How I took over another user's subdomain name (worth $$$$)


Hello everyone

I would like to write down a finding regarding the takeover of another user's subdomain name. First, a little about how this website works.

So, the website I'm testing has a feature to set a subdomain name for each shop, the same as Shopify.
Users can change their subdomain name to another name; of course, they cannot change it to one that already exists or is used by another user.

I'm not allowed to mention the name of their company, so we'll call it REDACTED.COM (actually they let me share my findings but asked me to wait until June 1st, so I'll upload these findings later on my channel https://youtube.com/Parkerzanta )

How can I take over another user's subdomain name? As usual, I tested several features but found nothing; the feature that caught my attention was setting the subdomain name. Users can change their subdomain name as follows:

Settings subdomain name

As in the image above, "attacker" is my subdomain name, so my shop lives at https://attacker.redacted.com. What if I change the subdomain name to another user's subdomain name? When I try, the response is the following: "REDACTED Page URL has already been taken"

Subdomain already been taken

So I tried adding a SPACE at the end of the subdomain name, and very surprisingly, I managed to change my subdomain name to another user's subdomain name.

Yep, that's right, I added a SPACE at the end of the subdomain name :p or, URL-encoded as %20, in the Burp Suite request as follows

The parameter "campaign[redacted_slug]" is set to "victim%20", i.e. the victim's subdomain name with a trailing space added in URL encoding; see the image below

Request & response

The response "202 Accepted" shows that I managed to change my subdomain name to the victim's subdomain name: the previous subdomain name https://attacker.redacted.com was successfully changed to the victim's subdomain name https://victim.redacted.com
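The likely root cause, shown as an added example that is not code from the original post or from the affected site: the "already taken" check compared the raw submitted slug, so "victim " (trailing space) was not equal to "victim", while the routing layer trimmed the value and mapped the host to the existing tenant. The `EXISTING_SLUGS` set, the `canonicalize` helper and the DNS-label regex are assumptions constructed for the demonstration; the hardened check canonicalizes first, rejects anything that is not a valid label, and only then tests uniqueness.

```python
import re
from urllib.parse import unquote

# Constructed sample of tenant slugs already in use (assumption, not real data).
EXISTING_SLUGS = {"victim", "attacker"}

# One DNS label: lowercase alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
SLUG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def canonicalize(slug: str) -> str:
    """What the request router effectively does before looking up a tenant:
    trim surrounding whitespace and lowercase the label."""
    return slug.strip().lower()


def naive_is_available(requested: str, taken=EXISTING_SLUGS) -> bool:
    """Vulnerable pattern: uniqueness is checked on the raw input.
    'victim ' != 'victim', so the check passes even though routing
    will later canonicalize the stored value onto the victim's host."""
    return requested not in taken


def collides_after_routing(requested: str, taken=EXISTING_SLUGS) -> bool:
    """Detection helper: does the raw value resolve to an existing tenant
    once the router canonicalizes it? True means a takeover condition."""
    return canonicalize(requested) in taken


def hardened_is_available(requested: str, taken=EXISTING_SLUGS) -> tuple[bool, str]:
    """Fix: canonicalize, reject invalid labels, then check uniqueness on the
    canonical form (the same form the router uses). Returns (available, canonical)."""
    canon = canonicalize(requested)
    if not SLUG_RE.fullmatch(canon):
        return False, canon
    return canon not in taken, canon


def check_form_param(encoded_value: str) -> tuple[bool, str]:
    """Apply the hardened check to a URL-encoded form value such as 'victim%20',
    decoding it exactly as the web framework would before validation."""
    return hardened_is_available(unquote(encoded_value))
```

Reviewing a slug-change endpoint, the test to run is: does every value accepted by validation compare equal, after the router's own canonicalization, to nothing already in the tenant table?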

I immediately reported my findings to their team. After 2 days of waiting, they replied to my email that the finding was valid, and I was given a bounty of $1250

Bounty awarded

Thank you for reading my writeup. Stay focused on your program and test all available features; don't miss any little things.

You can see my other findings here https://blog.parkerzanta.net/ [Bahasa]

If you like my findings, give me a round of applause 👏 and ignore any wrongly written words


Follow me at https://twitter.com/parkerzanta | Blog https://blog.parkerzanta.net/
