Bugcrowd’s Domain & Subdomain Takeover vulnerability!
Hey, I decided to Write about this Issue because I have seen some people are still confused about “Fastly error: unknown domain” Many Subdomains of BugBounty programs have This error on their Subdomains and People Report is Without Claiming or Try to claim That..
But If you try to claim such Subdoamin it will ask U to add Main domain instead of subdomain… So back to the main story, last Sunday i decided to test Bugcrowd itself as it’s one of most secure BugBounty programs!
While i was checking Reverse IP Lookup For bugcrowd.com I got these 2 results
Reverse IP Lookup Results — 2 domains hosted on IP address 104.20.60.51
Domain View Whois Record Screenshots
1. bugcrowd.com
2. bugcrowdtrafficcontrol.com
As I Frequently Visit bugcrowd.com The other domain bugcrowdtrafficcontrol.com was New for Me as I haven’t seen this domain I decided to Pay a Visit 😛 and I saw an error on the domain!
Fastly error: unknown domain: bugcrowdtrafficcontrol.com. Please check that this domain has been added to a service.
When I saw the error It suddenly clicks to my mind That I have seen such errors on subdomains of some websites but when I tried to takeover them via Fastly services They ask to add the main domain But in this case It was the main domain. So I checked the WHOis info for this domain and it was!
Diagnostics
DNS Records for bugcrowdtrafficcontrol.com
Hostname Type TTL Priority Content
bugcrowdtrafficcontrol.com SOA 1551 edna.ns.cloudflare.com [email protected] 2025379154 10000 2400 604800 3600
bugcrowdtrafficcontrol.com NS 86399 edna.ns.cloudflare.com
bugcrowdtrafficcontrol.com NS 86399 lee.ns.cloudflare.com
bugcrowdtrafficcontrol.com A 299 104.20.5.239
bugcrowdtrafficcontrol.com A 299 104.20.4.239
bugcrowdtrafficcontrol.com MX 299 5 alt2.aspmx.l.google.com
bugcrowdtrafficcontrol.com MX 299 5 alt1.aspmx.l.google.com
bugcrowdtrafficcontrol.com MX 299 1 aspmx.l.google.com
bugcrowdtrafficcontrol.com MX 299 10 alt4.aspmx.l.google.com
bugcrowdtrafficcontrol.com MX 299 10 alt3.aspmx.l.google.com
www.bugcrowdtrafficcontrol.com A 299 104.20.60.51
www.bugcrowdtrafficcontrol.com A 299 104.20.61.51
www.bugcrowdtrafficcontrol.com AAAA 299 2400:cb00:2048:1::6814:3c33
www.bugcrowdtrafficcontrol.com AAAA 299 2400:cb00:2048:1::6814:3d33
www.bugcrowdtrafficcontrol.com CNAME 299 www.bugcrowd.com
and this Information is Enough for Me to Confirm that the domain was indeed owned by Bugcrowd!
TAKEOVER:
Well I opened My Fastly account and tried to make a Service named bugcrowdtrafficcontrol.com & With teh IP of the domain….., And Boom… It says!
Your service has been created and activated.
Domain 'bugcrowdtrafficcontrol.com' was created
2017-08-13 19:15 +00:00
by khizer
Click the following link to see if your site is configured correctly: http://bugcrowdtrafficcontrol.com.global.prod.fastly.net.
It may take up to a minute for your site to be ready.
So Now as The domain is added to my account i visit the domain again an This time the error was changed to
Error 503 hostname doesn't match against certificate
hostname doesn't match against certificate
Guru Mediation:
Details: cache-cdg8721-CDG 1502652983 264973953
Varnish cache server
the Error was same to My Fastly service URL http://bugcrowdtrafficcontrol.com.global.prod.fastly.net, The Error was generate due to My mistake… I’m unaware of how to use these services so a little messed Up! But i qucikly figured out that if i add the same service to my cloudfront account and change the Plan to Business (it cost upto 200$ ) You can gain Complete Access of the domain 🙂
Now if You remember the WHOis information showed me another thing The Subdomain
www.bugcrowdtrafficcontrol.com
When i visited that subdomain and It showed Me an error!
Well as soon as i saw this error I remember that some days a go a guys published a Blog about taking over DonaldJTrump’s Website subdomain by same service and i tried to follow his steps But Unfortunately My card was declined while buying the services to Takeover the subdomain …. That’s Why I was Unable to takeover The Subdomain Completely!
How to takeover:
- Signed up as client in Pantheon service.
- Created a Sandboxed domain as WordPress or Drupal.
- Added a credit card, then subscribed as ‘Professional’ to setup the sandboxed domain.
- Used a feature called “custom domains” to add the vulnerable subdomain to my account.
- Waited for the verification and building process to be finish.
- Boom You will be the admin of the subdomain
So At the end I reported this To Bugcrowd! 😛 Because potentially the domain & Subdomain both was owned by Bugcrowd…
Their Reply:
The Report was Closed as N/A 😛 lol I was Hoping it to Be closed as Resolved 😛 But I still got 600$ 🙂
Thanks 🙂
Hope it will solve the problem for some about Fastly error 🙂
Discover more from Security Breached Blog
Subscribe to get the latest posts sent to your email.
[…] Bugcrowd domain subdomain takeover vulnerability […]
[…] https://blog.securitybreached.org/2017/10/10/bugcrowds-domain-subdomain-takeover-vulnerability/ https://blog.securitybreached.org/2017/10/11/what-is-subdomain-takeover-vulnerability/ […]
what tools you used?