Hello bug hunters,
I’m Someone from somewhere, and I’m here to give you some “hope” in bug hunting. As you all know, without a proof of concept you cannot get a bounty for a subdomain takeover. But today I’m here to give you hope, because sometimes you’re “lucky” and get a bounty for this kind of possible vulnerability.
So let’s skip the introduction and jump into the vulnerability.
You all know about subdomain takeover, but let me give some advice to new hunters.
A subdomain takeover arises when an organization maintains DNS records for subdomains that point to inactive external services, such as GitHub Pages, AWS S3, or Azure Blob. When the resource linked to these subdomains is no longer active, attackers can claim the abandoned service to control the subdomain. This allows them to redirect users to malicious or phishing sites, distribute malware, compromise sensitive information, or harm SEO rankings by hosting spam content.
Through such exploitation, attackers can significantly erode user trust and pose substantial security risks. Preventing subdomain takeovers requires routine DNS audits, deactivating unused subdomains, and closely monitoring third-party service usage.
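The routine DNS audit recommended above, sketched as an added example (not code from the original post): it flags CNAME records that point at GitHub Pages, AWS S3 or Azure Blob names missing from an inventory of resources the organization still owns. The zone lines, the inventory and the suffix list are constructed for illustration and are not exhaustive.

```python
# Constructed sample: zone export lines and the provider resources still owned.
ZONE_EXPORT = """\
www.example.com.     300 IN CNAME example-corp.github.io.
docs.example.com.    300 IN CNAME old-docs.github.io.
assets.example.com.  300 IN CNAME assets-prod.s3.amazonaws.com.
promo.example.com.   300 IN CNAME promo2019.blob.core.windows.net.
mail.example.com.    300 IN A     192.0.2.10
shop.example.com.    300 IN CNAME shop.cdn.example.net.
"""
OWNED_RESOURCES = {"example-corp.github.io", "assets-prod.s3.amazonaws.com"}

# Assumed, illustrative suffixes for the services named in the article.
PROVIDER_SUFFIXES = {
    "github.io": "GitHub Pages",
    "s3.amazonaws.com": "AWS S3",
    "blob.core.windows.net": "Azure Blob",
}

def parse_zone(text):
    """Return (name, type, target) tuples from 'name ttl IN type target' lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop zone-file comments
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            name, rtype, target = fields[0], fields[3], fields[4]
            records.append((name.rstrip(".").lower(), rtype.upper(), target.rstrip(".").lower()))
    return records

def provider_for(target):
    """Match on a label boundary so 'evilgithub.io' is not treated as GitHub Pages."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None

def audit(zone_text, owned):
    """List CNAMEs whose third-party target is not in the owned-resource inventory."""
    findings = []
    for name, rtype, target in parse_zone(zone_text):
        provider = provider_for(target) if rtype == "CNAME" else None
        if provider and target not in owned:
            findings.append((name, target, provider))
    return findings

if __name__ == "__main__":
    for name, target, provider in audit(ZONE_EXPORT, OWNED_RESOURCES):
        print(f"DANGLING {name} -> {target} ({provider}): remove the record or re-claim the resource")
```

Each finding is a record to delete or a resource to re-create before someone else can claim the name.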
So, as I said, I’m here to give you some hope.
LET’S START THE STORY!!!!
This story starts when I was totally new to bug hunting and trying to find some P2 and P3 vulnerabilities to make some money.
After spending 2–3 months I got some P4s and P5s, but now I really wanted to find something specific. So my friend told me about subdomain takeover, and he told me that it is very simple and easy to find.
Then I was fully ready and started hunting. After reporting 4 or 5 vulnerabilities I understood that, for a subdomain takeover, I needed to find some old subdomains and their specific errors. After that I got many “not applicable” and P5 results because the scenario was not fully exploitable.
Here I was very lucky…
Because I found a program whose scope section specifically mentioned: “If a potential subdomain takeover submission is found, please don’t actually take over the subdomain. Describe your case clearly but do not proceed in the real takeover.” This gave me goosebumps, because I was new and I only cared about money.
I went to my Ubuntu terminal and ran this command:
subfinder -d target.com | httpx -mc 404
After this I got many subdomains. I checked them manually and got some errors. But as I said, I was very excited, and I totally forgot what was in scope and what was out of scope.
I got some domains that were giving me errors from CloudFront and msidentity.com. I reported them and I got:
We checked this internally, but found no signs that these subdomain takeovers are actually possible.
After this I was very sad because the excitement was over. Then I thought, let’s give it a try, because this was on a platform, so the triager would understand me and forward this to the team. Then I sent them:
As mentioned in the responsible policy, why is this considered informative? In the policy there is a special mention of not really taking over the subdomain, so why??
Please triage the issue again…
Here I got a reply within a few minutes:
I will check with internal team. There is indeed mentioned to not take over the subdomain.
Now I was excited again, because for the first time I got triaged and the severity was “HIGH”. In a few days I got a response from the team, and they sent me:
We will move this to pending as the customer is investigating this.
Within a few days I got a positive response from the team and the bounty with
Now this is my first P2 bounty, and this is really not a vulnerability, but because I’m new I only care about money, and also this is very interesting.
After this I again reported the same type of bug on different websites, expecting a positive result. And as I said, “HOPE” is very much needed, because after reporting 4 or 5 I again got a positive result with a bounty of
So, this is all for today. Please keep some “HOPE” in vulnerabilities, because sometimes you’re lucky and get a reward for things that are not a vulnerability.
I will come back to you with some of the craziest bounties you have ever seen.
Thanks for today.
Let’s HOPE.