In this blog post, I will walk you through the discovery of a critical vulnerability in
redacted.com. This vulnerability allowed me to take over any user's account by exploiting a subdomain takeover, which led to account takeovers due to the shared ASP session across all subdomains. Moreover, I will emphasize the importance of patience and persistence in bug hunting, which ultimately led me to claim the maximum bounty.
It all started when I was hacking on the main domain and after I logged in, I noticed that the
AspNetCore.Cookies was being shared in my requests everywhere across all other subdomains of the main domain.
By that time I realized that I only needed to find a Subdomain takeover to take over other users' accounts.
Then stumbled upon a subdomain takeover vulnerability in
test.redacted.com. This subdomain was pointing to
test-redacted.azurewebsites.net, and with the help of godiego blog post about Subdomain Takeover in Azure I managed to claim it.
root@hacktus:~# dig test.redacted.com DiG 9.16.1-Ubuntu <<>> test.redacted.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64344 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;test.redacted.com. IN A ;; ANSWER SECTION: test.redacted.com. 300 IN CNAME test-redacted.azurewebsites.net.
Then I navigated to the claimed subdomain and checked the logs and found that my cookies were logged there.
Eventually, I was able to take over anyone's account if they navigated to
GET / HTTP/1.1 Host: test.redacted.com Cookie: AspNetCore.Cookies=CfDJ8G4U4CYsUJ1sUeXOW7rO8WfE1_zVrJSr0bZLa47a8OULaZGzSGb_UYX9hGbiBk-5lAV0jKlGG5tzq3JFw0Z0tV5_jnmjXNq3xPyNquNphPtbXdJ--faQ2MvKjC-tbzyupFolYJYXgT9RYx1bs_B2vdJrg6mB4WT4jz6wB4sUeYsEiKXeTAsI1OQyGBVe0iBc4oD4_L4Iz6-1U6ZsE9ap3yn8xKjEoP7vjOIFCQlK2cKlCZb0e99dY-9ZhCsQ8nGt55D0-DKjVKTTB3vq8eOWW0N36Pm5Nc9oV7RGxELiNhE87jGUEA88zihLhkyu_1mDl7bHcTDvyp9Q
An attacker exploiting this vulnerability could take over any user's account by navigating them to their claimed subdomain and accessing their sensitive information through the shared ASP session. This can result in unauthorized access, data theft, and other malicious activities.
This blog post highlights the importance of understanding and securing subdomains, as well as the potential risks associated with misconfigurations. In this case, the subdomain takeover vulnerability led to account takeovers due to the shared ASP session. If I rushed to report this vulnerability as a normal STO bug, I was gonna end up with a medium/high report with a bounty of 500-1500$, Instead, I digged further to get the most impact out of it before reporting.
Reported : January 30, 2023 7:40pm
Fixed : January 30, 2023 9:52pm
Bounty : 3000$
Happy hacking and stay secure!