This blog explains everything: https://www.hackerone.com/hackerone-community-blog/guide-subdomain-takeovers
Hatena Blog (はてなブログ) is a relatively famous blogging platform in Japan and has a unique culture of its own.
As a Hatena Blog PRO (paid) feature, you can set a custom domain for your blog site by pointing an A record at 13.230.115.161 / 13.115.18.61 or a CNAME record at hatenablog.com. Additionally, you need to set the custom domain in the Hatena Blog configuration.
After a while, the domain settings will be verified, and you will be able to access your blog with your custom domain.
Since there is no domain verification mechanism, a custom domain can be taken over by attackers. Below are the potential scenarios that admins need to be careful about.
- Set an A/CNAME record but forgot to set the Hatena Blog custom domain
- Deleted the Hatena blog but forgot to remove the A/CNAME record
- Expired Hatena Blog PRO subscription? (Not 100% sure. I didn't really confirm this.)
If you find subdomains referring to hatenablog.com / 13.230.115.161 / 13.115.18.61 and you see this page, that's it.
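
A defender-side check for the scenarios above, as an added example that is not part of the original post: it walks an exported DNS zone, follows in-zone CNAME chains, and lists names that end at Hatena Blog but are missing from your inventory of custom domains configured in Hatena Blog. The zone rows, the `example.jp` names and the `CONFIGURED` inventory are constructed sample data; the function names are hypothetical.

```python
# Added example: find your own DNS names that point at Hatena Blog
# but are not claimed by a blog you control (dangling-record audit).
HATENA_IPS = {"13.230.115.161", "13.115.18.61"}  # A-record targets named in the article
HATENA_CNAME = "hatenablog.com"                  # CNAME target named in the article

# Constructed zone export: (name, type, value). example.jp is a placeholder.
ZONE = [
    ("blog.example.jp", "CNAME", "hatenablog.com."),
    ("news.example.jp", "A", "13.230.115.161"),
    ("old.example.jp", "CNAME", "legacy.example.jp."),
    ("legacy.example.jp", "A", "13.115.18.61"),
    ("www.example.jp", "A", "203.0.113.10"),
    ("dev.example.jp", "CNAME", "HatenaBlog.com"),
]
# Constructed inventory: custom domains currently set on Hatena blogs you own.
CONFIGURED = {"blog.example.jp"}


def norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def points_at_hatena(name, records, seen=None):
    """Return True if `name` reaches Hatena directly or via in-zone CNAMEs."""
    seen = set() if seen is None else seen
    name = norm(name)
    if name in seen:  # CNAME loop inside the zone: stop following
        return False
    seen.add(name)
    for rname, rtype, value in records:
        if norm(rname) != name:
            continue
        if rtype == "A" and value in HATENA_IPS:
            return True
        if rtype == "CNAME":
            target = norm(value)
            if target == HATENA_CNAME or points_at_hatena(target, records, seen):
                return True
    return False


def find_dangling(records, configured):
    """Names that resolve to Hatena but are absent from the configured inventory."""
    claimed = {norm(c) for c in configured}
    names = sorted({norm(r[0]) for r in records})
    return [n for n in names if points_at_hatena(n, records) and n not in claimed]


if __name__ == "__main__":
    for host in find_dangling(ZONE, CONFIGURED):
        print("remove the record or configure the custom domain:", host)
```

Each name is checked on its own because an alias such as `old.example.jp` is a separate custom domain from the name it points to, so it has to appear in the inventory too.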
To place a PoC, you need to register your own Hatena ID, set up a blog, and purchase a PRO subscription. The domain configuration can be changed from here: https://blog.hatena.ne.jp/my/config/detail
I found one example in the bug bounty program of 株式会社シンクロ・フード, and the finding was disclosed on 2024/07/18.