How I took over another user's subdomain name (worth $$$$)

Feb 23


Hello everyone

I would like to write up a finding about taking over another user's subdomain name. I have previously explained a little about how this website works.

The website I was testing lets each user set a subdomain name, much like Shopify does. Users can change their subdomain name to another name, but of course they cannot change it to one that already exists or is in use by another user.

How could I take over another user's subdomain name? As usual, I tested several features and found nothing; the one that caught my attention was the subdomain name setting, where users can change their subdomain name as shown below.

Subdomain name settings

In the image above, "Attacker" is my subdomain name. What happens if I change it to another user's subdomain name? When I tried, the response was "REDACTED Page URL has already been taken".

Subdomain already taken

So I tried adding a SPACE at the end of the subdomain name, and surprisingly, I managed to change my subdomain name to another user's.

Yes, that's right: I added a SPACE at the end of the subdomain name :p, or equivalently its URL encoding %20, in the Burp Suite request as follows

POST /xxx/campaigns/1232/settings HTTP/2
Cookie: cokiedsfsd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*;q=0.5, text/javascript, application/javascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: KOFXStxcsdfcsdfVZ6WZsKJRGPg==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 602


The parameter "campaign[redacted_slug]" carries the victim's subdomain name with a trailing space, URL-encoded as "victim%20"; see the image below.

Request & response

The response was "202 Accepted", meaning I had successfully changed my subdomain name to the victim's: my previous subdomain name was replaced with the victim's subdomain name.
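The writeup does not show the server's code, so the following is an added example of my own, not the target site's implementation. It models in plain Ruby the behaviour that would explain the result above (an assumption: the uniqueness check runs on the raw "victim " parameter, while the value is stripped and lowercased just before it is stored, so the check passes but "victim" is written), and places a hardened version beside it that validates exactly the value it will store. The store, the :victim/:attacker owners and the slugs are constructed sample data.

```ruby
# Added example (not the target site's code): a plain-Ruby model of a
# subdomain-settings endpoint, showing how a check on the raw input and
# a store of the normalized input let "victim " pass as "victim".
# All owners and slugs here are constructed sample data.

class SlugStore
  def initialize
    @owner_of = {} # slug => owner
  end

  def owner_of(slug)
    @owner_of[slug]
  end

  # Point `owner` at `slug`, releasing whatever slug they held before.
  def assign(owner, slug)
    @owner_of.delete_if { |_, o| o == owner }
    @owner_of[slug] = owner
  end
end

def seed_store
  store = SlugStore.new
  store.assign(:victim, "victim")
  store.assign(:attacker, "attacker")
  store
end

# Vulnerable flow (assumed behaviour): uniqueness is checked on the raw
# parameter, but the value is normalized (strip + downcase) right before
# it is written. "victim " is unused, so the check passes; "victim" is saved.
def vulnerable_update(store, owner, raw_slug)
  holder = store.owner_of(raw_slug)
  return [:error, "has already been taken"] if holder && holder != owner

  slug = raw_slug.strip.downcase
  store.assign(owner, slug)
  [:ok, slug]
end

# Hardened flow: derive the canonical value first, reject anything that is
# not a valid lowercase DNS label (so whitespace, "_" or "!" never get in),
# and run the uniqueness check on exactly the value that will be stored.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

def hardened_update(store, owner, raw_slug)
  slug = raw_slug.strip.downcase
  return [:error, "is not a valid subdomain"] unless LABEL.match?(slug)

  holder = store.owner_of(slug)
  return [:error, "has already been taken"] if holder && holder != owner

  store.assign(owner, slug)
  [:ok, slug]
end

if __FILE__ == $PROGRAM_NAME
  store = seed_store
  p vulnerable_update(store, :attacker, "victim")  # => [:error, "has already been taken"]
  p vulnerable_update(store, :attacker, "victim ") # => [:ok, "victim"]  (takeover)
  p store.owner_of("victim")                       # => :attacker

  store = seed_store
  p hardened_update(store, :attacker, "victim ")   # => [:error, "has already been taken"]
  p store.owner_of("victim")                       # => :victim
end
```

The hardened flow also catches the case-only variant ("Victim"), since DNS labels are case-insensitive and the lookup runs on the lowercased value; the general rule is that whatever transformation the persistence layer applies must be applied before, not after, the uniqueness check.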

I immediately reported the finding to their team. After two days of waiting for a reply to my email, they confirmed the finding was valid and awarded me a bounty of $1250.

Bounty awarded

Thank you for reading. Stay focused on your program and test every available feature; don't overlook the little things.

Video PoC

You can see my other findings here [Bahasa]

If you like my findings, give me a round of applause 👏 and please excuse any typos.