

subfinder -d "domain.com" -all -o subs.txt

This time I came across this website https://securitytrails.com/ and decided to give it a try. There were 45 subdomains listed for domain.com.

I copied all the subdomains to a text file and ran httprobe on it. This determines which of the hosts actually answer on HTTP or HTTPS.

cat subs.txt | httprobe -c 100 | tee subs-probed.txt

Then I used aquatone to screenshot all the subdomains and got a nice report rendered in HTML. Then I looked at the screenshots and manually visited the interesting domains.

One particular subdomain caught my eye. I found that the subdomain "subdomain.domain.com" displayed an error message saying "We can't connect to the server at nonexistentdomain.com". But there was a title for the webpage with the original domain name.

So I looked at the source of the page and saw that the page actually contained a frame tag like this:

<html>
<head>
<title> Domain </title>
</head>
<!-- a <frame> is only rendered inside a <frameset>, never directly in <body>;
     an <iframe> placed in <body> fails in exactly the same way -->
<frameset rows="100%">
<frame src="https://nonexistentdomain.com/path">
</frameset>
</html>

Because the browser could not load nonexistentdomain.com into the frame, it rendered its connection error in the frame's place, while the title and the address bar still belonged to subdomain.domain.com.

I looked up the domain's Whois records at https://www.name.com/whois-lookup. The domain was not registered by anyone and was available for purchase. So anyone who purchases the domain "nonexistentdomain.com" can serve any arbitrary content on "subdomain.domain.com". Thus we can effectively take over the subdomain.

This is a dangling reference rather than the classic dangling-CNAME takeover: the DNS for subdomain.domain.com is fine, but the page it serves hands its entire viewport to a domain nobody owns. Whoever registers that domain controls everything rendered on subdomain.domain.com while the address bar still shows the trusted hostname, so a convincing fake login page that collects credentials is trivial. One caveat a reviewer should keep in mind when rating impact: the framed document keeps the origin nonexistentdomain.com, so it cannot read cookies or storage belonging to domain.com. The damage is phishing and content injection under a trusted name, not direct session theft.
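To make the manual check above repeatable across a list of probed hosts, here is an added example (not code from the original post) that pulls every frame and iframe source out of a page, keeps only the hosts that lie outside the page's own domain, and flags those that do not resolve in DNS. The sample HTML, the hostnames and the offline resolver results are constructed for the demo; the "registrable domain is the last two labels" rule is a simplifying assumption (a real scanner should use the Public Suffix List), and the real `dns_resolves` helper uses the standard library's `socket.getaddrinfo`.

```python
"""Spot dangling <frame>/<iframe> sources: external hosts that no longer resolve.

Added example, not code from the original write-up.  The page HTML, host names
and offline DNS answers below are constructed sample data; the two-label
registrable-domain rule is an assumption that a real scanner should replace
with the Public Suffix List.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import socket


class FrameSrcParser(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # (tag, src) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def base_domain(host):
    """Registrable domain, approximated as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def frame_host(src):
    """Host a frame src loads from; None for relative (same-origin) paths.

    Absolute (https://h/p) and protocol-relative (//h/p) URLs both yield h.
    """
    return urlsplit(src).hostname


def dns_resolves(host):
    """Real check: True if the host has any A/AAAA record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_frames(html, page_host, resolves=dns_resolves):
    """Return (tag, src, host) for every frame whose source host lies outside
    the page's registrable domain and does not resolve.

    `resolves` is injectable so the logic can run offline against constructed
    data; by default it does a live DNS lookup.
    """
    parser = FrameSrcParser()
    parser.feed(html)
    findings = []
    for tag, src in parser.sources:
        host = frame_host(src)
        if host is None or base_domain(host) == base_domain(page_host):
            continue  # same-origin or same site: not this bug class
        if not resolves(host):
            findings.append((tag, src, host))
    return findings


# Constructed sample: the frameset from the write-up plus two controls
# (a relative iframe and an external iframe whose host does resolve).
SAMPLE_PAGE = """
<html><head><title> Domain </title></head>
<frameset rows="100%">
  <frame src='https://nonexistentdomain.com/path'>
</frameset>
<body>
  <iframe src="/local/help.html"></iframe>
  <iframe src="//cdn.example.net/widget.js"></iframe>
</body></html>
"""

# Constructed resolver: only the CDN host "exists" in this offline demo.
FAKE_DNS = {"cdn.example.net"}


def demo():
    """Run the scanner on the constructed page with the offline resolver."""
    return find_dangling_frames(SAMPLE_PAGE, "subdomain.domain.com",
                                resolves=lambda h: h in FAKE_DNS)


if __name__ == "__main__":
    for tag, src, host in demo():
        print(f"dangling <{tag}> on subdomain.domain.com -> {host} ({src})")
```

A host that fails to resolve is a lead, not a confirmed takeover: a registered domain with no records also returns NXDOMAIN, so each hit still needs the WHOIS or registrar availability check the write-up describes before it is reported. Sources under the target's own domain are deliberately skipped here because a dangling record there is a different finding (a DNS-level takeover) with its own checks.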

I reported this to the company and they fixed it in a day and rewarded me with an Amazon Gift card.

And that’s it, thank you for reading! Happy hunting everyone!

Bug Bounty Hunter | CTF player | Student
