Hacktus

Subdomain Takeover leading to Full Account Takeover

Subdomain Takeover leading to Full Account Takeover

Hacktus's photo
Hacktus
·

2 min read

Table of contents

Introduction

In this blog post, I will walk you through the discovery of a critical vulnerability in redacted.com. This vulnerability allowed me to take over any user's account by exploiting a subdomain takeover, which led to account takeovers due to the shared ASP session across all subdomains. Moreover, I will emphasize the importance of patience and persistence in bug hunting, which ultimately led me to claim the maximum bounty.

The Discovery

It all started when I was hacking on the main domain and after I logged in, I noticed that the AspNetCore.Cookies was being shared in my requests everywhere across all other subdomains of the main domain.

By that time I realized that I only needed to find a Subdomain takeover to take over other users' accounts.

Then stumbled upon a subdomain takeover vulnerability in test.redacted.com. This subdomain was pointing to test-redacted.azurewebsites.net, and with the help of godiego blog post about Subdomain Takeover in Azure I managed to claim it.

root@hacktus:~# dig test.redacted.com

DiG 9.16.1-Ubuntu <<>> test.redacted.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64344
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.redacted.com.     IN      A
;; ANSWER SECTION:
test.redacted.com. 300  IN      CNAME   test-redacted.azurewebsites.net.

Then I navigated to the claimed subdomain and checked the logs and found that my cookies were logged there.

Eventually, I was able to take over anyone's account if they navigated to test.redacted.com/.

GET / HTTP/1.1
Host: test.redacted.com
Cookie: AspNetCore.Cookies=CfDJ8G4U4CYsUJ1sUeXOW7rO8WfE1_zVrJSr0bZLa47a8OULaZGzSGb_UYX9hGbiBk-5lAV0jKlGG5tzq3JFw0Z0tV5_jnmjXNq3xPyNquNphPtbXdJ--faQ2MvKjC-tbzyupFolYJYXgT9RYx1bs_B2vdJrg6mB4WT4jz6wB4sUeYsEiKXeTAsI1OQyGBVe0iBc4oD4_L4Iz6-1U6ZsE9ap3yn8xKjEoP7vjOIFCQlK2cKlCZb0e99dY-9ZhCsQ8nGt55D0-DKjVKTTB3vq8eOWW0N36Pm5Nc9oV7RGxELiNhE87jGUEA88zihLhkyu_1mDl7bHcTDvyp9Q

The Impact

An attacker exploiting this vulnerability could take over any user's account by navigating them to their claimed subdomain and accessing their sensitive information through the shared ASP session. This can result in unauthorized access, data theft, and other malicious activities.

Conclusion

This blog post highlights the importance of understanding and securing subdomains, as well as the potential risks associated with misconfigurations. In this case, the subdomain takeover vulnerability led to account takeovers due to the shared ASP session. If I rushed to report this vulnerability as a normal STO bug, I was gonna end up with a medium/high report with a bounty of 500-1500$, Instead, I digged further to get the most impact out of it before reporting.

Timeline

Reported : January 30, 2023 7:40pm
Fixed : January 30, 2023 9:52pm
Severity: Critical(9.5)
Bounty : 3000$

Happy hacking and stay secure!

penetration testingpentestinghackingbugbountybugbountytips