From Subdomain Takeover to Open Redirect

Anil Tom
Aug 2, 2019 · 3 min read

Hey guys,

I am Anil Tom. Since I haven’t written a blog post for a while, I thought I would write one. Today I am going to share one of my findings from a Bugcrowd private bug bounty program.


After a long break, I logged in to my Bugcrowd account and, while checking the programs, noticed that there were some pending private program invitations. On further checking, one program grabbed my attention, so I selected it and checked its scope. There were around six domains in scope for that program, so I started opening each website.

While checking, I found that one website greeted me with this GoDaddy web page:


When I saw this page I was like “heyyyyy!!! Subdomain takeover.”


But when I checked further, I saw this:


It was not expired :( so the subdomain takeover was not possible.


As I was closing the tab, my mind suddenly said: why not try some recon on this website? So I checked the Domain Name Registration Data Lookup at https://lookup.icann.org/lookup and discovered that the domain was owned by the company itself. I then ran dirsearch against the domain but could not find anything.

Then I checked whether this website was vulnerable to Open Redirect.

What is an Open Redirect vulnerability?

Open Redirect is not, by itself, a high-impact vulnerability. It arises when a web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. This makes phishing attacks easier.
Open redirection is listed in the OWASP Top 10 for 2010 and 2013 (10th position in both lists) because it is still an active threat in modern web applications. It occurs when a vulnerable web page redirects the user to an untrusted, malicious page that may compromise them. Open redirection is usually paired with phishing, because the manipulated link points at the legitimate site’s own domain, which increases the likelihood that the phishing attempt succeeds.

Let’s just say the target was named redact.com. I changed the URL to https://redact.com//google.co.in/ and executed it, and as expected I got a redirect to https://google.com
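The double-slash trick above works because a Location value of `//google.co.in/` is not a local path but a scheme-relative URL: the browser keeps the current scheme and swaps in the other host. As an added example (not part of the original write-up), this Python snippet shows the naive redirect beside a check that only accepts same-site paths; `redact.com` is the placeholder name from the post and the functions are my own.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Placeholder site name from the write-up (constructed example, not real code).
SITE = "https://redact.com/"


def naive_redirect_location(requested: str) -> str:
    """Vulnerable pattern: echo a user-controlled path into a Location header.
    '//google.co.in/' looks like a local path but is a scheme-relative URL."""
    return requested


def resolved_by_browser(location: str, base: str = SITE) -> str:
    """Resolve a Location value the way a browser does (RFC 3986 reference
    resolution): a '//host/...' reference keeps the scheme, swaps the host."""
    return urljoin(base, location)


def is_local_redirect(target: str) -> bool:
    """Hardened check: accept only a relative path on the current site."""
    if not target:
        return False
    # Check both the raw value and its percent-decoded form, in case the
    # framework decodes '%2F%2F' to '//' before the browser sees it.
    for candidate in (target, unquote(target)):
        if not candidate.startswith("/"):
            return False  # must be a path, not a bare host or scheme
        if candidate.startswith("//") or candidate.startswith("/\\"):
            return False  # scheme-relative; browsers also treat '\' as '/'
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False  # anything that parsed with its own authority
    return True


def safe_redirect_location(requested: str, fallback: str = "/") -> str:
    """Redirect to the requested path only if it stays on this site."""
    return requested if is_local_redirect(requested) else fallback


if __name__ == "__main__":
    payload = "//google.co.in/"
    print("naive    ->", resolved_by_browser(naive_redirect_location(payload)))
    print("hardened ->", resolved_by_browser(safe_redirect_location(payload)))
```

Running the script shows the naive handler sending the browser to https://google.co.in/ while the hardened one falls back to the site root.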


Then I made a PoC video and reported it to the team.


Timeline

Initial Report: 16 Jul 2019, 12:45 AM

Triaged: 17 Jul 2019, 2:56 AM

Fixed: 17 Jul 2019, 3:06 AM

Bounty Awarded: 17 Jul 2019, 3:08 AM ($150)

Thanks for reading my write-up. I hope you enjoyed it.

Wanna connect?

Facebook : Anil Tom

LinkedIn : Anil Tom
