How to take over another user's subdomain? Bug bounty writeup
Hello everyone
I would like to write down a finding regarding the takeover of another user's subdomain name. First, a little about how this website works.
The website I was testing lets each user set their own subdomain name, much like Shopify does.
Users can change their subdomain name to another one; of course, they cannot change it to a name that already exists or is used by another user.
How can I take over another user's subdomain name? As usual, I tested several features but found nothing. The feature that caught my attention was the Subdomain Name setting, where users can change their subdomain name as follows:
As the image above shows, "attacker" was my subdomain name, reachable at https://attacker.redacted.com. What if I changed the subdomain name to another user's? When I tried, the response was "REDACTED Page URL has already been taken".
So I tried adding a SPACE at the end of the subdomain name, and surprisingly, I managed to change my subdomain name to another user's.
Yep, that's right: I added a SPACE at the end of the subdomain name :p, or its URL-encoded form %20, in the Burp Suite request as follows:
POST /xxx/campaigns/1232/settings HTTP/2
Host: redacted.com
Cookie: cokiedsfsd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*;q=0.5, text/javascript, application/javascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com/xxx/campaigns/1232/settings
X-Csrf-Token: KOFXStxcsdfcsdfVZ6WZsKJRGPg==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 602
[....]
utf8=%E2%9C%93&_method=patch&authenticity_token=KOFXStcWdGPg%3D%3D&campaign[redacted_slug]=victim%20&commit=Save+and+Continue
The parameter "campaign[redacted_slug]" carries the value "victim%20", the victim's subdomain name with a URL-encoded space appended; see the image below.
The response was "202 Accepted", meaning I managed to change my subdomain name to the victim's: my previous subdomain https://attacker.redacted.com was changed to the victim's subdomain https://victim.redacted.com.
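To show why a trailing space can slip past a uniqueness check, here is an added Ruby example (not the site's code; the mechanism is my assumption from the observed behaviour): a slug registry whose "taken" check compares the raw input while the value that is stored and routed on is the trimmed slug, next to a hardened version that normalizes and validates before checking. The SlugRegistry class, its methods and the owner/slug values are all constructed for the demo.

```ruby
# Added example, not the target site's code. Models a slug (subdomain) registry
# where the uniqueness check runs on the raw string but the stored/routed value
# is normalized, so "victim " and "victim" collide. Names are constructed.
class SlugRegistry
  # DNS-label shape: lowercase alphanumerics and hyphens, no leading/trailing hyphen
  SLUG_FORMAT = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

  def initialize
    @slugs = {} # normalized slug => owner
  end

  # Normalization the vulnerable flow effectively applies *after* its check
  # (for example by the framework on save, or by the host lookup at request time).
  def self.normalize(slug)
    slug.to_s.strip.downcase
  end

  # Vulnerable: "taken" is decided on the raw input, storage uses the normalized
  # form, so "victim " passes the check and then overwrites the "victim" entry.
  def claim_insecure(owner, raw)
    return :taken if @slugs.key?(raw)
    @slugs[self.class.normalize(raw)] = owner
    :accepted
  end

  # Hardened: normalize first, reject anything outside the allowed shape, then
  # check uniqueness on the same normalized value that will be stored.
  # In a real app, back this with a unique index on the normalized column.
  def claim(owner, raw)
    slug = self.class.normalize(raw)
    return :invalid unless slug.match?(SLUG_FORMAT)
    existing = @slugs[slug]
    return :taken if existing && existing != owner
    @slugs[slug] = owner
    :accepted
  end

  # Who serves requests for a given host label (always looked up normalized).
  def owner_of(host_label)
    @slugs[self.class.normalize(host_label)]
  end
end
```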
I immediately reported my findings to their team. After 2 days of waiting for them to reply to my email, they confirmed the finding was valid and I was awarded a bounty of $1250.
Thank you for reading. Stay focused on your program, test all available features, and don't miss the little things. Don't forget to give your applause 👏
Follow me at https://x.com/parkerzanta
[!] This article originally appeared on the Parkerzanta Blog, which I wrote in English.