Subdomain takeover [Awarded $200]

Friendly
May 7, 2019 · 3 min read

The story is simple, the reward was “alright”. Let’s start. ^_^


I came across a website known as ownCloud. Their bug bounty program is located here — https://owncloud.com/owncloud-bug-bounty-program/ and their H1 program is located here https://hackerone.com/owncloud

Their bounty program looked nice and juicy and I wanted some dough ( 🤑 )

So I ran https://github.com/aboul3la/Sublist3r [pretty sure everyone is aware of this] and I came across a domain that was displayed as


So I did a quick search on their CNAME and it points to owncloud.fider.io but somehow wasn’t reflecting back on their feedback.owncloud.com domain. CNAME check tool I used — https://toolbox.googleapps.com/apps/dig/

I then registered a demo account on https://getfider.com/ and saw that they had a custom page where you can set whichever domain you want.


I then pointed the feedback.owncloud.com domain to my testing domain on https://getfider.com/ and saw that my inputs reflected over to http://feedback.owncloud.com/
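The pattern above (a CNAME left pointing at a hosted service that lets any customer attach a custom hostname) is easy to sweep for from the defender's side. The following is an added example, not code from the post or from ownCloud or Fider: the CNAME inventory is constructed, the list of claimable services is an assumption, and the `claimed` hook stands in for a service-specific check (for example an HTTP fetch of the subdomain that looks for the provider's "no site configured" page).

```python
import socket
from typing import Callable, Dict, Optional

# Constructed sample CNAME sweep (stand-in names, not the records from the post).
SAMPLE_CNAMES: Dict[str, str] = {
    "feedback.example.com": "example.fider.io",    # third-party feedback tool
    "www.example.com": "web.example.com",           # in-house, no takeover exposure
    "status.example.com": "example.statuspage.io",  # third-party, assumed claimed
}

# Assumed list of hosted services that let any customer attach a custom hostname.
# A zone entry pointing here is only safe while an account there claims the name.
CLAIMABLE_SERVICES = ("fider.io", "github.io", "herokuapp.com", "statuspage.io")

def third_party_service(cname: str) -> Optional[str]:
    """Return the claimable service a CNAME target belongs to, if any."""
    host = cname.rstrip(".").lower()
    for svc in CLAIMABLE_SERVICES:
        if host == svc or host.endswith("." + svc):
            return svc
    return None

def resolves(host: str) -> bool:
    """True when the CNAME target still resolves; NXDOMAIN means a dangling entry."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def classify(sub: str, cname: str, claimed: Callable[[str], bool],
             resolve: Callable[[str], bool] = resolves) -> str:
    """Classify one zone entry. `claimed(sub)` answers whether the service already
    serves tenant content for `sub`; that fingerprint is service-specific and is
    left to the caller (hypothetical hook, not a Fider API)."""
    svc = third_party_service(cname)
    if svc is None:
        return "in-house"
    if not resolve(cname):
        return f"dangling: {cname} does not resolve"
    if not claimed(sub):
        return f"unclaimed on {svc}: any {svc} account could bind {sub}"
    return f"ok: claimed on {svc}"

def sweep(cnames: Dict[str, str], claimed: Callable[[str], bool],
          resolve: Callable[[str], bool] = resolves) -> Dict[str, str]:
    """Run classify over a whole CNAME inventory and return sub -> verdict."""
    return {sub: classify(sub, target, claimed, resolve) for sub, target in cnames.items()}

if __name__ == "__main__":
    # Offline demo: pretend every target resolves and only 'feedback' is unclaimed.
    for sub, verdict in sweep(SAMPLE_CNAMES, claimed=lambda h: h != "feedback.example.com",
                              resolve=lambda h: True).items():
        print(f"{sub}: {verdict}")
```

In a real sweep, feed it the CNAMEs from your own zone export and wire `claimed` to the provider's unclaimed-hostname fingerprint; the `unclaimed` verdict is the state feedback.owncloud.com was in.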


I also noticed that they had an advanced page in the settings which allows you to add custom CSS. I cooked up an IP grabber and a cookie grabber via CSS to show the escalation of this.


I swiftly reported it and in 2 hours, the issue was fixed via email. I was then told to send the report on HackerOne and I got my bounty.

I thought I would have gotten $5k for their subdomain takeover, but turns out it was $200 since .ownCloud was out of scope. However, I’d deem this as a very high security risk and the payout should have been more, but what can you do — the company has “more rights” to your inputs than you yourself.

Grateful, but not satisfied.

Timeline:

4/20/2019: issue reported; fixed 2 hours later.

Email discussion over 3 weeks, until 5/6/2019.

5/7/2019: paid out $200.

Worth it? Not sure.

Thanks for reading.

If you have questions regarding this, then feel free to shoot me a DM on Twitter https://twitter.com/Skeletorkeys or, join our Discord Server https://discord.gg/B6rZDTB to talk to any of the hundreds of people for help, or just looking to talk to other Hax0rs.
