Prial Islam

Subdomain Takeover by Prial P0C

Subdomain takeover due to misconfigured project settings

Hi readers,
Today I will write about subdomain takeover. It is a common security issue that is really a developer's mistake: a DNS CNAME record for one of their subdomains is left pointing at an unused or unclaimed third-party service, and an attacker who registers that service under their own account can then serve content from the subdomain, which can lead to serious issues. You can learn more about subdomain takeover on the Detectify blog.

While testing flock.com I found the domain flock.co, which also belongs to the Flock company, so I started looking at its subdomains and found newdev.flock.co. When I visited the subdomain in the browser I got an error like the one in the screenshot below:

Project doesn't exist error (screenshot)

This caught my attention, so I checked the DNS record for the subdomain.

$ dig newdev.flock.co

; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co.		IN	A

;; ANSWER SECTION:
newdev.flock.co.	299	IN	CNAME	cname.readme.io.
cname.readme.io.	299	IN	CNAME	readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.0.214.29
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.5.249.117

;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE  rcvd: 175

From the above record we can see that the subdomain is a CNAME to cname.readme.io, which in turn resolves to a readme.io load balancer on AWS. So I started reading the custom domain documentation on the readme.io website to understand how their custom domains work. From the documentation I understood that:

  • You need a subdomain of yours pointing (via CNAME) to your readme.io project subdomain, e.g. yoursubdomain.readme.io.
  • That custom domain has to be configured in the project's domain settings, on a page of the form https://dash.readme.io/project/<project_Name>/v1.0/domains
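The two checks described above (does the CNAME chain end at a third-party service, and does that service answer with its "unclaimed" error page?) can be automated. The following is an added example, not code from the original post: it parses the answer section of dig output, follows the CNAME chain, identifies the hosting service by the CNAME target's suffix, and matches the response body against that service's error fingerprint. The readme.io suffix and the "Project doesn't exist" text come from this post; the other service entries, the sample HTML body and the helper names are assumptions made for illustration.

```python
"""Triage a possible subdomain takeover from a dig answer section plus the
HTTP response body.  Added example; all sample data below is constructed."""
import re

# Constructed sample: the answer section for newdev.flock.co as shown in the post.
SAMPLE_DIG = """\
;; ANSWER SECTION:
newdev.flock.co.\t299\tIN\tCNAME\tcname.readme.io.
cname.readme.io.\t299\tIN\tCNAME\treadme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.0.214.29
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.5.249.117
"""

# Constructed sample body carrying the error text the author saw in the browser.
SAMPLE_BODY = "<html><body><h1>Project doesn't exist</h1></body></html>"

# Service fingerprints: CNAME suffix -> (service name, regex for the error page
# shown for an unclaimed custom domain).  readme.io is from the post; the other
# two entries are assumptions used only to show how the table is extended.
SERVICES = {
    "readme.io": ("ReadMe", re.compile(r"Project doesn'?t exist", re.I)),
    "github.io": ("GitHub Pages", re.compile(r"There isn't a GitHub Pages site here", re.I)),
    "herokuapp.com": ("Heroku", re.compile(r"No such app", re.I)),
}

# owner  TTL  IN  TYPE  rdata  (dig separates the fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)\s*$")


def parse_answer(text):
    """Return [(owner, rtype, rdata)] for every resource record line in dig output."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def cname_chain(records, name, max_hops=8):
    """Follow CNAME records starting at name; returns the names visited, name first.
    Stops on a loop or after max_hops so a malicious zone cannot spin us forever."""
    cnames = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    chain = [name.rstrip(".").lower()]
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break  # CNAME loop
        chain.append(nxt)
    return chain


def identify_service(chain):
    """Match every hop after the first against the known service suffixes."""
    for hop in chain[1:]:
        for suffix, (service, _fp) in SERVICES.items():
            if hop == suffix or hop.endswith("." + suffix):
                return service, suffix
    return None, None


def triage(dig_text, name, body):
    """Combine the DNS evidence with the HTTP fingerprint into one verdict."""
    chain = cname_chain(parse_answer(dig_text), name)
    service, suffix = identify_service(chain)
    if service is None:
        return {"name": name, "chain": chain, "service": None, "candidate": False}
    fingerprint = SERVICES[suffix][1]
    return {
        "name": name,
        "chain": chain,
        "service": service,
        # A CNAME to the service alone is not enough: the error page is what
        # indicates the custom domain is not attached to any project.
        "candidate": bool(fingerprint.search(body)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DIG, "newdev.flock.co", SAMPLE_BODY))
```

In practice the dig text comes from running `dig` against each enumerated subdomain and the body from an HTTP request to it; a "candidate" result still has to be confirmed manually, as in the steps below, because a fingerprint match only says the service does not know the hostname, not that the service will let you attach it.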

So, to take over the subdomain, I first needed to check whether cname.readme.io could still be claimed. Unfortunately, it was already claimed 🙁. However, I have seen that many such services do not force users to prove ownership of a custom domain (for example with a TXT record alongside the CNAME) before attaching it to a project, so there was still hope.

I opened an account on readme.io and got the project subdomain newdev.readme.io. Then I went to the domain settings at https://dash.readme.io/project/newdev/v1.0/domains, entered newdev.flock.co in the Custom Domain field and saved the changes. Now when I visited newdev.flock.co it redirected me to http://newdev.flock.co/inactive, a page saying "Not Yet Active":

Subdomain Takeover by Prial P0C (screenshot)

This page is shown because I was using a trial account. In the page title in the screenshot above you can see the project name I chose when creating the project, which confirms that newdev.flock.co is now serving my content from the newdev.readme.io project.

How to avoid such issues? Keep your DNS records up to date: remove CNAME (or any other) records that point to a third-party service you no longer use, and remove the record before, not after, you cancel or abandon the service. If you find a security vulnerability in Flock, feel free to contact them via [email protected]
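The advice above is easiest to follow if it is checked automatically. The following is an added example, not code from the original post or from Flock: it parses a BIND-style zone, picks out every CNAME that hands a hostname to a third-party hosting service, and reports the ones that have no matching entry in an inventory of custom domains the organisation has actually configured with that provider. The zone contents, the inventory, the list of third-party suffixes other than readme.io and the function names are all assumptions constructed for illustration.

```python
"""Audit a zone for CNAMEs that delegate a hostname to a third-party service
without a recorded owner.  Added example; zone and inventory are constructed."""
import re

# Constructed BIND-style zone fragment (not Flock's real zone).
ZONE = """\
$ORIGIN flock.co.
www        300 IN A     203.0.113.10
docs       300 IN CNAME cname.readme.io.     ; documented, verified in ReadMe dashboard
newdev     300 IN CNAME cname.readme.io.     ; nobody remembers who set this up
blog       300 IN CNAME example-blog.ghost.io.
static     300 IN CNAME cdn.flock.co.        ; in-zone target, not a third party
cdn        300 IN A     203.0.113.20
"""

# Services that serve customer content under a customer-chosen hostname.
# readme.io is from the post; the other suffixes are assumptions for illustration.
THIRD_PARTY_SUFFIXES = ("readme.io", "ghost.io", "github.io", "herokuapp.com")

# Inventory of custom domains the organisation has configured (and verified)
# in each provider's dashboard.  Constructed for this example.
INVENTORY = {
    "docs.flock.co": "readme.io",
    "blog.flock.co": "ghost.io",
}

# owner  [TTL]  IN  TYPE  rdata
ZONE_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(\S+)\s*$")


def parse_zone(text):
    """Return [(fqdn, rtype, rdata)] with relative owner names expanded via $ORIGIN."""
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = ZONE_RR.match(line)
        if not m:
            continue  # directives and multi-line records are out of scope here
        owner, rtype, rdata = m.groups()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".").lower()
        else:
            fqdn = f"{owner.lower()}.{origin}"
        records.append((fqdn, rtype.upper(), rdata.rstrip(".").lower()))
    return records


def third_party(target):
    """Return the matching third-party suffix for a CNAME target, or None."""
    for suffix in THIRD_PARTY_SUFFIXES:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def orphaned_cnames(zone_text, inventory):
    """CNAMEs pointing at a third-party service with no inventory entry for
    that hostname and provider.  Each one is a record to remove or to claim."""
    findings = []
    for fqdn, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME":
            continue
        suffix = third_party(target)
        if suffix is None:
            continue  # in-zone or first-party target; an unclaimed-service takeover does not apply
        if inventory.get(fqdn) != suffix:
            findings.append((fqdn, target, suffix))
    return findings


if __name__ == "__main__":
    for fqdn, target, suffix in orphaned_cnames(ZONE, INVENTORY):
        print(f"{fqdn} -> {target} ({suffix}): no owner on record, remove or claim it")
```

Running this on a schedule (or as a check in the pipeline that deploys zone changes) turns the "remove unused CNAMEs" rule into something enforceable: any CNAME to a hosted service that is not in the inventory is either an orphan to delete or a service someone forgot to register, and both cases deserve a ticket.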

Thanks for reading.
